Netgate Discussion Forum

    IPsec and lifetime byte problem

    • ideanet

      Hi, I need to connect 1 pfsense firewall to 1 watchguard with an IPsec VPN.
      On the pfsense I have installed the following version:
      2.0-RC3 (i386) built on Tue Aug 16 20:24:26 EDT 2011
      I have configured phase 1 and 2 on the 2 firewalls; apparently it's correct, but I receive the following error…

      Aug 17 10:15:04 racoon: [Enterprise SA]: INFO: initiate new phase 2 negotiation: ccc.xxx.zzz.yyy[500]<=>ccc.xxx.zzz.www[500]
      Aug 17 10:15:04 racoon: INFO: received RESPONDER-LIFETIME: 28800 seconds
      Aug 17 10:15:04 racoon: INFO: received RESPONDER-LIFETIME: 128000 kbytes
      Aug 17 10:15:04 racoon: ERROR: lifebyte mismatched: my:2147483647 peer:0
      Aug 17 10:15:04 racoon: ERROR: not matched
      Aug 17 10:15:04 racoon: ERROR: no suitable policy found.
      Aug 17 10:15:04 racoon: [Enterprise SA]: [ccc.xxx.zzz.www] ERROR: proposal check failed.
      Aug 17 10:15:04 racoon: [Enterprise SA]: [ccc.xxx.zzz.www] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 0, status 5).
      Aug 17 10:15:04 racoon: [Enterprise SA]: [ccc.xxx.zzz.www] ERROR: phase2 negotiation failed.

      Problem: on the WatchGuard the "lifetime byte" is defined, but on the pfsense it isn't possible to define it.
      I tried to add the following line to racoon.conf: "lifetime byte 128000 KB", but it's ignored.

      Is it a bug?
      How can I resolve it?

      • jimp Rebel Alliance Developer Netgate

        We don't have a way in the GUI to set a data lifetime. Try one of the other options in the phase 1 proposal checking drop-down, it may at least allow you to bypass that restriction if you can't remove it on the watchguard side.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

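A small triage script for the racoon log quoted in the first post, added here as an example; it is not code from pfSense, racoon, or either poster. It assumes the lines of one phase 2 negotiation are contiguous in the log, and `triage` and its field names are hypothetical.

```python
import re

# Sample input: the racoon lines from the first post (addresses are the poster's placeholders).
SAMPLE_LOG = """\
Aug 17 10:15:04 racoon: [Enterprise SA]: INFO: initiate new phase 2 negotiation: ccc.xxx.zzz.yyy[500]<=>ccc.xxx.zzz.www[500]
Aug 17 10:15:04 racoon: INFO: received RESPONDER-LIFETIME: 28800 seconds
Aug 17 10:15:04 racoon: INFO: received RESPONDER-LIFETIME: 128000 kbytes
Aug 17 10:15:04 racoon: ERROR: lifebyte mismatched: my:2147483647 peer:0
Aug 17 10:15:04 racoon: ERROR: not matched
Aug 17 10:15:04 racoon: ERROR: no suitable policy found.
Aug 17 10:15:04 racoon: [Enterprise SA]: [ccc.xxx.zzz.www] ERROR: proposal check failed.
Aug 17 10:15:04 racoon: [Enterprise SA]: [ccc.xxx.zzz.www] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 0, status 5).
Aug 17 10:15:04 racoon: [Enterprise SA]: [ccc.xxx.zzz.www] ERROR: phase2 negotiation failed.
"""

START = re.compile(r"initiate new phase 2 negotiation: (\S+)<=>(\S+)")
PEER_LIFE = re.compile(r"received RESPONDER-LIFETIME: (\d+) (seconds|kbytes)")
LIFEBYTE = re.compile(r"lifebyte mismatched: my:(\d+) peer:(\d+)")

def triage(log_text):
    """Group racoon lines into phase 2 negotiations and name the failure cause."""
    negotiations, cur = [], None
    for line in log_text.splitlines():
        m = START.search(line)
        if m:  # a new negotiation begins; later lines belong to it
            cur = {"local": m.group(1), "remote": m.group(2),
                   "peer_lifetime": {}, "lifebyte": None, "failed": False}
            negotiations.append(cur)
            continue
        if cur is None:
            continue  # line precedes any negotiation start we saw
        m = PEER_LIFE.search(line)
        if m:  # lifetimes the responder announced, keyed by unit
            cur["peer_lifetime"][m.group(2)] = int(m.group(1))
        m = LIFEBYTE.search(line)
        if m:  # (my, peer) values racoon compared and rejected
            cur["lifebyte"] = (int(m.group(1)), int(m.group(2)))
        if "phase2 negotiation failed" in line:
            cur["failed"] = True
    for n in negotiations:
        n["cause"] = (None if not n["failed"] else
                      "lifebyte mismatch" if n["lifebyte"] else "other proposal mismatch")
    return negotiations

if __name__ == "__main__":
    for n in triage(SAMPLE_LOG):
        print(n["remote"], n["cause"], n["peer_lifetime"], n["lifebyte"])
```
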
        • ideanet

          Hi Jimp, thank you!
          On the WatchGuard I can't remove it… I'll try the other options in phase 1.
          Just for information: is the "data lifetime" field planned for the final version of pfsense 2.0 or for later versions?

          • jimp Rebel Alliance Developer Netgate

            Probably not going to be in 2.0, we're trying not to make any unnecessary changes at this point.

            It was discussed earlier this week, so probably for 2.1 if racoon supports it properly.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.