Coincidentally I have exactly the same symptoms connecting 4.1-stable (using isakmpd.conf and AES SHA1) to an unknown remote Firebox VPN gateway running "firebox software 8.3" (very sketchy information because I had to pry it out of the IT people at the remote end).

Rekeying occasionally fails: Phase 2 is down but the Phase 1 SA remains active. The Firebox side does not reply to my Phase 2 proposals until I manually kill the Phase 1 SA on my end and reestablish everything. I'm inclined to assume the problem lies at Firebox's end. But I have no access to Watchguard's support pages to see if it is a known problem.

Mitja

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, July 26, 2007 10:05 AM
> To: [email protected]
> Subject: IPSec Keylifetime using ipsecctl and ipsec.conf?
>
> Hi,
>
> I am using ipsecctl and /etc/ipsec.conf to create an IPSec tunnel to a
> WatchGuard Firebox X700 in my company. It works fine, but the
> re-keying always makes some trouble, it does not always work. My
> question now is, how can I set the keylifetimes for phase 1 and 2 in
> /etc/ipsec.conf? Is there a way to do this? The manpage does not give
> any more info...
>
> I am running an OpenBSD 4.1 current. My ipsec.conf file looks like this:
>
> ike esp from 10.240.1.0/24 to 192.168.128.0/24 \
>     peer 1.2.3.4 \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des group none \
>     psk "XXXX"
>
> Regards,
> James

