 From:  Michael Stecher <Michael dot Stecher at cib dot de>
 To:  'Eric Boudrand' <eric at boudrand dot net>, "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification
 Date:  Wed, 26 Nov 2008 11:26:15 +0100
Hello Eric,

you can find my logs in a separate mail to the mailing list.

This is our first tunnel between m0n0wall and cisco. We've got some stable tunnels between some
m0n0walls on other hardware without any problems.

I think we can send IKE and ESP. The peer told me that ESP, UDP 500 and UDP 4500 are opened for us.

Many thanks.

Kind regards,
Michael (133)

-----Original Message-----
From: Eric Boudrand [mailto:eric at boudrand dot net]
Sent: Wednesday, 26 November 2008 10:24
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME


> I've got a problem with our IPSec tunnel. The tunnel works fine for about an hour. After this time we
> can't send any packets. Only a restart of the tunnel brings it up again - for about the next hour.

What do you have in the logs? You can't send IKE packets or ESP packets?

> Maybe this is the problem:
> At the beginning of the connection we receive this warning:
> racoon: WARNING: attribute has been modified.
> racoon: WARNING: ignore RESPONDER-LIFETIME notification.

You can find details about this notification in RFC 2407 section 4.5.4.
The RESPONDER-LIFETIME notification is sent by the responder (that is, the
Cisco) when "the initiator offers an SA lifetime longer than the
responder is willing to accept". The racoon is ignoring the fact that the
Cisco cannot deal with its lifetime.

> I've found some threads about this problem. To solve this problem we should use the same key lifetime
> as our peer. The peer has a lifetime (phase 1) of about 86400 secs.
> But whatever I set this value to, the peer will receive a lifetime of 28800:
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
> Nov 25 12:11:51.899: ISAKMP:      life type in seconds
> Nov 25 12:11:51.899: ISAKMP:      life duration (basic) of 28800
> Nov 25 12:11:51.899: ISAKMP:      encryption 3DES-CBC
> Nov 25 12:11:51.899: ISAKMP:      auth pre-share
> Nov 25 12:11:51.899: ISAKMP:      hash SHA
> Nov 25 12:11:51.899: ISAKMP:      default group 5
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
> Does anybody know this problem? Is there another problem?
> The peer is a CISCO router, I don't know which one. On our side it's a m0n0wall 1.3b15.

Do you have several tunnels on the CISCO?
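Added example, not part of the thread or of m0n0wall/racoon: a small Python helper that pulls the Phase 1 transform attributes out of Cisco ISAKMP debug lines like the ones quoted above and models the RFC 2407 section 4.5.4 lifetime rule, so you can see the expiry disagreement that results when an initiator ignores a RESPONDER-LIFETIME notification. The sample debug lines are constructed from those in the thread; the function and key names are my own.

```python
import re

# Constructed sample modelled on the "debug crypto isakmp" lines quoted in the
# thread: the m0n0wall (initiator) offers a 28800 s Phase 1 lifetime.
SAMPLE_DEBUG = """\
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
Nov 25 12:11:51.899: ISAKMP:      life type in seconds
Nov 25 12:11:51.899: ISAKMP:      life duration (basic) of 28800
Nov 25 12:11:51.899: ISAKMP:      encryption 3DES-CBC
Nov 25 12:11:51.899: ISAKMP:      auth pre-share
Nov 25 12:11:51.899: ISAKMP:      hash SHA
Nov 25 12:11:51.899: ISAKMP:      default group 5
Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
"""

ATTR_PATTERNS = {
    "life_type": re.compile(r"ISAKMP:\s+life type in (\w+)"),
    "life_duration": re.compile(r"ISAKMP:\s+life duration \(\w+\) of (\d+)"),
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "group": re.compile(r"ISAKMP:\s+default group (\d+)"),
}


def parse_phase1_transform(debug_text):
    """Return the Phase 1 transform attributes the initiator proposed."""
    attrs = {}
    for line in debug_text.splitlines():
        for name, pattern in ATTR_PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1)
                attrs[name] = int(value) if value.isdigit() else value
    return attrs


def lifetime_negotiation(offered, responder_max, initiator_honours_notify):
    """RFC 2407 section 4.5.4: the responder brings the SA up either way, but
    if the offer exceeds its own lifetime it uses the shorter value and says
    so with a RESPONDER-LIFETIME notification. An initiator that ignores the
    notification (racoon's WARNING above) keeps the longer value."""
    notify_sent = offered > responder_max
    responder_lifetime = min(offered, responder_max)
    initiator_lifetime = responder_lifetime if (notify_sent and initiator_honours_notify) else offered
    return {
        "notify_sent": notify_sent,
        "responder_lifetime": responder_lifetime,
        "initiator_lifetime": initiator_lifetime,
        "mismatch": initiator_lifetime != responder_lifetime,
    }
```

With the thread's values (28800 offered, 86400 on the Cisco) no notification is due, which is why the debug shows "atts are acceptable"; the mismatch only appears when the offer is the longer one and the notification is dropped.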
