> # cat /etc/isakmpd.isakmpd.conf
> [General]
> Default-phase-1-lifetime=       3600
> Default-phase-2-lifetime=       1200


Question: Can I have an isakmpd.conf file, set only the config options I
want, run isakmpd WITHOUT the -K and still use ipsecctl?

> Another item - IS PFS disabled or enabled by default when one uses
> > ipsecctl? Can this be set?
>
> pfs is enabled by default.


PFS is off on the vendor's side, does this matter? I will search how to
disable on my end.

>
>
> > ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 main
>                                            ^
>                                            typo?
> (Looks right in isakmpd_out)


Out of curiosity, why would you consider 10.110.38.0/24 a typo? Am I doing
something wrong here?


Please provide the full isakmp configuration of that sonicwall.



This is the information they give us about their configuration. I compiled
this from Excel spreadsheets, so forgive the layout.

In a file called client settings:
-------------------------------------------

Router: Dlink
External IP: 66.151.2.218
Local Router Lan IP: 10.110.38.1
SubnetMask: 255.255.255.0
IP Range: 10.110.38.2 - 254

In a sub-section marked IPSEC VPN Settings

Gateway IP Address: 204.244.106.134
Exchange: Main Mode
Subnet: 10.110.38.0
Subnet Mask: 255.255.255.0
Remote IP address: 172.28.128.0
Subnet Mask: 255.255.248.0
Keying Mode: IKE
P1 Encrypt: 3DES
P1 Auth: SHA1
P1 Lifetime: 28800
p2 Encrypt: 3DES
P2 Auth: SHA1
PFS: Disabled
Preshared Key: "XXXXXXXXXX"


In another file marked 4060 settings
----------------------------------------------------

Under GENERAL:

   SA Name: Peachnet - West
   IPSec Gateway Address: 66.151.2.218
   Shared Secret: "XXXXXXX"

Under Network:
   Subnet: 10.110.38.0
   Mask: 255.255.255.0


Under Proposal:
   Exchange: Main Mode
   DH GROUP: Group 2
   Encryp: 3DES
   Auth: SHA1
   LifeTime: 28800
   Protocol: ESP
   Encrypt: 3DES
   Auth: SHA1
   PFS: No
   DHGroup: N/A
   LifeTime: 28800




Hope this is useful and thank you for your response!
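
A consistency check between the ike rule quoted earlier in the thread and the subnet/mask pairs listed in the peer's settings, as an added example that is not part of the original message. The names PEER_SETTINGS, QUOTED_RULE, expected_cidr and check_rule are made up for this illustration.

```python
import ipaddress
import re

# Peer-side selectors as listed in the message above (subnet, dotted mask).
PEER_SETTINGS = {
    "local": ("10.110.38.0", "255.255.255.0"),
    "remote": ("172.28.128.0", "255.255.248.0"),
}

# The rule exactly as it was quoted in the thread.
QUOTED_RULE = ("ike esp from 10.110.38.0/24 to 172.28.128/0/21 "
               "peer 204.244.106.134 main")


def expected_cidr(subnet, mask):
    """Convert a subnet plus dotted netmask into CIDR notation."""
    return str(ipaddress.ip_network(f"{subnet}/{mask}", strict=True))


def check_rule(rule, peer=PEER_SETTINGS):
    """Return a list of problems found in the rule's from/to selectors."""
    m = re.search(r"\bfrom\s+(\S+)\s+to\s+(\S+)", rule)
    if not m:
        return ["no 'from ... to ...' selectors found"]
    problems = []
    for side, written in zip(("local", "remote"), m.groups()):
        want = expected_cidr(*peer[side])
        try:
            # strict=True also rejects networks with host bits set
            got = str(ipaddress.ip_network(written, strict=True))
        except ValueError:
            problems.append(
                f"{side}: '{written}' is not a valid network, expected {want}")
            continue
        if got != want:
            problems.append(f"{side}: {got} does not match peer value {want}")
    return problems


if __name__ == "__main__":
    for line in check_rule(QUOTED_RULE) or ["selectors match the peer settings"]:
        print(line)
```

Both ends of a phase 2 negotiation must propose identical selectors, so a mismatch or malformed network in the rule is worth ruling out before looking at lifetimes or PFS.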
