[AusNOG] Restarting IPSEC
Ben Dale
bdale at comlinx.com.au
Wed Jul 11 09:33:48 EST 2012
Hi Yuri,
> I’ve tried Netcomm NTC-6908 and Cisco SRP 541W. Netcomm drops out every 30 minutes, Cisco drops out every hour.
>
Probably not the right list for technical support, but what you are seeing is normal Phase 2 re-keying. I'm not all that familiar with Fortigate, but a quick google shows that the default P2 key lifetime is 1800 seconds [1], which ties in nicely with your logs (and seems awfully short IMHO).
You generally always see a small blip during a re-key, but on some kit phase 2 is re-negotiated prior to the previous key expiring in order to minimise this disruption.
I would increase the Fortigate's P2 lifetime up to 28800 or something similar:
    config vpn ipsec phase2
        edit <tunnel_name>
            set keylifeseconds 28800
        next
    end
and then do the same on your spoke devices (Netcomm/Cisco).
[1] http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-cli-40-mr3.pdf
Cheers,
Ben
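Added example, not from Ben's post or any vendor tool: a small Python check that reads constructed tunnel up/down log lines and tests whether each tunnel's drops recur at one of the candidate Phase 2 key lifetimes, which is the diagnosis made above. The log line format, tunnel names and the 30-second tolerance are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the original post or any real device):
# tunnel state changes, one line per event.
SAMPLE_LOG = """\
2012-07-10 08:00:05 ipsec tunnel=netcomm-spoke status=up
2012-07-10 08:30:07 ipsec tunnel=netcomm-spoke status=down
2012-07-10 09:00:09 ipsec tunnel=netcomm-spoke status=down
2012-07-10 09:30:08 ipsec tunnel=netcomm-spoke status=down
2012-07-10 08:00:20 ipsec tunnel=cisco-spoke status=up
2012-07-10 09:00:22 ipsec tunnel=cisco-spoke status=down
2012-07-10 10:00:25 ipsec tunnel=cisco-spoke status=down
2012-07-10 08:05:00 ipsec tunnel=flaky-spoke status=down
2012-07-10 08:17:00 ipsec tunnel=flaky-spoke status=down
2012-07-10 09:41:00 ipsec tunnel=flaky-spoke status=down
"""
LINE_RE = re.compile(r"^(\S+ \S+) ipsec tunnel=(\S+) status=(up|down)$")
# Candidate Phase 2 key lifetimes (seconds): the FortiGate default cited in the
# post, one hour, and the 28800 value the post recommends.
CANDIDATE_LIFETIMES = (1800, 3600, 28800)

def parse_down_events(log_text):
    """Return {tunnel: sorted datetimes of status=down events}."""
    downs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "down":
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            downs.setdefault(m.group(2), []).append(ts)
    return {t: sorted(v) for t, v in downs.items()}

def match_lifetime(down_times, candidates=CANDIDATE_LIFETIMES, tolerance=30):
    """Return the candidate lifetime every down-to-down gap matches within
    `tolerance` seconds, or None if the drops are not periodic."""
    gaps = [(b - a).total_seconds() for a, b in zip(down_times, down_times[1:])]
    for life in candidates:
        if gaps and all(abs(g - life) <= tolerance for g in gaps):
            return life
    return None

def diagnose(log_text):
    """Map each tunnel to the re-key interval its drops line up with."""
    return {t: match_lifetime(v) for t, v in parse_down_events(log_text).items()}

if __name__ == "__main__":
    for tunnel, life in diagnose(SAMPLE_LOG).items():
        print(tunnel, f"drops every {life}s (P2 re-key)" if life else "drops not periodic")
```

A tunnel whose gaps line up with the configured lifetime is a re-key symptom rather than a link fault; one that does not needs a different explanation.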