Thanks for your answer.

Why should I add these settings? There is already no NAT in my case study. NAT is not used and not needed.

Regards
Troopy

---------- Original Message ----------------------------------
From: "virtualsystems-org" <[EMAIL PROTECTED]>
Date: Wed, 19 Sep 2007 09:16:55 -0400

>
> Do you also have a 'nonat (inside) 0 access-list 111' to prevent the Cisco
> from NATing your VPN tunnel traffic?
>
> Paul
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troopy .
> Sent: Wednesday, September 19, 2007 4:30 AM
> To: vyatta-users@mailman.vyatta.com
> Subject: [Vyatta-users] Cisco - Vyatta VPN
>
>
> Hello, I am trying to establish a VPN Cisco - Vyatta.
>
>> Here is the network picture:
>>
>> switch 10.0.0.2
>>   link
>> Cisco VPN 10.0.0.1 - 50.0.0.1
>>   link
>> Cisco relay 50.0.0.2 - 100.0.0.2
>>   link
>> Vyatta VPN box 100.0.0.1 & loopback 10.200.1.1
>>
>> VPN between 50.0.0.1 and 100.0.0.1
>>
>> 10.0.0.2 should ping 10.200.1.1 successfully, which is not the case.
>>
>> Only the IKE phase seems to be okay.
>>
>> Thanks already to Stig, who provided me precious help.
>>
>> Regards
>>
>> Troopy
>>
>> **********
>> vyatta
>> **********
>>
>> protocols {
>>     static {
>>         route 50.0.0.1/32 {
>>             next-hop: 100.0.0.2
>>         }
>
> (tried with and without the route above)
>
>>         route 10.0.0.0/24 {
>>             next-hop: 50.0.0.1
>>         }
>>     }
>> }
>> policy {
>> }
>> interfaces {
>>     loopback lo {
>>         address 10.200.1.1 {
>>             prefix-length: 32
>>         }
>>     }
>>     ethernet eth0 {
>>         hw-id: 00:22:22:22:22:22
>>         address 100.0.0.1 {
>>             prefix-length: 24
>>         }
>>     }
>> }
>> service {
>>     telnet {
>>     }
>> }
>> firewall {
>> }
>> system {
>>     ntp-server "69.59.150.135"
>>     login {
>>         user root {
>>             authentication {
>>                 encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>             }
>>         }
>>         user vyatta {
>>             authentication {
>>                 encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>             }
>>         }
>>     }
>>     package {
>>         repository community {
>>             component: "main"
>>             url: "http://archive.vyatta.com/vyatta"
>>         }
>>     }
>> }
>> vpn {
>>     ipsec {
>>         ipsec-interfaces {
>>             interface eth0
>>         }
>>         ike-group IKE {
>>             proposal 1 {
>>                 encryption: "3des"
>>                 hash: "md5"
>>                 dh-group: 2
>>             }
>>             lifetime: 7200
>>         }
>>         esp-group ESP {
>>             proposal 1 {
>>                 encryption: "3des"
>>                 hash: "md5"
>>             }
>>             lifetime: 1800
>>         }
>>         site-to-site {
>>             peer 50.0.0.1 {
>>                 authentication {
>>                     pre-shared-secret: "eden"
>>                 }
>>                 ike-group: "IKE"
>>                 local-ip: 100.0.0.1
>>                 tunnel 1 {
>>                     local-subnet: 10.200.0.0/16
>>                     remote-subnet: 10.0.0.0/24
>>                     esp-group: "ESP"
>>                 }
>>             }
>>         }
>>     }
>> }
>> rtrmgr {
>>     config-directory: "/opt/vyatta/etc/config"
>> }
>>
>> *********
>> CISCO
>> *********
>>
>> crypto isakmp policy 1
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>  lifetime 7200
>> crypto isakmp key eden address 100.0.0.1
>> !
>> crypto ipsec security-association lifetime seconds 1800
>> !
>> crypto ipsec transform-set t1 ah-md5-hmac esp-3des
>> !
>> crypto map m1 110 ipsec-isakmp
>>  set peer 100.0.0.1
>>  set transform-set t1
>>  match address 111
>> !
>> call rsvp-sync
>> !
>> interface FastEthernet0/0
>>  ip address 10.0.0.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> interface Serial0/0
>>  no ip address
>>  shutdown
>> !
>> interface FastEthernet0/1
>>  ip address 50.0.0.1 255.255.255.0
>>  duplex auto
>>  speed auto
>>  crypto map m1
>> !
>> ip classless
>> ip route 10.200.1.1 255.255.255.255 100.0.0.1
>> ip route 100.0.0.1 255.255.255.255 50.0.0.2
>> no ip http server
>> !
>> access-list 111 permit ip 10.0.0.0 0.0.0.255 10.200.0.0 0.0.255.255
>> !
>> dial-peer cor custom
>> !
>> line con 0
>> line aux 0
>> line vty 0 4
>>  no login
>> !
>> end
>
>
> Vyatta:
>
> show vpn ike sa
> Local IP     Peer IP      Stats   Encrypt   HAsh   Nat-t   A-time   L-time
> ---------    ---------    -----   -------   ----   -----   ------   ------
> 100.0.0.1    50.0.0.1     up      3des      md5    no      810      7200
>
> sh vpn ipsec sa:
> peer ip     Tunnel#   Dir   SPI    Encrypt   Hash   NAT-T   A-TIME   L-TIME
> -------     -------   ---   ---    -------   ----   -----   ------   ------
> 50.0.0.1    1         in    n/a    n/a       n/a    No      0        1800
> 50.0.0.1    1         out   n/a    n/a       n/a    No      0        1800
>
> CISCO
>
> Debug crypto ipsec
>
> 1:14:27: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
>
> Not related to the debug command:
>
> 01:14:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.0.0.1
>
> Debug crypto isakmp
>
> Cisco-VPN-Box#clear crypto isakmp
> 01:17:44: ISAKMP (0:5): purging node 2097136625
> 01:17:45: ISAKMP (0:5): purging node -610509802
> 01:17:45: ISAKMP (0:5): received packet from 100.0.0.1 (R) QM_IDLE
> 01:17:45: ISAKMP (0:5): processing HASH payload. message ID = -1665810821
> 01:17:45: ISAKMP (0:5): processing SA payload. message ID = -1665810821
> 01:17:45: ISAKMP (0:5): Checking IPSec proposal 0
> 01:17:45: ISAKMP: transform 0, ESP_3DES
> 01:17:45: ISAKMP:   attributes in transform:
> 01:17:45: ISAKMP:      group is 2
> 01:17:45: ISAKMP:      encaps is 1
> 01:17:45: ISAKMP:      SA life type in seconds
> 01:17:45: ISAKMP:      SA life duration (basic) of 1800
> 01:17:45: ISAKMP:      authenticator is HMAC-MD5
> Cisco-VPN-Box#
> 01:17:45: ISAKMP (0:5): atts not acceptable. Next payload is 0
> 01:17:45: ISAKMP (0:5): phase 2 SA not acceptable!
> 01:17:45: ISAKMP (0:5): sending packet to 100.0.0.1 (R) QM_IDLE
> 01:17:45: ISAKMP (0:5): purging node -1622096664
> 01:17:45: ISAKMP (0:5): deleting node -1665810821 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
> 01:17:46: ISAKMP (0:5): peer does not do paranoid keepalives.
>
> 01:17:46: ISAKMP (0:5): deleting SA reason "death by tree-walk node" state (R) QM_IDLE (peer 100.0.0.1) input queue 0
> 01:17:46: ISAKMP (0:5): sending packet to 100.0.0.1 (R) MM_NO_STATE
> 01:17:46: ISAKMP (0:5): purging node 1155042555
> 01:17:46: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
> 01:17:49: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
> 01:17:50: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
> 01:17:51: ISAKMP (0:0): received packet from 100.0.0.1 (N) NEW SA
> 01:17:51: ISAKMP: local port 500, remote port 500
> 01:17:51: ISAKMP (0:6): processing SA payload. message ID = 0
> 01:17:51: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
> 01:17:51: ISAKMP (0:6): Checking ISAKMP transform 0 against priority 1 policy
> 01:17:51: ISAKMP:      life type in seconds
> 01:17:51: ISAKMP:      life duration (basic) of 7200
> 01:17:51: ISAKMP:      encryption 3DES-CBC
> 01:17:51: ISAKMP:      hash MD5
> 01:17:51: ISAKMP:      auth pre-share
> 01:17:51: ISAKMP:      default group 2
> 01:17:51: ISAKMP (0:6): atts are acceptable. Next payload is 0
> 01:17:51: ISAKMP (0:6): processing vendor id payload
> 01:17:51: ISAKMP (0:6): processing vendor id payload
> 01:17:51: ISAKMP (0:6): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> 01:17:51: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_SA_SETUP
> 01:17:51: ISAKMP (0:5): purging node 665211042
> 01:17:51: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_SA_SETUP
> 01:17:51: ISAKMP (0:6): processing KE payload. message ID = 0
> 01:17:52: ISAKMP (0:6): processing NONCE payload. message ID = 0
> 01:17:52: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
> 01:17:52: ISAKMP (0:6): SKEYID state generated
> 01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_KEY_EXCH
> 01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_KEY_EXCH
> 01:17:52: ISAKMP (0:6): processing ID payload. message ID = 0
> 01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 0
> 01:17:52: ISAKMP (0:6): SA has been authenticated with 100.0.0.1
> 01:17:52: ISAKMP (6): ID payload
>         next-payload : 8
>         type         : 1
>         protocol     : 17
>         port         : 500
>         length       : 8
> 01:17:52: ISAKMP (6): Total payload length: 12
> 01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE
> 01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) QM_IDLE
> 01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 720694001
> 01:17:52: ISAKMP (0:6): processing SA payload. message ID = 720694001
> 01:17:52: ISAKMP (0:6): Checking IPSec proposal 0
> 01:17:52: ISAKMP: transform 0, ESP_3DES
> 01:17:52: ISAKMP:   attributes in transform:
> 01:17:52: ISAKMP:      group is 2
> 01:17:52: ISAKMP:      encaps is 1
> 01:17:52: ISAKMP:      SA life type in seconds
> 01:17:52: ISAKMP:      SA life duration (basic) of 1800
> 01:17:52: ISAKMP:      authenticator is HMAC-MD5
> 01:17:52: ISAKMP (0:6): atts not acceptable. Next payload is 0
> 01:17:52: ISAKMP (0:6): phase 2 SA not acceptable!
> 01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE
> 01:17:52: ISAKMP (0:6): purging node 545635999
> 01:17:52: ISAKMP (0:6): deleting node 720694001 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
>
> sh crypto isakmp sa
>
> Cisco-VPN-Box#sh crypto isakmp sa
> dst             src             state          conn-id    slot
> 50.0.0.1        100.0.0.1       QM_IDLE              6       0
>
>
> ______________________________________________________
> Would you like an @suisse.com e-mail address?
> Visit virtual Switzerland at http://www.suisse.com
>
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
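In the thread above, the IOS transform set t1 (ah-md5-hmac esp-3des) demands AH with MD5 plus ESP/3DES with no ESP integrity, while the Vyatta esp-group proposes ESP/3DES with HMAC-MD5 and no AH, and that ESP_3DES / HMAC-MD5 offer is exactly what the Cisco debug rejects with "phase 2 SA not acceptable". The Python below is an added example (not code from the thread, Vyatta or Cisco) that parses both phase 2 definitions, lists the attributes on which the peers disagree and flags the rejection in the debug output. It assumes the IOS keyword forms ah-<hash>-hmac, esp-<cipher> and esp-<hash>-hmac; the sample strings are copied from the thread.

```python
import re

# Constructed samples, copied from the two configurations quoted in the thread.
IOS_TRANSFORM_SET = "crypto ipsec transform-set t1 ah-md5-hmac esp-3des"
VYATTA_ESP_GROUP = '''esp-group ESP {
    proposal 1 {
        encryption: "3des"
        hash: "md5"
    }
    lifetime: 1800
}'''
# Constructed excerpt of the 'debug crypto isakmp' lines quoted in the thread.
CISCO_DEBUG = """01:17:52: ISAKMP (0:6): Checking IPSec proposal 0
01:17:52: ISAKMP: transform 0, ESP_3DES
01:17:52: ISAKMP:      authenticator is HMAC-MD5
01:17:52: ISAKMP (0:6): phase 2 SA not acceptable!"""

def parse_ios_transform_set(line):
    """Split an IOS transform-set into the AH and ESP protections it demands.
    Assumed keyword forms: 'ah-<hash>-hmac' (AH), 'esp-<cipher>' (ESP cipher),
    'esp-<hash>-hmac' (ESP integrity); so 'ah-md5-hmac esp-3des' = AH/MD5 + ESP/3DES, no ESP HMAC.
    """
    prop = {"ah_auth": None, "esp_enc": None, "esp_auth": None}
    for tok in line.split()[4:]:          # skip 'crypto ipsec transform-set <name>'
        m = re.fullmatch(r"(ah|esp)-([a-z0-9]+)(-hmac)?", tok)
        if not m:
            raise ValueError("unrecognised transform keyword: %s" % tok)
        proto, alg, hmac = m.groups()
        if proto == "ah":
            prop["ah_auth"] = alg
        elif hmac:
            prop["esp_auth"] = alg
        else:
            prop["esp_enc"] = alg
    return prop

def parse_vyatta_esp_group(text):
    """A Vyatta esp-group only builds ESP: one cipher plus one HMAC hash, never AH."""
    enc = re.search(r'encryption:\s*"([^"]+)"', text).group(1)
    hsh = re.search(r'hash:\s*"([^"]+)"', text).group(1)
    return {"ah_auth": None, "esp_enc": enc, "esp_auth": hsh}

def proposal_mismatches(cisco, vyatta):
    """Phase 2 attributes the two peers disagree on (empty list means they match)."""
    return sorted(k for k in cisco if cisco[k] != vyatta[k])

def phase2_rejected(debug):
    """True when the IOS debug shows the responder refusing the phase 2 proposal."""
    return any("phase 2 SA not acceptable" in ln for ln in debug.splitlines())
```

An ESP-only transform set such as "esp-3des esp-md5-hmac" on the IOS side parses to the same attributes as the Vyatta esp-group and yields an empty mismatch list.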