9 Replies. Latest reply: Dec 29, 2011 4:12 AM by armalite

    SideWinder 8.2 VPN with ShrewSoft Client

    armalite

      Hi List,

      I have a strange rekeying problem with the combination Sidewinder - ShrewSoft Client.

      There is no rekeying between both endpoints. My workaround at the moment is to switch off the rekeying at the Sidewinder and set the maximum time for the rekeying interval at the client side.

      Any ideas out there for this?

      Thx in advance

      Andreas

        • 1. Re: SideWinder 8.2 VPN with ShrewSoft Client
          mtuma

          Hello,

          Without examining the audit to possibly see information related to the problem, I do have a suggestion. You typically want to configure the client to rekey before the firewall. Usually the client is behind a NATted device, and if the firewall tries to rekey first, the NATted device may have timed out its NAT session. If you set the client to rekey first, it will initiate a new connection on UDP 500/4500 through the NATted device to rekey the VPN.

          Hope this helps.

          Matt

          • 2. Re: SideWinder 8.2 VPN with ShrewSoft Client
            armalite

            OK,

            Only for better understanding, let's assume the hard lifetime on the Sidewinder is set to 7200 sec & the soft percentage is 85 %.

            Force XAuth is disabled, NAT-T too. Forced Rekey is enabled.

            So I set the rekey interval to (i.e.) 6000 seconds?

            Thx in advance

            Andreas

            • 3. Re: SideWinder 8.2 VPN with ShrewSoft Client
              mtuma

              Hello,

              >So I set the rekey interval to (i.e.) 6000 seconds?

              I am thinking that you are talking about 6000 seconds on the client, and that should work, but it is cutting it a bit close. 7200 * 85% = 6120, so if I were you, I would configure the client to rekey at, say, 5000 seconds, just to make sure that the client rekeys first.

              Also, you should not forget that there are rekey times for phase 1 and phase 2, and I would recommend having the client rekey both first.

              Let me know if you need any clarification.

              -Matt
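As an added illustration of the rule Matt describes (the client must rekey before the firewall's soft lifetime, for both phases), the following checker is example code written for this thread, not code from the forum, Sidewinder or ShrewSoft. The rekey values are the ones quoted in the thread; treating a firewall with no soft percentage as 100 % is an assumption.

```python
def firewall_soft_lifetime(hard_seconds, soft_percent):
    """Time at which the firewall itself starts a rekey: hard lifetime * soft %."""
    return hard_seconds * soft_percent / 100.0


def rekey_order(firewall_hard, firewall_soft_percent, client_rekey):
    """Return (initiator, margin_seconds) for one phase.

    The side with the smaller rekey time initiates; the margin is how much
    earlier it fires than the other side.
    """
    fw_soft = firewall_soft_lifetime(firewall_hard, firewall_soft_percent)
    if client_rekey < fw_soft:
        return "client", fw_soft - client_rekey
    return "firewall", client_rekey - fw_soft


def plan(firewall, client, min_margin=600):
    """Check both IKE phases.

    firewall: {"phase1": (hard_seconds, soft_percent), "phase2": (...)}
    client:   {"phase1": rekey_seconds, "phase2": rekey_seconds}
    A phase is "ok" only when the client rekeys first by at least min_margin
    seconds (600 s is an assumed safety margin, in the spirit of Matt's 5000 s
    suggestion against a 6120 s soft lifetime).
    """
    report = {}
    for phase in ("phase1", "phase2"):
        hard, pct = firewall[phase]
        initiator, margin = rekey_order(hard, pct, client[phase])
        report[phase] = {
            "initiator": initiator,
            "margin": margin,
            "ok": initiator == "client" and margin >= min_margin,
        }
    return report


if __name__ == "__main__":
    # Andreas' numbers: 7200 s hard, 85 % soft, client at 6000 s -> client first but only 120 s margin
    fw = {"phase1": (7200, 85), "phase2": (7200, 85)}
    print(plan(fw, {"phase1": 6000, "phase2": 6000}))
    # Matt's suggestion: client at 5000 s -> 1120 s margin, ok on both phases
    print(plan(fw, {"phase1": 5000, "phase2": 5000}))
```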

              • 4. Re: SideWinder 8.2 VPN with ShrewSoft Client
                armalite

                I have tested this at the moment.

                The problem still exists. On the ShrewSoft Client I see, every time the client reaches the phase 2 key time limit, a new SA is established (for the first time, i.e. Established 2 SA's and expired 1 SA).

                Thanks for the help

                Andreas

                • 5. Re: SideWinder 8.2 VPN with ShrewSoft Client
                  mtuma

                  I think that it would make sense at this point to open up a ticket with Support. We would want to know more about the 2 SA's that you see established (and where you see them, i.e. in the ShrewSoft?). Also we would need to look at the audit with the ISAKMP server in debug mode.

                  -Matt

                  • 6. Re: SideWinder 8.2 VPN with ShrewSoft Client
                    sliedl

                    I tested this out.  I set the phase 2 rekey time to 60 seconds and the phase 1 rekey time to 180 seconds on the firewall.  On the ShrewSoft client I set each to 300 seconds (so the firewall rekeys first).

                    After 60 seconds the firewall and ShrewSoft client rekey phase 2 successfully.

                    After 180 seconds the firewall tries to rekey phase 1 but the ShrewSoft client does not allow it for some reason.  I see this in the ShrewSoft logs:

                    ike packet from 192.168.15.8 ignored, contact is denied for peer
                    ike packet from 192.168.15.8 ignored, contact is denied for peer
                    ike packet from 192.168.15.8 ignored, contact is denied for peer
                    ike packet from 192.168.15.8 ignored, contact is denied for peer

                    In tcpdumps I can see the firewall sending four port 500, phase 1 packets to the ShrewSoft client, with no response.  It's like the ShrewSoft client loses its phase 1 configuration or something.

                    The firewall then deletes the phase 1 association because the ShrewSoft client does not respond to its rekey attempts.  I see this type of message in the firewall audit:

                    AGGRESSIVE_MODE exchange terminated - AGGRESSIVE_MODE negotiation timed out (retransmission threshold reached)

                    I then reversed the values and made the phase 2 rekey 60 seconds and the phase 1 rekey 180 seconds on the ShrewSoft client (and set the firewall's rekey times to 300 seconds).  The client will successfully rekey with the firewall then (both phase 1 and phase 2).
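The failure signature sliedl describes (four firewall-initiated phase 1 packets rejected by the client, then the firewall giving up at its retransmission threshold) can be picked out of the two logs with a small correlation script. This is an added example written for this thread, not a Sidewinder or ShrewSoft tool; the sample lines are constructed from the messages quoted above, and the threshold of four retransmissions is taken from sliedl's tcpdump observation.

```python
import re
from collections import Counter

# Constructed sample input modelled on the ShrewSoft log lines quoted in the thread.
SHREWSOFT_LOG = """\
ike packet from 192.168.15.8 ignored, contact is denied for peer
ike packet from 192.168.15.8 ignored, contact is denied for peer
ike packet from 192.168.15.8 ignored, contact is denied for peer
ike packet from 192.168.15.8 ignored, contact is denied for peer
"""

# Constructed sample input modelled on the firewall audit message quoted in the thread.
FIREWALL_AUDIT = """\
AGGRESSIVE_MODE exchange terminated - AGGRESSIVE_MODE negotiation timed out (retransmission threshold reached)
"""

IGNORED_RE = re.compile(
    r"ike packet from (\d{1,3}(?:\.\d{1,3}){3}) ignored, contact is denied for peer")
TIMEOUT_RE = re.compile(
    r"(\w+) exchange terminated - \w+ negotiation timed out \(retransmission threshold reached\)")


def ignored_peer_counts(log_text):
    """Count 'contact is denied' rejections per peer IP in the ShrewSoft log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def negotiation_timeouts(audit_text):
    """Return the exchange modes (e.g. AGGRESSIVE_MODE) that the firewall gave up on."""
    return [m.group(1) for line in audit_text.splitlines()
            if (m := TIMEOUT_RE.search(line))]


def refused_phase1_rekeys(log_text, audit_text, retransmit_threshold=4):
    """Peers for which the client rejected at least `retransmit_threshold` phase 1
    packets AND the firewall audit shows a negotiation timeout: the firewall-first
    rekey race described in the thread."""
    if not negotiation_timeouts(audit_text):
        return []
    peers = ignored_peer_counts(log_text)
    return sorted(p for p, n in peers.items() if n >= retransmit_threshold)
```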

                    • 7. Re: SideWinder 8.2 VPN with ShrewSoft Client
                      armalite

                      Wow,

                      Many thanks for your effort!

                      I will check this out today. We are now in the last phase of our firewall project. We are coming from Checkpoint and we'll switch on 01.01.12 to the Sidewinder (HA config).

                      Andreas

                      • 8. Re: SideWinder 8.2 VPN with ShrewSoft Client
                        armalite

                        OK, let's put it all together (hope I'm doing it the right way).

                        The timeouts:

                        ShrewSoft Client: phase 2: 60 secs; phase 1: 180 secs
                        Sidewinder: both timeouts 300 secs

                        On the ShrewSoft Trace Tool we see the rekeying counter tick to 49 secs and then a new SA is built, but no data is transferred over this SA (0 Bytes). At this time we lose something about 4 or 5 pings (ping host.internal -t is running in the background). When the first SA is near the dying timeout (57 of 60 secs) the second SA is transferring data and I get ping responses, so I have a gap of something about 6 - 8 seconds or 4 - 6 pings at every phase 2 rekeying.

                        Andreas

                        • 9. Re: SideWinder 8.2 VPN with ShrewSoft Client
                          armalite

                          A little update:

                          It seems the problem only occurs if the client is behind a NATting device.

                          If we connect directly to the internet over UMTS/HSDPA, all the rekeying stuff is working like a charm. Checked with 2 service providers here.