Configuring lifebyte parameter

  • Hi everybody.

    I have the typical problem with a tunnel from a pfSense 1.2.3 to a Cisco Router.

    On the Cisco side they have configured a lifetime of 4608000 bytes, but I cannot configure this parameter on the originating pfSense. Phase 1 and Phase 2 lifetimes in seconds are correctly configured on both ends.

    The result is as expected: the tunnel works for 30-40 minutes until the encrypted data reaches 4608000 bytes. At that moment the Cisco sends a delete message and the pfSense ignores it, sending data with the old SA, which is discarded on the Cisco side.

    Can I manually introduce this lifebyte parameter in my pfSense?

    Thanks in advance.

    Juan Diego.

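The symptom above (the peer tears the SA down on a volume limit that the pfSense side never tracks) can be checked locally: `setkey -D` on FreeBSD/pfSense prints, for every installed SA, the bytes carried so far and the local hard/soft byte lifetimes, and a local `hard: 0(bytes)` means racoon installed no byte limit at all. The script below is an added example, not code from the thread or from pfSense; it parses that output and flags SAs whose byte counter has already passed a peer-side kilobyte lifetime. The `setkey -D` text it runs on is constructed for the example (two ESP SAs, one past the limit) rather than captured from a real box.

```shell
#!/bin/sh
# Added example: report which IPsec SAs on the local (FreeBSD/pfSense) side
# have carried more data than the peer's kilobyte lifetime allows.
# Not from the thread or from pfSense; the sample output below is constructed.

# Usage: setkey -D | sa_byte_report PEER_LIMIT_KB
sa_byte_report() {
    awk -v peer_kb="$1" '
        # An SA entry begins with an untabbed "src dst" address line.
        /^[0-9a-fA-F]/ && NF == 2 { src = $1; dst = $2; next }
        # "esp mode=tunnel spi=NNN(0x...) reqid=..." carries the SPI in decimal.
        /spi=/ {
            spi = $3; sub(/\(.*/, "", spi); sub(/spi=/, "", spi); next
        }
        # "current: N(bytes)  hard: N(bytes)  soft: N(bytes)" is the byte-lifetime
        # line; the "created: ... current: <date>" line has no "(bytes)" so it is skipped.
        /current: [0-9]+\(bytes\)/ {
            cur = $2;  sub(/\(bytes\)/, "", cur)
            hard = $4; sub(/\(bytes\)/, "", hard)
            status = (cur + 0 > peer_kb * 1024) ? "PAST-PEER-LIMIT" : "ok"
            printf "%s %s spi=%s bytes=%s local_hard=%s %s\n", src, dst, spi, cur, hard, status
        }
    '
}

# Constructed sample of `setkey -D` output (not captured from a real system):
# an outbound SA that has already carried ~4.8 GB and an inbound one that has not.
sample_setkey_output() {
    printf '%b\n' \
      '10.0.0.1 192.0.2.1' \
      '\tesp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)' \
      '\tE: aes-cbc  0123456789abcdef 0123456789abcdef' \
      '\tA: hmac-sha1  0123456789abcdef 0123456789abcdef 01234567' \
      '\tseq=0x00000000 replay=4 flags=0x00000000 state=mature' \
      '\tcreated: Jan  1 10:00:00 2010\tcurrent: Jan  1 10:35:00 2010' \
      '\tdiff: 2100(s)\thard: 3600(s)\tsoft: 2880(s)' \
      '\tlast: Jan  1 10:34:59 2010\thard: 0(s)\tsoft: 0(s)' \
      '\tcurrent: 4800000000(bytes)\thard: 0(bytes)\tsoft: 0(bytes)' \
      '\tallocated: 3300000\thard: 0\tsoft: 0' \
      '\tsadb_seq=1 pid=100 refcnt=1' \
      '192.0.2.1 10.0.0.1' \
      '\tesp mode=tunnel spi=2271560481(0x87654321) reqid=1(0x00000001)' \
      '\tE: aes-cbc  fedcba9876543210 fedcba9876543210' \
      '\tA: hmac-sha1  fedcba9876543210 fedcba9876543210 76543210' \
      '\tseq=0x00000000 replay=4 flags=0x00000000 state=mature' \
      '\tcreated: Jan  1 10:00:00 2010\tcurrent: Jan  1 10:35:00 2010' \
      '\tdiff: 2100(s)\thard: 3600(s)\tsoft: 2880(s)' \
      '\tlast: Jan  1 10:34:59 2010\thard: 0(s)\tsoft: 0(s)' \
      '\tcurrent: 123456(bytes)\thard: 0(bytes)\tsoft: 0(bytes)' \
      '\tallocated: 900\thard: 0\tsoft: 0' \
      '\tsadb_seq=0 pid=100 refcnt=1'
}

# Demo run against the constructed sample with the Cisco IOS default of
# 4608000 kilobytes; on a real box pipe `setkey -D` in instead.
sample_setkey_output | sa_byte_report 4608000
```

An SA reported as PAST-PEER-LIMIT with `local_hard=0` is exactly the state described in the post: the peer has already deleted its copy on volume, while the local kernel still considers the SA mature and keeps encrypting into it.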
  • Hi again.

    After inspecting the racoon.conf definition, I found out that there is no lifetime in bytes. I suppose this is a compatibility issue with Cisco and other versions of IPsec.

    Best regards.

  • Yeah, you have to disable lifetimes in bytes or set it so high you'll never reach it in the lifetime in seconds.

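What the previous reply describes, shown on the Cisco IOS side as an added example (not configuration from the thread or from the customer's router): the value the thread quotes, 4608000, is the IOS default volume lifetime and is expressed in kilobytes, and IOS rekeys or deletes the SA when either the time or the volume limit is reached first. The crypto map name `VPNMAP` and sequence number are assumptions, and the `kilobytes disable` keyword is assumed to be available on the peer's IOS release (older releases only allow raising the value).

```text
! Default IOS behaviour: both limits active, SA expires on whichever comes first
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

! Option A: switch the volume-based lifetime off globally, keeping the timed one
crypto ipsec security-association lifetime kilobytes disable

! Option B: do it only for the crypto map entry that terminates this tunnel
crypto map VPNMAP 10 ipsec-isakmp
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes disable
```

Whichever option is used, the seconds lifetime on the Cisco side should match what the pfSense proposes for Phase 2 so that both ends rekey on the same schedule. Note that a DPD timer does not help with this particular failure: DPD detects a peer that stops answering, whereas here the peer is alive and has explicitly signalled the SA deletion.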
  • Thanks a lot cmb.

    So you can manually introduce a lifetime in bytes in pfSense 1.2.3?

    I suppose the grammar is like 'lifetime byte 50000 KB;' but I don't know how to introduce it into racoon.conf. It seems to be an automatically generated file and I can't do it from the HTTP interface.

  • Oh, by the way,

    I have no access to the Cisco side, as it is configured by the technical staff of a customer, and they will not attend to me if I ask them to change any parameter of their server.

    I'm trying to set a value for DPD as low as 2 seconds, so the tunnel is renegotiated as soon as the peer is dead, but it does not seem to work.

    Thanks in advance for any suggestion.

    Juan Diego.
