Wow, excellent help thank you. That's helped me track down some other problems as well.

I have success!

And in the interests of full disclosure...

I,

um,

was missing a character in the PSK. [shame and embarrassment]

That's what you get when you generate a nice 63 character key and have to whittle it down to 24 for Cisco. I never thought to check considering the Cisco would show Phase1 complete, but I guess that'll learn me.

Cheers and thanks again.


On 7-Dec-07, at 2:09 AM, Stuart Henderson wrote:

On 2007/12/07 00:53, visc wrote:
I'm going to toss out some generalities here before I resort to posting debugs from isakmpd because I think I'm only missing one critical factor
in Phase2.

You can usually identify the problem more easily by looking at
packet traces, than by looking at logs. From memory, this should
do the trick:

# echo p on > /var/run/isakmpd.fifo
[allow it to attempt negotiation]
# echo p off > /var/run/isakmpd.fifo
# tcpdump -nvvr /var/run/isakmpd.pcap

My question is - what is the default key lifetime (in seconds preferably)
for the 4.2 implementation of isakmp?

It's unchanged, and mentioned in isakmpd.conf(5):

          [General]
          Default-phase-1-lifetime=       3600,60:86400
          Default-phase-2-lifetime=       1200,60:86400

          The Main Mode lifetime currently defaults to one hour (minimum 60
          seconds, maximum 1 day). The Quick Mode lifetime defaults to 20
          minutes (minimum 60 seconds, maximum 1 day).

(note that ipsec.conf is parsed into isakmpd.conf configuration
sections, so this still applies; you can see this happening with
ipsecctl -nvf /etc/ipsec.conf).

- Is there a modifier in 4.2 ipsec.conf to use automatic keying with a
specified key lifetime? I can't find it for the life of me.

It is currently only "documented" in the ipsecctl regression tests;
you can use this format:

ike esp from 10.1.1.0/24 to 10.1.2.0/24 \
       peer 192.168.3.2 \
       main life 12345 quick life 23456 \
       srcid me.mylan.net dstid the.others.net
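The lifetime defaults and the "main life" / "quick life" syntax described above, as an added example (this is not code from the thread or from OpenBSD): a small Python checker that parses isakmpd's "default,min:max" lifetime spec, pulls the explicit lifetimes out of an ipsec.conf ike rule (joining backslash continuations), and reports which Phase 1 / Phase 2 lifetime would actually be in effect and whether a requested value falls outside the allowed range. The function names and the two extra rules (one with no "life" keyword, one with a 30 second Phase 1 life) are constructed for illustration; the defaults and the first rule are the ones quoted in the message.

```python
import re

# Defaults exactly as quoted from isakmpd.conf(5) above: "default,min:max", seconds.
ISAKMPD_DEFAULTS = {
    "Default-phase-1-lifetime": "3600,60:86400",
    "Default-phase-2-lifetime": "1200,60:86400",
}

# ipsec.conf keyword -> isakmpd.conf setting (main = Phase 1, quick = Phase 2).
PHASE_KEYWORDS = {
    "main": "Default-phase-1-lifetime",
    "quick": "Default-phase-2-lifetime",
}


def parse_lifetime_spec(spec):
    """Parse an isakmpd 'default,min:max' lifetime spec into (default, min, max)."""
    m = re.fullmatch(r"\s*(\d+)\s*,\s*(\d+)\s*:\s*(\d+)\s*", spec)
    if not m:
        raise ValueError(f"malformed lifetime spec: {spec!r}")
    default, low, high = (int(x) for x in m.groups())
    if not low <= default <= high:
        raise ValueError(f"default {default} lies outside {low}:{high}")
    return default, low, high


def parse_ike_rule(rule):
    """Return {'main': N, 'quick': M} for the 'life' values present in one ike rule.

    Backslash-newline continuations (as in the quoted rule) are joined first;
    a phase keyword with no 'life' value is simply absent from the result.
    """
    tokens = rule.replace("\\\n", " ").split()
    if not tokens or tokens[0] != "ike":
        raise ValueError("not an ike rule")
    lifetimes = {}
    for i, tok in enumerate(tokens):
        if tok in PHASE_KEYWORDS and i + 2 < len(tokens) and tokens[i + 1] == "life":
            lifetimes[tok] = int(tokens[i + 2])
    return lifetimes


def check_rule(rule, conf=ISAKMPD_DEFAULTS):
    """Resolve the effective Phase 1/Phase 2 lifetimes and flag out-of-range requests.

    Returns (effective, findings): effective maps 'main'/'quick' to the lifetime
    that would apply (explicit value, else the isakmpd default); findings lists
    requested values below the minimum or above the maximum.
    """
    requested = parse_ike_rule(rule)
    effective, findings = {}, []
    for keyword, conf_key in PHASE_KEYWORDS.items():
        default, low, high = parse_lifetime_spec(conf[conf_key])
        value = requested.get(keyword, default)
        if not low <= value <= high:
            findings.append(f"{keyword} life {value}s outside allowed {low}..{high}s")
        effective[keyword] = value
    return effective, findings


# The rule quoted in the message, plus two constructed variants.
RULE_FROM_THREAD = """ike esp from 10.1.1.0/24 to 10.1.2.0/24 \\
       peer 192.168.3.2 \\
       main life 12345 quick life 23456 \\
       srcid me.mylan.net dstid the.others.net"""
RULE_NO_LIFE = "ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2"  # constructed
RULE_TOO_SHORT = "ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 main life 30"  # constructed

if __name__ == "__main__":
    for name, rule in [("thread", RULE_FROM_THREAD),
                       ("no life keyword", RULE_NO_LIFE),
                       ("too short", RULE_TOO_SHORT)]:
        effective, findings = check_rule(rule)
        print(f"{name}: effective={effective} {findings or 'ok'}")
```

Running it shows the quoted rule resolving to 12345/23456 seconds with no findings, the rule without "life" falling back to the 3600/1200 defaults, and the 30 second Phase 1 request flagged as below the 60 second minimum.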