I am trying to set up a VPN using a Nokia CC 500 and FW1. I'm using IKE and pre-shared secrets. The tunnel works in one direction, from the network behind the Nokia to the network behind the FW1 machine, but when I attempt to access the network behind the Nokia CC 500 from the network behind the FW1, it fails and I get the following on the CC 500 console (some IPs changed to protect the innocent):
Thu Feb 15 15:16:18 2001 (IPSEC)-ERR: key_find_responder_policy: matching outbound selector not found
Thu Feb 15 15:16:18 2001 (IKE)-ERR: receive: failed to locate QM responder policy
Thu Feb 15 15:16:18 2001 (IKE)-ERR: receive: failed to locate QM responder policy
then:
Thu Feb 15 15:16:43 2001 (IKE)-AUDIT: IKE SA deleted for 123.123.123.66 (123.123.123.66)
Thu Feb 15 15:16:43 2001 (IKE)-NOTICE: process_sa: no proposal chosen
Thu Feb 15 15:16:43 2001 (IKE)-NOTICE: process_sa: no proposal chosen
Then the tunnel goes down and does not come back up until traffic goes from the network behind the Nokia CC 500 to the network behind the FW1 box.

When it is up, IPSEC looks like this:
IPSec Security Associations:
spi: ffff3c00 <- ffff1d87
source address: 123.123.123.66
destination address: 123.123.123.80
client identity: 10.10/24
type: esp
integrity algorithm: md5 (128 bits)
secrecy algorithm: 3des (192 bits)
flags: inbound,initiator,tunnel
lifetime: 60 minutes
time-to-live: 59 minutes
traffic: 848 bytes
spi: ffff1d87 -> ffff3c00 (1)
source address: 123.123.123.80
destination address: 123.123.123.66
client identity: 10/24
type: esp
integrity algorithm: md5 (128 bits)
secrecy algorithm: 3des (192 bits)
flags: outbound,initiator,tunnel
lifetime: 60 minutes
time-to-live: 59 minutes
traffic: 632 bytes
and IKE looks like this:

IKE Security Associations:
sequence: 2b
state: MM_IDLE
flags: outbound,valid
source: 123.123.123.80
destination: 123.123.123.66
peer identity: fqdn.domain.com
oakley group: modp-768
encryption algorithm: 3des
hash algorithm: md5
authentication method: pre-shared key
associations: 2
lifetime: 8 hours
time-to-live: 7 hours
It's also really slow. Anyone out there have any experience with the Nokia CC 500 that they would like to share?
Scott
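To illustrate the Quick Mode responder lookup that the "matching outbound selector not found" error above refers to, here is an added example (not Nokia or FW-1 code, and a conceptual model rather than either product's actual algorithm): the responder has to find an outbound policy whose local selector covers the proposed IDcr and whose remote selector covers IDci, so a tunnel that works when one side initiates can still fail the other way if the peers propose different selectors. The CIDR expansions of "10.10/24" and "10/24" and the host-to-host proposal are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """One IPsec policy on a gateway: traffic from `local` to `remote` is tunnelled."""
    local: IPv4Network   # protected subnet on this gateway's own side
    remote: IPv4Network  # protected subnet behind the peer


def find_responder_policy(policies: List[Policy], id_ci: IPv4Network,
                          id_cr: IPv4Network, exact: bool) -> Optional[Policy]:
    """Model of a Quick Mode responder lookup. The initiator proposes its client
    identity (IDci) and ours (IDcr); we need an outbound policy whose local
    selector covers IDcr and whose remote selector covers IDci. With `exact`
    the prefixes must be identical (stricter implementations); otherwise a
    narrower proposal is accepted. Returning None is the 'not found' case."""
    for p in policies:
        if exact:
            ok = id_cr == p.local and id_ci == p.remote
        else:
            ok = id_cr.subnet_of(p.local) and id_ci.subnet_of(p.remote)
        if ok:
            return p
    return None


# Constructed gateway policies. Expanding the post's abbreviated identities
# '10.10/24' and '10/24' to these prefixes is an assumption.
NOKIA_SIDE = ip_network("10.10.0.0/24")
FW1_SIDE = ip_network("10.0.0.0/24")
NOKIA_POLICIES = [Policy(local=NOKIA_SIDE, remote=FW1_SIDE)]
FW1_POLICIES = [Policy(local=FW1_SIDE, remote=NOKIA_SIDE)]  # mirror image


def nokia_initiates(exact: bool = True) -> bool:
    """FW-1 responds; the Nokia proposes exactly the subnets FW-1 has, so it matches."""
    return find_responder_policy(FW1_POLICIES, id_ci=NOKIA_SIDE,
                                 id_cr=FW1_SIDE, exact=exact) is not None


def fw1_initiates(id_ci: IPv4Network, id_cr: IPv4Network, exact: bool = True) -> bool:
    """The Nokia responds; a False result is the post's failing direction."""
    return find_responder_policy(NOKIA_POLICIES, id_ci, id_cr, exact) is not None
```

Comparing the selectors each side actually proposes (the client identities shown in the SA listing) against what the responder has configured is the first thing to check when one direction works and the other does not.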
