[c-nsp] Cisco - Netscreen VPN
Luan Nguyen
luan.nguyen at mci.com
Thu Oct 13 13:04:36 EDT 2005
You could try changing on ns side then
set ike p1-proposal "pre-g2-aes128-sha" Preshare Group2 aes128 SHA-1 86400 second
Then maybe set the kilobytes timeout to match as well...not sure if that
will help
set ike p2-proposal "nopfs-esp-aes128-sha" ESP aes128 SHA-1 second 3600 kbyte 4608000
Maybe a debug crypto ipsec?
-----Original Message-----
From: Ryan O'Connell [mailto:ryan at complicity.co.uk]
Sent: Thursday, October 13, 2005 12:10 PM
To: Luan Nguyen
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco - Netscreen VPN
On 13/10/2005 17:00, Luan Nguyen wrote:
>Cisco default is 3600 for ipsec which is the same as NS. So yeah, try
>changing the lifetime of isakmp to 28800.
>
>
Unfortunately that just means it breaks a couple of times a day instead of
hourly...