[Openswan Users] NAT-T inter-op problem with Cisco?

Paul Wouters paul at xelerance.com
Mon Nov 3 14:23:51 EST 2008


On Tue, 28 Oct 2008, Snitgen, John wrote:

> I am seeing the following set of prints in my debug log (see below)
> associated with a failure to renegotiate my VPN tunnel.  

Note that XAUTH and rekeying have always been somewhat tricky. Xauth is
best only deployed on roadwarriors with limited uptime, and with keylifes
greater than any expected uptime of the roadwarrior, to avoid rekeying.

> the third re-negotiation of the SA after the initial establishment of
> the VPN tunnel.  In other words, the tunnel is initiated and comes up
> fine - in this example, the initial establishment of the tunnel occurred
> at around 3:30 a.m.  The keylife=12h on the local side and is set to 6
> hours on the remote end (remote end is a Cisco aggregator).  So the

It might be an ikelifetime= issue instead of a keylife= issue.

> Openswan KLIPS IPsec stack version: 2.4.6., I can provide more info if
> needed.

You should upgrade to 2.4.13 or 2.6.18 and see if the problem has gone away.

Paul

