Michael Stecher wrote:
> Hello List!
> I've got a problem with our IPSec tunnel. Tunnel works fine for about an hour. After this time we
> can't send any packets. Only a restart of the tunnel brings it up again - for about the next hour.
> Maybe this is the problem:
> At the beginning of the connection we receive this warning:
> racoon: WARNING: attribute has been modified.
> racoon: WARNING: ignore RESPONDER-LIFETIME notification.
> I've found some threads about this problem. To solve this problem we should use the same key lifetime
> as our peer. The peer has a lifetime (phase 1) of about 86400 secs.
> But whatever I set this value to, the peer will receive a lifetime of 28800:
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
> Nov 25 12:11:51.899: ISAKMP: life type in seconds
> Nov 25 12:11:51.899: ISAKMP: life duration (basic) of 28800
> Nov 25 12:11:51.899: ISAKMP: encryption 3DES-CBC
> Nov 25 12:11:51.899: ISAKMP: auth pre-share
> Nov 25 12:11:51.899: ISAKMP: hash SHA
> Nov 25 12:11:51.899: ISAKMP: default group 5
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
> Does anybody know this problem? Is there another problem?
> The peer is a CISCO router, I don't know which one. On our side it's a m0n0wall 1.3b15.
> Many thanks for your help.
> Kind regards,
I have 4 tunnels set up from my m0n0wall (also 1.3b15) to Cisco routers
that are reliable and stay up 24/7. However, I've had the problem you
are having and it was always a mismatch of the lifetime setting. Be
110% sure these numbers match or you will be constantly trying to figure
out why they come up then drop. For reference, I have my lifetime
setting on 3600 seconds. However, my setting may not be what you
need/want. I am simply stating that setting to demonstrate that what
you put in that setting does matter. I know that 28800 is the default
setting on a Cisco and it appears you probably haven't changed that to
match your 86400 you have on the m0n0wall. Try setting the m0n0wall to
28800. If you could show us your configs on both sides we may be able
to help further.
P.S. Those racoon warnings are just that, warnings. I have the
identical warnings with stable tunnels.
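A quick way to verify the advice above is to parse the Cisco ISAKMP debug output quoted in the thread and compare the attributes it reports against the phase 1 settings you believe are configured locally. This is an added example, not code from either poster or from m0n0wall/racoon; the local settings dict is a hypothetical stand-in for what the m0n0wall GUI shows.

```python
import re

# Cisco ISAKMP debug lines exactly as quoted in the thread (constructed input
# for this example): the attributes the router evaluated for transform 1.
CISCO_DEBUG = """\
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
Nov 25 12:11:51.899: ISAKMP: life type in seconds
Nov 25 12:11:51.899: ISAKMP: life duration (basic) of 28800
Nov 25 12:11:51.899: ISAKMP: encryption 3DES-CBC
Nov 25 12:11:51.899: ISAKMP: auth pre-share
Nov 25 12:11:51.899: ISAKMP: hash SHA
Nov 25 12:11:51.899: ISAKMP: default group 5
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
"""

# Hypothetical local phase 1 settings (what the poster believed was configured).
LOCAL_PHASE1 = {
    "lifetime": 86400,
    "encryption": "3DES-CBC",
    "auth": "pre-share",
    "hash": "SHA",
    "group": 5,
}

# One regex per attribute line in the Cisco debug format.
ATTR_PATTERNS = {
    "lifetime": re.compile(r"ISAKMP: life duration \(basic\) of (\d+)"),
    "encryption": re.compile(r"ISAKMP: encryption (\S+)"),
    "auth": re.compile(r"ISAKMP: auth (\S+)"),
    "hash": re.compile(r"ISAKMP: hash (\S+)"),
    "group": re.compile(r"ISAKMP: default group (\d+)"),
}


def parse_isakmp_transform(debug_text):
    """Extract the phase 1 attributes a Cisco 'debug crypto isakmp' dump reports."""
    attrs = {}
    for line in debug_text.splitlines():
        for name, pat in ATTR_PATTERNS.items():
            m = pat.search(line)
            if m:
                attrs[name] = int(m.group(1)) if name in ("lifetime", "group") else m.group(1)
    return attrs


def compare_phase1(local, peer):
    """Return {attribute: (local, peer)} for every attribute that does not match."""
    return {k: (local[k], peer.get(k)) for k in local if peer.get(k) != local[k]}
```

Running `compare_phase1(LOCAL_PHASE1, parse_isakmp_transform(CISCO_DEBUG))` on the thread's log isolates the lifetime as the only differing attribute, which is the mismatch the reply points to.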