[Openswan Users] Working with ISA Server 2006
Brandon Rock
brandon at rockfam.org
Wed Nov 18 11:18:32 EST 2009
Hello,
A partner company is using ISA Server 2006. I have set up an IPSEC tunnel
between our sites. In order to do this, I had to establish three tunnels:
1. A tunnel between the public IP addresses
2. A tunnel between my private subnet and their public IP address
3. A tunnel between my public IP address and their private subnet
The tunnel is working fine most of the time. The problem is that when the
remote ISA Server is restarted, OpenSwan does not renegotiate the Phase 1
(IKE) key. Instead, it attempts to reuse the key it obtained before the
remote computer was restarted. Consequently, once the remote computer is
restarted, OpenSwan cannot bring the tunnel back online. I might note that
the ISA Server is able to reestablish its end of the tunnel. My question
is, how can I get OpenSwan to bring its end of the tunnel back online when
the remote ISA Server is restarted? Assuming my static IP is 1.1.1.1 and
their static IP is 2.2.2.2, my VPN config is as follows:

config setup
    # just use defaults

# Add connections here.

conn isa
    type=tunnel
    authby=secret
    ike=3des-sha1-modp1024
    ikelifetime=8h
    esp=3des-sha1
    keylife=1h
    keyingtries=%forever
    pfs=yes
    pfsgroup=modp1024
    dpdaction=restart
    left=1.1.1.1
    right=2.2.2.2
    auto=start

conn isa1
    leftsubnet=1.1.1.1/32
    rightsubnet=192.168.52.0/24
    also=isa

conn isa2
    leftsubnet=192.168.50.0/24
    rightsubnet=2.2.2.2/32
    also=isa

Best Regards,
Brandon Rock
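
An added example, not part of the original post and not Openswan code: a small check that resolves the also= inheritance used in the config above and reports every conn that sets dpdaction without both DPD timers. It assumes, per ipsec.conf(5), that dead peer detection only runs when dpddelay and dpdtimeout are set; the function names are hypothetical, and the sample is abridged from the post.

```python
# Config abridged from the post above, with section indentation restored.
SAMPLE = """\
config setup
conn isa
    dpdaction=restart
    left=1.1.1.1
    right=2.2.2.2
conn isa1
    leftsubnet=1.1.1.1/32
    rightsubnet=192.168.52.0/24
    also=isa
conn isa2
    leftsubnet=192.168.50.0/24
    rightsubnet=2.2.2.2/32
    also=isa
"""

def parse_conns(text):
    """Return {conn name: {key: value}}; assumes one also= per conn, as in the post."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key] = value
    return conns

def effective(conns, name, seen=()):
    """Settings of one conn after also= inheritance; the conn's own keys win."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    own = conns[name]
    merged = effective(conns, own["also"], seen + (name,)) if "also" in own else {}
    merged.update(own)
    return merged

def dpd_findings(conns):
    """Conns with dpdaction set but a DPD timer missing (assumed: DPD then stays off)."""
    found = []
    for name in conns:
        eff = effective(conns, name)
        missing = [k for k in ("dpddelay", "dpdtimeout") if k not in eff]
        if "dpdaction" in eff and missing:
            found.append((name, eff["dpdaction"], missing))
    return found
```

Run against the posted config, dpd_findings(parse_conns(SAMPLE)) lists isa, isa1 and isa2, because the two subnet conns inherit dpdaction=restart through also=isa and no conn sets either timer.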