1*4882a593SmuzhiyunFrom 39925f090c21ab571ebc6ec250696f7f7093a2a6 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Will Page <Will.Page@ni.com>
3*4882a593SmuzhiyunDate: Wed, 30 Aug 2017 18:14:00 -0700
4*4882a593SmuzhiyunSubject: [PATCH 1/1] Reduce lifetime value to widely-compatible value
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunCurrent proposed lifetime value (2147483 seconds, which equates to
7*4882a593SmuzhiyunMAXINT ms, or ~25 days) is rejected by Fortigate vpn devices because
8*4882a593Smuzhiyun"peer SA proposal does not match local policy".  It seems default
9*4882a593Smuzhiyunpolicy for these devices constrains lifetime where similar VPN devices
10*4882a593Smuzhiyundon't.
11*4882a593Smuzhiyun
12*4882a593SmuzhiyunReducing the lifetime from its current value to 28800 (exactly 8 hours)
13*4882a593Smuzhiyuncauses it to start working with fortigate devices.
14*4882a593Smuzhiyun---
15*4882a593Smuzhiyun vpnc.c | 4 ++--
16*4882a593Smuzhiyun 1 file changed, 2 insertions(+), 2 deletions(-)
17*4882a593Smuzhiyun
18*4882a593Smuzhiyundiff --git a/vpnc.c b/vpnc.c
19*4882a593Smuzhiyunindex 36dd0f3..3e0fcba 100644
20*4882a593Smuzhiyun--- a/vpnc.c
21*4882a593Smuzhiyun+++ b/vpnc.c
22*4882a593Smuzhiyun@@ -1135,7 +1135,7 @@ static struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int
23*4882a593Smuzhiyun 	a->af = isakmp_attr_lots;
24*4882a593Smuzhiyun 	a->u.lots.length = 4;
25*4882a593Smuzhiyun 	a->u.lots.data = xallocc(a->u.lots.length);
26*4882a593Smuzhiyun-	*((uint32_t *) a->u.lots.data) = htonl(2147483);
27*4882a593Smuzhiyun+	*((uint32_t *) a->u.lots.data) = htonl(28800);
28*4882a593Smuzhiyun 	a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
29*4882a593Smuzhiyun 	a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
30*4882a593Smuzhiyun 	a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
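Review bot: The literal `28800` is now written in two places, here in make_transform_ike and again in the make_transform_ipsec hunk, and nothing in the code says it is the proposed SA lifetime in seconds or why that value was chosen. A single named constant, for example `enum { PROPOSED_SA_LIFETIME_SECS = 28800 }; /* 8 h; accepted by peers whose policy caps the lifetime */` (the name is only a suggestion), used as `htonl(PROPOSED_SA_LIFETIME_SECS)` at both sites, would keep the IKE and IPsec proposals from silently drifting apart. It would also give a later change to a configurable lifetime one place to hook in. Both functions start and end outside their hunks.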
31*4882a593Smuzhiyun@@ -2561,7 +2561,7 @@ static struct isakmp_attribute *make_transform_ipsec(struct sa_block *s, int dh_
32*4882a593Smuzhiyun 	a->af = isakmp_attr_lots;
33*4882a593Smuzhiyun 	a->u.lots.length = 4;
34*4882a593Smuzhiyun 	a->u.lots.data = xallocc(a->u.lots.length);
35*4882a593Smuzhiyun-	*((uint32_t *) a->u.lots.data) = htonl(2147483);
36*4882a593Smuzhiyun+	*((uint32_t *) a->u.lots.data) = htonl(28800);
37*4882a593Smuzhiyun 	a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
38*4882a593Smuzhiyun
39*4882a593Smuzhiyun 	if (dh_group)
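Review bot: Lowering the proposed IPsec SA lifetime from about 25 days to 8 hours means an ordinary long-running session will now reach expiry, and nothing in this hunk shows what the client does when that happens. If the peer enforces the negotiated lifetime, a tunnel that has not been rekeyed by then will presumably be dropped, so this change should be verified against the rekey path; the same applies to the IKE SA lifetime set in make_transform_ike. A comment on the assignment, such as `/* 8 h: peer may delete the SA at expiry, so rekey must complete before then */`, would record that dependency. make_transform_ipsec continues outside the hunk.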
40*4882a593Smuzhiyun--
41*4882a593Smuzhiyun2.7.4
42*4882a593Smuzhiyun