From: <an...@ho...> - 2007-02-13 16:48:51
I got some more info about the remote Cisco VPN concentrator I am trying to get a connection to. I even have access to another client's Cisco box, that has the same tunnel set up to the same remote VPN3005 that I want to connect to. That Cisco box DOES get a working connection up and running. Its config:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map inside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer B.B.B.B
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
 pre-shared-key *

So I set racoon to use 3DES and MD5 like it should, but still no go. I read something about a bug in the order in which SAs were deleted, so I wanted to try the latest version from CVS. After a day of work I was even able to get the latest version from CVS up and running (the automake and libtools thingy took me half a day to figure out as I'm an end user, not a developer.. :) Still no go..

[root@vpntest /home/angelo]# racoon -F
Foreground mode.
2007-02-13 17:38:54: INFO: @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net)
2007-02-13 17:38:54: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-02-13 17:38:54: INFO: Reading configuration from "/usr/local/etc/racoon.conf"
2007-02-13 17:38:54: INFO: A.A.A.A[500] used as isakmp port (fd=5)
2007-02-13 17:39:02: INFO: IPsec-SA request for B.B.B.B queued due to no phase1 found.
2007-02-13 17:39:02: INFO: initiate new phase 1 negotiation: A.A.A.A[500]<=>B.B.B.B[500]
2007-02-13 17:39:02: INFO: begin Identity Protection mode.
2007-02-13 17:39:03: INFO: received broken Microsoft ID: FRAGMENTATION
2007-02-13 17:39:03: INFO: received Vendor ID: CISCO-UNITY
2007-02-13 17:39:03: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2007-02-13 17:39:03: INFO: received Vendor ID: DPD
2007-02-13 17:39:03: INFO: ISAKMP-SA established A.A.A.A[500]-B.B.B.B[500] spi:06901df3c70772ff:257cee275b7eec42
2007-02-13 17:39:04: INFO: initiate new phase 2 negotiation: A.A.A.A[0]<=>B.B.B.B[0]
2007-02-13 17:39:04: INFO: purging ISAKMP-SA spi=06901df3c70772ff:257cee275b7eec42.
2007-02-13 17:39:04: INFO: purged IPsec-SA spi=140585667.
2007-02-13 17:39:04: INFO: purged ISAKMP-SA spi=06901df3c70772ff:257cee275b7eec42.
2007-02-13 17:39:05: INFO: ISAKMP-SA deleted A.A.A.A[500]-B.B.B.B[500] spi:06901df3c70772ff:257cee275b7eec42
2007-02-13 17:39:16: INFO: IPsec-SA request for B.B.B.B queued due to no phase1 found.
2007-02-13 17:39:16: INFO: initiate new phase 1 negotiation: A.A.A.A[500]<=>B.B.B.B[500]
2007-02-13 17:39:16: INFO: begin Identity Protection mode.
2007-02-13 17:39:16: INFO: received broken Microsoft ID: FRAGMENTATION
2007-02-13 17:39:16: INFO: received Vendor ID: CISCO-UNITY
2007-02-13 17:39:16: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2007-02-13 17:39:16: INFO: received Vendor ID: DPD
2007-02-13 17:39:16: INFO: ISAKMP-SA established A.A.A.A[500]-B.B.B.B[500] spi:0ab49413a206887a:dd3a52451e5c4650
2007-02-13 17:39:17: INFO: initiate new phase 2 negotiation: A.A.A.A[0]<=>B.B.B.B[0]
2007-02-13 17:39:17: INFO: purging ISAKMP-SA spi=0ab49413a206887a:dd3a52451e5c4650.
2007-02-13 17:39:17: INFO: purged IPsec-SA spi=79067466.
2007-02-13 17:39:17: INFO: purged ISAKMP-SA spi=0ab49413a206887a:dd3a52451e5c4650.
^C2007-02-13 17:39:18: INFO: caught signal 2
2007-02-13 17:39:18: INFO: ISAKMP-SA deleted A.A.A.A[500]-B.B.B.B[500] spi:0ab49413a206887a:dd3a52451e5c4650
2007-02-13 17:39:19: INFO: racoon shutdown

After a while I cloned this machine, and set it up in the reverse order, so I could connect these two machines together. I had a working tunnel up in 5 minutes..

2007-02-13 15:41:57: INFO: @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net)
2007-02-13 15:41:57: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-02-13 15:41:57: INFO: Reading configuration from "/usr/local/etc/racoon.conf"
2007-02-13 15:41:57: INFO: A.A.A.A[500] used as isakmp port (fd=5)
2007-02-13 15:42:02: INFO: IPsec-SA request for C.C.C.C queued due to no phase1 found.
2007-02-13 15:42:02: INFO: initiate new phase 1 negotiation: A.A.A.A[500]<=>C.C.C.C[500]
2007-02-13 15:42:02: INFO: begin Identity Protection mode.
2007-02-13 15:42:02: INFO: received Vendor ID: DPD
2007-02-13 15:42:02: INFO: ISAKMP-SA established A.A.A.A[500]-C.C.C.C[500] spi:6474b6adf1ad6706:9e94933509476961
2007-02-13 15:42:03: INFO: initiate new phase 2 negotiation: A.A.A.A[0]<=>C.C.C.C[0]
2007-02-13 15:42:03: INFO: IPsec-SA established: ESP/Tunnel C.C.C.C[0]->A.A.A.A[0] spi=89585281(0x556f681)
2007-02-13 15:42:03: INFO: IPsec-SA established: ESP/Tunnel A.A.A.A[0]->C.C.C.C[0] spi=107681071(0x66b152f)

So I guess all I can do is look at the VPN Concentrator to which I don't have access, and has a non-cooperative admin :)

Angelo Höngens wrote:
> [..]
>
> 10.94.225.0/24
> +-------------+
> |
> |10.94.225.70
> +-------------+
> | BSD router |
> +-------------+
> |A.A.A.A
> |
> |B.B.B.B
> +-------------+
> | VPN 3005 |
> +-------------+
> |193.58.204.1
> |
> +-------------+
> 172.16.0.0/12
>
> [..]
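For reference, here is a racoon.conf that mirrors the Cisco-side parameters quoted in the post: main mode with a pre-shared key, 3DES/MD5 with DH group 2 and an 86400 second lifetime for phase 1, and ESP 3DES with HMAC-MD5 (transform-set ESP-3DES-MD5) for phase 2. This is an added example, not the poster's actual configuration and not part of the ipsec-tools project; the psk.txt path, the phase 2 lifetime, and the use of the two networks from the diagram (10.94.225.0/24 and 172.16.0.0/12) as the sainfo selectors are assumptions, since the contents of the outside_cryptomap_1 ACL are not shown.

```conf
# Added example: racoon.conf mirroring the Cisco parameters in the post.
# Not the poster's real config; paths, lifetime and selectors are assumptions.

path pre_shared_key "/usr/local/etc/psk.txt";   # assumed path; one line "B.B.B.B <key>"

listen {
        isakmp A.A.A.A [500];
}

# Phase 1 -- matches "crypto isakmp policy 10" and "crypto isakmp identity address".
remote B.B.B.B {
        exchange_mode main;             # "Identity Protection mode" in the racoon log
        my_identifier address;          # the Cisco side identifies peers by address
        proposal_check obey;            # accept the responder's lifetime if it differs
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 86400 sec;
        }
}

# Phase 2 -- matches transform-set ESP-3DES-MD5 (esp-3des esp-md5-hmac).
# The selectors are assumed from the network diagram; they have to match the
# peer's crypto ACL exactly, otherwise the concentrator rejects the proposal.
sainfo address 10.94.225.0/24 any address 172.16.0.0/12 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        lifetime time 28800 sec;        # assumed; racoon accepts the peer's value with proposal_check obey
        # pfs_group 2;                  # uncomment only if the concentrator insists on PFS;
                                        # the quoted Cisco config sets pfs on the dynamic map, not on the l2l entry
}
```

The racoon log shows phase 1 completing and the ISAKMP SA being purged right after phase 2 starts, so the parts worth comparing against the concentrator are the sainfo block: the selectors, the transforms and whether PFS is expected. The ESP-DES-MD5 transform set and isakmp policy 20 are deliberately not mirrored here; single DES offers no meaningful protection and the 3DES proposal is the one the working Cisco box selects.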