IPsec and lifetime byte problem
-
Hi, I need to connect 1 pfsense firewall to 1 watchguard with an IPsec VPN.
On the pfsense I have installed the following version
2.0-RC3 (i386) built on Tue Aug 16 20:24:26 EDT 2011
I have configured on the 2 firewall the phase 1 and 2, apparently it's correct, but I receive the following error…Aug 17 10:15:04 racoon: [Enterprise SA]: INFO: initiate new phase 2 negotiation: ccc.xxx.zzz.yyy[500]<=>ccc.xxx.zzz.www[500]
Aug 17 10:15:04 racoon: INFO: received RESPONDER-LIFETIME: 28800 seconds
Aug 17 10:15:04 racoon: INFO: received RESPONDER-LIFETIME: 128000 kbytes
Aug 17 10:15:04 racoon: ERROR: lifebyte mismatched: my:2147483647 peer:0
Aug 17 10:15:04 racoon: ERROR: not matched
Aug 17 10:15:04 racoon: ERROR: no suitable policy found.
Aug 17 10:15:04 racoon: [Enterprise SA]: [ccc.xxx.zzz.www] ERROR: proposal check failed.
Aug 17 10:15:04 racoon: [Enterprise SA]: [ccc.xxx.zzz.www] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 0, status 5).
Aug 17 10:15:04 racoon: [Enterprise SA]: [ccc.xxx.zzz.www] ERROR: phase2 negotiation failed.Problem: on wathcguard is defined the "lifetime byte", but on the pfsense isn't possibile to define
I tried to add on racoon.conf the following line "lifetime byte 128000 KB", but's ignored.It's a bug ?
How I can resolve it ?
-
We don't have a way in the GUI to set a data lifetime. Try one of the other options in the phase 1 proposal checking drop-down, it may at least allow you to bypass that restriction if you can't remove it on the watchguard side.
-
Hi Jiimp, thank you !
On the Watchguard can't remove it… I try another options in the phase 1.
Just for information: the "data lifetime" field is planned on the final version of pfsense 2.0 or next versions ?
-
Probably not going to be in 2.0, we're trying not to make any unnecessary changes at this point.
It was discussed earlier this week, so probably for 2.1 if racoon supports it properly.
