The problem is both a Linux and a Cisco one, so I apologize to the list
extremists :)
I am trying to connect a Cisco and a FreeS/WAN box to each other over IPsec.
FreeS/WAN is the latest snapshot, the Cisco is a c3660 with IOS 12.2(2)T1.
If anyone has an idea where I am messing up, or has a working
configuration (with/without PFS, with/without shared-secret authentication,
etc.), please give me a hint. The documentation on freeswan.org is outdated...
On the Cisco I have this:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 600
crypto isakmp key secretkeyxxxyyy address 192.168.1.170
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map TEST 1 ipsec-isakmp
 set peer 192.168.1.170
 set transform-set 3DES-MD5
 match address 101
interface FastEthernet0/1
 ip address 192.168.0.254 255.255.0.0
 ip directed-broadcast
 duplex auto
 speed auto
 fair-queue
 crypto map TEST
access-list 101 permit ip 172.16.251.0 0.0.0.255 host 192.168.1.170
On Linux:
/etc/ipsec.conf:
# Automatically generated, useless editing
config setup
    klipsdebug=none
    plutodebug=all
    manualstart=
    plutoload=%search
    plutostart=%search
    plutowait=no
    interfaces="ipsec0=eth0 ipsec1=eth1"
conn %default
    type=tunnel
    auto=start
    keyexchange=ike
    auth=esp
    pfs=yes
    keylife=8h
    rekeymargin=10m
    rekeyfuzz=100%
    keyingtries=0
    ikelifetime=1h
conn cisco_1
    left=192.168.1.170
    leftsubnet=172.16.251.0/255.255.0.0
    right=192.168.0.254
    rightsubnet=0.0.0.0/0.0.0.0
    pfs=no
    auto=start
    authby=secret
and in /etc/ipsec.secrets:
192.168.1.170 192.168.0.254: PSK "secretkeyxxxyyy"
The Cisco keeps saying:
01:06:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at
192.168.1.170
however:
PeeWee#sh crypto isakmp sa
dst             src             state         conn-id  slot
192.168.0.254   192.168.1.170   MM_NO_STATE         1     0  (deleted)
192.168.0.254   192.168.1.170   MM_NO_STATE         2     0
It does seem to be trying something, but I can't figure out why it doesn't get any further... :((
Does anyone know where I am going wrong?
--
Stefan Laudat
CCNA & CCAI
-------------
It's better to be quotable than to be honest.
-- Tom Stoppard