1From 39925f090c21ab571ebc6ec250696f7f7093a2a6 Mon Sep 17 00:00:00 2001
2From: Will Page <Will.Page@ni.com>
3Date: Wed, 30 Aug 2017 18:14:00 -0700
4Subject: [PATCH 1/1] Reduce lifetime value to widely-compatible value
5
6Current proposed lifetime value (2147483 seconds, which equates to
7MAXINT ms, or ~25 days) is rejected by Fortigate vpn devices because
8"peer SA proposal does not match local policy". It seems default
9policy for these devices constrains lifetime where similar VPN devices
10don't.
11
12Reducing the lifetime from its current value to 28800 (exactly 8 hours)
13causes it to start working with fortigate devices.
14---
15 vpnc.c | 4 ++--
16 1 file changed, 2 insertions(+), 2 deletions(-)
17
18diff --git a/vpnc.c b/vpnc.c
19index 36dd0f3..3e0fcba 100644
20--- a/vpnc.c
21+++ b/vpnc.c
22@@ -1135,7 +1135,7 @@ static struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int
23 a->af = isakmp_attr_lots;
24 a->u.lots.length = 4;
25 a->u.lots.data = xallocc(a->u.lots.length);
26- *((uint32_t *) a->u.lots.data) = htonl(2147483);
27+ *((uint32_t *) a->u.lots.data) = htonl(28800);
28 a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
29 a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
30 a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
31@@ -2561,7 +2561,7 @@ static struct isakmp_attribute *make_transform_ipsec(struct sa_block *s, int dh_
32 a->af = isakmp_attr_lots;
33 a->u.lots.length = 4;
34 a->u.lots.data = xallocc(a->u.lots.length);
35- *((uint32_t *) a->u.lots.data) = htonl(2147483);
36+ *((uint32_t *) a->u.lots.data) = htonl(28800);
37 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
38
39 if (dh_group)
40--
412.7.4
42
43
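Review bot: The literal `28800` is now hard-coded twice, as the IKE lifetime in make_transform_ike and again as the IPsec SA lifetime in make_transform_ipsec, and nothing at either site says that it is seconds or why this value was picked. A named constant with a comment would keep the two proposals in step, e.g. `#define SA_LIFETIME_SECONDS 28800 /* 8 h; accepted by peers whose policy caps the proposed lifetime */`, used as `htonl(SA_LIFETIME_SECONDS)` in both places. The hunks do not show whether vpnc rekeys or tears the tunnel down when the lifetime it proposed runs out; with the proposal cut from about 25 days to 8 hours the peer may now expire the SA inside a normal session, so that path is worth confirming before merge. Both function bodies continue outside the hunks.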