[strongSwan] Win7 L2TP/IPSEC clients disconnect every 8 hours

Michael Ulitskiy mulitskiy at acedsl.com
Tue Jul 30 17:12:26 CEST 2013


For the list reference here's the working config:

ipsec.conf:
conn l2tp
        ike = 3des-sha1-modp1024!
        ikelifetime = 4h
        lifetime = 2h
        rekey = yes
        type=transport
        leftauth=psk
        rightauth=psk
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add

Basically you have to make strongSwan initiate the rekey of the IKE_SA, while letting Win7 initiate the CHILD_SA rekey.
With this config it's been stable for several days now.
Thanks again for the very useful tip.

Michael
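
A small checker, added here as an illustration and not part of the thread or of strongSwan itself, that reads an ipsec.conf conn block and tests it against the two Windows 7 constraints quoted below from the wiki: the gateway's first IKE DH group must be modp1024, and the gateway's CHILD_SA rekey attempt must come later than the client's own rekey at about 58m46s. It assumes the documented ipsec.conf defaults lifetime=1h, margintime=9m and rekeyfuzz=100%, so the earliest gateway rekey attempt is taken as lifetime minus twice margintime.

```python
import re

# Client-side CHILD_SA rekey interval quoted in this thread (58 min 46 s).
WIN7_CHILD_REKEY = 58 * 60 + 46
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conn(text):
    """Parse key=value lines of one ipsec.conf conn block (spaces around '=' optional)."""
    conn = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$", line)
        if m:
            conn[m.group(1)] = m.group(2)
    return conn


def to_seconds(value):
    """Convert an ipsec.conf time value such as '4h', '9m' or '30' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def dh_groups(ike_proposal):
    """DH groups, in order, from an 'ike=' string like 'aes256-sha1-modp2048,3des-sha1-modp1024!'."""
    groups = []
    for prop in ike_proposal.rstrip("!").split(","):
        groups += [p for p in prop.split("-") if p.startswith(("modp", "ecp"))]
    return groups


def check_win7_rekey(conn):
    """Return a list of findings; an empty list means the conn matches the wiki's advice."""
    problems = []
    if conn.get("rekey", "yes") == "no":
        problems.append("rekey=no: gateway will not initiate IKE_SA rekeying (the thread's original config)")
    groups = dh_groups(conn.get("ike", ""))
    if not groups or groups[0] != "modp1024":
        problems.append("first DH group in ike= must be modp1024 for gateway-initiated IKE_SA rekey")
    lifetime = to_seconds(conn.get("lifetime", "1h"))        # assumed default 1h
    margin = to_seconds(conn.get("margintime", "9m"))        # assumed default 9m
    earliest = lifetime - 2 * margin                          # assumed rekeyfuzz=100%
    if earliest <= WIN7_CHILD_REKEY:
        problems.append("gateway may rekey CHILD_SA at %ds, before the Win7 client does (%ds)"
                        % (earliest, WIN7_CHILD_REKEY))
    return problems


# Constructed sample: the working config from this thread.
WORKING = "conn l2tp\n        ike = 3des-sha1-modp1024!\n        ikelifetime = 4h\n        lifetime = 2h\n        rekey = yes\n"
# Constructed sample: the original config that disconnected every 8 hours.
ORIGINAL = "conn l2tp\n        rekey = no\n        type=transport\n"
```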

On Monday, July 22, 2013 02:43:33 PM Paton, Andy wrote:
> Some useful info from the Wiki (http://wiki.strongswan.org/projects/strongswan/wiki/Windows7) which may help you on this one:
> 
> Rekeying behavior
> IKE_SA rekeying
> The Windows 7 client supports IKE_SA rekeying, but can't handle unsupported Diffie Hellman groups. If a strongSwan gateway initiates IKE_SA rekeying, it must use modp1024 as the DH group in the first attempt, otherwise rekeying fails. You can achieve this by setting modp1024 as the first (or only) DH group in the gateways ike proposal.
> CHILD_SA rekeying
> Rekeying CHILD_SAs is also supported by the Windows 7 client. For some reason, a client behind NAT does not accept a rekeying attempt and rejects it with a Microsoft specific notify 12345, containing an error code ERROR_IPSEC_IKE_INVALID_SITUATION.
> To work around the issue, let the client initiate the rekeying. It will do so about every 58 minutes and 46 seconds, so set the gateway rekey time a little higher. There is no way known to change the rekey time (the netsh.ras.ikev2saexpiry options affect the Windows Server implementation only).
> Another option is to set no rekey time, but only a hard lifetime to delete the CHILD_SA. The client will renegotiate the SA when required.
> 
> 
> Andy Paton - Bsc. (Hons), MBCS
> Innovation Engineer
> 
> andy.paton at hp.com
> M +44 7786 748 199
> 
> 
> From: users-bounces+andy.paton=hp.com at lists.strongswan.org [mailto:users-bounces+andy.paton=hp.com at lists.strongswan.org] On Behalf Of Michael Ulitskiy
> Sent: 22 July 2013 15:40
> To: users at lists.strongswan.org
> Subject: [strongSwan] Win7 L2TP/IPSEC clients disconnect every 8 hours
> 
> 
> Hello,
> 
> I've set up a strongswan/openl2tp pair as l2tp/ipsec server for win7 clients.
> The IPSEC part is using PSK authentication.
> Everything works fine except one problem. Win7 clients disconnect exactly every 8 hours.
> It seems it fails to rekey the IKE SA. The config is pretty standard:
> 
> ipsec.conf:
> conn l2tp
>         rekey = no
>         type=transport
>         leftauth=psk
>         rightauth=psk
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
>         auto=add
> 
> I wonder if it's a known problem and if there's any fix for it. I did some googling, but didn't find any definitive answers.
> 
> Please help,
> Thanks,
> 
> Michael
> 
> 