Hi,

On Thu, Aug 10, 2006 at 12:04:08AM -0400, Steve Glaus wrote:
> ...
> One glaring difference that I can see is that when I connect to the
> DLINK I use a passive connection and isakmpd sits and listens for
> incoming connections. Could this be a lifetime issue? Tech support at
> the other end said this is possible. How do you set the lifetime using
> ipsecctl (I've read that this is only possible with -current)

This only works in -current:

    ike from 1.1.1.1 to 2.2.2.2 main life 3600 quick life 1200

However, this sets the lifetimes for all connections, i.e. it's not
possible yet to say "use lifetime x for this connection and lifetime y
for that connection."

For 3.9 you could achieve the same with this isakmpd.conf:

    # cat /etc/isakmpd.isakmpd.conf
    [General]
    Default-phase-1-lifetime=       3600
    Default-phase-2-lifetime=       1200

> Another item - Is PFS disabled or enabled by default when one uses
> ipsecctl? Can this be set?

PFS is enabled by default.

> Looking at my logs I'm pretty sure that it's making it through phase 1.

Yes, according to isakmpd_out phase 1 has successfully finished.

> Our vendor's phase 1 and phase 2 use identical encryption/authorization so
> I don't quite understand why I would be getting NO_PROPOSALS for only
> phase 2. The lifetimes for both phases are also identical on the vendor's
> end.
>
>
> This is the relevant configuration info:
>
> ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 main
                                           ^ typo? (Looks right in isakmpd_out)
> auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XXXXXXXXXX"
>
> The debug output can be found here:
>
> http://ww2.bartowpc.com:8080/isakmpd_out

Please provide the full isakmp configuration of that sonicwall.
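Added example, not from this thread: the per-connection lifetimes that ipsecctl cannot yet express are possible in isakmpd.conf on 3.9 by giving the peer and the connection their own configuration, transform and Life= sections instead of relying on the [General] defaults (keywords as in isakmpd.conf(5); the peer address 2.2.2.2, the PLACEHOLDER_PSK value and the Net-local/Net-dlink ID sections, plus the usual [Phase 1]/[Phase 2] index sections, are assumed and must be filled in as in your existing config).

```ini
# Phase 1 peer that uses its own main-mode configuration, not the default
[peer-dlink]
Phase=                  1
Address=                2.2.2.2
Configuration=          Main-mode-dlink
Authentication=         PLACEHOLDER_PSK
[Main-mode-dlink]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-3600
[3DES-SHA-3600]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600
# Phase 1 lifetime for this peer only (seconds)
[LIFE_3600]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600

# Phase 2 connection with its own quick-mode suite and lifetime
[IPsec-dlink]
Phase=                  2
ISAKMP-peer=            peer-dlink
Configuration=          Quick-mode-dlink
Local-ID=               Net-local
Remote-ID=              Net-dlink
[Quick-mode-dlink]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-1200
[QM-ESP-3DES-SHA-PFS-1200]
Protocols=              QM-ESP-3DES-SHA-PFS-1200-P
[QM-ESP-3DES-SHA-PFS-1200-P]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-PFS-1200-XF
# GROUP_DESCRIPTION here is what turns on PFS for this connection
[QM-ESP-3DES-SHA-PFS-1200-XF]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_1200
# Phase 2 lifetime for this connection only (seconds)
[LIFE_1200]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          1200
```

A second peer gets the same treatment with different LIFE_* sections, which is how you end up with lifetime x for one connection and lifetime y for another.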