Coincidentally I have exactly same symptoms connecting 4.1-stable (using

isakmpd.conf and AES SHA1) to an unknown remote Firebox VPN gateway running

"firebox software 8.3" (very sketchy information because I had to prie it

out of the IT people at the remote end).
Rekeying occasionaly fails, Phase 2 is down but Phase 1 SA remains active.

The Firebox side does not reply to my Phase 2 proposals until I manually

kill the Phase 1 SA on my end and reestablish everything. 
I'm inclined to assume the problem lies at Firebox's end. But I have no

access to Watchguard's support pages to see if it is a known problem.
Mitja
> -----Original Message-----

quoted text
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]

> On Behalf Of mailinglists@jameslepthien.de

> Sent: Thursday, July 26, 2007 10:05 AM

> To: misc@openbsd.org

> Subject: IPSec Keylifetime using ipsecctl and ipsec.conf?

>

> Hi,

>

> I am using ipsecctl and /etc/ipsec.conf to create an IPSec

> tunnel to a

> WatchGuard Firebox X700 in my company. It works fine, but the

> re-keying always makes some trouble, it does not always work. My

> question now is, how can I set the keylifetimes for phase 1 and 2 in

> /etc/ipsec.conf? Is there a way to do this? The manpage does

> not give

> any more info...

>

> I am running an OpenBSD 4.1 current. My ipsec.conf file looks

> like this:

>

> ike esp from 10.240.1.0/24 to 192.168.128.0/24 \

>    peer 1.2.3.4 \

>    main auth hmac-sha1 enc 3des group modp1024 \

>    quick auth hmac-sha1 enc 3des group none \

>    psk "XXXX"

>

> Regards,

> James