17

VPNC for some reason keeps disconnecting me after a period of time. I've tried timing it to see how long it takes, and it seems to be every time after 24 minutes.

After being disconnected I have no internet connection, as my /etc/resolv.conf is still the same as it should be when connected to vpnc. If I try vpnc-disconnect it only says "no vpnc found running". I have to take eth0 down and up, then manually edit /etc/resolv.conf to get a proper network connection.

My settings are the following:

IPSec gateway xx.xx.xx.xx
IPSec ID anonymized
IPSec secret anonymized
#IKE Authmode hybrid
Xauth username myUsername
DPD idle timeout (our side) 0

I also tried having a ping running continuously. I have streams and music playing continuously as well, but it still disconnects me.

This is working fine without disconnects on windows.

EDIT. More info: I've added a log from my /var/log/syslog of what happens when I am disconnected:

I connect first:

 Jul 24 14:03:09 cad-unix NetworkManager[1086]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
 Jul 24 14:03:09 cad-unix NetworkManager[1086]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.

Then I am disconnected after 24 minutes:

 Jul 24 14:27:29 cad-unix avahi-daemon[1089]: Withdrawing workstation service for tun0.
 Jul 24 14:27:29 cad-unix NetworkManager[1086]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)

Edit: Tweaked the question a bit for better reading. Also now specifying that the problem happens at 24 minutes every time.

Edit: Version I'm running: vpnc version 0.5.3

Edit: After compiling version 0.5.1 I now receive one more entry in the log file: vpnc[16364]: connection terminated by peer

Last edit I guess: I'm desperate. Open to any suggestion. Even changing to another Linux distro is an option if it is Ubuntu which is the problem.

8 Answers

8

There is a bug report that addresses this problem, dating from 2010-10-28, but unfortunately still unsolved. It seems like the disconnect time is somewhat individual, although the reported times are still longer than 24 minutes.

The article points to a fix described here, which requires the recompilation of vpnc.

If your problem is related to rekeying, then the article rekeying problem with 0.5.3 claims that the bug is new to version 0.5.3 and does not exist in 0.5.1.

[EDIT]

It seems like going back to 0.5.1 didn't work for you. It also seems as if vpnc disconnects are common to many Linux distributions.

I have found Fixing vpnc disconnect problem above version 0.5.x, which suggests that maybe one needs to go back even to 0.4.x. In any case, the article suggests a fix which probably does not relate to your case, but you could try:

After all we have to turn off DPD at the client end as well (vpnc) what we can achieve 2 ways:

  • add "--dpd-idle 0" command line switch when invoking "vpnc"
  • better yet to add this line to the config file: "DPD idle timeout (our side) 0"

Further information: man vpnc

There is similar info coming from RedHat support: Bug 484114 - VPN disconnect every 5 mins.

You could try going to vpnc 0.4.x, but I am starting to wonder if the problem is on your side or with some setting of the VPN server: 24 minutes is too precise.

harrymc
  • 498,455
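The observation that "24 minutes is too precise" can be checked directly against syslog. The following is an added example, not part of any post on this page: it pairs the NetworkManager tun0 "devices added" and "devices removed" lines and measures each tunnel lifetime. The function names, the `year` parameter (syslog timestamps carry no year) and the second session in the sample log are assumptions made for illustration.

```python
import re
from datetime import datetime

# Syslog lines in the format shown in the question. The first session uses the
# question's timestamps; the second session is constructed for illustration.
SAMPLE_LOG = """\
Jul 24 14:03:09 cad-unix NetworkManager[1086]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Jul 24 14:03:09 cad-unix NetworkManager[1086]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Jul 24 14:27:29 cad-unix avahi-daemon[1089]: Withdrawing workstation service for tun0.
Jul 24 14:27:29 cad-unix NetworkManager[1086]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
Jul 24 14:30:02 cad-unix NetworkManager[1086]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Jul 24 14:54:21 cad-unix NetworkManager[1086]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
"""

# Only the plural "devices added/removed" lines are matched, so the duplicate
# singular "device added" line does not restart a session.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ NetworkManager\[\d+\]:\s+"
    r"SCPlugin-Ifupdown: devices (?P<what>added|removed) .*iface: (?P<iface>\w+)\)"
)


def tunnel_sessions(log_text, iface="tun0", year=2012):
    """Return tunnel lifetimes in seconds, one per added/removed pair."""
    up_since, durations = None, []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m or m["iface"] != iface:
            continue
        # The year is assumed; sessions spanning New Year are not handled.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["what"] == "added":
            up_since = ts
        elif up_since is not None:
            durations.append(int((ts - up_since).total_seconds()))
            up_since = None
    return durations


def fixed_interval(durations, tolerance=30):
    """True when at least two sessions lasted nearly the same time, which is
    consistent with a timer-driven teardown rather than idle traffic."""
    return len(durations) >= 2 and max(durations) - min(durations) <= tolerance


if __name__ == "__main__":
    d = tunnel_sessions(SAMPLE_LOG)
    print(d, "fixed interval:", fixed_interval(d))
```

Run against a real /var/log/syslog, lifetimes that agree to within a few seconds across sessions suggest comparing the value with the lifetimes configured on the VPN server.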
4

Try changing the NAT traversal mode to cisco-udp, that solved it for me

NAT Traversal Mode cisco-udp

My Full config looks like this

IPSec gateway VPNHOSTIP
IPSec ID SAMPLESHAREDUSER
IPSec secret SAMPLESHAREDKEY
Xauth username SAMPLEUSER
Xauth password SAMPLEUSERPASS
IKE Authmode psk
#IKE DH Group dh2 # this is the default
DNSUpdate no
DPD idle timeout (our side) 0
NAT Traversal Mode cisco-udp

My VPN connection is still running after 20 hrs so far.

Pykler
  • 141
1

Homepage of the VPNC project does not mention this to be a known problem, but I assume "phase2-rekeying" is still not that stable (based on reported bugs). Also note that

  • phase1-rekeying missing

Patched version of 0.5.3 (as the latest in SVN of the original project) release of VPNC at github includes:

I also would recommend a watch guard as an ultimate solution for reconnects https://github.com/dcantrell/vpncwatch/network if an automated mode is very much desired and remote side can still cause (software-unrelated) disconnects.

PS

Since VPNC is a reverse-engineered version of a commercial implementation, disconnects with emerging version changes on the remote side can be expected to reappear until found and fixed again.

Finally, there is the option of using the native client (anyconnect) for Linux. One of the disadvantages is that client-side configuration abilities such as DNS record update and no default route are hugely limited. Another is that disconnects will still take place, but on much rarer occasions.

1

I had the same problem, and none of the suggested solutions worked for me. In the end, I gave up on vpnc and tried the ShrewSoft vpn client. It's a bit of a hassle because you have to compile it yourself (and manually install any missing dependencies -- in my case, cmake, libedit2, flex, and bison). But it seems to work fine.

At the time of writing, you can download it from https://www.shrew.net/download/ike

0

You might look at the --nat-keepalive option, perhaps try --nat-keepalive 1200

At one point this was a known bug, not sure if it ever got fixed.

Darth Android
  • 38,658
0

I have the same issue. http://dietrichschroff.blogspot.com/2011/07/linux-vpn-client-disconnect-every-600s.html seems to mention that the issue may be related to the DH Group being used. To change the DH Group to 5, add this to your config file:

IKE DH Group dh5

The options for this config change are

IKE DH Group <dh1/dh2/dh5>

Pykler
  • 141
0

I have the same problem on Ubuntu 12.04, and with VPNC it disconnects exactly after 24 minutes.

I tried "Shrew Soft" which I installed from software center. I was able to configure the VPN using .pcf file that I got from my IT department. Then I got the exact same problem.

However, with "Shrew Soft" you can configure a couple of things. The one that makes my connection stay up forever is the setting in Phase1-rekeying. I changed the "Key Life Time Limit" value from 86400 (24 hours) to 600 seconds. I suppose there is a bug somewhere where it uses 24 minutes instead of 24 hours.

random
  • 15,201
0

I proposed a patch for IKE phase I rekeying based on a previous patch submission which makes my vpnc initiated connection stable over multiple days against an ASA head-end. My phase 1 lifetime is 24h so it does successfully rekey and keeps the connection alive. E.g.

  • re-keys phase 2 SAs (IPsec) -and-
  • re-keys phase 1 SAs (ISAKMP).