[Openswan Users] Working with ISA Server 2006

Paul Wouters paul at xelerance.com
Wed Nov 18 15:07:15 EST 2009


On Wed, 18 Nov 2009, Brandon Rock wrote:

> A partner company is using ISA Server 2006. I have set up an IPSEC tunnel between our sites. In order to do this, I
> had to establish three tunnels:
> 
> 1. A tunnel between the public IP addresses
> 2. A tunnel between my private subnet and their public IP address
> 3. A tunnel between my public IP address and their private subnet
> 
> The tunnel is working fine most of the time. The problem is that when the remote ISA Server is restarted, OpenSwan
> does not renegotiate the Phase 1 (IKE) key. Instead, it attempts to reuse the key it obtained before the remote
> computer was restarted.

It should just restart the negotiation and work fine. Actually, the ISA server should restart the tunnels after a
reboot, since the openswan end does not know the state on the other end is lost until it has to rekey ISAKMP.

You can trigger openswan into rekeying if the ISA server supports Dead Peer Detection (not sure if it does).

Paul
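The DPD-based recovery Paul suggests, as an added Openswan ipsec.conf example that is not part of this thread: the three tunnels from the question share one set of Phase 1 parameters via `conn %default`, and `dpddelay`/`dpdtimeout`/`dpdaction=restart` make openswan notice a rebooted peer and renegotiate from scratch instead of reusing the stale ISAKMP SA. All addresses, subnets and timer values are placeholders.

```ini
# Added example, not from the original thread. Addresses are placeholders.
# Parameters in %default apply to every conn below.
conn %default
        authby=secret
        keyexchange=ike
        type=tunnel
        # our public IP and the partner's ISA Server public IP (placeholders)
        left=203.0.113.10
        right=198.51.100.20
        # Dead Peer Detection (RFC 3706): only effective if the peer also
        # supports it. Send a liveness probe every 30 s; after 120 s without
        # a reply, tear the SAs down and re-initiate both phases, so a peer
        # that rebooted and lost its state gets a fresh Phase 1 exchange.
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        # keep retrying the initial exchange until the peer is back
        keyingtries=%forever
        auto=start

# 1. host-to-host tunnel between the two public addresses
conn isa-host

# 2. our private subnet to their public address
conn isa-oursubnet
        leftsubnet=10.10.0.0/24

# 3. our public address to their private subnet
conn isa-theirsubnet
        rightsubnet=10.20.0.0/24
```

`ipsec auto --status` shows whether each of the three conns has an established ISAKMP and IPsec SA, and the DPD probe/timeout events appear in the pluto log, which is where to confirm that a peer reboot actually triggers the restart.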

