 From:  Michael Stecher <Michael dot Stecher at cib dot de>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification
 Date:  Tue, 25 Nov 2008 15:21:00 +0100
Hello List!

I've got a problem with our IPSec tunnel. The tunnel works fine for about an hour. After this time we
can't send any packets. Only a restart of the tunnel brings it up again - for about the next hour.

Maybe this is the problem:

At the beginning of the connection we receive this warning:
racoon: WARNING: attribute has been modified.
racoon: WARNING: ignore RESPONDER-LIFETIME notification.

I've found some threads about this problem. To solve this problem we should use the same key lifetime as
our peer. The peer has a lifetime (phase 1) of about 86400 secs.

But whatever I set this value to, the peer will receive a lifetime of 28800:
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
Nov 25 12:11:51.899: ISAKMP:      life type in seconds
Nov 25 12:11:51.899: ISAKMP:      life duration (basic) of 28800
Nov 25 12:11:51.899: ISAKMP:      encryption 3DES-CBC
Nov 25 12:11:51.899: ISAKMP:      auth pre-share
Nov 25 12:11:51.899: ISAKMP:      hash SHA
Nov 25 12:11:51.899: ISAKMP:      default group 5
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

Does anybody know this problem? Is there another problem?

The peer is a CISCO router, I don't know which one. On our side it's a m0n0wall 1.3b15.

Many thanks for your help.

Kind regards,
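
Added example, not part of the original post: Python that parses the peer-side ISAKMP debug lines quoted in the message and lists each transform whose offered lifetime differs from an expected value. The function names and the expected value passed in by the caller (for instance 86400, the peer lifetime mentioned in the post) are assumptions of this example.

```python
import re

# Peer-side ISAKMP debug lines, copied from the post above.
SAMPLE_LOG = """\
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
Nov 25 12:11:51.899: ISAKMP:      life type in seconds
Nov 25 12:11:51.899: ISAKMP:      life duration (basic) of 28800
Nov 25 12:11:51.899: ISAKMP:      encryption 3DES-CBC
Nov 25 12:11:51.899: ISAKMP:      auth pre-share
Nov 25 12:11:51.899: ISAKMP:      hash SHA
Nov 25 12:11:51.899: ISAKMP:      default group 5
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s{2,}(\S.*?)\s+(\S+)\s*$")  # name, then last token = value


def parse_transforms(log):
    """Group attribute lines under the 'Checking ISAKMP transform' line they follow."""
    transforms = []
    for line in log.splitlines():
        check, attr = CHECK_RE.search(line), ATTR_RE.search(line)
        if check:
            transforms.append({"transform": int(check.group(1)), "accepted": False,
                               "priority": int(check.group(2)), "attrs": {}})
        elif not transforms:
            continue  # attribute line before any transform header
        elif "atts are acceptable" in line:
            transforms[-1]["accepted"] = True
        elif attr:
            transforms[-1]["attrs"][attr.group(1)] = attr.group(2)
    return transforms


def lifetime_mismatches(transforms, expected_seconds):
    """Return (transform, offered) pairs whose lifetime in seconds differs."""
    # Only the "(basic)" form from the post is read; other encodings give None.
    out = []
    for t in transforms:
        attrs = t["attrs"]
        if attrs.get("life type in") != "seconds":
            continue  # a non-time lifetime cannot be compared with seconds
        raw = attrs.get("life duration (basic) of", "")
        offered = int(raw) if raw.isdigit() else None
        if offered != expected_seconds:
            out.append((t["transform"], offered))
    return out
```

Calling `lifetime_mismatches(parse_transforms(SAMPLE_LOG), 86400)` on the quoted lines returns `[(1, 28800)]`.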