From: Hengesbach, J. <jrh...@as...> - 2008-05-02 16:50:17

I'm looking for some guidance on connecting a tunnel between an up-to-date CentOS 5 system and a Juniper SSG140.

Network Info:

CentOS System (under my control)
  Eth0 - LAN subnet 192.168.1.0/24
  Eth1 - Internet IP on Business T1 circuit 1.2.3.4
  Kernel: 2.6.18-53.1.14.el5
  ipsec-tools-0.6.5-8.el5 (rpm)
  IP forwarding = 1
  Iptables - no rules, completely open (temporary)

Juniper SSG140 (I have no direct access - info provided by 3rd party)
  Internet IP: 1.2.4.5
  Internal: 192.168.2.0/24
  ESP 3des-cbc md5-hmac
  IKE: PSK
  PSK: top-secret

CentOS configurations:

racoon.conf:

  path include "/etc/racoon";
  path pre_shared_key "/etc/racoon/psk.txt";
  path certificate "/etc/racoon/certs";

  sainfo anonymous {
      pfs_group 2;
      lifetime time 1 hour ;
      encryption_algorithm 3des, blowfish 448, rijndael ;
      authentication_algorithm hmac_sha1, hmac_md5 ;
      compression_algorithm deflate ;
  }

  remote 1.2.4.5 {
      exchange_mode aggressive, main;
      my_identifier address;
      proposal {
          encryption_algorithm 3des;
          hash_algorithm sha1;
          authentication_method pre_shared_key;
          dh_group 2 ;
      }
  }

-----------------------------------------
psk.txt:

  1.2.4.5 top-secret

-----------------------------------------
setkeys.sh:

  #!/sbin/setkey -f
  flush;
  spdflush;
  spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/1.2.3.4-1.2.4.5/require;
  spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/1.2.4.5-1.2.3.4/require;

I run setkeys.sh, then start racoon with "-F -d". Next I'll try to ping a host on 192.168.2.0 from 192.168.1.0. I can see racoon take action but the tunnel fails. Racoon displays lots of:

  DEBUG: resend phase1 packet
  .....
  DEBUG: 264 bytes from 1.2.3.4[500] to 1.2.4.5[500]
  ERROR: phase1 negotiation failed due to time up.
  .....
  ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.2.4.5[500]->1.2.3.4[500]

Any advice would be greatly appreciated.

Thanks,
Jeff
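An added triage helper, not part of Jeff's post or of ipsec-tools: it reads the setkey SPD rules and the racoon -F -d output quoted above, checks that the in/out tunnel endpoints mirror each other, and distinguishes a phase 1 timeout where no IKE packet ever came back from the peer (a reachability or peer-side problem) from one where the peer did answer. The sample SPD rules and log lines are constructed from the post; the 1.2.3.4 / 1.2.4.5 addresses are its placeholders.

```python
import re

# Constructed sample input modelled on the post: the two spdadd lines from
# setkeys.sh and the racoon debug lines Jeff quotes.
SPD_RULES = """\
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/1.2.3.4-1.2.4.5/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/1.2.4.5-1.2.3.4/require;
"""
RACOON_LOG = """\
DEBUG: resend phase1 packet
DEBUG: 264 bytes from 1.2.3.4[500] to 1.2.4.5[500]
DEBUG: resend phase1 packet
DEBUG: 264 bytes from 1.2.3.4[500] to 1.2.4.5[500]
ERROR: phase1 negotiation failed due to time up.
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.2.4.5[500]->1.2.3.4[500]
"""

SPD_RE = re.compile(r"spdadd \S+ \S+ any -P (in|out) ipsec esp/tunnel/([\d.]+)-([\d.]+)/require")
PKT_RE = re.compile(r"(\d+) bytes from ([\d.]+)\[(\d+)\] to ([\d.]+)\[(\d+)\]")

def tunnel_endpoints(spd_text):
    """Map SPD direction -> (tunnel src, tunnel dst) from setkey spdadd lines."""
    return {d: (src, dst) for d, src, dst in SPD_RE.findall(spd_text)}

def triage(spd_text, log_text):
    """Classify a failed racoon negotiation using the SPD plus the debug log."""
    ep = tunnel_endpoints(spd_text)
    local, peer = ep["out"]
    # The inbound tunnel must be the exact mirror of the outbound one.
    if ep.get("in") != (peer, local):
        return {"finding": "spd-asymmetric", "local": local, "peer": peer}
    sent = received = 0
    for _, src, _sport, dst, _dport in PKT_RE.findall(log_text):
        if src == local and dst == peer:
            sent += 1
        elif src == peer and dst == local:
            received += 1
    p1_timeout = "phase1 negotiation failed due to time up" in log_text
    if p1_timeout and sent and not received:
        finding = "no-ike-reply"            # nothing came back on UDP/500
    elif p1_timeout:
        finding = "phase1-stalled-after-reply"  # peer answered, then went quiet
    else:
        finding = "other"
    return {"finding": finding, "local": local, "peer": peer,
            "sent": sent, "received": received}
```

Point it at a full racoon log (and `setkey -DP` output) to reproduce the same check on a live host.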