[Swan] L2TP/IPsec: Strange problems with rekey

Paul Wouters paul at nohats.ca
Mon Nov 24 22:09:53 EET 2014


On Mon, 24 Nov 2014, Michael Schwartzkopff wrote:

> we want to set up an OpenSWAN server in the data center and some Windows
> L2TP/IPsec clients in remote locations. In most of the cases it works, but some
> clients behave very strangely.
>
> When the time for rekey comes they send out an Informational Message to delete
> the current IPsec SA WITHOUT setting up a new phase 2 SA before. Of course
> communication breaks down; the Windows client recognizes it after one minute
> and starts the complete Main Mode negotiation again.
>
> tcpdump on the Windows machine shows that the Windows machine really does not
> send out Quick Mode IKE packets to negotiate new Phase 2 credentials.
>
> Together with the customer I am trying to figure out what the differences might be
> between a working and a failing Windows installation. But perhaps somebody on
> the list has seen this behaviour before and knows the cause of the problem.
>
> Any hints?

If using username/passwords, ensure those are saved in the connection or
else it cannot rekey. Other than that, I don't know. Usually people do
not use L2TP/IPsec for long-lived IPsec connections. You could try using
the native XAUTH with libreswan using the Shrew VPN client for Windows?

Paul