[Openswan Users] IPSec/L2TP with Mac OS X drops connection after 1 hour
Kevin J. Arunski
kevin.arunski at netwitness.com
Sat Jul 18 16:11:14 EDT 2009
On Jul 18, 2009, at 4:03 PM, Marcus Carlson wrote:
> Kevin J. Arunski wrote:
>> I'm using Openswan in a roadwarrior setup for IPsec/L2TP clients,
>> and it appears the IPsec SA is dropped at exactly the one hour
>> mark when Mac OS X or Windows Vista clients connect.
>>
>> I'm using openswan 2.4.15 because the 2.6.X versions don't seem to
>> work at all. I'm using NETKEY on kernel 2.6.18-128.1.10.el5.
>>
>> Here is the configuration:
>>
>> conn L2TP-PSK-NAT
>>     authby=secret
>>     pfs=no
>>     auto=add
>>     keyingtries=3
>>     rekey=no
>>     ikelifetime=8h
>>     keylife=1h
>>     type=transport
>>     left=---.---.---.---
>>     leftprotoport=17/1701
>>     right=%any
>>     rightprotoport=17/%any
>>     rightsubnet=vhost:%no,%priv
>>
>>
> You have rekey=no and keylife=1h, this means there will be no
> rekeying after the first key expires after 1 hour and the connection
> dies. Fix this by setting the clients to rekey within one hour.
>
> Paul, please comment if I'm wrong.
From what I understand, rekey=no is required in this situation. I
thought the log messages I posted indicate the client attempting to
rekey at about 50 minutes.
Kevin
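As an added illustration of the lifetime interaction Marcus describes (this is not code from the thread or from Openswan), the checker below parses an ipsec.conf conn section and flags rekey=no, where this side never initiates rekeying and the IPsec SA therefore expires at keylife unless the peer rekeys first. The sample conn is the one from the mail, with the redacted left address kept as it appeared; the time-unit suffixes follow ipsec.conf's s/m/h/d convention.

```python
import re

# Constructed sample: the conn block from Kevin's mail (left address redacted in the original)
SAMPLE_CONF = """\
conn L2TP-PSK-NAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=---.---.---.---
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_seconds(value: str) -> int:
    """Convert an ipsec.conf time value such as '1h', '30m' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def parse_conns(text: str) -> dict:
    """Return {conn_name: {key: value}} for every 'conn' section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented: 'conn NAME' or 'config setup'
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:  # indented key=value inside a conn
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conns

def check_rekey(conn: dict) -> list:
    """Findings for one conn; an empty list means nothing to flag."""
    findings = []
    if conn.get("rekey", "yes").lower() == "no" and "keylife" in conn:
        secs = parse_seconds(conn["keylife"])
        findings.append(f"rekey=no: this side never rekeys, so the IPsec SA ends "
                        f"after keylife={secs}s unless the peer rekeys before then")
    return findings
```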