On Thu, Aug 23 2007 at 58:21, James Lepthien wrote:
> Hi again,
Hi,

> just for your information and if anybody runs into the same problem. I 
> found out that there are a lot of sysctl values for IPSec which can be 
> changed so that it is possible for me to not use the default timeout of 
> 86400. Have a look:
[...]
> net.inet.ip.ipsec-pfs=1
> net.inet.ip.ipsec-timeout=28800
> net.inet.ip.ipsec-soft-timeout=80000
[...]
The soft timeout should be lower than ipsec-timeout. From what I
understood, ipsec timeout is when isakmpd *needs* a new key pair.
ipsec-soft-timeout is when the kernel computes the key pair. So if the
soft-timeout is longer than the isakmpd one, then isakmpd has to wait
for the calculation of the key as soon as it requires it. As the
calculation may take some time, you certainly prefer that the kernel
computes the keys before isakmpd asks for them.

> I already changed the ipsec-timeout to my WatchGuard value at the other end 
> and also changed the encryption to 3des. Now I will take a closer look if it 
> really works flawlessly ;)
Aren't these values fixed with ipsecctl or isakmpd.conf?!


> Cheers,
> James
>
> PS: Does anybody know which are the timeouts for phase 1 and 2? I guess the 
> ipsec-timeout I changed is for phase 2 only. Which of the others is for 
> phase 1?
The phase1 and phase2 timeouts are managed by isakmpd.conf (search misc,
it was already mentioned several times ;))

By default, isakmpd negotiates the value with the peer between 60
and 84600 seconds.
[...]

>>>>> My ipsec.conf looks like this:
>>>>>
>>>>> ike esp from $ext_IP to $peer_GW
>>>>> ike esp from $ext_IP to $peer_LAN peer $peer_GW
>>>>> ike esp from $int_LAN to $peer_LAN \
>>>>>   peer $peer_GW \
>>>>>   main auth hmac-sha1 enc 3des group modp1024 \
>>>>>   quick auth hmac-sha1 enc 3des group none \
>>>>>   psk "XXXX"

You have "group none" for phase 2. That means you don't use PFS. But in
this email you fixed sysctl's pfs option to 1. There is a contradiction.

Regards,

Claer
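An added example, not part of the thread, that turns the two points raised above into a script you can run against a host's sysctl output and ipsec.conf: it checks that ipsec-soft-timeout is lower than ipsec-timeout, and that net.inet.ip.ipsec-pfs agrees with the "group" setting of the quick-mode (phase 2) line. The sysctl lines and ipsec.conf fragment below are constructed samples mirroring the thread; the addresses are documentation ranges and the function names are my own.

```shell
#!/bin/sh
# Added example: sanity checks for IPsec timeout ordering and PFS consistency.
# Constructed sample data; on a real host feed it `sysctl net.inet.ip` and
# the contents of /etc/ipsec.conf instead.

# Constructed sysctl lines, mirroring the values posted in the thread.
SYSCTL_SAMPLE='net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-timeout=28800
net.inet.ip.ipsec-soft-timeout=80000'

# Constructed ipsec.conf fragment: phase 2 uses "group none", i.e. no PFS.
IPSEC_CONF_SAMPLE='ike esp from 192.0.2.1 to 198.51.100.0/24 \
  peer 203.0.113.5 \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group none \
  psk "XXXX"'

# sysctl_val NAME TEXT: print the value of NAME from "key=value" lines.
sysctl_val() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# check_soft_timeout TEXT: succeed only if soft timeout < hard timeout,
# so the kernel has the new keys ready before isakmpd needs them.
check_soft_timeout() {
    hard=$(sysctl_val net.inet.ip.ipsec-timeout "$1")
    soft=$(sysctl_val net.inet.ip.ipsec-soft-timeout "$1")
    [ -n "$hard" ] && [ -n "$soft" ] && [ "$soft" -lt "$hard" ]
}

# check_pfs_consistency SYSCTL_TEXT CONF_TEXT: succeed only if ipsec-pfs
# and the quick-mode "group" keyword say the same thing about PFS.
check_pfs_consistency() {
    pfs=$(sysctl_val net.inet.ip.ipsec-pfs "$1")
    # Join backslash-continued lines so "quick ... group X" is one line,
    # then pick the last "group" word after "quick" (the phase 2 group).
    quick_group=$(printf '%s\n' "$2" | sed -e ':a' -e '/\\$/N; s/\\\n//; ta' \
                  | sed -n 's/.*quick .*group \([^ ]*\).*/\1/p')
    if [ "$pfs" = "1" ]; then
        [ -n "$quick_group" ] && [ "$quick_group" != "none" ]
    else
        [ -z "$quick_group" ] || [ "$quick_group" = "none" ]
    fi
}
```

With the sample data both checks fail, which is exactly the two problems pointed out in the reply: soft timeout above hard timeout, and pfs=1 against "group none".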
