Menu
▾
▴
[Ipsec-tools-devel] racoon phase1 problem with Cisco
|
From: Yuriy Z. <yu...@fc...> - 2006-05-22 08:45:08
|
Hi.
I use Cisco 851 and ipsec-tools 0.5.2
Only version 0.5.2 work properly with Cisco DPD feature on my Linux server box (FC3, kernel 2.6.10)
From local net with Linux server tunnel work:
racoon: INFO: initiate new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>YYY.YYY.YYY.YYY[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] spi:e575e726d2205ec9:2f8e9c0e69c2e2f1
racoon: INFO: initiate new phase 2 negotiation: XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
racoon: WARNING: ignore RESPONDER-LIFETIME notification.
racoon: WARNING: attribute has been modified.
racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY->XXX.XXX.XXX.XXX spi=103441205(0x62a6335)
racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX->YYY.YYY.YYY.YYY spi=4275481469(0xfed6ab7d)
From remote net with Cisco i have error:
racoon: INFO: respond new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>YYY.YYY.YYY.YYY[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = pre-shared key:RSA signatures
racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:768-bit MODP group
racoon: ERROR: no suitable proposal found.
racoon: ERROR: failed to get valid proposal.
racoon: ERROR: failed to process packet.
racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt" ;
path certificate "/etc/racoon/certs";
listen
{
isakmp XXX.XXX.XXX.XXX [500];
}
remote anonymous
{
exchange_mode aggressive,main,base;
dpd_delay 240;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
Cisco crypto policy:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key secretkey address XXX.XXX.XXX.XXX no-xauth
crypto isakmp keepalive 240 5 periodic
Yuriy Zveryanskyy,
FCH Group
|