Hi,
On Thu, Aug 10, 2006 at 12:04:08AM -0400, Steve Glaus wrote:
> ...
> One glaring difference that I can see is that when I connect to the
> DLINK I use a passive connection and isakpmd sits and listens for
> incoming connections. Could this be a lifetime issue? Tech support at
> the other end said this is possible. How do you set the lifetime using
> ipsecctl (I've read that this is only possible with -current)
this only works in -current:
ike from 1.1.1.1 to 2.2.2.2 main life 3600 quick life 1200
However, this sets the lifetimes for all connections, i.e. it's not
possible yet to say "use lifetime x for this connection and lifetime
y for that connection."
For 3.9 you could achieve the same with this isakmpd.conf:
# cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= 3600
Default-phase-2-lifetime= 1200
> Another item - IS PFS disabled or enabled by default when one uses
> ipsecctl? Can this be set?
pfs is enabled by default.
> Looking at my logs I'm pretty sure that it's making it through phase1.
yes, according to isakmpd_out phase 1 has successfully finished.
> Our vendor's phase1 and phase2 use identical encryption/authorization, so
> I don't quite understand why I would be getting NO_PROPOSALS for only
> phase2. The lifetimes for both phases are also identical on the vendor's
> end.
>
>
> This is the relevant configuration info:
>
> ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 main
^
typo?
(Looks right in isakmpd_out)
> auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XXXXXXXXXX"
>
> The debug output can be found here:
>
> http://ww2.bartowpc.com:8080/isakmpd_out
Please provide the full isakmp configuration of that sonicwall.
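As an added example (not part of this thread and not an OpenBSD tool), here is a small Python helper that does the cross-check this reply is asking for by hand: it parses the `ike` rule quoted above (kept with its `172.28.128/0/21` typo so the network check can catch it), reads the `[General]` lifetimes from the 3.9-style isakmpd.conf shown above, and compares the local quick-mode proposal with the parameters the remote side claims to use. The remote side's phase 2 values are constructed for the demonstration; the defaults assumed for keywords an `ike` rule omits (`hmac-sha1`, `3des`, and `modp1024` for PFS, which the reply says is on by default) are assumptions, as is the function naming.

```python
"""Cross-check an ipsecctl 'ike' rule against a peer's stated phase 2 settings.

Hypothetical troubleshooting helper written for this thread, not an OpenBSD
tool.  A phase 2 NO_PROPOSAL_CHOSEN after a good phase 1 usually means one
transform attribute differs (auth, enc, PFS group or lifetime); listing the
local proposal next to the remote one makes the odd one out visible.
"""
import configparser
import ipaddress
import shlex

# Assumed defaults for keywords omitted from an 'ike' rule.  The thread states
# that PFS is enabled by default; the specific group is an assumption.
DEFAULTS = {"auth": "hmac-sha1", "enc": "3des", "group": "modp1024"}

# Rule taken from the thread (typo in the 'to' network kept on purpose).
IKE_RULE = ('ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 main '
            'auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XXXXXXXXXX"')

# isakmpd.conf fragment from the thread (3.9 way of setting lifetimes).
ISAKMPD_CONF = """[General]
Default-phase-1-lifetime= 3600
Default-phase-2-lifetime= 1200
"""

# Constructed: what the remote administrator reports for phase 2.  Note the
# remote side has PFS off ('none'), which ipsecctl does not do by default.
PEER_PHASE2 = {"auth": "hmac-sha1", "enc": "3des", "group": "none", "life": "1200"}


def parse_ike_rule(rule):
    """Tokenise an ipsec.conf 'ike' rule into from/to/peer, main{}, quick{} and psk."""
    tokens = shlex.split(rule)          # shlex keeps the quoted psk as one token
    if not tokens or tokens[0] != "ike":
        raise ValueError("not an ike rule")
    cfg = {"proto": "esp", "main": dict(DEFAULTS), "quick": dict(DEFAULTS), "psk": None}
    section, i = None, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("esp", "ah"):
            cfg["proto"] = tok
            i += 1
        elif tok in ("from", "to", "peer"):
            cfg[tok] = tokens[i + 1]
            i += 2
        elif tok in ("main", "quick"):      # transforms that follow belong to this phase
            section = tok
            i += 1
        elif tok in ("auth", "enc", "group", "life"):
            if section is None:
                raise ValueError(f"'{tok}' given before 'main' or 'quick'")
            cfg[section][tok] = tokens[i + 1]
            i += 2
        elif tok == "psk":
            cfg["psk"] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return cfg


def check_networks(cfg):
    """Flag 'from'/'to' values that are not valid networks (e.g. a stray '/')."""
    problems = []
    for key in ("from", "to"):
        try:
            ipaddress.ip_network(cfg[key], strict=False)
        except ValueError:
            problems.append(f"{key} {cfg[key]!r} is not a valid network (typo?)")
    return problems


def parse_isakmpd_lifetimes(text):
    """Read Default-phase-{1,2}-lifetime from the [General] section of isakmpd.conf."""
    cp = configparser.ConfigParser()
    cp.optionxform = str                # keep the mixed-case key names as written
    cp.read_string(text)
    gen = cp["General"]
    # isakmpd also accepts "default,min:max"; only the default value is compared here.
    pick = lambda v: None if v is None else v.split(",")[0].strip()
    return {"main": pick(gen.get("Default-phase-1-lifetime")),
            "quick": pick(gen.get("Default-phase-2-lifetime"))}


def compare_phase2(cfg, lifetimes, peer):
    """Return one line per attribute where our quick-mode proposal differs from the peer's."""
    ours = dict(cfg["quick"])
    ours.setdefault("life", lifetimes.get("quick"))   # rule 'life' beats the conf default
    return [f"phase 2 {key}: local={ours.get(key)} peer={peer.get(key)}"
            for key in ("auth", "enc", "group", "life")
            if str(ours.get(key)) != str(peer.get(key))]


def diagnose(rule=IKE_RULE, conf=ISAKMPD_CONF, peer=PEER_PHASE2):
    """Run all checks and return the list of findings (empty list means nothing found)."""
    cfg = parse_ike_rule(rule)
    return check_networks(cfg) + compare_phase2(cfg, parse_isakmpd_lifetimes(conf), peer)


if __name__ == "__main__":
    for finding in diagnose():
        print(finding)
```

Run as-is it reports two findings for the constructed data: the malformed `to` network and a PFS group mismatch (`modp1024` locally versus `none` on the peer). With the `-current` syntax the lifetime comes from the rule itself (`quick life 1200`) and overrides the isakmpd.conf default in the comparison.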