Author Topic: DFL-210 VPN issues after IKE timeout  (Read 12544 times)

dmac

  • Level 1 Member
  • *
  • Posts: 4
DFL-210 VPN issues after IKE timeout
« on: August 13, 2009, 11:21:46 AM »

I have an L2TP/IPSEC w PSK VPN set up on my DFL-210 that I connect to via the Windows XP built-in VPN client support.  Everything works fine except the XP VPN client always fails after 7 hrs and 54 minutes, which I believe is related to a failing IKE renegotiation.  Has anyone else seen a similar issue?  Here are my IPSEC algorithm settings:
IKE Algorithms: High (3des, AES, Blowfish, MD5, SHA1)
IKE Lifetime: 28800 seconds

IPSec Algorithms: High
IPSec Life Time: 3600 seconds
IPSec Life Time: 250000 kilobytes

I also have a similar issue with a site to site IPSEC VPN with a Cisco ASA 5505.  I don't have the logs handy now but they indicated the IKE negotiating was failing.  If I used the killsa command to clear it out it would create a new connection and work fine for another 8 hrs or so.
Logged

NovaE

  • Level 1 Member
  • *
  • Posts: 20
Re: DFL-210 VPN issues after IKE timeout
« Reply #1 on: August 13, 2009, 05:12:05 PM »

Had a similar issue with this once before. What firmware are you running?
Logged

dmac

  • Level 1 Member
  • *
  • Posts: 4
Re: DFL-210 VPN issues after IKE timeout
« Reply #2 on: August 23, 2009, 04:09:56 PM »

It's running: 2.20.02.12-7178

I see there's a newer firmware out so I'll give it a try.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DFL-210 VPN issues after IKE timeout
« Reply #3 on: August 24, 2009, 08:56:35 AM »

The latest firmware (from security.dlink.com.tw) is:

Dec 05, 2008   DFL-210 Firmware Ver. 2.20.03.08

This is an IKE negotiation error.

Do you experience issues if you remove the throughput based lifetime for IPsec?

Have you tried killing this SA like you did last time? Does it give you another 8 hours?
Logged
non progredi est regredi

dmac

  • Level 1 Member
  • *
  • Posts: 4
Re: DFL-210 VPN issues after IKE timeout
« Reply #4 on: September 02, 2009, 07:25:42 PM »

Ok, I tried the firmware update but the problem still exists.

Killing the SA does give another 8hrs of connectivity.

I haven't tried removing the throughput limit yet but will try that next.

Here is the log after a l2tp/ipsec session fails after 8 hrs:

2009-09-02 17:53:22 Warning    L2TP 2800019 malformed_packet iface=l2tp_wan_dialup_vpn remotegw=rr.r.rrr.rrr error_code=5002
2009-09-02 17:53:21 Info IPSEC 1802732 ipsec_sa_destroyed spiin="ESP 47274dbf" spiout="ESP b9596941"
2009-09-02 17:53:21 Warning IPSEC 1800106 ike_invalid_payload local_ip=ll.lll.l.lll remote_ip=rr.r.rrr.rrr cookies= reason="IKE_INVALID_COOKIE"
2009-09-02 17:53:21 Info IPSEC 1803021 ipsec_sa_statistics done=44 success=44 failed=0
2009-09-02 17:53:21 Info IPSEC 1802045 ipsec_sa_lifetime kb=250000 sec=3600
2009-09-02 17:53:21 Info IPSEC 1802043 ipsec_sa_informal spiin="a64749a1 " spiout="2f1a9336 " alg=3des-cbc keysize= mac=hmac-md5-96
2009-09-02 17:53:21 Info IPSEC 1802058 ipsec_sa_informal local_id="ll.lll.l.lll udp:1701" remote_id="squarepants udp:1701"
2009-09-02 17:53:21 Info IPSEC 1802703 ike_sa_negotiation_completed ike_sa_completed local_peer="ll.lll.l.lll:4500 ID ll.lll.l.lll" remote_peer="rr.r.rrr.rrr:43535 ID squarepants" initiator_spi="7bbcadb6 4f2cb9e5" responder_spi="3719a92a 0d9b55dd" int_severity=6
2009-09-02 17:53:21 Info IPSEC 1802040 ipsec_sa_negotiation_completed ipsec_sa_enabled sa=Responder info="NAT-T" local_peer="ll.lll.l.lll:4500 ID ll.lll.l.lll" remote_peer="rr.r.rrr.rrr:43535 ID squarepants" spi_in="ESP a64749a1" spi_out="ESP 2f1a9336"
2009-09-02 17:53:21 Info IPSEC 1802703 ike_sa_negotiation_completed ike_sa_completed local_peer="ll.lll.l.lll:4500 ID ll.lll.l.lll" remote_peer="rr.r.rrr.rrr:43535 ID squarepants" initiator_spi="7bbcadb6 4f2cb9e5" responder_spi="3719a92a 0d9b55dd" int_severity=6
2009-09-02 17:53:21 Info IPSEC 1802024 ike_sa_negotiation_completed options="Responder, NAT-T" mode="Main Mode" auth="Pre-shared keys" encryption=3des-cbc keysize= hash=sha1 dhgroup=2 bits=1024 lifetime=28800
Logged
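
An added example (not part of the thread and not D-Link code): a small parser for log lines in the format posted above that checks whether an IKE_INVALID_COOKIE warning falls near the end of the negotiated IKE lifetime, which is the pattern the 7 hr 54 min failures against a 28800-second lifetime point to. The sample lines, the documentation-range addresses, the single-peer simplification and the 10% window are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log above (newest line first).
# Addresses are documentation ranges; the 09:59:10 line is made up.
SAMPLE_LOG = """\
2009-09-02 17:53:22 Warning    L2TP 2800019 malformed_packet iface=l2tp_wan_dialup_vpn remotegw=198.51.100.7 error_code=5002
2009-09-02 17:53:21 Info IPSEC 1802732 ipsec_sa_destroyed spiin="ESP 47274dbf" spiout="ESP b9596941"
2009-09-02 17:53:21 Warning IPSEC 1800106 ike_invalid_payload local_ip=192.0.2.1 remote_ip=198.51.100.7 cookies= reason="IKE_INVALID_COOKIE"
2009-09-02 09:59:10 Info IPSEC 1802024 ike_sa_negotiation_completed options="Responder, NAT-T" mode="Main Mode" auth="Pre-shared keys" encryption=3des-cbc keysize= hash=sha1 dhgroup=2 bits=1024 lifetime=28800
"""

# key=value pairs; the value may be quoted (with spaces) or empty
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse(line):
    """Split one log line into timestamp, severity, event name and fields."""
    parts = line.split(None, 6)
    if len(parts) < 6:
        return None
    rec = {k: q or b for k, q, b in KV.findall(parts[6] if len(parts) > 6 else "")}
    try:
        rec["ts"] = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None  # not a log line
    rec["severity"], rec["event"] = parts[2], parts[5]
    return rec

def find_rekey_failures(log_text, window=0.10):
    """Flag IKE_INVALID_COOKIE warnings seen in the last `window` fraction of
    the most recently negotiated IKE lifetime (assumes a single peer)."""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    records = sorted(reversed(records), key=lambda r: r["ts"])  # oldest first
    established, lifetime, hits = None, None, []
    for r in records:
        if r["event"] == "ike_sa_negotiation_completed" and r.get("lifetime", "").isdigit():
            established, lifetime = r["ts"], int(r["lifetime"])
        elif r["event"] == "ike_invalid_payload" and r.get("reason") == "IKE_INVALID_COOKIE":
            if established is None:
                continue  # no negotiation seen yet, nothing to compare against
            age = int((r["ts"] - established).total_seconds())
            if age >= (1 - window) * lifetime:
                hits.append({"remote_ip": r.get("remote_ip"),
                             "age_s": age, "lifetime_s": lifetime})
    return hits

if __name__ == "__main__":
    for hit in find_rekey_failures(SAMPLE_LOG):
        print(hit)
```
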

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DFL-210 VPN issues after IKE timeout
« Reply #5 on: September 03, 2009, 08:33:31 AM »

Keep us informed, I hope this works out for you.
Logged
non progredi est regredi

csierra

  • Level 1 Member
  • *
  • Posts: 1
Re: DFL-210 VPN issues after IKE timeout
« Reply #6 on: January 16, 2010, 07:16:59 AM »

Hi, I experienced the same problem and after weeks of tweaks I found that by changing the IPSEC setting "Encapsulation mode" from TUNNEL to "BOTH" (Tunnel and Transport) the "ike_invalid_payload" message disappears and traffic flows with no problems.

Hope this can help you,

Regards,

CARLOS
Logged