340 Views | 6 Helpful | 4 Replies

ipsec-manual command

admin_2
Level 3

Looking for advice.

Having problems with an IPsec tunnel that I have created between a PIX 515 and a Watchguard FB 1000. The tunnel will create properly between the two devices. Many times the key re-negotiation fails after the specified lifetime expires. The only way to get the tunnel back that I have found is to reboot the PIX. The key renegotiation will work after the reboot. I have been researching this and have a question regarding the ipsec-manual command. My idea is to set up a "non-expiring" tunnel using this command. Is this the proper use of the command? Does anyone have any experience with this matter that they can share, such as syntax, advice, suggestions, etc.?

4 Replies

afakhan
Level 4

Hi,

It sure will help with the re-keying issues, at the cost of less security.

Did you try 6.3.1 PIX OS?

Thx

Afaq

Not applicable

Thanks for the answer. Since the PIX is actually owned by a business partner, I can only suggest the OS upgrade. As far as the syntax of the ipsec-manual command, is the command entered at the beginning of the isakmp policy? The config is as follows:

isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600

How would the syntax read? Sorry for the newbie questions... my Cisco knowledge is very limited.

gfullage
Cisco Employee

You don't need any ISAKMP commands at all since if you define manual keys, you don't use IKE/ISAKMP.

Check out the docs at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/sit2site.htm#1007447 for an example.
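To make the point concrete, here is an added illustration of what a manual-keyed crypto map looks like on PIX 6.x; it is not from the thread or from Cisco's documentation. It replaces the isakmp lines quoted above rather than sitting inside an isakmp policy: with ipsec-manual, the SPIs and session keys are typed directly into the crypto map entry, so no IKE negotiation (and no lifetime expiry) ever happens. The peer address 1.1.1.1 and the 3DES/SHA transform match the configuration quoted in the thread; the map name, ACL number, protected subnets, SPI values and hex keys are assumed placeholders, and the lines beginning with "!" are annotations, not configuration.

```cisco
! Added example, not the thread's own config: PIX 6.x crypto map using ipsec-manual.
! Assumed placeholders: map name "manualmap", ACL 101, the two subnets, SPIs 1000/1001,
! and the hex key strings. 3DES needs 48 hex digits, HMAC-SHA needs 40 hex digits.
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set manualset esp-3des esp-sha-hmac
crypto map manualmap 10 ipsec-manual
crypto map manualmap 10 match address 101
crypto map manualmap 10 set peer 1.1.1.1
crypto map manualmap 10 set transform-set manualset
! Inbound and outbound SAs each get their own SPI and key pair; the remote end
! must configure the same values with inbound and outbound swapped.
crypto map manualmap 10 set session-key inbound esp 1000 cipher <48-hex-digit-3des-key> authenticator <40-hex-digit-sha-key>
crypto map manualmap 10 set session-key outbound esp 1001 cipher <48-hex-digit-3des-key> authenticator <40-hex-digit-sha-key>
crypto map manualmap interface outside
sysopt connection permit-ipsec
```

Two things to keep in mind with this approach, which is what afakhan's "less security" remark refers to: the session keys never rotate, so the same 3DES and SHA keys protect every packet until an administrator changes them on both devices, and manually keyed SAs carry no anti-replay protection, because replay counters depend on the automated key management that IKE provides. It works around a rekey failure, but the better fix remains getting IKE rekeying to succeed.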

Not applicable

Thanks for the help. I am looking at the doc now.