Re: IPSec Keylifetime using ipsecctl and ipsec.conf?

2007-07-26 Thread Hans-Joerg Hoexer
Hi,

On Thu, Jul 26, 2007 at 10:04:31AM +0200, [EMAIL PROTECTED] wrote:
 Hi,
 
 I am using ipsecctl and /etc/ipsec.conf to create an IPSec tunnel to a  
 WatchGuard Firebox X700 in my company. It works fine, but the  
 re-keying always makes some trouble, it does not always work. My  
 question now is, how can I set the keylifetimes for phase 1 and 2 in  
 /etc/ipsec.conf? Is there a way to do this? The manpage does not give  
 any more info...

sorry, you can't.

However, you can use isakmpd.conf to set the default lifetimes.  Please
see isakmpd.conf(5) for details.

isakmpd.conf:
[General]
Default-phase-1-lifetime=   3600,60:86400
Default-phase-2-lifetime=   1200,60:86400

 
 I am running an OpenBSD 4.1 current. My ipsec.conf file looks like this:
 
 ike esp from 10.240.1.0/24 to 192.168.128.0/24 \
   peer 1.2.3.4 \
   main auth hmac-sha1 enc 3des group modp1024 \
   quick auth hmac-sha1 enc 3des group none \
   psk 
 
 Regards,
 James
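The lifetime triples in the isakmpd.conf fragment above have the shape default,min:max: the first number is the lifetime isakmpd proposes when it initiates, the range after the comma is what it will accept when the peer proposes (that is how isakmpd.conf(5) documents the triple; check the man page on your release). The block below is an added example, not code from this thread or from isakmpd: it parses the [General] lifetimes out of a constructed isakmpd.conf fragment and checks whether a peer's proposed lifetime falls inside the acceptable range, which is the first thing worth verifying when rekeying with a remote gateway fails only sometimes. The negotiation rule modelled (a proposal is accepted only when it lies inside [min, max]) is a simplified model of the daemon's attribute check and is an assumption of this example, as are the Firebox-side values.

```python
"""Parse isakmpd.conf lifetime triples and check peer proposals against them.

Added example; not code from the thread or from isakmpd. Assumptions:
- a lifetime value has the form "default,min:max" (seconds): 'default' is
  what we propose as initiator, [min, max] is what we accept as responder;
- the responder accepts a peer's proposed lifetime only if it lies inside
  [min, max] (simplified model of isakmpd's attribute check).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed fragment mirroring the [General] settings shown in the thread.
SAMPLE_ISAKMPD_CONF = """\
# /etc/isakmpd/isakmpd.conf (constructed sample)
[General]
Default-phase-1-lifetime=   3600,60:86400
Default-phase-2-lifetime=   1200,60:86400

[Phase 1]
1.2.3.4=                    peer-firebox
"""

LIFETIME_KEYS = ("Default-phase-1-lifetime", "Default-phase-2-lifetime")
_TRIPLE = re.compile(r"^(\d+)\s*,\s*(\d+)\s*:\s*(\d+)$")


@dataclass(frozen=True)
class Lifetime:
    default: int   # seconds we propose when we initiate
    minimum: int   # lowest peer proposal we accept when responding
    maximum: int   # highest peer proposal we accept when responding


def parse_lifetime(value: str) -> Lifetime:
    """Turn '3600,60:86400' into Lifetime(3600, 60, 86400); reject bad triples."""
    m = _TRIPLE.match(value.strip())
    if m is None:
        raise ValueError(f"expected 'default,min:max', got {value!r}")
    default, lo, hi = (int(g) for g in m.groups())
    if not 0 < lo <= default <= hi:
        raise ValueError(f"default {default} must lie within {lo}:{hi}")
    return Lifetime(default, lo, hi)


def parse_general_lifetimes(text: str) -> Dict[str, Lifetime]:
    """Extract the Default-phase-*-lifetime keys from the [General] section."""
    section = None
    found: Dict[str, Lifetime] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "General" or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        if key in LIFETIME_KEYS:
            found[key] = parse_lifetime(val)
    return found


def peer_lifetime_acceptable(local: Lifetime, proposed: int) -> bool:
    """Responder check: is the peer's proposed lifetime inside our range?"""
    return local.minimum <= proposed <= local.maximum


def negotiate(local: Lifetime, proposed: Optional[int]) -> Optional[int]:
    """Lifetime the SA ends up with, or None when the proposal is unacceptable.

    No proposal at all means we initiated and offered our own default.
    """
    if proposed is None:
        return local.default
    return proposed if peer_lifetime_acceptable(local, proposed) else None


def rekey_compatible(ours: Lifetime, theirs: Lifetime) -> bool:
    """Each side's default must fit the other side's range, whoever initiates."""
    return (peer_lifetime_acceptable(ours, theirs.default)
            and peer_lifetime_acceptable(theirs, ours.default))


if __name__ == "__main__":
    lifetimes = parse_general_lifetimes(SAMPLE_ISAKMPD_CONF)
    p2 = lifetimes["Default-phase-2-lifetime"]
    # A gateway configured for 8-hour Phase 2 SAs (constructed peer value).
    print("peer 28800s acceptable:", peer_lifetime_acceptable(p2, 28800))
    # A peer proposing a 30-second lifetime is below our minimum of 60.
    print("peer 30s acceptable:", peer_lifetime_acceptable(p2, 30))
    # Constructed guess at the remote side's own triple, for the two-way check.
    firebox = Lifetime(default=28800, minimum=600, maximum=28800)
    print("rekey compatible:", rekey_compatible(p2, firebox))
```

If the remote gateway's configured lifetime lies outside your min:max, or your default lies outside theirs, the rekey fails whenever that side happens to initiate, which is exactly the "sometimes works" pattern described in the thread; widening the range on your side (the 60:86400 defaults already accept most values) or matching the defaults on both ends removes that cause before you start blaming the peer.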



Re: IPSec Keylifetime using ipsecctl and ipsec.conf?

2007-07-26 Thread James Lepthien

On 26.07.2007 at 19:09, Mitja Muženič wrote:


Coincidentally I have exactly the same symptoms connecting 4.1-stable (using
isakmpd.conf and AES SHA1) to an unknown remote Firebox VPN gateway running
firebox software 8.3 (very sketchy information because I had to pry it
out of the IT people at the remote end).

Rekeying occasionally fails, Phase 2 is down but Phase 1 SA remains active.
The Firebox side does not reply to my Phase 2 proposals until I manually
kill the Phase 1 SA on my end and reestablish everything.

I'm inclined to assume the problem lies at Firebox's end. But I have no
access to Watchguard's support pages to see if it is a known problem.

Mitja




Hi!

The problem with the WatchGuard Firewalls is that they are pretty
strict. They are really great.
So your end is running Fireware 8.3. On my end it is the old software
version 7.3 which can only do 3DES.
I think I will have to try to use isakmpd as well and see how this
works.

You should also supply the DH Groups for both phases.
As far as I know the WatchGuard Firewalls only support DH1 and DH2 so
do not forget to set this in
your isakmpd.conf file.

James



Re: IPSec Keylifetime using ipsecctl and ipsec.conf?

2007-07-26 Thread Mitja Muženič
Coincidentally I have exactly the same symptoms connecting 4.1-stable (using
isakmpd.conf and AES SHA1) to an unknown remote Firebox VPN gateway running
firebox software 8.3 (very sketchy information because I had to pry it
out of the IT people at the remote end).

Rekeying occasionally fails, Phase 2 is down but Phase 1 SA remains active.
The Firebox side does not reply to my Phase 2 proposals until I manually
kill the Phase 1 SA on my end and reestablish everything.

I'm inclined to assume the problem lies at Firebox's end. But I have no
access to Watchguard's support pages to see if it is a known problem.

Mitja


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of [EMAIL PROTECTED]
 Sent: Thursday, July 26, 2007 10:05 AM
 To: misc@openbsd.org
 Subject: IPSec Keylifetime using ipsecctl and ipsec.conf?
 
 Hi,
 
 I am using ipsecctl and /etc/ipsec.conf to create an IPSec tunnel to a
 WatchGuard Firebox X700 in my company. It works fine, but the
 re-keying always makes some trouble, it does not always work. My
 question now is, how can I set the keylifetimes for phase 1 and 2 in
 /etc/ipsec.conf? Is there a way to do this? The manpage does not give
 any more info...
 
 I am running an OpenBSD 4.1 current. My ipsec.conf file looks like this:
 
 ike esp from 10.240.1.0/24 to 192.168.128.0/24 \
   peer 1.2.3.4 \
   main auth hmac-sha1 enc 3des group modp1024 \
   quick auth hmac-sha1 enc 3des group none \
   psk 
 
 Regards,
 James