1852 Views 9 Replies Latest reply: Dec 29, 2011 4:12 AM by armalite
armalite, Newcomer, 18 posts since Dec 14, 2011

Dec 28, 2011 4:18 AM

SideWinder 8.2 VPN with ShrewSoft Client

Hi List,

I have a strange rekeying problem with the combination Sidewinder - ShrewSoft Client.

There is no rekeying between both endpoints. My workaround at the moment is to switch off rekeying on the Sidewinder and set the rekeying interval to the maximum on the client side.

Any ideas out there for this?

Thanks in advance

Andreas

  • mtuma, McAfee SME, 535 posts since Nov 3, 2009
    1. Dec 28, 2011 8:59 AM (in response to armalite)
    Re: SideWinder 8.2 VPN with ShrewSoft Client

    Hello,

    Without examining the audit to possibly see information related to the problem, I do have a suggestion. You typically want to configure the client to rekey before the firewall. Usually the client is behind a NATted device, and if the firewall tries to rekey first, the NATted device may have timed out its NAT session. If you set the client to rekey first, it will initiate a new connection on UDP 500/4500 through the NATted device to rekey the VPN.

    Hope this helps.

    Matt

  • mtuma, McAfee SME, 317 posts since Nov 3, 2009
    3. Dec 28, 2011 10:11 AM (in response to armalite)
    Re: SideWinder 8.2 VPN with ShrewSoft Client

    Hello,

    > So I set the rekey interval to (i.e.) 6000 seconds??

    I am thinking that you are talking about 6000 seconds on the client, and that should work, but it is cutting it a bit close. 7200 * 85% = 6120, so if I were you, I would configure the client to rekey at, say, 5000 seconds, just to make sure that the client rekeys first.

    Also, you should not forget that there are rekey times for phase 1 and phase 2, and I would recommend having the client rekey both first.

    Let me know if you need any clarification.

    -Matt

  • mtuma, McAfee SME, 317 posts since Nov 3, 2009
    5. Dec 28, 2011 1:14 PM (in response to armalite)
    Re: SideWinder 8.2 VPN with ShrewSoft Client

    I think that it would make sense at this point to open up a ticket with Support. We would want to know more about the 2 SAs that you see established (and where you see them, i.e. in the ShrewSoft client?). Also we would need to look at the audit with the ISAKMP server in debug mode.

    -Matt

  • sliedl, McAfee SME, 535 posts since Nov 3, 2009
    6. Dec 28, 2011 4:31 PM (in response to armalite)
    Re: SideWinder 8.2 VPN with ShrewSoft Client

    I tested this out. I set the phase 2 rekey time to 60 seconds and phase 1 rekey time to 180 seconds on the firewall. On the ShrewSoft client I set each to 300 seconds (so the firewall rekeys first).

    After 60 seconds the firewall and ShrewSoft client rekey phase 2 successfully.

    After 180 seconds the firewall tries to rekey phase 1 but the ShrewSoft client does not allow it for some reason. I see this in the ShrewSoft logs:

    ike packet from 192.168.15.8 ignored, contact is denied for peer
    ike packet from 192.168.15.8 ignored, contact is denied for peer
    ike packet from 192.168.15.8 ignored, contact is denied for peer
    ike packet from 192.168.15.8 ignored, contact is denied for peer

    In tcpdumps I can see the firewall sending four port 500, phase 1 packets to the ShrewSoft client, with no response. It's like the ShrewSoft client loses its phase 1 configuration or something.

    The firewall then deletes the phase 1 association because the ShrewSoft client does not respond to its rekey attempts. I see this type of message in the firewall audit:

    AGGRESSIVE_MODE exchange terminated - AGGRESSIVE_MODE negotiation timed out (retransmission threshold reached)

    I then reversed the values and made the phase 2 rekey 60 seconds and phase 1 rekey 180 seconds on the ShrewSoft client (and set the firewall's rekey times to 300 seconds). The client will successfully rekey with the firewall then (both phase 1 and phase 2).
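To make the rekey-ordering advice in this thread concrete (Matt's rule that the client should rekey first, with a margin below the firewall's 85% point, and sliedl's two test configurations), here is an added Python example; it is not code from the thread, McAfee or ShrewSoft, and it assumes the firewall initiates a rekey at 85% of its configured lifetime and the client exactly at its own configured interval.

```python
# Added example (not code from the thread or from either vendor): a checker for
# which side of an IPsec tunnel initiates each rekey, and a planner for client
# intervals that keep the client (behind NAT) as the initiator.
from dataclasses import dataclass

FW_REKEY_PERCENT = 85  # assumed firewall rekey point, from the thread's "7200 * 85% = 6120"

@dataclass(frozen=True)
class Lifetimes:
    """Rekey intervals in seconds for the two IKE phases."""
    phase1: int
    phase2: int

def firewall_rekey_at(lifetime: int, percent: int = FW_REKEY_PERCENT) -> int:
    """Seconds after SA establishment at which the firewall starts its rekey (integer math)."""
    return lifetime * percent // 100

def who_rekeys_first(fw: Lifetimes, client: Lifetimes) -> dict:
    """Per phase, which side initiates the rekey: 'client' or 'firewall'."""
    result = {}
    for phase in ("phase1", "phase2"):
        fw_t = firewall_rekey_at(getattr(fw, phase))
        client_t = getattr(client, phase)
        result[phase] = "client" if client_t < fw_t else "firewall"
    return result

def nat_timeout_risk(fw: Lifetimes, client: Lifetimes) -> list:
    """Phases where the firewall would rekey first, i.e. the case the thread
    describes failing when the client sits behind a NAT device."""
    return [p for p, side in who_rekeys_first(fw, client).items() if side == "firewall"]

def plan_client_rekey(fw: Lifetimes, margin_percent: int = 20) -> Lifetimes:
    """Client intervals that fire a safety margin before the firewall's rekey
    point, so the client always re-opens the UDP 500/4500 path itself."""
    return Lifetimes(
        phase1=firewall_rekey_at(fw.phase1) * (100 - margin_percent) // 100,
        phase2=firewall_rekey_at(fw.phase2) * (100 - margin_percent) // 100,
    )

if __name__ == "__main__":
    # sliedl's first test: firewall 180/60 s, client 300/300 s -> firewall initiates both
    print(nat_timeout_risk(Lifetimes(180, 60), Lifetimes(300, 300)))  # ['phase1', 'phase2']
    # the reversed test: client 180/60 s, firewall 300/300 s -> client initiates, no risk
    print(nat_timeout_risk(Lifetimes(300, 300), Lifetimes(180, 60)))  # []
    # Matt's 7200 s lifetime: 85% is 6120; a 20% margin gives 4896, near his suggested 5000
    print(plan_client_rekey(Lifetimes(7200, 7200)))  # Lifetimes(phase1=4896, phase2=4896)
```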
