On 7/28/2010 9:06 AM, kevin shrew-vpn wrote:
On Sun, 11 Jul 2010 02:34:26 -0500
Matthew Grooms <[email protected]> wrote:


Your best bet is to always use matching lifetime values.


Hi Matthew, thanks for the detailed response.  Matching the lifetimes
has really helped stabilize one of my VPNs.

However, for the other VPN, when Phase 1 expires, the VPN breaks.
Based on info from Shrew and the gateway it looks like some form of
re-authentication is occurring (Shrew seems to re-send PAP).  This
appears to cause the gateway to assign a new virtual adapter IP, but
Shrew does not appear to realize this - at least, the virtual adapter
IP on the client does not change and no reference to a new
configuration appears in the Shrew iked trace.

Is assigning a new IP normal/permitted? Or is this a sign that I haven't
quite got the configs right between the client and gateway?

For what it's worth, the client is only able to connect if it is set to
'ike config pull'.

Hmmm. Odd that it would assign a different address after an ISAKMP SA renegotiation. A replacement SA is required when the original expires. Depending on the gateway, this involves another Xauth and an additional modecfg negotiation as well. What kind of gateway do you use?

-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
