 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.3b2 - broken IPSec tunnels to Cisco PIX
 Date:  Thu, 28 Dec 2006 11:23:52 +0100

I have a 1.3b2 running a VPN to a PIX without any problems.
Too bad you don't have access to the PIX since I guess it is a lifetime mismatch.
I know that PIX (and ASA) are pretty restrictive regarding lifetime negotiation.
Actually every IPSec endpoint should negotiate the lifetime with its peer, and both should take the shortest one.
Don't ask me why, but with some IPSec implementations negotiation works, with others it does not.

Try to configure matching lifetimes.
The PIX defaults to 86400 sec for phase-1 and 28800 for phase-2.


Shaun Sutterfield wrote:
> I have 6 IPSec tunnels continuously running from my office to client 
> sites.  Two of them are to Cisco PIXes.  No problems in the past, but 
> was eager to offer some testing of 1.3b2, so I installed it yesterday 
> afternoon.
> Well, since then, the two tunnels that go to PIXes have been acting up. 
>  Three times, they just stopped passing traffic for a few hours (caused 
> Nagios, which runs in my office, to think the client sites were down).
> I downgraded a few hours ago back to 1.22 and everything is fine again.
> Sorry, I did not have a chance to gather any debug information--but, I'm 
> willing to run the experiment again in a few days if you can tell me any 
> specifics on what information you would like.
> (for what it's worth, the upgrade & downgrade went very smoothly :-)
> Generic PC image (using a CF card)
> VPN tunnels UNAFFECTED are all using blowfish-cbc for the encryption 
> (going to M0n0walls I've set up at my client sites that are all running 
> 1.22)
> The two tunnels affected were using 3des-cbc, connecting to Cisco PIXes 
> (sorry, don't know specifics on the config on the PIXes themselves, as I 
> don't personally have access to them).
> Again, I would love to contribute some helpful information--outline what 
> you'd like.
> - Shaun

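The lifetime-mismatch theory in the reply above, as an added example that is not part of the thread and not m0n0wall or Cisco code: a small Python model of what happens when one peer adopts the shorter of the two configured lifetimes and the other keeps its own. The "strict" peer behaviour, the per-phase blackhole-window arithmetic and the sample m0n0wall values are simplifying assumptions made for the example; only the PIX defaults (86400 s phase 1, 28800 s phase 2) come from the message.

```python
"""Illustrative model of IKE/IPsec SA lifetime negotiation between two
peers. Added example for this thread, not m0n0wall or Cisco code; the
"strict" behaviour and the mismatch-window arithmetic are simplifying
assumptions, not a description of either product's implementation."""

from dataclasses import dataclass

# Defaults quoted in the thread for the Cisco PIX (seconds).
PIX_DEFAULT_PHASE1 = 86400
PIX_DEFAULT_PHASE2 = 28800


@dataclass
class Peer:
    name: str
    phase1: int              # configured phase-1 (IKE SA) lifetime, seconds
    phase2: int              # configured phase-2 (IPsec SA) lifetime, seconds
    negotiates: bool = True  # False: keeps its own value regardless of peer


def configured(peer: Peer, phase: int) -> int:
    """Return the lifetime a peer has configured for phase 1 or 2."""
    if phase not in (1, 2):
        raise ValueError("phase must be 1 or 2")
    return peer.phase1 if phase == 1 else peer.phase2


def effective_lifetimes(a: Peer, b: Peer, phase: int) -> dict:
    """Lifetime each side will actually enforce for the given phase.

    A negotiating peer adopts the shorter of the two configured values
    (the behaviour the reply says every endpoint should have); a strict
    peer keeps its own configured value (assumed model of a non-negotiating
    implementation)."""
    own_a, own_b = configured(a, phase), configured(b, phase)
    shortest = min(own_a, own_b)
    eff_a = shortest if a.negotiates else own_a
    eff_b = shortest if b.negotiates else own_b
    return {a.name: eff_a, b.name: eff_b}


def blackhole_window(a: Peer, b: Peer, phase: int) -> int:
    """Seconds during which the SA has expired on one side but is still
    in use on the other: from the earlier expiry to the later one. Zero
    means both sides expire together. Worst-case assumption: neither side
    rekeys early or notices the peer's deletion (no dead-peer detection)."""
    lifetimes = list(effective_lifetimes(a, b, phase).values())
    return max(lifetimes) - min(lifetimes)


def check_against_pix_defaults(peer: Peer) -> list:
    """Report lifetimes that differ from the PIX defaults given in the
    thread; an empty list means the configuration matches them."""
    problems = []
    if peer.phase1 != PIX_DEFAULT_PHASE1:
        problems.append(
            f"phase-1 lifetime {peer.phase1}s != PIX default {PIX_DEFAULT_PHASE1}s")
    if peer.phase2 != PIX_DEFAULT_PHASE2:
        problems.append(
            f"phase-2 lifetime {peer.phase2}s != PIX default {PIX_DEFAULT_PHASE2}s")
    return problems


if __name__ == "__main__":
    # Constructed sample: a firewall with shorter lifetimes facing a strict
    # PIX left at its defaults. The m0n0wall values are illustrative only.
    fw = Peer("m0n0wall", phase1=28800, phase2=3600)
    pix = Peer("PIX", PIX_DEFAULT_PHASE1, PIX_DEFAULT_PHASE2, negotiates=False)
    for phase in (1, 2):
        print(f"phase {phase}: {effective_lifetimes(fw, pix, phase)} "
              f"-> mismatch window {blackhole_window(fw, pix, phase) // 3600} h")
    for line in check_against_pix_defaults(fw):
        print("fix:", line)
```

With the constructed values, the phase-2 SA expires after one hour on the firewall but after eight on the strict PIX, giving a seven-hour window in which one side still sends into an SA the other has discarded, which is the "stopped passing traffic for a few hours" symptom the thread describes. Setting both lifetimes to the PIX values empties `check_against_pix_defaults` and collapses the window to zero.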