Hi Troopy,

Does your Cisco router have the option to add:

esp-md5-hmac


To the transform-set?

I think the absence of this may be why phase 2 is failing.  The Vyatta 
side is not set up to negotiate AH:

crypto ipsec transform-set t1 ah-md5-hmac esp-3des


So, try either adding esp-md5-hmac or replacing ah-md5-hmac w/ esp-md5-hmac.

Let me know how that works out.

Thanks!

Robyn
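Added example (not from Robyn's or Troopy's mail, and not Vyatta or Cisco code): a small Python model of the phase 2 proposal check, decoding the RFC 2407 identifiers in the IOS debug line and comparing the Vyatta esp-group against the current transform-set and the replaced one. The rule that the responder only accepts a proposal whose protocol bundle (AH, ESP) and algorithms all match its transform-set is the model's assumption; the input strings are constructed from the shapes seen in this thread.

```python
import re

# IKEv1 IPsec DOI identifiers (RFC 2407) as printed by IOS "debug crypto ipsec".
PROTO = {2: "AH", 3: "ESP"}
ESP_TRANSFORM = {2: "DES", 3: "3DES"}
AUTH_ALG = {1: "HMAC-MD5", 2: "HMAC-SHA"}

# Constructed inputs, modelled on the lines quoted in this thread.
DEBUG_LINE = "1:14:27: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported"
CISCO_CURRENT = "crypto ipsec transform-set t1 ah-md5-hmac esp-3des"
CISCO_FIXED = "crypto ipsec transform-set t1 esp-3des esp-md5-hmac"
VYATTA_ESP = 'esp-group ESP { proposal 1 { encryption: "3des" hash: "md5" } }'

def decode_proposal(line):
    """Map the rejected proposal's numeric ids to {protocol: (encryption, auth)}."""
    m = re.search(r"prot (\d+), trans (\d+), hmac_alg (\d+)", line)
    prot, trans, hmac = (int(x) for x in m.groups())
    return {PROTO[prot]: (ESP_TRANSFORM[trans], AUTH_ALG[hmac])}

def vyatta_esp_group(text):
    """What the Vyatta esp-group offers: ESP only, integrity carried inside ESP."""
    enc = re.search(r'encryption:\s*"(\w+)"', text).group(1).upper()
    auth = re.search(r'hash:\s*"(\w+)"', text).group(1).upper()
    return {"ESP": (enc, "HMAC-" + auth)}

def cisco_transform_set(line):
    """What the IOS transform-set will accept, in the same {protocol: (enc, auth)} form."""
    proposal = {}
    for token in line.split()[4:]:            # tokens after "transform-set t1"
        proto, alg = token.split("-", 1)      # "ah-md5-hmac" -> ("ah", "md5-hmac")
        enc, auth = proposal.get(proto.upper(), (None, None))
        if alg.endswith("-hmac"):             # integrity transform
            auth = "HMAC-" + alg[:-5].upper()
        else:                                 # encryption transform (esp-3des, esp-des)
            enc = alg.upper()
        proposal[proto.upper()] = (enc, auth)
    return proposal

def phase2_matches(offered, accepted):
    """Model assumption: responder accepts only an identical protocol bundle and algorithms."""
    if set(offered) != set(accepted):
        return False, "protocol bundle differs: offered %s, configured %s" % (sorted(offered), sorted(accepted))
    for proto in accepted:
        if offered[proto] != accepted[proto]:
            return False, "%s mismatch: offered %s, configured %s" % (proto, offered[proto], accepted[proto])
    return True, "proposal acceptable"

if __name__ == "__main__":
    for cfg in (CISCO_CURRENT, CISCO_FIXED):
        print(cfg, "->", phase2_matches(decode_proposal(DEBUG_LINE), cisco_transform_set(cfg))[1])
```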

Troopy . wrote:
> Hello, I am trying to establish a Cisco - Vyatta VPN
>
>   
>> Here the network picture
>>
>> switch 10.0.0.2
>> link
>> Cisco VPN 10.0.0.1 - 50.0.0.1
>> link
>> Cisco relay 50.0.0.2 100.0.0.2
>> link
>> VYatta VPN BOX 100.0.0.1 & loopback 10.200.1.1
>>
>> VPN between 50.0.0.1 and 100.0.0.1
>>
>> 10.0.0.2 should ping successfully 10.200.1.1 which is not the case.
>>
>> Only the IKE phase seems to be okay
>>
>> thanks already to Stig, who provided me with precious help
>>
>>
>> Regards
>> Troopy
>>
>
>
>> **********
>> vyatta
>> **********
>>
>>
>>     protocols {
>>         static {
>>              route 50.0.0.1/32 {  
>>                 next-hop: 100.0.0.2
>>             }
>>     
>
> (tried with and without the route above)
>
>   
>>             route 10.0.0.0/24 {
>>                 next-hop: 50.0.0.1
>>             }
>>         }
>>     }
>>     policy {
>>     }
>>     interfaces {
>>         loopback lo {
>>             address 10.200.1.1 {
>>                 prefix-length: 32
>>             }
>>         }
>>         ethernet eth0 {
>>             hw-id: 00:22:22:22:22:22
>>             address 100.0.0.1 {
>>                 prefix-length: 24
>>             }
>>         }
>>     }
>>     service {
>>         telnet {
>>         }
>>     }
>>     firewall {
>>     }
>>     system {
>>         ntp-server "69.59.150.135"
>>         login {
>>             user root {
>>                 authentication {
>>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>                 }
>>             }
>>             user vyatta {
>>                 authentication {
>>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>                 }
>>             }
>>         }
>>         package {
>>
>>             repository community {
>>                 component: "main"
>>                 url: "http://archive.vyatta.com/vyatta";
>>             }
>>         }
>>     }
>>     vpn {
>>         ipsec {
>>             ipsec-interfaces {
>>                 interface eth0
>>             }
>>             ike-group IKE {
>>                 proposal 1 {
>>                     encryption: "3des"
>>                     hash: "md5"
>>                     dh-group: 2
>>                 }
>>                 lifetime: 7200
>>             }
>>             esp-group ESP {
>>                 proposal 1 {
>>                     encryption: "3des"
>>                     hash: "md5"
>>
>>                }
>>                 lifetime: 1800
>>             }
>>             site-to-site {
>>                 peer 50.0.0.1 {
>>                     authentication {
>>                         pre-shared-secret: "eden"
>>                     }
>>                     ike-group: "IKE"
>>                     local-ip: 100.0.0.1
>>                     tunnel 1 {
>>                         local-subnet: 10.200.0.0/16
>>                         remote-subnet: 10.0.0.0/24
>>                         esp-group: "ESP"
>>                     }
>>                 }
>>             }
>>         }
>>     }
>>     rtrmgr {
>>         config-directory: "/opt/vyatta/etc/config"
>>     }
>>
>> *********
>> CISCO
>> *********
>>
>> crypto isakmp policy 1
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>  lifetime 7200
>> crypto isakmp key eden address 100.0.0.1
>> !
>> crypto ipsec security-association lifetime seconds 1800
>> !
>> crypto ipsec transform-set t1 ah-md5-hmac esp-3des
>> !
>> crypto map m1 110 ipsec-isakmp
>>  set peer 100.0.0.1
>>  set transform-set t1
>>  match address 111
>> !
>> call rsvp-sync
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> interface FastEthernet0/0
>>  ip address 10.0.0.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> interface Serial0/0
>>  no ip address
>>  shutdown
>> !
>> interface FastEthernet0/1
>>  ip address 50.0.0.1 255.255.255.0
>>  duplex auto
>>  speed auto
>>  crypto map m1
>> !
>> ip classless
>> ip route 10.200.1.1 255.255.255.255 100.0.0.1
>> ip route 100.0.0.1 255.255.255.255 50.0.0.2
>> no ip http server
>> !
>> access-list 111 permit ip 10.0.0.0 0.0.0.255 10.200.0.0 0.0.255.255
>> !
>> dial-peer cor custom
>> !
>> !
>> !
>> !
>> !
>> line con 0
>> line aux 0
>> line vty 0 4
>>  no login
>> !
>> end 
>>     
>
>
> Vyatta:
>
>
>
> show vpn ike sa
> Local IP    Peer IP    State  Encrypt  Hash  Nat-t  A-time  L-time
> ---------   ---------  -----  -------  ----  -----  ------  ------
> 100.0.0.1   50.0.0.1   up     3des     md5   no     810     7200
>
>
> sh vpn ipsec sa
> Peer IP    Tunnel#  Dir  SPI  Encrypt  Hash  NAT-T  A-TIME  L-TIME
> ---------  -------  ---  ---  -------  ----  -----  ------  ------
> 50.0.0.1   1        in   n/a  n/a      n/a   No     0       1800
> 50.0.0.1   1        out  n/a  n/a      n/a   No     0       1800
>
> CISCO
>
> debug crypto ipsec
>
> 1:14:27: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
>
> Not related to debug command:
>
> 01:14:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.0.0.1
>
> debug crypto isakmp
>
> Cisco-VPN-Box#clear crypto isakmp
> 01:17:44: ISAKMP (0:5): purging node 2097136625
> 01:17:45: ISAKMP (0:5): purging node -610509802
> 01:17:45: ISAKMP (0:5): received packet from 100.0.0.1 (R) QM_IDLE      
> 01:17:45: ISAKMP (0:5): processing HASH payload. message ID = -1665810821
> 01:17:45: ISAKMP (0:5): processing SA payload. message ID = -1665810821
> 01:17:45: ISAKMP (0:5): Checking IPSec proposal 0
> 01:17:45: ISAKMP: transform 0, ESP_3DES
> 01:17:45: ISAKMP:   attributes in transform:
> 01:17:45: ISAKMP:      group is 2
> 01:17:45: ISAKMP:      encaps is 1
> 01:17:45: ISAKMP:      SA life type in seconds
> 01:17:45: ISAKMP:      SA life duration (basic) of 1800
> 01:17:45: ISAKMP:      authenticator is HMAC-MD5
> Cisco-VPN-Box#
> 01:17:45: ISAKMP (0:5): atts not acceptable. Next payload is 0
> 01:17:45: ISAKMP (0:5): phase 2 SA not acceptable!
> 01:17:45: ISAKMP (0:5): sending packet to 100.0.0.1 (R) QM_IDLE      
> 01:17:45: ISAKMP (0:5): purging node -1622096664
> 01:17:45: ISAKMP (0:5): deleting node -1665810821 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
> 01:17:46: ISAKMP (0:5): peer does not do paranoid keepalives.
>
> 01:17:46: ISAKMP (0:5): deleting SA reason "death by tree-walk node" state (R) QM_IDLE       (peer 100.0.0.1) input queue 0
> 01:17:46: ISAKMP (0:5): sending packet to 100.0.0.1 (R) MM_NO_STATE
> 01:17:46: ISAKMP (0:5): purging node 1155042555
> 01:17:46: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
> 01:17:49: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
> 01:17:50: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
> 01:17:51: ISAKMP (0:0): received packet from 100.0.0.1 (N) NEW SA
> 01:17:51: ISAKMP: local port 500, remote port 500
> 01:17:51: ISAKMP (0:6): processing SA payload. message ID = 0
> 01:17:51: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
> 01:17:51: ISAKMP (0:6): Checking ISAKMP transform 0 against priority 1 policy
> 01:17:51: ISAKMP:      life type in seconds
> 01:17:51: ISAKMP:      life duration (basic) of 7200
> 01:17:51: ISAKMP:      encryption 3DES-CBC
> 01:17:51: ISAKMP:      hash MD5
> 01:17:51: ISAKMP:      auth pre-share
> 01:17:51: ISAKMP:      default group 2
> 01:17:51: ISAKMP (0:6): atts are acceptable. Next payload is 0
> 01:17:51: ISAKMP (0:6): processing vendor id payload
> 01:17:51: ISAKMP (0:6): processing vendor id payload
> 01:17:51: ISAKMP (0:6): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> 01:17:51: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_SA_SETUP
> 01:17:51: ISAKMP (0:5): purging node 665211042
> 01:17:51: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_SA_SETUP
> 01:17:51: ISAKMP (0:6): processing KE payload. message ID = 0
> 01:17:52: ISAKMP (0:6): processing NONCE payload. message ID = 0
> 01:17:52: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
> 01:17:52: ISAKMP (0:6): SKEYID state generated
> 01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_KEY_EXCH
> 01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_KEY_EXCH
> 01:17:52: ISAKMP (0:6): processing ID payload. message ID = 0
> 01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 0
> 01:17:52: ISAKMP (0:6): SA has been authenticated with 100.0.0.1
> 01:17:52: ISAKMP (6): ID payload
> next-payload : 8
> type         : 1
> protocol     : 17
> port         : 500
> length       : 8
> 01:17:52: ISAKMP (6): Total payload length: 12
> 01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE      
> 01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) QM_IDLE      
> 01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 720694001
> 01:17:52: ISAKMP (0:6): processing SA payload. message ID = 720694001
> 01:17:52: ISAKMP (0:6): Checking IPSec proposal 0
> 01:17:52: ISAKMP: transform 0, ESP_3DES
> 01:17:52: ISAKMP:   attributes in transform:
> 01:17:52: ISAKMP:      group is 2
> 01:17:52: ISAKMP:      encaps is 1
> 01:17:52: ISAKMP:      SA life type in seconds
> 01:17:52: ISAKMP:      SA life duration (basic) of 1800
> 01:17:52: ISAKMP:      authenticator is HMAC-MD5
> 01:17:52: ISAKMP (0:6): atts not acceptable. Next payload is 0
> 01:17:52: ISAKMP (0:6): phase 2 SA not acceptable!
> 01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE      
> 01:17:52: ISAKMP (0:6): purging node 545635999
> 01:17:52: ISAKMP (0:6): deleting node 720694001 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
>
> sh crypto isakmp sa
>
> Cisco-VPN-Box#sh crypto isakmp sa
> dst             src             state           conn-id    slot
> 50.0.0.1        100.0.0.1       QM_IDLE               6       0
>  
>
>  
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
