Do you also have a 'nonat (inside) 0 access-list 111' to prevent the Cisco from 
NATing your VPN tunnel traffic?

Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troopy .
Sent: Wednesday, September 19, 2007 4:30 AM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] Cisco - Vyatta VPN


Hello, I am trying to establish a VPN between a Cisco and a Vyatta.

> Here the network picture
>
> switch 10.0.0.2
> link
> Cisco VPN 10.0.0.1 - 50.0.0.1
> link
> Cisco relay 50.0.0.2 100.0.0.2
> link
> VYatta VPN BOX 100.0.0.1 & loopback 10.200.1.1
> 
> VPN between 50.0.0.1 and 100.0.0.1
>
> 10.0.0.2 should successfully ping 10.200.1.1, which is not the case.
>
> Only the IKE phase seems to be okay.
>
> Thanks already to Stig, who provided me precious help.
>
> Regards
>
> Troopy
> 


> **********
> vyatta
> **********
>
>
>     protocols {
>         static {
>              route 50.0.0.1/32 {  
>                 next-hop: 100.0.0.2
>             }

(tried with and without the route above)

>             route 10.0.0.0/24 {
>                 next-hop: 50.0.0.1
>             }
>         }
>     }
>     policy {
>     }
>     interfaces {
>         loopback lo {
>             address 10.200.1.1 {
>                 prefix-length: 32
>             }
>         }
>         ethernet eth0 {
>             hw-id: 00:22:22:22:22:22
>             address 100.0.0.1 {
>                 prefix-length: 24
>             }
>         }
>     }
>     service {
>         telnet {
>         }
>     }
>     firewall {
>     }
>     system {
>         ntp-server "69.59.150.135"
>         login {
>             user root {
>                 authentication {
>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>                 }
>             }
>             user vyatta {
>                 authentication {
>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>                 }
>             }
>         }
>         package {
>
>             repository community {
>                 component: "main"
>                 url: "http://archive.vyatta.com/vyatta";
>             }
>         }
>     }
>     vpn {
>         ipsec {
>             ipsec-interfaces {
>                 interface eth0
>             }
>             ike-group IKE {
>                 proposal 1 {
>                     encryption: "3des"
>                     hash: "md5"
>                     dh-group: 2
>                 }
>                 lifetime: 7200
>             }
>             esp-group ESP {
>                 proposal 1 {
>                     encryption: "3des"
>                     hash: "md5"
>
>                }
>                 lifetime: 1800
>             }
>             site-to-site {
>                 peer 50.0.0.1 {
>                     authentication {
>                         pre-shared-secret: "eden"
>                     }
>                     ike-group: "IKE"
>                     local-ip: 100.0.0.1
>                     tunnel 1 {
>                         local-subnet: 10.200.0.0/16
>                         remote-subnet: 10.0.0.0/24
>                         esp-group: "ESP"
>                     }
>                 }
>             }
>         }
>     }
>     rtrmgr {
>         config-directory: "/opt/vyatta/etc/config"
>     }
>
> *********
> CISCO
> *********
>
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 7200
> crypto isakmp key eden address 100.0.0.1
> !
> crypto ipsec security-association lifetime seconds 1800
> !
> crypto ipsec transform-set t1 ah-md5-hmac esp-3des
> !
> crypto map m1 110 ipsec-isakmp
>  set peer 100.0.0.1
>  set transform-set t1
>  match address 111
> !
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface FastEthernet0/0
>  ip address 10.0.0.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface Serial0/0
>  no ip address
>  shutdown
> !
> interface FastEthernet0/1
>  ip address 50.0.0.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map m1
> !
> ip classless
> ip route 10.200.1.1 255.255.255.255 100.0.0.1
> ip route 100.0.0.1 255.255.255.255 50.0.0.2
> no ip http server
> !
> access-list 111 permit ip 10.0.0.0 0.0.0.255 10.200.0.0 0.0.255.255
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  no login
> !
> end 


Vyatta:



show vpn ike sa
Local IP    Peer IP Stats Encrypt HAsh Nat-t A-time L-time
------    ------    ------ ------------------------------
100.0.0.1  50.0.0.1 up      3des    md5 no    810     7200


sh vpn ipsec sa:
peer ip    Tunnel#   Dir    SPI     Encrypt   Hash   NAT-T   A-TIME L-TIME
------     ------    ------ ------  ------    ------ ------  ------ ------
50.0.0.1    1         in     n/a     n/a      n/a    No      0        1800
50.0.0.1    1         out    n/a      n/a      n/a   No      0         1800 

CISCO

debug crypto ipsec

1:14:27: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported

Not related to debug command:

01:14:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.0.0.1

debug crypto isakmp

Cisco-VPN-Box#clear crypto isakmp
01:17:44: ISAKMP (0:5): purging node 2097136625
01:17:45: ISAKMP (0:5): purging node -610509802
01:17:45: ISAKMP (0:5): received packet from 100.0.0.1 (R) QM_IDLE      
01:17:45: ISAKMP (0:5): processing HASH payload. message ID = -1665810821
01:17:45: ISAKMP (0:5): processing SA payload. message ID = -1665810821
01:17:45: ISAKMP (0:5): Checking IPSec proposal 0
01:17:45: ISAKMP: transform 0, ESP_3DES
01:17:45: ISAKMP:   attributes in transform:
01:17:45: ISAKMP:      group is 2
01:17:45: ISAKMP:      encaps is 1
01:17:45: ISAKMP:      SA life type in seconds
01:17:45: ISAKMP:      SA life duration (basic) of 1800
01:17:45: ISAKMP:      authenticator is HMAC-MD5
Cisco-VPN-Box#
01:17:45: ISAKMP (0:5): atts not acceptable. Next payload is 0
01:17:45: ISAKMP (0:5): phase 2 SA not acceptable!
01:17:45: ISAKMP (0:5): sending packet to 100.0.0.1 (R) QM_IDLE      
01:17:45: ISAKMP (0:5): purging node -1622096664
01:17:45: ISAKMP (0:5): deleting node -1665810821 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
01:17:46: ISAKMP (0:5): peer does not do paranoid keepalives.

01:17:46: ISAKMP (0:5): deleting SA reason "death by tree-walk node" state (R) QM_IDLE       (peer 100.0.0.1) input queue 0
01:17:46: ISAKMP (0:5): sending packet to 100.0.0.1 (R) MM_NO_STATE
01:17:46: ISAKMP (0:5): purging node 1155042555
01:17:46: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
01:17:49: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
01:17:50: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
01:17:51: ISAKMP (0:0): received packet from 100.0.0.1 (N) NEW SA
01:17:51: ISAKMP: local port 500, remote port 500
01:17:51: ISAKMP (0:6): processing SA payload. message ID = 0
01:17:51: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
01:17:51: ISAKMP (0:6): Checking ISAKMP transform 0 against priority 1 policy
01:17:51: ISAKMP:      life type in seconds
01:17:51: ISAKMP:      life duration (basic) of 7200
01:17:51: ISAKMP:      encryption 3DES-CBC
01:17:51: ISAKMP:      hash MD5
01:17:51: ISAKMP:      auth pre-share
01:17:51: ISAKMP:      default group 2
01:17:51: ISAKMP (0:6): atts are acceptable. Next payload is 0
01:17:51: ISAKMP (0:6): processing vendor id payload
01:17:51: ISAKMP (0:6): processing vendor id payload
01:17:51: ISAKMP (0:6): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:17:51: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_SA_SETUP
01:17:51: ISAKMP (0:5): purging node 665211042
01:17:51: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_SA_SETUP
01:17:51: ISAKMP (0:6): processing KE payload. message ID = 0
01:17:52: ISAKMP (0:6): processing NONCE payload. message ID = 0
01:17:52: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
01:17:52: ISAKMP (0:6): SKEYID state generated
01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_KEY_EXCH
01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_KEY_EXCH
01:17:52: ISAKMP (0:6): processing ID payload. message ID = 0
01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 0
01:17:52: ISAKMP (0:6): SA has been authenticated with 100.0.0.1
01:17:52: ISAKMP (6): ID payload
next-payload : 8
type         : 1
protocol     : 17
port         : 500
length       : 8
01:17:52: ISAKMP (6): Total payload length: 12
01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE      
01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) QM_IDLE      
01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 720694001
01:17:52: ISAKMP (0:6): processing SA payload. message ID = 720694001
01:17:52: ISAKMP (0:6): Checking IPSec proposal 0
01:17:52: ISAKMP: transform 0, ESP_3DES
01:17:52: ISAKMP:   attributes in transform:
01:17:52: ISAKMP:      group is 2
01:17:52: ISAKMP:      encaps is 1
01:17:52: ISAKMP:      SA life type in seconds
01:17:52: ISAKMP:      SA life duration (basic) of 1800
01:17:52: ISAKMP:      authenticator is HMAC-MD5
01:17:52: ISAKMP (0:6): atts not acceptable. Next payload is 0
01:17:52: ISAKMP (0:6): phase 2 SA not acceptable!
01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE      
01:17:52: ISAKMP (0:6): purging node 545635999
01:17:52: ISAKMP (0:6): deleting node 720694001 error FALSE reason "IKMP_NO_ERR_NO_TRANS"

sh crypto isakmp sa

Cisco-VPN-Box#sh crypto isakmp sa
dst             src             state           conn-id    slot
50.0.0.1        100.0.0.1       QM_IDLE               6       0
 

 

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
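As an added example, not code from the thread or from either vendor: a small Python check that pulls the phase-2 attributes out of the Cisco `debug crypto isakmp` lines quoted above and compares them with the `crypto ipsec transform-set` line from the Cisco config. The log excerpt and transform-set line are copied from the thread and embedded as constructed input; the field names (`ah`, `esp_enc`, `esp_auth`) are the example's own.

```python
import re

# Constructed input: the Quick Mode proposal check copied from the Cisco
# "debug crypto isakmp" output in the thread.
DEBUG_LOG = """\
01:17:52: ISAKMP (0:6): Checking IPSec proposal 0
01:17:52: ISAKMP: transform 0, ESP_3DES
01:17:52: ISAKMP:   attributes in transform:
01:17:52: ISAKMP:      group is 2
01:17:52: ISAKMP:      encaps is 1
01:17:52: ISAKMP:      SA life type in seconds
01:17:52: ISAKMP:      SA life duration (basic) of 1800
01:17:52: ISAKMP:      authenticator is HMAC-MD5
01:17:52: ISAKMP (0:6): atts not acceptable. Next payload is 0
"""

# Constructed input: the transform-set line from the Cisco config in the thread.
TRANSFORM_SET = "crypto ipsec transform-set t1 ah-md5-hmac esp-3des"


def parse_proposal(log):
    """Extract what the peer offered: AH algorithm, ESP cipher, ESP authenticator."""
    prop = {"ah": None, "esp_enc": None, "esp_auth": None}
    for line in log.splitlines():
        m = re.search(r"transform \d+, (ESP|AH)_(\S+)", line)
        if m:
            key = "esp_enc" if m.group(1) == "ESP" else "ah"
            prop[key] = m.group(2).lower()
        m = re.search(r"authenticator is HMAC-(\w+)", line)
        if m:
            prop["esp_auth"] = m.group(1).lower()
    return prop


def parse_transform_set(line):
    """Map a Cisco transform-set onto the same three fields."""
    ts = {"ah": None, "esp_enc": None, "esp_auth": None}
    for tok in line.split()[4:]:           # tokens after "transform-set <name>"
        if tok.startswith("ah-"):
            ts["ah"] = tok.split("-")[1]           # ah-md5-hmac -> md5
        elif tok.startswith("esp-") and tok.endswith("-hmac"):
            ts["esp_auth"] = tok.split("-")[1]     # esp-md5-hmac -> md5
        elif tok.startswith("esp-"):
            ts["esp_enc"] = tok[4:]                # esp-3des -> 3des
    return ts


def mismatches(proposal, transform_set):
    """Fields where the offered proposal differs from what the router requires.
    A transform-set naming both an ah- and an esp- transform requires both
    protocols, so an ESP-only offer shows up here as an 'ah' mismatch."""
    return [k for k in transform_set if proposal.get(k) != transform_set[k]]


if __name__ == "__main__":
    print(mismatches(parse_proposal(DEBUG_LOG), parse_transform_set(TRANSFORM_SET)))
```

On the thread's input the check reports `['ah', 'esp_auth']`: the router expects AH-MD5 plus ESP-3DES with no ESP authenticator, while the peer offered ESP-3DES with HMAC-MD5 and no AH.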