[Vyatta-users] newbie query - issue in site-to-site VPN

2008-02-27 Thread Biswajit Banerjee
Hi All,

I am a newbie to Vyatta IPsec VPN and have set up a site-to-site VPN as per
the Vyatta config document between 2 Vyatta routers. Not able to
establish the VPN, and /var/log/messages says:

Site 1
Feb 28 02:39:44 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #691: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP to replace #690 {using isakmp#687}
Feb 28 02:39:44 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 28 02:39:44 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687: received and ignored informational message
Feb 28 02:39:54 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687: ignoring informational payload, type INVALID_MESSAGE_ID
Feb 28 02:39:54 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687: received and ignored informational message
Feb 28 02:40:14 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687: ignoring informational payload, type INVALID_MESSAGE_ID
Feb 28 02:40:14 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687: received and ignored informational message

Site 2

IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
Feb 28 02:31:33 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #751: no acceptable Proposal in IPsec SA
Feb 28 02:31:33 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #751: sending encrypted notification NO_PROPOSAL_CHOSEN to 202.91.74.130:500
Feb 28 02:31:40 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #746: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x211f93c1 (perhaps this is a duplicated packet)
Feb 28 02:31:40 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #746: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:500


Site 1 config

vpn {
  ipsec {
    ipsec-interfaces {
      interface eth0
    }
    ike-group IKE-1W {
      proposal 1 {
        encryption: aes256
      }
      proposal 2 {
      }
      lifetime: 3600
    }
    esp-group ESP-1W {
      proposal 1 {
        encryption: aes256
      }
      proposal 2 {
        encryption: 3des
        hash: md5
      }
      lifetime: 1800
    }
    site-to-site {
      peer X.X.X.X {
        authentication {
          mode: rsa
          pre-shared-secret: test_key_1
          rsa-key-name: CO-key
        }
        ike-group: IKE-1W
        local-ip: Y.Y.Y.Y
        tunnel 1 {
          local-subnet: 192.168.1.0/24
          remote-subnet: 192.168.0.0/24
          esp-group: ESP-1W
        }
      }
    }
  }
  rsa-keys {
    rsa-key-name CO-key {
      rsa-key: 0sAQOBguI8jQvYGCKf3KFP3sQHTTwP3AVokIXnoEyaNOEgqxPtITCEV4SJYkBk7//ZnBovZJJ8s0/qDGOPkjK4rAjTNEXCoGZBoHR3W6Sus40RU+33Cc/qwBzl5xHgU2iDdlESMWV8PVa1keVqU19KELpc3zLS0GdFaJKoJIeDSyyWoicAp9AQ8GG2OaaYDI+GvLKpf5V1DK6Rqfz5dLab+UIXcqLsqQ2a+VrL9Bbul/p8Z5vc7RgqS8GRjwzoPqUr+5HDw2HUxTXAhUek3HBu96lJ+H1LO63d28OV+B2cc0kWMuiEke1MGJtcWbyYtr6vKCQbGjOJjZqB+sq8ma9Zg8kAOIrPLIpQsXe/TjS4Cp0xbMgX
    }
  }
}


Site 2 config is

vpn {
  ipsec {
    ipsec-interfaces {
      interface eth0
    }
    ike-group IKE-1E {
      proposal 1 {
        encryption: aes256
      }
    }
    esp-group ESP-1E {
      proposal 2 {
        encryption: 3des
        hash: md5
      }
      lifetime: 1800
    }
    site-to-site {
      peer 202.91.74.130 {
        authentication {
          mode: rsa
          pre-shared-secret: test_key_1
          rsa-key-name: NLD-key
        }
        ike-group: IKE-1E
        local-ip: 202.91.67.162
        tunnel 1 {
          local-subnet: 192.168.0.0/24
          remote-subnet: 192.168.1.0/24
          esp-group: ESP-1E
        }
      }
    }
  }
  rsa-keys {
    rsa-key-name NLD-key {
      rsa-key: 0sAQOOVx2lEQNsCqFU9M4bhovvC28mf7e1sYNaBC1FAaG5qyO2PnGic+anlVJYvjvHBj3wBYV+L6pMRsTv28Qn9wFGCXUR/aSM4+RdnHSTBy8sgWKpw9vCVMJ/J60x6/B7uc6a0e8+2jJ8PnfFDoPG7C9UHDUM1r+d2vSno8bb5MlzQ81ib1Gczfp/nnvvMqUi99DWnUqGcPOcPrS7hctCP0Za6YIvDd3/l9xRPC+a1I1ouEW8+8HcrhFEOLHL/SUc2Qoq+BPO0vxLRkuZZhhCvmOk3BvTRGh43E39ttyO2YHE3LqxbBTZvmYYZcWE9899iZkne0ffhSW6M4BzKL1WIhw8tupImP1+QTekmwglodAW72Bv
    }
  }
}


Please help..
TIA
Regards
Ben
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
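One way to check the posted Site 2 log against the two posted esp-groups, as an added example that is not part of the original post and is not Vyatta's own tooling: it parses the esp-group proposals of both sites from Vyatta-style config text, pulls the refused transform out of pluto's "refused due to strict flag" line, and reports which initiator proposal that transform came from and whether the responder's esp-group carries it at all. The config stanzas and log lines inside the block are constructed to mirror the ones quoted above; the defaults filled in for omitted fields (aes128 encryption, sha1 hash) and the mapping from pluto's transform names to Vyatta's keywords are assumptions, not values taken from the post.

```python
"""Correlate pluto's "refused due to strict flag" lines from the responder's
log with the esp-group proposals configured on both ends of a Vyatta
site-to-site tunnel.  Added example, not part of the mailing-list post."""
import re

# Constructed esp-group stanzas carrying the same proposals as the posted configs.
SITE1_ESP = """
esp-group ESP-1W {
  proposal 1 {
    encryption: aes256
  }
  proposal 2 {
    encryption: 3des
    hash: md5
  }
  lifetime: 1800
}
"""
SITE2_ESP = """
esp-group ESP-1E {
  proposal 2 {
    encryption: 3des
    hash: md5
  }
  lifetime: 1800
}
"""
# Constructed responder-side log lines modelled on the posted Site 2 excerpt.
SITE2_LOG = [
    "Feb 28 02:31:33 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #751: "
    "IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag",
    "Feb 28 02:31:33 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #751: "
    "no acceptable Proposal in IPsec SA",
]

# Assumption: values Vyatta applies when a proposal omits encryption or hash.
DEFAULT_ENCRYPTION = "aes128"
DEFAULT_HASH = "sha1"
# Assumption: how pluto spells the transforms that matter for this post.
PLUTO_TO_VYATTA = {
    "ESP_AES (256)": "aes256", "ESP_AES (128)": "aes128", "ESP_3DES": "3des",
    "AUTH_ALGORITHM_HMAC_SHA1": "sha1", "AUTH_ALGORITHM_HMAC_MD5": "md5",
}
REFUSED_RE = re.compile(
    r"IPsec Transform \[(?P<enc>[^,]+), (?P<auth>[^\]]+)\] refused due to strict flag")


def parse_esp_proposals(config_text):
    """Return {proposal_number: (encryption, hash)} from an esp-group stanza.
    'key: value' lines are only read while inside a 'proposal N { ... }' block,
    so lifetime and other group-level keys are ignored."""
    proposals, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"proposal (\d+) \{", line)
        if m:
            current = int(m.group(1))
            proposals[current] = {"encryption": DEFAULT_ENCRYPTION, "hash": DEFAULT_HASH}
        elif line == "}":
            current = None
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key in ("encryption", "hash"):
                proposals[current][key] = value
    return {n: (p["encryption"], p["hash"]) for n, p in proposals.items()}


def refused_transform(log_line):
    """(encryption, hash) in Vyatta spelling for a 'refused' line, else None."""
    m = REFUSED_RE.search(log_line)
    if not m:
        return None
    return (PLUTO_TO_VYATTA.get(m.group("enc"), m.group("enc")),
            PLUTO_TO_VYATTA.get(m.group("auth"), m.group("auth")))


def diagnose(initiator_cfg, responder_cfg, responder_log_lines):
    """For every refused transform in the responder log, say which initiator
    proposal offered it and whether the responder's esp-group lists it; also
    list the transforms both esp-groups have in common."""
    init = parse_esp_proposals(initiator_cfg)
    resp = parse_esp_proposals(responder_cfg)
    report = {"common": sorted(set(init.values()) & set(resp.values())), "refused": []}
    for line in responder_log_lines:
        transform = refused_transform(line)
        if transform is None:
            continue
        report["refused"].append({
            "transform": transform,
            "initiator_proposal": [n for n, p in init.items() if p == transform],
            "in_responder": transform in resp.values(),
        })
    return report


if __name__ == "__main__":
    for entry in diagnose(SITE1_ESP, SITE2_ESP, SITE2_LOG)["refused"]:
        print("refused %s: initiator proposal %s, present on responder: %s"
              % (entry["transform"], entry["initiator_proposal"], entry["in_responder"]))
```

Run on the posted values, the report shows that the refused transform (aes256, sha1) is Site 1's esp-group proposal 1, which Site 2's ESP-1E does not carry, and that the only transform both groups share is 3des/md5. The check localizes the mismatch behind the NO_PROPOSAL_CHOSEN notification; it does not say why the shared proposal was not selected, since the quoted excerpt does not show that.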

[Vyatta-users] Remote access VPN Howto

2007-11-26 Thread Biswajit Banerjee
Hi,

There are documentation references to site-to-site VPN. Can someone throw
light on remote access VPN configuration on Vyatta so that any Win /
Linux client can access Vyatta and the network via VPN? Are any howtos
available?

TIA

Regards
Biswajit


___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users