
ISAKMP timeout (over GPRS) ?

jlacis
Level 1

I have got a strange situation. If I connect to the VPN server using my home GPRS network, the VPN service works fine. As soon as the same client (same computer, same Cisco VPN client) goes abroad, there are complaints that VPN access does not work, although I see that packets come in on UDP:500.

It does seem that the ISAKMP phase times out while exchanging certificates because it takes longer from a foreign GPRS network! I tried to find out how to enlarge the initial ISAKMP timeout but have not been successful yet :-( Any idea?

4 Replies

nikhil_m
Level 1

But this problem does not look like something to do with timeout.

But ACL log shows packets are coming in:

Nov 19 15:23:23: %SEC-6-IPACCESSLOGP: list 102 permitted udp 210.117.153.165(500) -> XXX.XXX.XXX.XXX(500), 5 packets

I looked at "debug crypto isakmp" - it seemed quite normal. The idea about timeout came to my mind because if I do not enter username/password (already after ISAKMP phase with certificates is done) just for a few seconds it times out and disconnects.

mjreupenny
Level 1

Hi,

I've encountered the same problems with some of my users who VPN from home using GPRS. I too suspected that the connection failed because the timing for ISAKMP was 'out of sync'. So to fix that, I just switched the option on the Cisco VPN client (Properties -- Transport) to enable transparent tunneling 'IPSec over TCP' and the problem was solved. At least with TCP, it'll provide a mechanism with reliability instead of using unreliable UDP. Hope this helps in some way.

-mrew-

Thanks for the advice! I do suspect that my Cisco Router 3620 with IOS=c3620-ik9o3s7-mz.122-15.T9.bin does not support Transparent Tunneling over TCP? Maybe some configuration has to be done?

What kind of device are you using as a VPN concentrator?