 From:  "Jai Ketteridge" <jai at innaloo dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Random lack of Dataflow over IPSEC VPN
 Date:  Wed, 20 Dec 2006 20:29:48 +0900
According to http://doc.m0n0.ch/handbook/ipsec-tunnels.html it says that it
recommends using 28880 for phase 1?

Phase 1:
Lifetime: This field is far more important then it appears. This lifetime,
as opposed to the one in phase 2, is how long your end will wait for phase 1
to be completed. I suggest using 28800 in this field.

Phase 2:
Lifetime: This is the lifetime the negotiated keys will be valid for. Do not
set this to too high of a number. E.g. more than about a day (86400) as
doing so will give people more time to crack your key. Don't be over
paranoid either; there is no need to set this to 20 minutes or something
like that. Honestly, one day is probably good.

I'm willing to try anything so I will try what you've said, although I think
Phase 1 should complete rather quickly, so waiting 28880 seconds seems like
enough for me?


-----Original Message-----
From: Bjoern Euler [mailto:lists at edain dot de]
Sent: Wednesday, 20 December 2006 8:21 PM
To: m0n0wall at lists dot m0n0 dot ch
Cc: jai at innaloo dot net
Subject: Re: [m0n0wall] Random lack of Dataflow over IPSEC VPN

On 20.12.2006 12:09 Jai Ketteridge wrote:
> It's possible that it's doing that - On the WAN home tab in the modem it
> that the Firewall and NAT is enabled. I may try disabling them but if I do
> that and it doesn't work I'm screwed because the modem is 5000km from me and
> if I cannot remote in I'm in big trouble!!!

In that case I would not change any of the settings on the Dlink. We
don't want to make it worse and it was only a suggestion from my side.
No changes before there is some more information.

> Here is the IPSEC from SINGAPORE
> 	<encryption-algorithm>blowfish</encryption-algorithm>
> 	<hash-algorithm>sha1</hash-algorithm>
> 	<dhgroup>2</dhgroup>
> 	<lifetime>28880</lifetime>

What caught my attention when looking at your configuration are the
lifetime settings for Phase 1 and 2. I strongly suggest setting the phase
1 lifetime to a higher value than the phase 2 lifetime!

I have had good experiences with
Phase 1 lifetime 86400
Phase 2 lifetime 3600

Try changing to these values before doing anything else.
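As an added example (not from the thread and not m0n0wall's own code), here is a small Python sanity check for the two lifetime rules the thread turns on: the phase 1 lifetime should be longer than the phase 2 lifetime, and the phase 2 lifetime should not exceed one day (86400). It parses tunnel settings in the shape of the quoted `<encryption-algorithm>`/`<hash-algorithm>`/`<dhgroup>`/`<lifetime>` fragment; the `<ipsec>`/`<tunnel>`/`<p1>`/`<p2>` wrapper elements, the `<descr>` element and all phase 2 values are assumptions made for this example, since the thread only shows the phase 1 lines, and the sample values are constructed.

```python
import xml.etree.ElementTree as ET

# One day, the upper bound the m0n0wall handbook text quoted in the thread
# gives for the phase 2 lifetime.
MAX_P2_LIFETIME = 86400

# Constructed template in the style of the fragment quoted in the thread.
# The <ipsec>/<tunnel>/<p1>/<p2> wrappers, <descr> and the phase 2 values are
# assumptions for this example; only the phase 1 lines appear on the page.
CONFIG_TEMPLATE = """<ipsec>
  <tunnel>
    <descr>singapore</descr>
    <p1>
      <encryption-algorithm>blowfish</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>{p1}</lifetime>
    </p1>
    <p2>
      <hash-algorithm>hmac_sha1</hash-algorithm>
      <pfsgroup>2</pfsgroup>
      <lifetime>{p2}</lifetime>
    </p2>
  </tunnel>
</ipsec>
"""


def build_config(p1_lifetime, p2_lifetime):
    """Return a constructed config with the given phase 1 / phase 2 lifetimes."""
    return CONFIG_TEMPLATE.format(p1=p1_lifetime, p2=p2_lifetime)


def read_lifetime(phase):
    """Return the integer <lifetime> of a <p1>/<p2> element, or None when the
    element is absent, empty or not a plain number."""
    if phase is None:
        return None
    text = phase.findtext("lifetime")
    if text is None or not text.strip().isdigit():
        return None
    return int(text.strip())


def check_tunnel(tunnel):
    """Return a list of human-readable findings for one <tunnel> element."""
    descr = (tunnel.findtext("descr") or "<no descr>").strip()
    p1 = read_lifetime(tunnel.find("p1"))
    p2 = read_lifetime(tunnel.find("p2"))
    findings = []
    if p1 is None:
        findings.append(f"{descr}: phase 1 lifetime missing or not numeric")
    if p2 is None:
        findings.append(f"{descr}: phase 2 lifetime missing or not numeric")
    if p1 is not None and p2 is not None and p1 <= p2:
        # The phase 1 (ISAKMP) SA should outlive the phase 2 (IPsec) keys it
        # negotiates; the thread suggests 86400 for phase 1 and 3600 for phase 2.
        findings.append(
            f"{descr}: phase 1 lifetime {p1} is not longer than phase 2 lifetime {p2}"
        )
    if p2 is not None and p2 > MAX_P2_LIFETIME:
        findings.append(
            f"{descr}: phase 2 lifetime {p2} exceeds one day ({MAX_P2_LIFETIME})"
        )
    return findings


def check_config(xml_text):
    """Parse a config in the shape above and map each tunnel's <descr> to its
    findings; an empty list means the lifetimes pass both rules."""
    root = ET.fromstring(xml_text)
    return {
        (t.findtext("descr") or "<no descr>").strip(): check_tunnel(t)
        for t in root.iter("tunnel")
    }


if __name__ == "__main__":
    # Phase 1 lifetime as posted in the thread (28880) with an assumed one-day
    # phase 2 lifetime: this trips the "phase 1 not longer than phase 2" rule.
    for descr, findings in check_config(build_config(28880, 86400)).items():
        print(descr, findings or "ok")
```

Running the block as written reports the phase 1 / phase 2 ordering problem for the constructed tunnel; `build_config(86400, 3600)`, the values suggested at the end of the thread, passes cleanly.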