[Openswan Users] Windows Vista - ipsec tunnel breaks down after one hour

Christian Hocken christian at hocken.net
Wed Oct 3 10:43:36 EDT 2007


Hi again,
I had some trouble subscribing to the mailing list. This is my second attempt.
We have set up an IPsec gateway based on Openswan 2.4.5 which is running on Fedora Core 6 with kernel 2.6.22.7-57.fc6.
Several road warriors with different operating systems are connected to the gateway, including Windows XP SP2, Windows Vista and Mac OS X. All of them are using a combination of IPsec and L2TP.
Initialising the connection works fine, but the Vista client gets disconnected after one hour. It seems as if something goes wrong during the rekey attempt.
On XP, everything works fine. The client stays connected for hours. In the past OS X worked fine, too, but newer tries aren't available.

This is my config:

ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         # klipsdebug=none
         # plutodebug="control parsing"
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.24.0/24

include /etc/ipsec.d/*.conf



and my connection:
conn l2tp-cert-nat
         #
         # Configuration for users with any type of IPsec/L2TP client
         # including the updated Windows 2000/XP (MS KB Q818043), but
         # excluding the non-updated Windows 2000/XP.
         #
         #
         # Use a certificate. Disable Perfect Forward Secrecy.
         #
         authby=rsasig
         pfs=no
         #
         # Add connection.
         #
         auto=add
         #
         # We cannot rekey for %any, let client rekey.
         #
         rekey=no
         #
         #
         # Do not enable the line below. It is implicitely used, and
         # specifying it will currently break when using nat-t.
         #
         # type=transport. See http://bugs.xelerance.com/view.php?id=466
         #
         #
         # The server:
         #
         left=%defaultroute
         leftrsasigkey=%cert
         leftcert=/etc/ipsec.d/certs/example.com-cert.pem
         leftprotoport=17/1701
         #
         #
         # The remote user:
         #
         right=%any
         rightsubnet=vhost:%no,%priv
         rightca=%same
         rightrsasigkey=%cert
         rightprotoport=17/%any


I hope someone has a clue.

I'm attaching my logfiles.

Thanks a lot!

best regards
Christian Hocken
-------------- next part --------------
A non-text attachment was scrubbed...
Name: secure.log
Type: application/octet-stream
Size: 18847 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20071003/43d9a745/attachment-0001.obj 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsecwhack.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20071003/43d9a745/attachment-0001.txt 
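The configuration posted above, run through an ipsec.conf checker added here as an example (it is not Openswan's own tooling and not part of the original mail). The parser handles the subset of the file format used in the post (comments, version, config setup, conn sections, indented key=value lines, include) and merges a conn %default section if one exists; also= is not expanded. Where a conn does not set a lifetime it applies the defaults documented in ipsec.conf(5), ikelifetime=1h and keylife=8h, and reports which side is expected to initiate rekeying: with rekey=no and right=%any the gateway never initiates a rekey, so each client has to renegotiate before the ISAKMP SA lifetime runs out, and a client that does not is dropped when that lifetime ends. The sample text inside the block is the posted configuration, reassembled from the mail.

```python
"""Lint an Openswan-style ipsec.conf for rekey and SA lifetime settings (added example)."""
import re

# Defaults from ipsec.conf(5) for the parameters that govern SA lifetime.
DEFAULT_IKELIFETIME = "1h"   # ISAKMP (IKE) SA lifetime
DEFAULT_KEYLIFE = "8h"       # IPsec SA lifetime (keylife / salifetime)

_DURATION_RE = re.compile(r"^(\d+)([smhd]?)$")
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert an ipsec.conf duration ('1h', '30m', '3600', '2d') into seconds."""
    m = _DURATION_RE.match(value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def parse_ipsec_conf(text):
    """Return {'setup': {...}, 'conns': {name: {...}}, 'includes': [...]}.

    Section headers start in column 0; key=value lines are indented.
    'include' lines are recorded but not followed; 'also=' is not expanded.
    """
    setup, conns, includes = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            words = line.split()
            if words[0] == "config" and words[1:] == ["setup"]:
                current = setup
            elif words[0] == "conn" and len(words) == 2:
                current = conns.setdefault(words[1], {})
            elif words[0] == "include":
                includes.append(" ".join(words[1:]))
                current = None
            elif words[0] == "version":
                current = None
            else:
                raise ValueError("unexpected top-level line: %r" % raw)
            continue
        if current is None:
            raise ValueError("key outside a section: %r" % raw)
        key, sep, val = line.strip().partition("=")
        if not sep:
            raise ValueError("expected key=value: %r" % raw)
        current[key.strip()] = val.strip()
    return {"setup": setup, "conns": conns, "includes": includes}


def effective_conn(conf, name):
    """Apply 'conn %default' values underneath the named conn."""
    merged = dict(conf["conns"].get("%default", {}))
    merged.update(conf["conns"][name])
    return merged


def lifetime_report(conf, name):
    """Summarise who rekeys and how long the SAs live for one conn."""
    c = effective_conn(conf, name)
    ike = parse_duration(c.get("ikelifetime", DEFAULT_IKELIFETIME))
    ipsec = parse_duration(c.get("keylife", c.get("salifetime", DEFAULT_KEYLIFE)))
    server_rekeys = c.get("rekey", "yes").lower() == "yes"
    report = {
        "name": name,
        "ikelifetime_s": ike,
        "keylife_s": ipsec,
        "pfs": c.get("pfs", "yes"),
        "peer_is_any": c.get("right") == "%any",
        "server_initiates_rekey": server_rekeys,
        "notes": [],
    }
    if not server_rekeys:
        report["notes"].append(
            "rekey=no: the gateway will not renegotiate; each peer must rekey "
            "before the ISAKMP SA expires after %d s or it loses the tunnel" % ike)
    if report["pfs"] == "no":
        report["notes"].append("pfs=no: IPsec SA rekeys reuse the IKE keying material")
    return report


# Constructed input: the configuration from the mail, with the two wrapped lines rejoined.
SAMPLE_CONF = """\
version 2.0
config setup
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.24.0/24
include /etc/ipsec.d/*.conf
conn l2tp-cert-nat
         authby=rsasig
         pfs=no
         auto=add
         rekey=no
         # type=transport. See http://bugs.xelerance.com/view.php?id=466
         left=%defaultroute
         leftrsasigkey=%cert
         leftcert=/etc/ipsec.d/certs/example.com-cert.pem
         leftprotoport=17/1701
         right=%any
         rightsubnet=vhost:%no,%priv
         rightca=%same
         rightrsasigkey=%cert
         rightprotoport=17/%any
"""

if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    for conn_name in conf["conns"]:
        rep = lifetime_report(conf, conn_name)
        print("%s: IKE SA %ds, IPsec SA %ds, server rekeys: %s"
              % (rep["name"], rep["ikelifetime_s"], rep["keylife_s"], rep["server_initiates_rekey"]))
        for note in rep["notes"]:
            print("  -", note)
```

Running it on the posted conn prints an IKE SA lifetime of 3600 s with the server not rekeying, which is the one-hour boundary worth comparing against the timestamps of the disconnect in secure.log; a conn that sets ikelifetime explicitly is reported with that value instead.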