
List:       sidewinder
Subject:    [Sidewinder] VPN
From:       sidewinder-admin () adeptech ! com
Date:       2002-12-11 2:26:41

Hi, thanks for the (long) answer!

> If your users are leaving their VPN open for long periods of time, you also need to
> remember that the client will close the tunnel after 1 rekey event without traffic
> passing.  This means that if your VPN is active, goes through a phase 2 rekey,
> passes no traffic through the VPN, then reaches another phase 2 rekey, the client
> will close the VPN as it is no longer needed.  If your mail clients are not passing
> traffic with enough frequency, you may need to run a side process (bat file that
> sends a ping every 1 minute or something like that) to maintain the VPN tunnel.

You guessed right about the VPN config: I'm using a fixed shared key, aggressive mode
and extended auth. I had problems with configuring a split tunnel, so all of them
except me are running a "secure-all" type of connection. I've noticed that it
sometimes takes 10 seconds to complete the SA when using a split tunnel. I get a lot
of those errors. Personally I don't mind, but for less technical people it has to work
fast. Here's the error:


18:57:17.638 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:17.748 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:17.748 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:17.758 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:17.768 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)

I'll get a complete page of this and then:

18:57:18.129 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:18.149 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:18.489 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:19.591 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:21.804 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:24.558 My Connections\Converge-Net - RECEIVED<<< ISAKMP OAK INFO *(HASH, DEL)
19:06:44.583 My Connections\Converge-Net - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
19:06:44.583 My Connections\Converge-Net - Received IKE Phase 2 Client IDs (message id: 8188B5F7)
19:06:44.583   Initiator = IP SUBNET/MASK=192.168.144.0/255.255.255.0, prot = 0 port = 0
19:06:44.583   Responder = IP ADDR=10.1.1.8, prot = 0 port = 0
19:06:44.583 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
19:06:44.654 My Connections\Converge-Net - RECEIVED<<< ISAKMP OAK QM *(HASH)
19:06:44.654 My Connections\Converge-Net - Loading IPSec SA (Message ID = 8188B5F7 OUTBOUND SPI = 5DDF074F INBOUND SPI = 41879EA2)

Boom, connection is made. After that, everything is sweet.


I think that's the problem. Since the Phase 2 rekey is every 700 seconds, it's quite
possible that they leave the VPN on for 700 seconds without any traffic going
through. It makes perfect sense. It's also logical to drop inactive connections; it's
less of a risk.

I did take off all of the unnecessary checkboxes in the Crypto tab and the last
one. I only left 3DES and MD5 since it's what the client is using. What I don't
understand is the Oakley level (sorry, I don't have the GUI on this computer).



_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
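An added example, not part of the original message or of any vendor's client software, that re-parses the IKE client log excerpt quoted above and models the idle-teardown rule the quoted reply describes. The log format is inferred only from the lines quoted in the message (timestamp, connection name, ISAKMP exchange); the sample log below is that excerpt, constructed here one event per line. The teardown model assumes what the reply states: at a phase 2 rekey, a tunnel that has carried no traffic since the previous rekey is closed. The 700 s rekey interval and the 60 s ping period are the values the thread mentions; the function and variable names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: the client log excerpt quoted in the message above,
# reflowed to one event per line.
SAMPLE_LOG = r"""
18:57:17.638 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:17.748 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:17.748 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:17.758 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:17.768 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:18.129 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:18.149 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:18.489 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:19.591 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:21.804 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SPI)
18:57:24.558 My Connections\Converge-Net - RECEIVED<<< ISAKMP OAK INFO *(HASH, DEL)
19:06:44.583 My Connections\Converge-Net - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
19:06:44.583 My Connections\Converge-Net - Received IKE Phase 2 Client IDs (message id: 8188B5F7)
19:06:44.583   Initiator = IP SUBNET/MASK=192.168.144.0/255.255.255.0, prot = 0 port = 0
19:06:44.583   Responder = IP ADDR=10.1.1.8, prot = 0 port = 0
19:06:44.583 My Connections\Converge-Net - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
19:06:44.654 My Connections\Converge-Net - RECEIVED<<< ISAKMP OAK QM *(HASH)
19:06:44.654 My Connections\Converge-Net - Loading IPSec SA (Message ID = 8188B5F7 OUTBOUND SPI = 5DDF074F INBOUND SPI = 41879EA2)
"""

# Patterns inferred from the quoted lines (assumption: other lines of this
# client's log follow the same "HH:MM:SS.mmm <text>" shape).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
SPI_RE = re.compile(r"OUTBOUND SPI = ([0-9A-Fa-f]+) INBOUND SPI = ([0-9A-Fa-f]+)")
INIT_RE = re.compile(r"Initiator = IP SUBNET/MASK=([\d.]+)/([\d.]+)")
RESP_RE = re.compile(r"Responder = IP ADDR=([\d.]+)")


def parse_log(text):
    """Return (timestamp, message) tuples in log order; lines that do not
    start with a timestamp are skipped rather than guessed at."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2).strip()))
    return events


def analyze(events):
    """Summarise one connection attempt: how many INVALID_SPI notifies the
    client sent, the delay from the first of them until an IPsec SA was
    loaded, and the phase 2 selectors and SPIs of the SA that came up."""
    summary = {"invalid_spi_count": 0, "seconds_to_sa": None,
               "initiator": None, "responder": None, "spis": None}
    first_bad = None
    for t, msg in events:
        if "NOTIFY:INVALID_SPI" in msg:
            summary["invalid_spi_count"] += 1
            if first_bad is None:
                first_bad = t
        elif "Loading IPSec SA" in msg:
            m = SPI_RE.search(msg)
            if m:
                summary["spis"] = (m.group(1).upper(), m.group(2).upper())
            if first_bad is not None and summary["seconds_to_sa"] is None:
                summary["seconds_to_sa"] = (t - first_bad).total_seconds()
        else:
            m = INIT_RE.match(msg)
            if m:
                summary["initiator"] = "%s/%s" % (m.group(1), m.group(2))
            m = RESP_RE.match(msg)
            if m:
                summary["responder"] = m.group(1)
    return summary


def tunnel_closes_at(traffic_times, rekey_interval=700, horizon=3600):
    """Model of the rule in the quoted reply: at each phase 2 rekey after the
    first, the client tears the tunnel down if no traffic passed since the
    previous rekey. Returns the teardown time in seconds after the tunnel
    came up, or None if it survives until `horizon`."""
    traffic = sorted(traffic_times)
    previous, rekey = rekey_interval, 2 * rekey_interval
    while rekey <= horizon:
        if not any(previous < x <= rekey for x in traffic):
            return rekey
        previous, rekey = rekey, rekey + rekey_interval
    return None


def keepalive_schedule(period=60, horizon=3600):
    """Traffic timestamps from a side process that pings every `period`
    seconds, the workaround the reply suggests."""
    return list(range(period, horizon + 1, period))


if __name__ == "__main__":
    print(analyze(parse_log(SAMPLE_LOG)))
    print("idle mail client closes at:", tunnel_closes_at([5, 30, 120]))
    print("with 60 s keepalive closes at:", tunnel_closes_at(keepalive_schedule()))
```

Run against the excerpt, `analyze` reports ten INVALID_SPI notifies and about 567 s from the first of them to the SA load; the phase 2 selectors it extracts (192.168.144.0/24 against 10.1.1.8) are what to compare against the split-tunnel policy on the firewall side. The teardown model shows the idle user's tunnel being dropped at the second rekey (1400 s) while a one-minute ping keeps it alive for the whole hour.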
