On 2007/12/07 00:53, visc wrote:
> I'm going to toss out some generalities here before I resort to posting
> debugs from isakmpd because I think I'm only missing one critical factor
> in Phase2.
You can usually identify the problem more easily by looking at
packet traces, than by looking at logs. From memory, this should
do the trick:
# echo p on > /var/run/isakmpd.fifo
[allow it to attempt negotiation]
# echo p off > /var/run/isakmpd.fifo
# tcpdump -nvvr /var/run/isakmpd.pcap
> My question is - what is the default key lifetime (in seconds preferably)
> for the 4.2 implementation of isakmp?
It's unchanged, and mentioned in isakmpd.conf(5):
[General]
Default-phase-1-lifetime= 3600,60:86400
Default-phase-2-lifetime= 1200,60:86400
The Main Mode lifetime currently defaults to one hour (minimum 60 seconds,
maximum 1 day). The Quick Mode lifetime defaults to 20 minutes (minimum 60
seconds, maximum 1 day).
(note that ipsec.conf is parsed into isakmpd.conf configuration
sections, so this still applies; you can see this happening with
ipsecctl -nvf /etc/ipsec.conf).
> - Is there a modifier in 4.2 ipsec.conf to use automatic keying with a
> specified key lifetime? I can't find it for the life of me.
It is currently only "documented" in the ipsecctl regression tests,
you can use this format:
ike esp from 10.1.1.0/24 to 10.1.2.0/24 \
peer 192.168.3.2 \
main life 12345 quick life 23456 \
srcid me.mylan.net dstid the.others.net
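Added here as an example, not code from the thread or from OpenBSD: a small Python checker that parses the "default,min:max" lifetime spec from the [General] section quoted above and flags a "main life" / "quick life" value in an ike rule that falls outside those bounds. The sample config and rule are constructed from the values in the reply; treating min:max as the acceptable range for a rule's own lifetime is this example's assumption, not documented isakmpd behaviour.

```python
import re
# Constructed sample: the [General] defaults quoted in the reply above.
SAMPLE_ISAKMPD_CONF = """\
[General]
Default-phase-1-lifetime= 3600,60:86400
Default-phase-2-lifetime= 1200,60:86400
"""

# Constructed ipsec.conf rule in the regression-test format from the reply.
SAMPLE_IPSEC_RULE = ("ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 "
                     "main life 12345 quick life 23456 srcid me.mylan.net dstid the.others.net")

def parse_lifetime(spec):
    """Parse isakmpd's 'default,min:max' lifetime spec (seconds) into ints."""
    m = re.fullmatch(r"\s*(\d+)\s*,\s*(\d+)\s*:\s*(\d+)\s*", spec)
    if not m:
        raise ValueError("bad lifetime spec: %r" % spec)
    default, lo, hi = (int(x) for x in m.groups())
    if not lo <= default <= hi:
        raise ValueError("default %d outside %d:%d" % (default, lo, hi))
    return {"default": default, "min": lo, "max": hi}

def general_lifetimes(conf_text):
    """Map phase-1 -> 'main' and phase-2 -> 'quick' from the [General] section."""
    out, section = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "General" and "=" in line:
            key, _, val = line.partition("=")
            key = key.strip().lower()
            if key == "default-phase-1-lifetime":
                out["main"] = parse_lifetime(val)
            elif key == "default-phase-2-lifetime":
                out["quick"] = parse_lifetime(val)
    return out

def rule_lifetimes(rule):
    """Extract 'main life N' / 'quick life N' seconds from one ike rule."""
    pairs = re.findall(r"\b(main|quick)\s+life\s+(\d+)", rule)
    return {phase: int(secs) for phase, secs in pairs}

def check_rule(rule, conf_text):
    """Return {phase: seconds} for rule lifetimes outside min:max (assumed bounds)."""
    bounds = general_lifetimes(conf_text)
    return {phase: secs for phase, secs in rule_lifetimes(rule).items()
            if not bounds[phase]["min"] <= secs <= bounds[phase]["max"]}
```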