 From:  Vincent Fleuranceau <vincent at bikost dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec VPN Problem on Monowall 1.0
 Date:  Tue, 03 Aug 2004 12:21:21 +0200
-------- Original Message --------

> From http://www.onlamp.com/lpt/a/3009
> "It is your job to ensure both peers are configured with the same lifetimes.
> If they are not, it is possible for the tunnel to be established initially,
> but then cease to work when one of the mis-matched lifetime periods
> arrives".
> I would still be grateful if anyone can answer the question in my post
> below. Is the setting of SA lifetimes on the client and the server a totally
> manual process - or can you safely leave it unset on the client and rely on
> the client detecting the expiration of a SA lifetime?

Personally, I'm not an IPsec expert at all and I just try to figure out 
how and *why* things work.

So, I've changed my config this morning and I've set up P1 lifetime to 
86400 seconds and P2 to 3600 seconds. Then I manually forced the remote 
machine to reboot many times: it seems all is working fine this time! 
Still don't know why... Still don't know if the problems will occur 

In conclusion: I would recommend setting the values by hand on both ends. 
Exactly the same values, of course! My current point of view is: I need 
a working config so that my boss trusts me and lets me play with m0n0wall 
+ Soekris hardware and save money.

Curiosity is another topic. So, if any IPsec guru could answer...

I would like to thank all people who gave us feedback on that topic 
during the past days. We'll have to wait for Manuel to be back and read 
his tons of e-mail before we know what he thinks... (Manuel: good luck ;-)

-- Vincent
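
Added example, not part of the original message: one way to check that both tunnel ends carry the same Phase 1 and Phase 2 SA lifetimes before bringing the tunnel up. It assumes racoon-style `lifetime time <n> <unit>;` syntax with one `remote` and one `sainfo` block per file (the thread does not show any config file); the peer addresses and both fragments are constructed, and only the 86400/3600 second values come from the message.

```python
import re

# Constructed racoon-style fragments for the two tunnel ends (not from the thread).
# Assumption: one remote (Phase 1) and one sainfo (Phase 2) block per file.
PEER_A = """
remote 203.0.113.2 {
    exchange_mode main;
    lifetime time 86400 sec;
}
sainfo anonymous {
    lifetime time 3600 sec;
}
"""
PEER_B = """
remote 203.0.113.1 {
    exchange_mode main;
    lifetime time 8 hour;    # 28800 s: differs from the other end
}
sainfo anonymous {
    lifetime time 3600 sec;
}
"""
UNITS = {"sec": 1, "secs": 1, "second": 1, "seconds": 1, "min": 60, "mins": 60,
         "minute": 60, "minutes": 60, "hour": 3600, "hours": 3600}

def lifetimes(conf):
    """Return {'phase1': secs, 'phase2': secs}; a phase with no lifetime is absent."""
    found, section, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if depth == 0:                               # a new top-level block may start here
            m = re.match(r"(remote|sainfo)\b", line)
            section = {"remote": "phase1", "sainfo": "phase2"}[m.group(1)] if m else None
        m = re.search(r"\blifetime\s+time\s+(\d+)\s*(\w+)\s*;", line)
        if m and section:                            # also catches lifetimes in nested blocks
            found.setdefault(section, int(m.group(1)) * UNITS[m.group(2)])
        depth += line.count("{") - line.count("}")
    return found

def mismatches(conf_a, conf_b):
    """Map each phase whose lifetime differs (or is unset on one end) to (a, b)."""
    a, b = lifetimes(conf_a), lifetimes(conf_b)
    return {p: (a.get(p), b.get(p)) for p in ("phase1", "phase2") if a.get(p) != b.get(p)}

if __name__ == "__main__":
    for phase, (a, b) in mismatches(PEER_A, PEER_B).items():
        print(f"{phase}: peer A = {a} s, peer B = {b} s")
```

A lifetime left unset on one end is reported as `None` against the other end's value, so that case is flagged as a mismatch too.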