From: Yuriy Z. <yu...@fc...> - 2006-05-22 08:45:08
Hi. I use Cisco 851 and ipsec-tools 0.5.2. Only version 0.5.2 works properly with the Cisco DPD feature on my Linux server box (FC3, kernel 2.6.10).

From the local net with the Linux server the tunnel works:

    racoon: INFO: initiate new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>YYY.YYY.YYY.YYY[500]
    racoon: INFO: begin Aggressive mode.
    racoon: INFO: received Vendor ID: CISCO-UNITY
    racoon: INFO: received Vendor ID: DPD
    racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] spi:e575e726d2205ec9:2f8e9c0e69c2e2f1
    racoon: INFO: initiate new phase 2 negotiation: XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
    racoon: WARNING: ignore RESPONDER-LIFETIME notification.
    racoon: WARNING: attribute has been modified.
    racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY->XXX.XXX.XXX.XXX spi=103441205(0x62a6335)
    racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX->YYY.YYY.YYY.YYY spi=4275481469(0xfed6ab7d)

From the remote net with the Cisco I have an error:

    racoon: INFO: respond new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>YYY.YYY.YYY.YYY[500]
    racoon: INFO: begin Identity Protection mode.
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
    racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = pre-shared key:RSA signatures
    racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:768-bit MODP group
    racoon: ERROR: no suitable proposal found.
    racoon: ERROR: failed to get valid proposal.
    racoon: ERROR: failed to process packet.

racoon.conf:

    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";

    listen {
        isakmp XXX.XXX.XXX.XXX [500];
    }

    remote anonymous {
        exchange_mode aggressive,main,base;
        dpd_delay 240;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

Cisco crypto policy:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key secretkey address XXX.XXX.XXX.XXX no-xauth
    crypto isakmp keepalive 240 5 periodic

Yuriy Zveryanskyy, FCH Group
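The "rejected enctype/authmethod/dh_group" lines in the post encode, per peer transform, which phase 1 attribute differed from the local proposal. The script below is an added example, not part of the original post or of ipsec-tools: it parses those lines into a mismatch table so the local-vs-peer values can be read side by side, using the log lines from the post as constructed sample input.

```python
"""Parse racoon 'rejected <attribute>' lines into a per-transform mismatch table."""
import re
from collections import defaultdict

# Constructed sample input: the phase 1 rejection lines quoted in the post above.
SAMPLE_LOG = """\
racoon: INFO: begin Identity Protection mode.
racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = pre-shared key:RSA signatures
racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:768-bit MODP group
racoon: ERROR: no suitable proposal found.
"""

# One rejection line: attribute name, local (DB) transform id, peer transform id,
# then "<local value>:<peer value>"; the local value never contains a colon.
REJECT_RE = re.compile(
    r"racoon: ERROR: rejected (?P<attr>\w+): "
    r"DB\((?P<db>[^)]*)\):Peer\((?P<peer>[^)]*)\) = (?P<local>[^:]+):(?P<remote>.+)$"
)


def parse_rejections(log_text):
    """Return one dict per 'rejected' line; all other racoon lines are ignored."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := REJECT_RE.match(line.strip()))]


def mismatch_table(log_text):
    """Group mismatches as {(db_transform, peer_transform): {attr: (local, peer)}}."""
    table = defaultdict(dict)
    for r in parse_rejections(log_text):
        table[(r["db"], r["peer"])][r["attr"]] = (r["local"].strip(), r["remote"].strip())
    return dict(table)


def negotiation_failed(log_text):
    """True when racoon gave up on the exchange ('no suitable proposal found')."""
    return any("no suitable proposal found" in line for line in log_text.splitlines())


def report(log_text):
    """Human-readable summary: which peer transform disagreed on which attribute."""
    lines = []
    for (db, peer), attrs in mismatch_table(log_text).items():
        lines.append(f"local {db} vs peer {peer}:")
        for attr, (local, remote) in sorted(attrs.items()):
            lines.append(f"  {attr:<11} local={local!r} peer={remote!r}")
    if negotiation_failed(log_text):
        lines.append("result: no transform matched; phase 1 failed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the racoon lines from syslog to see at a glance which attributes the peer's transform offered differently from the local proposal.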