Mobile clients: SAD/SPD hard,soft limits are not using the phase1/2 policies
I have an issue where every 48/54minutes I get a prompt on my OSX lion cisco vpn client to re-authenticate. The IPSEC logs are stating "racoon: [Self]: INFO: ISAKMP-SA expired"
When i do a "setkey -D" i see all of the hard limits are set to 3600sec and the soft limits are set to 2880secs.
From what i understand, they should be using my phase1/2 lifetime limits, which i have set to 86400, and 86000(respectively).
I'm a bit lost at this point, the tunnels same to be working perfectly, I just can't seem to keep them up for longer then 1hr without doing another Xauth.
I've tried many different variations of setting with Policy Generation and Proposal Checking.
currently i have Policy Generation = Unique
and Proposal Checking = Strict
and NAT-Traversal = Force
I'ts not just my OSX Lion VPN, I get the same issue with my iPhone, IPAD and Android(ICS 4.0.2) - they all connect perfectly, and the tunnels pass traffic great, i just can't keep them connected longer than 1hour.
I ideas? i'm on the frustration trains right now…. please help.... thanks.
Most IPsec clients/servers will expire the connection at about 2/3 or so of the limit to be sure it gets rekeyed before it would expire on the other side.
As far as I can see, racoon doesn't have a parameter to control whether or not xauth is re-forced when the Phase 1 expires.
What you set for your p1/p2 times may be getting overridden by what the client is requesting on connection (that's what setting 'obey' will do, generally)