Mobile clients: SAD/SPD hard/soft limits are not using the phase 1/2 policies



  • I have an issue where every 48/54 minutes I get a prompt on my OS X Lion Cisco VPN client to re-authenticate.  The IPsec logs are stating "racoon: [Self]: INFO: ISAKMP-SA expired".

    When I do a "setkey -D" I see all of the hard limits are set to 3600 sec and the soft limits are set to 2880 sec.

    From what I understand, they should be using my phase 1/2 lifetime limits, which I have set to 86400 and 86000 (respectively).

    I'm a bit lost at this point; the tunnels seem to be working perfectly, I just can't seem to keep them up for longer than 1 hr without doing another Xauth.

    I've tried many different variations of settings for Policy Generation and Proposal Checking.

    Currently I have Policy Generation = Unique
    and Proposal Checking = Strict
    and NAT-Traversal = Force

    It's not just my OS X Lion VPN, I get the same issue with my iPhone, iPad and Android (ICS 4.0.2): they all connect perfectly, and the tunnels pass traffic great, I just can't keep them connected longer than 1 hour.

    Any ideas?  I'm on the frustration train right now... please help... thanks.


  • Rebel Alliance Developer Netgate

    Most IPsec clients/servers will expire the connection at about 2/3 or so of the limit to be sure it gets rekeyed before it would expire on the other side.

    As far as I can see, racoon doesn't have a parameter to control whether or not xauth is re-forced when the Phase 1 expires.

    What you set for your p1/p2 times may be getting overridden by what the client is requesting on connection (that's what setting 'obey' will do, generally).
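As an added diagnostic for the thread (example code written here, not code from the post, pfSense or racoon), this script parses the time-lifetime line of `setkey -D` output and reports, per kernel IPsec SA, the negotiated hard and soft lifetimes, the soft/hard ratio and the time until rekey, flagging any SA whose hard limit is shorter than the phase 2 lifetime configured on the server. With the numbers in the post it would flag 3600 s against the configured 86000 s, with soft/hard = 2880/3600 = 0.8. The sample dump below is constructed (made-up addresses and SPIs, modelled on the KAME `setkey -D` layout); `audit`, `parse_setkey_dump` and `SaLifetime` are names chosen for this example. Note that `setkey -D` only lists the kernel ESP/AH (phase 2) SAs; the ISAKMP SA that the log reports expiring lives inside racoon itself (`racoonctl show-sa isakmp`), so the phase 1 lifetime has to be checked there.

```python
"""Audit negotiated IPsec SA lifetimes from `setkey -D` output.

Example added for this thread; not code from the post, pfSense or racoon.
Only the time-lifetime line ("diff: N(s)  hard: N(s)  soft: N(s)") is used.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the `setkey -D` format of the KAME IPsec stack
# used by racoon (macOS, *BSD). Addresses, SPIs and keys are made up.
SAMPLE_SETKEY_D = """\
203.0.113.10 192.0.2.20
\tesp mode=tunnel spi=2574698553(0x9976c839) reqid=16385(0x00004001)
\tE: aes-cbc  7c4b1a2f1e0d9c8b7a6f5e4d3c2b1a09
\tA: hmac-sha1  0e1d2c3b4a5968778695a4b3c2d1e0f1a2b3c4d5
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Feb 12 10:00:00 2012\tcurrent: Feb 12 10:20:00 2012
\tdiff: 1200(s)\thard: 3600(s)\tsoft: 2880(s)
\tlast: Feb 12 10:19:58 2012\thard: 0(s)\tsoft: 0(s)
\tcurrent: 48211(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 95\thard: 0\tsoft: 0
\tsadb_seq=1 pid=4242 refcnt=1
192.0.2.20 203.0.113.10
\tesp mode=tunnel spi=3009300505(0xb35e4819) reqid=16385(0x00004001)
\tE: aes-cbc  9f8e7d6c5b4a39281706f5e4d3c2b1a0
\tA: hmac-sha1  a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Feb 12 10:00:00 2012\tcurrent: Feb 12 10:20:00 2012
\tdiff: 1200(s)\thard: 86000(s)\tsoft: 68800(s)
\tlast: Feb 12 10:19:58 2012\thard: 0(s)\tsoft: 0(s)
\tcurrent: 51337(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 97\thard: 0\tsoft: 0
\tsadb_seq=0 pid=4242 refcnt=1
"""

# An SA block starts with an unindented "src dst" line; all other lines are indented.
HEADER_RE = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+)$")
PROTO_RE = re.compile(r"^\s*(?P<proto>esp|ah|ipcomp)\s+mode=(?P<mode>\w+)\s+spi=(?P<spi>\d+)")
STATE_RE = re.compile(r"\bstate=(?P<state>\w+)")
# Only the time-lifetime line starts with "diff:"; the byte and allocation
# lifetime lines ("current: ...(bytes)", "allocated: ...") use other prefixes.
TIME_RE = re.compile(
    r"^\s*diff:\s*(?P<diff>\d+)\(s\)\s+hard:\s*(?P<hard>\d+)\(s\)\s+soft:\s*(?P<soft>\d+)\(s\)"
)


@dataclass
class SaLifetime:
    src: str
    dst: str
    proto: str
    mode: str
    spi: int
    state: str
    age: int   # seconds since the SA was created (the "diff" field)
    hard: int  # seconds; the kernel deletes the SA when this is reached
    soft: int  # seconds; racoon starts rekeying when this is reached

    @property
    def soft_ratio(self) -> float:
        return self.soft / self.hard if self.hard else 0.0

    def seconds_until_rekey(self) -> int:
        return max(self.soft - self.age, 0)


def parse_setkey_dump(text: str) -> List[SaLifetime]:
    """Extract one SaLifetime per SA block in `setkey -D` output."""
    sas: List[SaLifetime] = []
    cur = None
    for line in text.splitlines():
        if not line[:1].isspace() and (m := HEADER_RE.match(line)):
            cur = {"src": m["src"], "dst": m["dst"]}
            continue
        if cur is None:
            continue
        if m := PROTO_RE.match(line):
            cur.update(proto=m["proto"], mode=m["mode"], spi=int(m["spi"]))
        elif m := STATE_RE.search(line):
            cur["state"] = m["state"]
        elif m := TIME_RE.match(line):
            cur.update(age=int(m["diff"]), hard=int(m["hard"]), soft=int(m["soft"]))
            cur.setdefault("state", "unknown")
            sas.append(SaLifetime(**cur))
            cur = None  # remaining lines of this block carry byte/allocation limits only
    return sas


def audit(text: str, configured_p2_lifetime: int) -> List[dict]:
    """Compare each SA's negotiated lifetime with the server's phase 2 setting.

    An SA whose hard lifetime is below the configured value did not get the
    server's lifetime; the peer's proposed lifetime was accepted instead.
    """
    report = []
    for sa in parse_setkey_dump(text):
        report.append({
            "sa": f"{sa.src} -> {sa.dst} {sa.proto}/{sa.mode} spi=0x{sa.spi:08x}",
            "hard": sa.hard,
            "soft": sa.soft,
            "soft_ratio": round(sa.soft_ratio, 2),
            "rekey_in": sa.seconds_until_rekey(),
            "shorter_than_configured": sa.hard < configured_p2_lifetime,
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_SETKEY_D, configured_p2_lifetime=86000):
        flag = "SHORT" if row["shorter_than_configured"] else "ok"
        print(f"{flag:5} {row['sa']} hard={row['hard']}s soft={row['soft']}s "
              f"(soft/hard={row['soft_ratio']}) rekey in {row['rekey_in']}s")
```

Run it against a real dump with `setkey -D | python3 audit.py` after replacing the constructed sample with `sys.stdin.read()`; an SA flagged SHORT is the one whose lifetime came from the peer's proposal rather than the server's phase 2 policy, which is what the reply above suggests checking.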

