
IPSEC with PAT and Rekeying Issues



Hi,
We are in the process of implementing IPSEC through a PAT device.
After the initial implementation with ISAKMP over source port 500/destination port 500, we moved to
an implementation of ISAKMP over source port <PATed port>/500 to enable certain
VPN servers to allow multiple connections coming from the same client IP address, since they rely on
different source ports to identify different clients coming from the same IP address.
 
The problem, however, is that it fails on a rekey. When the client is inactive (not sending any traffic),
the rekey fails 100%. If the client is active (ftp traffic), then the rekey succeeds about 33%.
 
Any ideas?
Is it that servers want rekey to happen at 500/500 only?
Does the server not like me fiddling with the port numbers? (We are using tunnel mode ESP.)
 
The logs of the interaction are below. I observe that the reason for failure is that
there are 0 Phase 1 SAs currently in the system.
 
Any help would be appreciated,
Thanks,
Amit
 

696 16:31:01.367 12/18/01 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 64.209.75.174

697 16:31:01.367 12/18/01 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 64.209.75.174

698 16:31:01.367 12/18/01 Sev=Info/5 IKE/0x63000018

Deleting IPsec SA: (OUTBOUND SPI = CFD7402 INBOUND SPI = AB1B734D)

699 16:31:01.367 12/18/01 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 64.209.75.174

700 16:31:01.367 12/18/01 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 64.209.75.174

701 16:31:01.367 12/18/01 Sev=Info/5 IKE/0x6300003C

Received a DELETE payload for IKE SA with Cookies = 400539EC1B31FA0F86EBBAE9D13B58B1

702 16:31:01.367 12/18/01 Sev=Info/5 IKE/0x63000017

Marking IKE SA for deletion (COOKIES = 400539EC1B31FA0F 86EBBAE9D13B58B1) reason = DEL_REASON_PEER_DELETION

703 16:31:01.417 12/18/01 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x4d731bab

704 16:31:01.417 12/18/01 Sev=Info/4 IPSEC/0x6370000C

Key deleted by SPI 0x4d731bab

705 16:31:01.417 12/18/01 Sev=Info/4 IPSEC/0x63700013

Delete internal key with SPI=0x0274fd0c

706 16:31:01.417 12/18/01 Sev=Info/4 IPSEC/0x6370000C

Key deleted by SPI 0x0274fd0c

707 16:31:03.080 12/18/01 Sev=Info/5 IKE/0x63000055

Received a key request from Driver for IP address 255.255.255.255, GW IP = 64.209.75.174

708 16:31:03.080 12/18/01 Sev=Warning/3 IKE/0xE3000062

Could not find an IKE SA for 64.209.75.174. KEY_REQ aborted.

709 16:31:03.420 12/18/01 Sev=Info/4 IPSEC/0x63700010

Created a new key structure

710 16:31:04.923 12/18/01 Sev=Info/4 CM/0x63100013

Phase 1 SA deleted cause by DEL_REASON_PEER_DELETION. 0 Phase 1 SA currently in the system
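
An added example, not part of the original post: a small Python parser for the client log format shown above that flags each key request aborted after the peer deleted the IKE (Phase 1) SA, which is the sequence visible in records 702 to 708. The function names are hypothetical, and the record layout is inferred only from the lines in this post.

```python
import re

# Record header in the client log: seq, time, date, Sev=<level>/<n>, <component>/<msg id>
HEADER = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+\S+\s+Sev=(\w+)/\d\s+(\w+)/0x[0-9A-Fa-f]+$")
ABORT = re.compile(r"Could not find an IKE SA for (\S+)\. KEY_REQ aborted")

def parse_records(text):
    """Pair each header line with the message line(s) that follow it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({"seq": int(m.group(1)), "time": m.group(2),
                            "sev": m.group(3), "component": m.group(4), "msg": ""})
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def find_rekey_failures(records):
    """Return (delete_seq, abort_seq, peer) for every key request that was
    aborted after the peer had deleted the IKE (Phase 1) SA."""
    deleted_at, failures = None, []
    for r in records:
        msg = r["msg"]
        if "Marking IKE SA for deletion" in msg and "DEL_REASON_PEER_DELETION" in msg:
            deleted_at = r["seq"]
        m = ABORT.search(msg)
        if m and deleted_at is not None:
            failures.append((deleted_at, r["seq"], m.group(1)))
    return failures

# Records 702, 707 and 708 copied from the log in the post above.
SAMPLE = """\
702 16:31:01.367 12/18/01 Sev=Info/5 IKE/0x63000017

Marking IKE SA for deletion (COOKIES = 400539EC1B31FA0F 86EBBAE9D13B58B1) reason = DEL_REASON_PEER_DELETION

707 16:31:03.080 12/18/01 Sev=Info/5 IKE/0x63000055

Received a key request from Driver for IP address 255.255.255.255, GW IP = 64.209.75.174

708 16:31:03.080 12/18/01 Sev=Warning/3 IKE/0xE3000062

Could not find an IKE SA for 64.209.75.174. KEY_REQ aborted.
"""

if __name__ == "__main__":
    for deleted, aborted, peer in find_rekey_failures(parse_records(SAMPLE)):
        print(f"record {aborted}: KEY_REQ to {peer} aborted; IKE SA deleted by peer at record {deleted}")
```

The sketch does not track a new Phase 1 negotiation that might follow the deletion, so on longer logs the deletion marker should be cleared when a new IKE SA is established.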