Environment
Situation
An error was reported by the IKE application
Either (vpn server address) is an invalid vpn server address or the IKE is not loaded on the VPN server.
For more details please look at IKE.log
Ike.log on server shows the following:
2-26-2009 10:09:52 pm Start IKE-SA 99708120 - Responder,src=vpn server,dst=client vpn address,TotSA=1
2-26-2009 10:09:52 pm AUTH ALG IS 3
2-26-2009 10:09:52 pm Negotiating for an NMAS user client vpn address
2-26-2009 10:09:52 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
2-26-2009 10:09:52 pm Local server's interfaces : xx.xx.xx.xx
2-26-2009 10:09:52 pm Local server's interfaces : yy.yy.yy.yy
2-26-2009 10:09:52 pm Recieved Supported Vendor id Novell Border Manager VPN 4.0 client - Protected Net from client vpn address
2-26-2009 10:09:52 pm Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from client vpn address
2-26-2009 10:09:52 pm ***Send Main Mode message to client vpn address
2-26-2009 10:09:52 pm I-COOKIE=A950C4DD67FB0CA6,R-COOKIE=8DCBE01438D52E8D,MsgID=0,1stPL=SA-PAYLOAD,state=-1714388660
2-26-2009 10:09:52 pm ***Receive Main Mode message from client vpn address
2-26-2009 10:09:52 pm I-COOKIE=A950C4DD67FB0CA6,R-COOKIE=8DCBE01438D52E8D,MsgID=0,1stPL=KEY-PAYLOAD,state=-1714388608
2-26-2009 10:09:53 pm There is NAT in between server and client
2-26-2009 10:09:53 pm Recieved MM ID payload type 1 protocol 0 portnum 0 length 8
2-26-2009 10:09:53 pm *Received MM ID ID_IPV4_ADDR nn.nn.nn.nn
2-26-2009 10:09:53 pm copyPreSharedKey : Client's Real address - 0x201A8C0
2-26-2009 10:09:57 pm Retransmit timer expired :Peer lost our reply retransmit the old packet to client vpn address
The previous VPN clients, versions 3.8.16 and 3.9.0, worked for 5-6 hours. After that, attempting a new connection displays the same error.
Resolution
A new ike.nlm contains the fix for this issue. It is version 7.02.02, dated 12-nov-2009, and is available in the bm39sp2_ir1 patch.
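To check whether a server's IKE.log shows the pattern quoted in the Situation section (NAT detected during Main Mode, then "Retransmit timer expired"), the following added example scans the log per IKE-SA. It is not part of the original article or of any Novell tool; the function names and the sample log are constructed here, and only message strings visible in the log above are matched.

```python
import re
from datetime import datetime

# Timestamp prefix as it appears in the quoted IKE.log, e.g. "2-26-2009 10:09:52 pm".
TS = re.compile(r"^(\d{1,2})-(\d{1,2})-(\d{4}) (\d{1,2}):(\d{2}):(\d{2}) ([ap]m) (.*)$", re.I)

def parse_entries(text):
    """Return [datetime, message] entries; untimestamped lines are wrapped continuations."""
    entries = []
    for raw in text.splitlines():
        m = TS.match(raw.strip())
        if m:
            mo, d, y, h, mi, s = map(int, m.groups()[:6])
            h = h % 12 + (12 if m.group(7).lower() == "pm" else 0)  # 12-hour to 24-hour
            entries.append([datetime(y, mo, d, h, mi, s), m.group(8)])
        elif entries and raw.strip():
            entries[-1][1] += " " + raw.strip()  # rejoin a wrapped log line
    return entries

def find_stalled_negotiations(text):
    """Return one record per IKE-SA that logged NAT detection followed by a
    'Retransmit timer expired' entry (the pattern shown in the article)."""
    hits, cur = [], None
    for ts, msg in parse_entries(text):
        start = re.match(r"Start IKE-SA (\d+)", msg)
        if start:
            cur = {"sa": start.group(1), "start": ts, "nat": False, "retransmits": 0}
        elif cur is None:
            continue
        elif "There is NAT in between" in msg:
            cur["nat"] = True
        elif msg.startswith("Retransmit timer expired"):
            cur["retransmits"] += 1
            if cur["nat"] and cur["retransmits"] == 1:
                cur["stall_after_s"] = int((ts - cur["start"]).total_seconds())
                hits.append(cur)
    return hits

# Constructed sample in the format quoted above (addresses are placeholders).
SAMPLE_LOG = """\
2-26-2009 10:09:52 pm Start IKE-SA 99708120 - Responder,src=vpn server,dst=client vpn address,TotSA=1
2-26-2009 10:09:52 pm ***Send Main Mode message to client vpn address
2-26-2009 10:09:53 pm There is NAT in between server and client
2-26-2009 10:09:53 pm *Received MM ID
ID_IPV4_ADDR nn.nn.nn.nn
2-26-2009 10:09:57 pm Retransmit timer expired :Peer lost our reply retransmit the old packet to client vpn address
"""
if __name__ == "__main__":
    print(find_stalled_negotiations(SAMPLE_LOG))
```

A non-empty result only means the log matches the quoted symptom; confirming the cause still requires checking the installed ike.nlm version against the one named in the Resolution.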