TU for answer,

No VPN not raised at that time,

Here are the settings from FW GlobalProperties:

life_sign_timeout:40sec

life_sign_transmitter_interval:10sec

life_sign_retransmission_count:0

life_sign_retransmission_interval:10sec

cluster_count_polling_interval:2

Rekeying Parameters:

Renegotiate IKE (PHASE1) Security associations every 1440 minutes

Renegotiate IPSEC (IKE PHASE 2)Security associations every 3600 sec.

all routers is configured to default

TU

Hi,

IKE and IPSEC lifetimes are wrong.

Manually modify them on both machines to match. IKE should be about 8h. IPSEC can be 1h.

Please rate if this helped.

Regards,

Daniel

TU,

I change the IKE liftime to 8h and IPSEC to 1h,but still recieving message of quick mode has failed and another one:

CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of X.X.X.X (type 1) and certificate addr with X.X.X.X

TU,

Regards,

Dan

Hi Dan,

On the Cisco, you need to specify "isakmp identity address" in order to use the IP address of the machine for site-to-site.

As well, you need to configure the IPSEC options since now they appear to be on the defaults, that require certificates, instead of preshared-key.

You should configure under isakmp:

authentication: preshared

hash: md5

encryption: 3DES or DES

group (DH): 1 or 2

Same configs should be on the other machine.

Check the link for PIX VPN configs:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html#anchor6

Please rate if this helped.

Regards,

Daniel

Daniel TU,

all routers are enrolled with "Entrus" CA so I alredy have this configurations that you offer

I have living with this messeges over monthes!!!

do you have another suggestion?

TU very much,

Regards,

Dan