 From:  "Jai Ketteridge" <jai at innaloo dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] 1.3b2 - broken IPSec tunnels to Cisco PIX
 Date:  Thu, 28 Dec 2006 22:00:55 +0900
What's interesting is that a different PIX setup guide I've seen says to set
phase 1 to 28800? And the m0n0wall setup says phase 2 to 14400. It's so
confusing!

http://www.isaserver.org/tutorials/Implementing-IPSEC-Site-to-Site-VPN-between-ISA-Server-2006-Beta-Cisco-PIX-501.html

Could someone please explain exactly what phase 1 is, exactly what timings
are suitable, what phase 2 is and what timings are suitable!

Thank you everybody!

JK

-----Original Message-----
From: Daniele Guazzoni [mailto:daniele dot guazzoni at gcomm dot ch]
Sent: Thursday, 28 December 2006 7:24 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] 1.3b2 - broken IPSec tunnels to Cisco PIX


Shaun

I have a 1.3b2 running a VPN to a PIX without any problems.
Too bad you don't have access to the PIX since I guess it is a lifetime
mismatch.
I know that PIX (and ASA) are pretty restrictive regarding lifetime
negotiation.
Actually every IPSec endpoint should negotiate the lifetime with its peer
and both should take the shortest one.
Don't ask me why, but with some IPSec implementations the negotiation works,
with some others it does not.

Try to configure matching lifetimes.
The PIX defaults to 86400 sec for phase-1 and 28800 for phase-2.

Daniele

Shaun Sutterfield wrote:
> I have 6 IPSec tunnels continuously running from my office to client
> sites.  Two of them are to Cisco PIX's.  No problems in the past, but
> was eager to offer some testing of 1.3b2, so I installed it yesterday
> afternoon.
>
> Well, since then, the two tunnels that go to PIX's have been acting up.
>  Three times, they just stopped passing traffic for a few hours (caused
> Nagios which runs in my office to think the client sites were down)
>
> I downgraded a few hours ago back to 1.22 and everything is fine again.
>
> Sorry, I did not have a chance to gather any debug information--but, I'm
> willing to run the experiment again in a few days if you can tell me any
> specifics on what information you would like.
>
> (for what it's worth, the upgrade & downgrade went very smoothly :-)
>
> Generic PC image (using a CF card)
> VPN tunnels UNAFFECTED are all using blowfish-cbc for the encryption
> (going to M0n0walls I've setup at my client sites that are all running
> 1.22)
> The two tunnels affected were using 3des-cbc, connecting to Cisco PIX's
> (sorry, don't know specifics on the config on the PIX's themselves, as I
> don't personally have access to them).
>
> Again, I would love to contribute some helpful information--outline what
> you'd like.
>
> - Shaun
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>

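Daniele's advice above is to configure matching lifetimes on both ends, and Jai's question is which value belongs to which phase. The script below is an added example for this thread, not code from m0n0wall, racoon or Cisco. It pulls the phase-1 (ISAKMP SA) and phase-2 (IPsec SA) lifetimes out of a racoon.conf fragment of the kind m0n0wall generates for its tunnels and out of a PIX configuration, then reports which phase disagrees and which value wins if both peers honour the shorter one. Both configuration fragments are constructed for the example (RFC 5737 documentation addresses; the 14400 on the racoon side is the phase-2 figure the m0n0wall guide gives, the PIX values are the defaults Daniele lists); the function names and the `PIX_DEFAULTS` table are the example's own.

```python
"""Compare IKE phase-1 / IPsec phase-2 lifetimes on a m0n0wall (racoon) <-> PIX tunnel.
Added example, not m0n0wall, racoon or Cisco code; both config fragments are constructed."""
import re

# Constructed racoon.conf fragment: phase-1 lifetime lives in proposal {},
# phase-2 lifetime in sainfo {}.  14400 is the figure the m0n0wall guide quotes.
RACOON_CONF = """\
remote 203.0.113.10 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        authentication_method pre_shared_key;
        lifetime time 86400 sec;
    }
}
sainfo address 192.168.1.0/24 any address 10.0.0.0/24 any {
    encryption_algorithm 3des;
    lifetime time 14400 sec;
}
"""

# Constructed PIX 6.x fragment using the factory-default lifetimes (86400 / 28800).
PIX_CONF = """\
isakmp policy 10 encryption 3des
isakmp policy 10 lifetime 86400
crypto ipsec security-association lifetime seconds 28800
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer 198.51.100.5
"""

PIX_DEFAULTS = {"phase1": 86400, "phase2": 28800}  # used when the PIX has no explicit line

_UNIT = {"sec": 1, "min": 60, "hour": 3600}
_BLOCK_OPEN = re.compile(r"^\s*(\w+)\b.*\{\s*$")
_RACOON_LT = re.compile(r"lifetime\s+time\s+(\d+)\s+(sec|min|hour)\s*;")
_PIX_ISAKMP = re.compile(r"^isakmp policy (\d+) lifetime (\d+)$")
_PIX_GLOBAL = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)$")
_PIX_MAP = re.compile(r"^crypto map \S+ \d+ set security-association lifetime seconds (\d+)$")


def racoon_lifetimes(text):
    """Walk the brace blocks so each 'lifetime time' is attributed to the
    enclosing proposal {} (phase 1) or sainfo {} (phase 2)."""
    stack, found = [], {}
    for line in text.splitlines():
        m = _RACOON_LT.search(line)
        if m:
            secs = int(m.group(1)) * _UNIT[m.group(2)]
            if "proposal" in stack:
                found["phase1"] = secs
            elif "sainfo" in stack:
                found["phase2"] = secs
            continue
        opened = _BLOCK_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
        elif line.strip().startswith("}") and stack:
            stack.pop()
    return found


def pix_lifetimes(text):
    """Lowest-numbered isakmp policy is tried first, so its lifetime is taken as
    the phase-1 value; a per-crypto-map SA lifetime overrides the global one."""
    policies, global_p2, map_p2 = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _PIX_ISAKMP.match(line)
        if m:
            policies[int(m.group(1))] = int(m.group(2))
            continue
        m = _PIX_GLOBAL.match(line)
        if m:
            global_p2 = int(m.group(1))
            continue
        m = _PIX_MAP.match(line)
        if m:
            map_p2 = int(m.group(1))
    phase1 = policies[min(policies)] if policies else PIX_DEFAULTS["phase1"]
    phase2 = map_p2 if map_p2 is not None else (
        global_p2 if global_p2 is not None else PIX_DEFAULTS["phase2"])
    return {"phase1": phase1, "phase2": phase2}


def compare(a, b, name_a="m0n0wall", name_b="PIX"):
    """Per phase: do both ends agree, and which value wins if the peers settle on
    the shorter one.  A strict peer may instead reject the proposal outright,
    which is why matching values are the safe configuration."""
    report = {}
    for phase in ("phase1", "phase2"):
        va, vb = a[phase], b[phase]
        report[phase] = {name_a: va, name_b: vb, "match": va == vb, "effective": min(va, vb)}
    return report


if __name__ == "__main__":
    for phase, r in compare(racoon_lifetimes(RACOON_CONF), pix_lifetimes(PIX_CONF)).items():
        status = "ok" if r["match"] else "MISMATCH"
        print(f"{phase}: m0n0wall={r['m0n0wall']}s PIX={r['PIX']}s -> {status}, effective {r['effective']}s")
```

Run as-is it reports phase 1 matching at 86400 and a phase-2 mismatch (14400 against the PIX default 28800). Feed it the real racoon.conf from the m0n0wall box and a `show running-config` from the PIX to audit an actual tunnel; if only one side is available, compare its values against the defaults of the other.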