From: Ross Clarke <ross@ne...> - 2007-10-04 15:55:05
We are running an L2TP server using ipsec-tools and everything has been
great using Windows XP as a client; however, we are having endless
problems trying to get Vista machines to connect. If I restart racoon,
the first Vista machine that attempts to connect will work perfectly;
after that the same Vista machine cannot disconnect/reconnect and no
other Vista machines can connect. If I restart racoon again I will be
allowed that 1 Vista connection, then the same problem. I can also have
my 1 Vista connection happen again by using setkey to delete the SPD
entries. I have rebuilt everything from the CVS tree with the same result.
Has anyone ever experienced anything like this?
From: Nick Sharp <nsharp@va...> - 2007-11-15 06:22:27
Having read your previous message with this same subject (regarding the L2TP
VPN under Vista connecting once, then never again until racoon is restarted),
I may have some useful information on this (though not a solution as yet;
I currently have the same problem). I am using a Debian etch setup and,
tracing it via the Windows IKE auditing, it looks to be that Vista is not
wanting to use a new SA presented upon reconnect.
As this site suggests (http://blogs.isaserver.org/pouseele/2007/07/), I get
the ID 4653: An IPsec Main Mode negotiation failed. Failure Reason: New policy
invalidated SAs formed with old policy.
XP is working fine and has been from day one.
I then set this up on a BSD-based install and found that the
net.key.preferred_oldsa kernel switch resolved the issue straight away.
Back under Linux, I have tried playing with SA timeouts and proposal_check
options and nothing has seemed to make it work so far.
My question is: is there a development plan to include a similar kernel
switch to fix this under Linux? And/or is there another solution anyone has
come across, or a test I can try to help debug?
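As an added diagnostic (not code from either poster), here is a small Python parser over `setkey -D`-style SAD output that finds peer pairs still holding more than one mature SA, which is the lingering-SA condition behind the reconnect failures described above, and emits `setkey -c` delete lines for the older ones. The dump is constructed, and the exact `setkey -D` line layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `setkey -D` output (layout is an
# assumption). The first two entries are the same peer pair: the old SA from
# the previous connection is still mature when the reconnect creates a new one.
SAMPLE_DUMP = """\
192.0.2.10 198.51.100.5
\tesp mode=transport spi=305419896(0x12345678) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Oct  4 15:00:01 2007\tcurrent: Oct  4 15:40:00 2007
\tdiff: 2399(s)\thard: 3600(s)\tsoft: 2880(s)
192.0.2.10 198.51.100.5
\tesp mode=transport spi=2271560481(0x87654321) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Oct  4 15:35:00 2007\tcurrent: Oct  4 15:40:00 2007
\tdiff: 300(s)\thard: 3600(s)\tsoft: 2880(s)
198.51.100.5 192.0.2.10
\tesp mode=transport spi=1122867(0x00112233) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 300(s)\thard: 3600(s)\tsoft: 2880(s)
"""

HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")          # unindented "src dst" line
SPI = re.compile(r"^\s+(\w+)\s+mode=(\w+)\s+spi=(\d+)")
STATE = re.compile(r"state=(\w+)")
AGE = re.compile(r"diff:\s*(\d+)\(s\)")              # seconds since the SA was created

def parse_sad(dump):
    """Turn the dump into one dict per SA: src, dst, proto, mode, spi, state, age."""
    sas, cur = [], None
    for line in dump.splitlines():
        if m := HEADER.match(line):
            cur = {"src": m[1], "dst": m[2]}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if m := SPI.match(line):
            cur.update(proto=m[1], mode=m[2], spi=int(m[3]))
        if m := STATE.search(line):
            cur["state"] = m[1]
        if m := AGE.search(line):
            cur["age"] = int(m[1])
    return sas

def stale_sas(sas):
    """For each (src, dst, proto) with more than one mature SA, return all but the newest."""
    groups = defaultdict(list)
    for sa in sas:
        if sa.get("state") == "mature":
            groups[(sa["src"], sa["dst"], sa.get("proto"))].append(sa)
    stale = []
    for members in groups.values():
        if len(members) > 1:
            stale.extend(sorted(members, key=lambda s: s.get("age", 0))[1:])
    return stale

def cleanup_commands(stale):
    """Emit `setkey -c` input lines that delete each stale SA by SPI."""
    return [f"delete {s['src']} {s['dst']} {s['proto']} 0x{s['spi']:08x};" for s in stale]

if __name__ == "__main__":
    print("\n".join(cleanup_commands(stale_sas(parse_sad(SAMPLE_DUMP)))))
```

On a live server the same functions can be fed the real output of `setkey -D`, and the printed lines piped into `setkey -c` once you have confirmed the flagged SPIs belong to the dead connection.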