Do you have the prefer newer SA option checked in System -> Advanced?

Scott
On 9/8/05, Joerg Horchler <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I want to configure a more complex scenario to establish an IPSec tunnel
> between the LAN of my company and the LAN of one of our customers. First a
> short description:
>
> We want to use two machines in our LAN to access several services in the LAN
> of our customer. The customer's policy forces us to use a network that we
> don't use (as explained later). So we have to NAT the IPs of our two
> machines. We do this on a firewall. After the firewall the traffic passes our
> VPN gateway, which has to protect the traffic with ESP. Here is a short
> graphic.
>
> Internal LAN: 10.x.x.x/24
> DMZ: 192.168.1.x/24
> Enforced NAT Pool: 192.168.2.x/28
> External LAN: x.x.x.x/x
>
> +--------------+
> | box01        |
> | 10.x.x.25/24 |
> +--------------+
>         |
>         +----------------+
>                          |
> +--------------+         |
> | box02        |         |
> | 10.x.x.26/24 |         |
> +--------------+         |
>         |                |
>         +----------------+
>                          |
>                          |eth0:10.x.x.27/24
>                  +----------------+
>                  |    firewall    |
>                  +----------------+
>                          |eth1:192.168.1.250/24
>                          |eth1:1:192.168.2.65/28
>                          |
>                          |
>                          |
>                          |vr0:192.168.1.251/24
>                  +----------------+
>                  |  VPN gateway   |
>                  +----------------+
>                          |vr1:x.x.x.x/x
>                          |
>                          |
>                          |
>                          |x.x.x.x/x
>                  +----------------+
>                  |    CiscoVPN    |
>                  +----------------+
>                          |x.x.x.x/x
>                          |
>                          |
>                          +---------------+
>                          |               |
>                          |               |
>                  +---------------+       |
>                  | box01         |       |
>                  | 217.x.x.26/24 |       |
>                  +---------------+       |
>                                          |
>                  +---------------+       |
>                  | box02         |-------+
>                  | 217.x.x.27/24 |
>                  +---------------+
>
> I try to access 217.x.x.26 via SSH from 10.x.x.25. The source address is
> NATed on our firewall to 192.168.2.65. On the VPN gateway I configured a
> policy to protect all traffic from 192.168.2.x/28 to 217.x.x.26/24 with ESP
> via the Cisco VPN appliance (remote gateway). The connection with this setup
> times out. The log on our syslog server has logged
>
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for x.x.x.x queued due to no phase1 found.
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> Sep 1 14:15:21 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
> Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: x.x.x.x[0]<=>x.x.x.x[0]
> Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=ea64dfd3aa29dc62:121857c2df384193.
> Sep 1 14:15:52 cvpndmz racoon: ERROR: pfkey.c:804:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
> Sep 1 14:15:52 cvpndmz racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
>
> As no error message is given above the timeout, I'm a little bit
> confused about what is going on here.
>
> Perhaps someone has an idea.
>
> Cheers
> Jörg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
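The racoon lines Jörg quoted tell a clear story once they are read as a sequence: phase 1 completes in aggressive mode (after a PSK lookup that falls back to the peer's address), phase 2 starts, the ISAKMP SA is purged in the same second, and racoon then waits 30 seconds for an IPsec SA that never arrives before giving up. The script below is an added example, not code from this thread or from m0n0wall/racoon: it parses racoon's syslog message format as it appears in the post, groups the lines into negotiation steps, and reports where the tunnel setup stalled and how long phase 2 was left waiting. The sample log is the poster's own lines re-joined one per line, with peer addresses kept as the anonymized "x.x.x.x" he wrote; the assumption is only that the log format matches those lines.

```python
import re
from datetime import datetime

# Constructed sample: the racoon lines from the post above, one log entry per line.
# Peer addresses are the poster's anonymized "x.x.x.x"; SPIs are the ones he quoted.
SAMPLE_LOG = """\
Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for x.x.x.x queued due to no phase1 found.
Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 1 14:15:21 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: x.x.x.x[0]<=>x.x.x.x[0]
Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=ea64dfd3aa29dc62:121857c2df384193.
Sep 1 14:15:52 cvpndmz racoon: ERROR: pfkey.c:804:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
Sep 1 14:15:52 cvpndmz racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
"""

# Syslog prefix, then racoon's "LEVEL: file.c:line:function(): message" layout.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?P<level>[A-Z]+): (?P<file>[\w.]+):\d+:(?P<func>\w+)\(\): (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one racoon log line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; we only need them for second-level deltas.
    rec["ts"] = datetime.strptime(re.sub(r"\s+", " ", rec["ts"]), "%b %d %H:%M:%S")
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def stalled_at(report):
    """Name the negotiation step that did not complete."""
    if not report["phase1_established"]:
        return "phase1"
    if report["ipsec_sa_timeout"]:
        return "phase2"
    return "none"


def diagnose(records):
    """Walk one negotiation attempt in order and summarize what happened at each step."""
    report = {
        "phase1_mode": None,
        "psk_fallback_by_address": False,
        "phase1_established": False,
        "phase2_initiated": False,
        "isakmp_sa_purged_before_ipsec_sa": False,
        "ipsec_sa_timeout": False,
        "phase2_wait_seconds": None,
    }
    ph2_start = None
    for r in records:
        func, msg = r["func"], r["msg"]
        if func == "isakmp_ph1begin_i":
            m = re.search(r"begin (\w+) mode", msg)
            if m:
                report["phase1_mode"] = m.group(1)
        elif func == "oakley_skeyid" and "peer's address" in msg:
            report["psk_fallback_by_address"] = True
        elif func == "log_ph1established":
            report["phase1_established"] = True
        elif func == "isakmp_ph2begin_i":
            report["phase2_initiated"] = True
            ph2_start = r["ts"]
        elif func == "purge_isakmp_spi" and ph2_start is not None and not report["ipsec_sa_timeout"]:
            # The ISAKMP SA went away while an IPsec SA was still outstanding.
            report["isakmp_sa_purged_before_ipsec_sa"] = True
        elif func == "pfkey_timeover":
            report["ipsec_sa_timeout"] = True
            if ph2_start is not None:
                report["phase2_wait_seconds"] = int((r["ts"] - ph2_start).total_seconds())
    report["stalled_at"] = stalled_at(report)
    return report


if __name__ == "__main__":
    for key, value in diagnose(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the poster's lines, the report shows phase 1 established, phase 2 initiated, the ISAKMP SA purged before any IPsec SA arrived, and a 30-second wait ending in `pfkey_timeover`. That is the useful reading of "no error message above the timeout": racoon itself did nothing wrong after phase 1; the phase 2 exchange simply got no usable reply, so the things to compare on both ends are the phase 2 proposals (the 192.168.2.x/28 to 217.x.x.x/24 selectors, ESP transforms, PFS group) and the peer's own log for the same second.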