 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  Michael Stecher <Michael dot Stecher at cib dot de>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification
 Date:  Tue, 25 Nov 2008 18:59:41 -0500
Michael Stecher wrote:
> Hello List!
> I've got a problem with our IPSec tunnel. The tunnel works fine for about an hour. After this time we
> can't send any packets. Only a restart of the tunnel brings it up again - for about the next hour.
> Maybe this is the problem:
> At the beginning of the connection we receive this warning:
> racoon: WARNING: attribute has been modified.
> racoon: WARNING: ignore RESPONDER-LIFETIME notification.
> I've found some threads about this problem. To solve this problem we should use the same key lifetime
> as our peer. The peer has a lifetime (phase 1) of about 86400 secs.
> But whatever I set this value the peer will receive a lifetime of 28800:
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
> Nov 25 12:11:51.899: ISAKMP:      life type in seconds
> Nov 25 12:11:51.899: ISAKMP:      life duration (basic) of 28800
> Nov 25 12:11:51.899: ISAKMP:      encryption 3DES-CBC
> Nov 25 12:11:51.899: ISAKMP:      auth pre-share
> Nov 25 12:11:51.899: ISAKMP:      hash SHA
> Nov 25 12:11:51.899: ISAKMP:      default group 5
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
> Does anybody know this problem? Is there another problem?
> The peer is a CISCO router, I don't know which one. On our side it's a m0n0wall 1.3b15.
> Many thanks for your help.
> Kind regards,
> Michael
I have 4 tunnels set up from my m0n0wall (also 1.3b15) to Cisco routers 
that are reliable and stay up 24/7.  However, I've had the problem you 
are having and it was always a mismatch of the lifetime setting.  Be 
110% sure these numbers match or you will be constantly trying to figure 
out why they come up and then drop.  For reference, I have my lifetime 
setting on 3600 seconds.  However, my setting may not be what you 
need/want.  I am simply stating that setting to demonstrate that what 
you put in that setting does matter.  I know that 28800 is the default 
setting on a Cisco and it appears you probably haven't changed that to 
match the 86400 you have on the m0n0wall.  Try setting the m0n0wall to 
28800.  If you could show us your configs on both sides we may be able 
to help further.


P.S. Those racoon warnings are just that, warnings.  I have the 
identical warnings with stable tunnels.
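The thread boils down to one check: the Phase 1 lifetime that racoon is configured with, the lifetime that actually went out on the wire (which the Cisco side prints in its `debug crypto isakmp` output), and the lifetime in the matching `crypto isakmp policy` on the Cisco must all agree. The script below, an added example that is neither from the original post nor part of m0n0wall or racoon, pulls those three values out of text and flags where they disagree. The debug lines are the ones Michael posted; the racoon.conf and IOS fragments are constructed, and their addresses and values are hypothetical. It runs offline on the embedded strings.

```python
import re

# Cisco "debug crypto isakmp" lines as posted in the thread.
CISCO_DEBUG = """\
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
Nov 25 12:11:51.899: ISAKMP:      life type in seconds
Nov 25 12:11:51.899: ISAKMP:      life duration (basic) of 28800
Nov 25 12:11:51.899: ISAKMP:      encryption 3DES-CBC
Nov 25 12:11:51.899: ISAKMP:      auth pre-share
Nov 25 12:11:51.899: ISAKMP:      hash SHA
Nov 25 12:11:51.899: ISAKMP:      default group 5
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
"""

# Constructed racoon.conf fragment (hypothetical peer address and values).
RACOON_CONF = """\
remote 203.0.113.1 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
                lifetime time 86400 sec;
        }
}
"""

# Constructed Cisco IOS ISAKMP policy (hypothetical, matching the debug's priority 8).
CISCO_CONF = """\
crypto isakmp policy 8
 encr 3des
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
"""

PRIORITY = re.compile(r"against priority (\d+) policy")
LIFE_TYPE = re.compile(r"life type in (\w+)")
LIFE_DURATION = re.compile(r"life duration \(basic\) of (\d+)")
RACOON_LIFETIME = re.compile(r"lifetime\s+time\s+(\d+)\s*(sec|min|hour)s?\s*;")
IOS_POLICY = re.compile(r"^crypto isakmp policy (\d+)[ \t]*$", re.M)
IOS_LIFETIME = re.compile(r"^[ \t]+lifetime (\d+)[ \t]*$", re.M)
UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600}


def proposed_lifetime(debug):
    """Seconds-type lifetime the Cisco saw in the peer's transform, or None."""
    life_type = None
    for line in debug.splitlines():
        m = LIFE_TYPE.search(line)
        if m:
            life_type = m.group(1)
            continue
        m = LIFE_DURATION.search(line)
        if m and life_type == "seconds":
            return int(m.group(1))
    return None


def racoon_lifetime(conf):
    """Phase 1 'lifetime time N unit;' from a racoon.conf fragment, in seconds."""
    m = RACOON_LIFETIME.search(conf)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] if m else None


def ios_policy_lifetime(conf, priority):
    """Explicit 'lifetime' under 'crypto isakmp policy <priority>', else None."""
    parts = IOS_POLICY.split(conf)  # [preamble, prio, body, prio, body, ...]
    for prio, body in zip(parts[1::2], parts[2::2]):
        if int(prio) == priority:
            m = IOS_LIFETIME.search(body)
            return int(m.group(1)) if m else None
    return None


def check_phase1(racoon_conf, cisco_debug, cisco_conf):
    """Compare configured, on-wire and peer-policy lifetimes; report disagreements."""
    pm = PRIORITY.search(cisco_debug)
    priority = int(pm.group(1)) if pm else None
    configured = racoon_lifetime(racoon_conf)
    on_wire = proposed_lifetime(cisco_debug)
    peer = ios_policy_lifetime(cisco_conf, priority) if priority is not None else None
    findings = []
    if None not in (configured, on_wire) and configured != on_wire:
        findings.append(f"racoon.conf says {configured}s but the peer saw {on_wire}s: "
                        "what went on the wire is not what the file says (stale config?)")
    if None not in (on_wire, peer) and on_wire != peer:
        findings.append(f"proposal {on_wire}s vs Cisco policy {priority} lifetime {peer}s: "
                        "expect a RESPONDER-LIFETIME notify, which racoon only logs and ignores")
    if priority is not None and peer is None:
        findings.append(f"no explicit lifetime under crypto isakmp policy {priority}; "
                        "confirm the platform default before assuming a match")
    return {"priority": priority, "racoon_conf": configured, "on_wire": on_wire,
            "cisco_policy": peer, "mismatch": bool(findings), "findings": findings}


if __name__ == "__main__":
    for line in check_phase1(RACOON_CONF, CISCO_DEBUG, CISCO_CONF)["findings"]:
        print(line)
```

With the embedded inputs the script reports the situation in the thread: the file says 86400 but the Cisco saw 28800, so the first thing to verify is whether the running racoon instance actually loaded that value. Changing the racoon.conf fragment to 28800 makes all three values agree and the report comes back empty.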