Tips when connecting a Windows 7/8/10 VPN Client with Rockhopper.


- IKE SA's rekeying (soft-lifetime):

By default, a Windows 7/8 client executes an IKE SA's rekeying about every 3 hours (in the case of Windows 10, the interval is about 7.6 hours). Rockhopper's default rekeying interval is longer than that, so Rockhopper lets the Windows 7/8/10 client initiate the rekeying. In most cases you don't need to change the value; alternatively, you can enable the "responder_not_rekeying" setting for IKE SAs.

- Child SA's rekeying (soft-lifetime):

By default, a Windows 7/8/10 client executes a Child SA's rekeying about every 1 hour. Rockhopper's default rekeying interval is longer than that, so Rockhopper lets the Windows 7/8/10 client initiate the rekeying. In most cases you don't need to change the value.
In particular, if the Windows 7 client is located behind a NAT/NAPT, a rekeying attempt initiated by the remote peer (Rockhopper) may be rejected, so it is better to configure a longer rekeying interval on Rockhopper. Alternatively, you can enable the "responder_not_rekeying" setting for Child SAs.

If no communication occurs between the VPN's nodes for several minutes, the idle Child SA is deleted by the Windows 7/8/10 client. A new Child SA is dynamically created again by the Windows 7/8/10 client or the Rockhopper gateway/server when the next communication to be encrypted occurs.

A Windows 7/8/10 client also starts a Child SA's rekeying when the total amount of encrypted or decrypted traffic reaches a threshold; the details of this threshold are unknown. For example, when a 4.3GB file is transmitted from a Windows 7 client to a Samba server (Ubuntu) over the VPN, more than 30 rekeyings are executed between the Windows 7 client and the Rockhopper gateway/server.



- IKE SA's default SA proposals:

By default, a Windows 7/8/10 client (initiator) sends the following SA proposals (security algorithms) to establish an IKE SA. Rockhopper's default settings are compatible with them, but you can change the settings, for example from the viewpoint of performance.

Proposal No.  ENCR         PRF            INTEG              DH
1             3DES         HMAC_SHA1      HMAC_SHA1_96       Group2(MODP1024)
2             AES_CBC_256  HMAC_SHA1      HMAC_SHA1_96       Group2(MODP1024)
3             3DES         HMAC_SHA2_256  HMAC_SHA2_256_128  Group2(MODP1024)
4             AES_CBC_256  HMAC_SHA2_256  HMAC_SHA2_256_128  Group2(MODP1024)
5             3DES         HMAC_SHA2_384  HMAC_SHA2_384_192  Group2(MODP1024)
6             AES_CBC_256  HMAC_SHA2_384  HMAC_SHA2_384_192  Group2(MODP1024)

By default, proposal No.6 is selected by Rockhopper (responder).


- Child SA's default SA proposals:

By default, a Windows 7/8/10 client (initiator) sends the following SA proposals (security algorithms) to establish a Child SA. Rockhopper's default settings are compatible with them, but you can change the settings.

Proposal No.  ENCR         INTEG         ESN
1             AES_CBC_256  HMAC_SHA1_96  Disabled
2             3DES         HMAC_SHA1_96  Disabled

By default, proposal No.1 is selected by Rockhopper (responder).
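As an added illustration (not Rockhopper's code), the following Python models a responder choosing among the Windows client's default proposals listed above, for both the IKE SA and the Child SA. The preference ranking and the policy format are assumptions for illustration only, not Rockhopper's actual selection logic; they are chosen so that the outcome matches the defaults stated above (No.6 and No.1).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proposal:
    number: int
    encr: str
    prf: Optional[str]    # None for Child SA (ESP) proposals
    integ: str
    dh: Optional[str]     # None for Child SA proposals without PFS

# Windows 7/8/10 default IKE SA proposals, exactly as listed on this page.
WIN_IKE_PROPOSALS = [
    Proposal(1, "3DES",        "HMAC_SHA1",     "HMAC_SHA1_96",      "MODP1024"),
    Proposal(2, "AES_CBC_256", "HMAC_SHA1",     "HMAC_SHA1_96",      "MODP1024"),
    Proposal(3, "3DES",        "HMAC_SHA2_256", "HMAC_SHA2_256_128", "MODP1024"),
    Proposal(4, "AES_CBC_256", "HMAC_SHA2_256", "HMAC_SHA2_256_128", "MODP1024"),
    Proposal(5, "3DES",        "HMAC_SHA2_384", "HMAC_SHA2_384_192", "MODP1024"),
    Proposal(6, "AES_CBC_256", "HMAC_SHA2_384", "HMAC_SHA2_384_192", "MODP1024"),
]
# Windows 7/8/10 default Child SA proposals (ESN disabled), from this page.
WIN_CHILD_PROPOSALS = [
    Proposal(1, "AES_CBC_256", None, "HMAC_SHA1_96", None),
    Proposal(2, "3DES",        None, "HMAC_SHA1_96", None),
]

# Assumed responder ranking (higher = preferred); not Rockhopper's real policy.
ENCR_RANK  = {"AES_CBC_256": 3, "AES_CBC_128": 2, "3DES": 1}
INTEG_RANK = {"HMAC_SHA2_384_192": 3, "HMAC_SHA2_256_128": 2, "HMAC_SHA1_96": 1}

def acceptable(p, policy):
    """policy maps a field name to the set of values the responder allows."""
    for field, allowed in policy.items():
        value = getattr(p, field)
        if value is not None and value not in allowed:
            return False
    return True

def select_proposal(proposals, policy=None):
    """Strongest acceptable proposal, or None (reply NO_PROPOSAL_CHOSEN).
    Ties go to the lower number, i.e. the initiator's own preference."""
    candidates = [p for p in proposals if acceptable(p, policy or {})]
    if not candidates:
        return None
    return max(candidates,
               key=lambda p: (ENCR_RANK[p.encr], INTEG_RANK[p.integ], -p.number))
```

Because every Windows proposal offers only MODP1024, a responder policy such as `{"dh": {"MODP2048"}}` leaves no candidate and the IKE SA setup fails with NO_PROPOSAL_CHOSEN; the same happens if 3DES is the only cipher the responder permits on the Child SA side and AES is disabled.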



- Child SA's default traffic selectors:

By default, a Windows 7/8/10 client (initiator) sends the following traffic selectors. You can narrow them down by adding Rockhopper's traffic selector settings.

Side             Protocol  Port range        Address range
Initiator (TSi)  Any(0)    Any(0 -- 65535)   Any(IPv4: 0.0.0.0 - 255.255.255.255)
Initiator (TSi)  Any(0)    Any(0 -- 65535)   Any(IPv6: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
Responder (TSr)  Any(0)    Any(0 -- 65535)   Any(IPv4: 0.0.0.0 - 255.255.255.255)
Responder (TSr)  Any(0)    Any(0 -- 65535)   Any(IPv6: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)

By default, if "Remote Configuration Server" is enabled, Rockhopper (responder) narrows down only the initiator's address range, to the internal (unicast) address assigned to the client.
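An added example (not Rockhopper's code) of the narrowing described above: the client's any/any selectors are intersected with the internal address assigned to it, while TSr is kept as offered. The TrafficSelector representation and the narrow_for_client helper are assumptions for illustration; the intersection rule follows the narrowing described in RFC 7296.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TrafficSelector:
    proto: int        # IP protocol number; 0 = any
    port_lo: int
    port_hi: int
    addr_lo: object   # ipaddress.IPv4Address or IPv6Address
    addr_hi: object

def ts_any(version):
    """The 'any' selector the Windows client sends for IPv4 (4) or IPv6 (6)."""
    net = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    return TrafficSelector(0, 0, 65535, net[0], net[-1])

def intersect(a, b):
    """Narrowing as in RFC 7296: the overlap of two selectors, or None."""
    if a.addr_lo.version != b.addr_lo.version:
        return None                      # IPv4 and IPv6 never overlap
    if a.proto and b.proto and a.proto != b.proto:
        return None
    lo, hi = max(a.addr_lo, b.addr_lo), min(a.addr_hi, b.addr_hi)
    plo, phi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    if lo > hi or plo > phi:
        return None
    return TrafficSelector(a.proto or b.proto, plo, phi, lo, hi)

def narrow_for_client(tsi_list, tsr_list, assigned_ips):
    """Responder-side narrowing as this page describes: TSi is limited to the
    internal address(es) assigned to the client via CP; TSr is kept as sent."""
    narrowed = []
    for ip_str in assigned_ips:
        ip = ipaddress.ip_address(ip_str)
        only_client = TrafficSelector(0, 0, 65535, ip, ip)
        for ts in tsi_list:
            hit = intersect(ts, only_client)
            if hit is not None:
                narrowed.append(hit)
    return narrowed, list(tsr_list)
```

With only an IPv4 address assigned, the client's IPv6 TSi has no overlap and is dropped, so IPv6 traffic will not match the Child SA unless an INTERNAL_IP6_ADDRESS is assigned as well.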



- Attributes of the remote configuration(Configuration(CP) payload):

By default, a Windows 7/8/10 client (initiator) sends the following configuration attributes.

Attribute sent by Windows 7/8/10 client (Initiator)   Supported by Rockhopper (Responder)
INTERNAL_IP4_ADDRESS (VPN interface's address)        Yes
INTERNAL_IP4_DNS (DNS server)                         Yes
INTERNAL_IP4_NBNS (WINS server)                       Yes
MS_INTERNAL_IPV4_SERVER(23456)                        Ignored
INTERNAL_IP6_ADDRESS                                  Yes
INTERNAL_IP6_DNS                                      Yes
MS_INTERNAL_IPV6_SERVER(23457)                        Ignored

Rockhopper also supports INTERNAL_IP4_NETMASK (a Windows client uses a point-to-point interface as its VPN interface, whose netmask value is '255.255.255.255'), INTERNAL_IP4_SUBNET (split tunneling, internal routing tables), RHP_DNS_SFX(28467, split DNS), RHP_IPV4_GATEWAY(28468, a default gateway for bridge configuration) and RHP_IPV6_GATEWAY(28469). However, these attributes cannot be used with Windows 7/8/10 clients.



- Keep-Alive interval:

The Windows 7/8/10 client's default Keep-Alive interval is relatively long, so it may take a long time for the client to detect network errors between the VPN nodes. Therefore, when you can't communicate with a VPN gateway/server, try closing and reconnecting the VPN session: the gateway/server may have already detected the error and closed the VPN session.


- MOBIKE(RFC4555):

Supported.


- [IPv6] A default gateway (router):

A Windows client can handle Router Solicitation (RS) and Router Advertisement (RA) through a VPN tunnel. On receiving an RA, the Windows client configures the VPN tunnel as its default route.

Via the Web Console, you can enable a Rockhopper gateway to automatically add traffic selectors allowing RS and RA traffic between the remote client and an IPv6-enabled router located behind the Rockhopper gateway.

- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID:Realm Name[Left-Tree]
> Service[Left-Tree] > Remote Config Server[Left-Tree]
> Remote Config Server(IKEv2)[Pane] > Internal Route Map[Tab]:

Check "Allow link-local ICMPv6 for Router Solicitation(RS) and Advertisement(RA)".



- [IPv6] NAT Traversal (NAT-T):

If a Windows client located behind a NAT gateway doesn't enable ESP's UDP-encapsulation for IPv6 NAT traversal (NAT-T), you can also disable the function on the Rockhopper gateway via the Web Console.

- VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID:Realm Name[Left-Tree]
> Child SA settings[Left-Tree] > Child SA Detailed Settings[Pane]:

Check "Disable ESP's UDP-encapsulation for IPv6 NAT-T".


If a Rockhopper client also connects to the same Rockhopper gateway, you should enable the following setting in the same pane of the gateway's Web Console.

Check "Enable ESP's UDP-encapsulation for IPv6 NAT-T after receiving a UDP-encapsulated packet from a remote peer(non-Rockhopper)".

In this case, the remote peer (non-Rockhopper) is the Windows client. With this setting checked, ESP's UDP-encapsulation for IPv6 is enabled between the Rockhopper client and the Rockhopper gateway, while ESP packets transmitted between the Windows client and the Rockhopper gateway are not UDP-encapsulated.
