 
 From:  Eric Boudrand <eric at boudrand dot net>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification
 Date:  Wed, 26 Nov 2008 10:24:15 +0100
Hello, 

> I've got a problem with our IPSec tunnel. Tunnel works fine for about an hour. After this time we
> can't send any packets. Only a restart of the tunnel brings it up again - for about the next hour.

What do you have in the logs? You can't send IKE packets or ESP packets?

> Maybe this is the problem:
> 
> At the beginning of the connection we receive this warning:
> racoon: WARNING: attribute has been modified.
> racoon: WARNING: ignore RESPONDER-LIFETIME notification.

You can find details about this notification in RFC 2407 section 4.5.4.
RESPONDER-LIFETIME notification is sent by the responder (that is the
Cisco) when "the initiator offers an SA lifetime longer than the
responder is willing to accept". Racoon is ignoring the fact that the
Cisco cannot deal with its lifetime.

> I've found some threads about this problem. To solve this problem we should use the same key lifetime
> as our peer. The peer has a lifetime (phase 1) of about 86400 secs.
> 
> But whatever I set this value to, the peer will receive a lifetime of 28800:
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
> Nov 25 12:11:51.899: ISAKMP:      life type in seconds
> Nov 25 12:11:51.899: ISAKMP:      life duration (basic) of 28800
> Nov 25 12:11:51.899: ISAKMP:      encryption 3DES-CBC
> Nov 25 12:11:51.899: ISAKMP:      auth pre-share
> Nov 25 12:11:51.899: ISAKMP:      hash SHA
> Nov 25 12:11:51.899: ISAKMP:      default group 5
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
> 
> Does anybody know this problem? Is there another problem?
> 
> The peer is a CISCO router, I don't know which one. On our side it's a m0n0wall 1.3b15.

Do you have several tunnels on the CISCO?

Regards.
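To make the lifetime mismatch concrete, here is an added example (mine, not from the thread, racoon or m0n0wall) that models the RFC 2407 section 4.5.4 behaviour described above and checks constructed racoon and Cisco log samples in the formats quoted in the thread. The function names and the 86400/28800 scenario are illustrative assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample inputs: the racoon warning and the Cisco ISAKMP debug lines in the
# formats quoted in the thread (samples for the example, not a live capture).
RACOON_LOG = """\
racoon: WARNING: attribute has been modified.
racoon: WARNING: ignore RESPONDER-LIFETIME notification.
"""
CISCO_DEBUG = """\
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
Nov 25 12:11:51.899: ISAKMP:      life type in seconds
Nov 25 12:11:51.899: ISAKMP:      life duration (basic) of 28800
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
"""

LIFE_RE = re.compile(r"life duration \(basic\) of (\d+)")

def offered_lifetime(debug: str) -> Optional[int]:
    """Lifetime in seconds that the initiator proposed, as logged by the responder."""
    m = LIFE_RE.search(debug)
    return int(m.group(1)) if m else None

def initiator_ignored_notify(log: str) -> bool:
    """True when the initiator logged that it dropped a RESPONDER-LIFETIME notification."""
    return "ignore RESPONDER-LIFETIME notification" in log

def negotiate(offered: int, responder_max: int, honours_notify: bool) -> Tuple[int, int, bool]:
    """Model of RFC 2407 section 4.5.4: the responder keeps the SA at min(offered, its own
    limit) and sends RESPONDER-LIFETIME only when it shortened the offer. Returns
    (initiator_view, responder_view, notified). An initiator that ignores the notification
    keeps believing its own offer."""
    responder_view = min(offered, responder_max)
    notified = responder_view < offered
    initiator_view = responder_view if (notified and honours_notify) else offered
    return initiator_view, responder_view, notified

def disagreement_window(offered: int, responder_max: int, honours_notify: bool) -> int:
    """Seconds for which the initiator still treats the SA as live after the responder has
    expired it. 0 means both ends rekey on the same schedule."""
    initiator_view, responder_view, _ = negotiate(offered, responder_max, honours_notify)
    return max(0, initiator_view - responder_view)

if __name__ == "__main__":
    print("offered lifetime:", offered_lifetime(CISCO_DEBUG))        # 28800
    print("notify ignored:", initiator_ignored_notify(RACOON_LOG))   # True
    # Assumed mismatch scenario: offer 86400 s to a peer that only accepts 28800 s.
    print("window if ignored:", disagreement_window(86400, 28800, False))   # 57600
    print("window if honoured:", disagreement_window(86400, 28800, True))   # 0
```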