locked
IPSec between Windows XP clients and Windows 2008 server RRS feed

  • Question

  • Hello,
     
    We've started replacing our servers with fresh new installations of Windows 2008 (32 bit). We have too many XP workstations, so upgrading those will be gradual, after servers are upgraded. We use IPSec in our network to protect data. Now we have two 2008 servers with IPSec on them using Policy Agent, firewall temporarily disabled. The two servers have no problem between them. XP systems have no problem with older servers. But communication between XP systems (SP3 and same on SP2) and 2008 servers is unstable:

    It works fine for a while then it's interrupted for a minute or so. After digging I’ve noticed this is related to SA expiration (Quick Mode). E.g. when idle for a little more then 5 minutes (which is the default idle expiration for SA) the SA on the 2008 servers is removed, but on the XP client it remains active for about one extra minute or so. In the oakley.log on XP there is an "Expire spi failed 1169", logged after an expire attempt "Expiring SPI 2538871135 src 5601a8c0 dst 9701a8c0" - this happens after 5 minutes idle. The SA on the client stays there for another minute or so and there is no reply to packets sent to the server during this minute as the SA on the server has already been deleted. After about one minute the client SA is deleted too and a new SA is created so communication can continue.

    This can be reproduced almost every time, after idle for about 5 minutes and 10 seconds. The SA expiration (with traffic) is set to one hour and less then 100 MB. Even with ping -t (traffic) sometimes same thing happens when the SA must expire (one hour).
    So the problem seems to be related with the SA expiration acknowledgement reply that I guess must be sent from the 2008 to XP. XP clients seem to attempt to expire the SA but fail to get the acknowledgement from the server and still keep the obsolete one, blocking traffic initiated by the client, or at least this is how it looks.

    In most cases pinging the XP client from the 2008 server reestablishes communication.

    Please let me know if there is any solution to this, or we must first upgrade to Windows 7 before upgrading the servers to Windows 2008 or Windows 2008 R2.

    Thank you.

     

     

     

    Friday, April 30, 2010 6:46 AM