04-17-2003 07:01 AM - edited 02-21-2020 12:29 PM
Looking for advice.
Having problems with an IPSec tunnel that I have created between a PIX 515 and a Watchguard FB 1000. The tunnel will create properly between the two devices. Many times the key re-negotiation fails after the specified lifetime expires. The only way to get the tunnel back that I have found is to reboot the PIX. The key renegotiation will work after the reboot. I have been researching this and have a question regarding the ipsec-manual command. My idea is to set up a "non-expiring" tunnel using this command. Is this the proper use of the command? Does anyone have any experience with this matter that they can share, such as syntax, advice, suggestions, etc.?
04-17-2003 11:18 AM
Hi,
It sure will help with the re-keying issues, at the cost of less security.
Did you try 6.3.1 PIX OS?
Thx
Afaq
04-21-2003 04:36 AM
Thanks for the answer. Since the PIX is actually owned by a business partner, I can only suggest the OS upgrade. As far as the syntax of the ipsec-manual command, is the command entered at the beginning of the isakmp policy? The config is as follows:
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600
How would the syntax read? Sorry for the newbie questions... my Cisco knowledge is very limited.
04-21-2003 08:52 PM
You don't need any ISAKMP commands at all since if you define manual keys, you don't use IKE/ISAKMP.
Check out the docs at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/sit2site.htm#1007447 for an example.
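To make the reply above concrete, here is what a manual-keyed crypto map looks like in PIX 6.x syntax. This is an added illustration, not from the thread or from Cisco's documentation: with ipsec-manual the SPIs and session keys are typed in by hand on both peers, so there is no isakmp policy, no pre-shared key and no rekey, which is why it sidesteps the renegotiation failure at the cost of keys that never rotate. The access list, map name, transform-set name, SPIs and key strings are placeholders; the peer address and the 3DES/SHA choice follow the original config, and the lines starting with `!` are annotations for the reader.

```text
! Traffic to protect (constructed example subnets, replace with the real ones)
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Same algorithms the original isakmp policy used: 3DES with SHA-1 HMAC
crypto ipsec transform-set manual-set esp-3des esp-sha-hmac

! ipsec-manual in place of ipsec-isakmp: no IKE negotiation for this map entry
crypto map manualmap 10 ipsec-manual
crypto map manualmap 10 match address 101
crypto map manualmap 10 set peer 1.1.1.1
crypto map manualmap 10 set transform-set manual-set

! Inbound and outbound SAs each get their own SPI and key pair.
! 3DES cipher key = 48 hex digits (24 bytes); SHA-1 authenticator key = 40 hex digits (20 bytes).
! The peer's OUTBOUND SPI/keys must equal this side's INBOUND SPI/keys, and vice versa.
crypto map manualmap 10 set session-key inbound esp 1000 cipher <48-HEX-DIGIT-KEY-A> authenticator <40-HEX-DIGIT-KEY-B>
crypto map manualmap 10 set session-key outbound esp 1001 cipher <48-HEX-DIGIT-KEY-C> authenticator <40-HEX-DIGIT-KEY-D>

crypto map manualmap interface outside
sysopt connection permit-ipsec

! The isakmp lines from the original config are not used for this peer any more.
! Nothing ever rekeys, so rotating the four key strings on both ends becomes a manual, scheduled task.
```

The Watchguard side has to be configured with the mirrored SPIs, keys and algorithms by hand; a single mismatched hex digit produces a tunnel that appears up but passes no traffic, so compare both ends before troubleshooting elsewhere.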
04-23-2003 07:05 AM
Thanks for the help. I am looking at the doc now.