Hello,

I am sorry to insist, but have any Vyatta users already tested a Vyatta-to-Cisco IPsec tunnel successfully?

If so, I would be interested to see the configs and the routes on both devices.

Thanks
Troopy

---------- Original Message ----------------------------------
From: "Troopy ." <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Date:  Wed, 19 Sep 2007 18:42:12 +0200

>
>
>Thanks for your answer.
>
>Why should I add these settings? There is already no NAT in my case study.
>
>NAT is not used and not needed.
>
>Regards
>
>Troopy
>
>---------- Original Message ----------------------------------
>From: "virtualsystems-org" <[EMAIL PROTECTED]>
>Date:  Wed, 19 Sep 2007 09:16:55 -0400
>
>>
>>Do you also have a 'nonat (inside) 0 access-list 111' to prevent the Cisco 
>>from NATing your VPN tunnel traffic?
>>
>>Paul
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troopy .
>>Sent: Wednesday, September 19, 2007 4:30 AM
>>To: vyatta-users@mailman.vyatta.com
>>Subject: [Vyatta-users] Cisco - Vyatta VPN
>>
>>
>>Hello, I am trying to establish a Cisco - Vyatta VPN.
>>
>>> Here the network picture
>>>
>>> switch 10.0.0.2
>>> link
>>> Cisco VPN 10.0.0.1 - 50.0.0.1
>>> link
>>> Cisco relay 50.0.0.2 100.0.0.2
>>> link
>>> Vyatta VPN box 100.0.0.1 & loopback 10.200.1.1
>>> 
>>> VPN between 50.0.0.1 and 100.0.0.1
>>>
>>> 10.0.0.2 should ping 10.200.1.1 successfully, which is not the case.
>>>
>>> Only the IKE phase seems to be okay.
>>>
>>> Thanks already to Stig, who provided me with precious help.
>>>
>>> Regards
>>>
>>> Troopy
>>> 
>>
>>
>>> **********
>>> vyatta
>>> **********
>>>
>>>
>>>     protocols {
>>>         static {
>>>              route 50.0.0.1/32 {  
>>>                 next-hop: 100.0.0.2
>>>             }
>>
>>(tried with and without the route above)
>>
>>>             route 10.0.0.0/24 {
>>>                 next-hop: 50.0.0.1
>>>             }
>>>         }
>>>     }
>>>     policy {
>>>     }
>>>     interfaces {
>>>         loopback lo {
>>>             address 10.200.1.1 {
>>>                 prefix-length: 32
>>>             }
>>>         }
>>>         ethernet eth0 {
>>>             hw-id: 00:22:22:22:22:22
>>>             address 100.0.0.1 {
>>>                 prefix-length: 24
>>>             }
>>>         }
>>>     }
>>>     service {
>>>         telnet {
>>>         }
>>>     }
>>>     firewall {
>>>     }
>>>     system {
>>>         ntp-server "69.59.150.135"
>>>         login {
>>>             user root {
>>>                 authentication {
>>>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>>                 }
>>>             }
>>>             user vyatta {
>>>                 authentication {
>>>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>>                 }
>>>             }
>>>         }
>>>         package {
>>>
>>>             repository community {
>>>                 component: "main"
>>>                 url: "http://archive.vyatta.com/vyatta"
>>>             }
>>>         }
>>>     }
>>>     vpn {
>>>         ipsec {
>>>             ipsec-interfaces {
>>>                 interface eth0
>>>             }
>>>             ike-group IKE {
>>>                 proposal 1 {
>>>                     encryption: "3des"
>>>                     hash: "md5"
>>>                     dh-group: 2
>>>                 }
>>>                 lifetime: 7200
>>>             }
>>>             esp-group ESP {
>>>                 proposal 1 {
>>>                     encryption: "3des"
>>>                     hash: "md5"
>>>                 }
>>>                 lifetime: 1800
>>>             }
>>>             site-to-site {
>>>                 peer 50.0.0.1 {
>>>                     authentication {
>>>                         pre-shared-secret: "eden"
>>>                     }
>>>                     ike-group: "IKE"
>>>                     local-ip: 100.0.0.1
>>>                     tunnel 1 {
>>>                         local-subnet: 10.200.0.0/16
>>>                         remote-subnet: 10.0.0.0/24
>>>                         esp-group: "ESP"
>>>                     }
>>>                 }
>>>             }
>>>         }
>>>     }
>>>     rtrmgr {
>>>         config-directory: "/opt/vyatta/etc/config"
>>>     }
>>>
>>> *********
>>> CISCO
>>> *********
>>>
>>> crypto isakmp policy 1
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>>  lifetime 7200
>>> crypto isakmp key eden address 100.0.0.1
>>> !
>>> crypto ipsec security-association lifetime seconds 1800
>>> !
>>> crypto ipsec transform-set t1 ah-md5-hmac esp-3des
>>> !
>>> crypto map m1 110 ipsec-isakmp
>>>  set peer 100.0.0.1
>>>  set transform-set t1
>>>  match address 111
>>> !
>>> call rsvp-sync
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> interface FastEthernet0/0
>>>  ip address 10.0.0.1 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>> !
>>> interface Serial0/0
>>>  no ip address
>>>  shutdown
>>> !
>>> interface FastEthernet0/1
>>>  ip address 50.0.0.1 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>  crypto map m1
>>> !
>>> ip classless
>>> ip route 10.200.1.1 255.255.255.255 100.0.0.1
>>> ip route 100.0.0.1 255.255.255.255 50.0.0.2
>>> no ip http server
>>> !
>>> access-list 111 permit ip 10.0.0.0 0.0.0.255 10.200.0.0 0.0.255.255
>>> !
>>> dial-peer cor custom
>>> !
>>> !
>>> !
>>> !
>>> !
>>> line con 0
>>> line aux 0
>>> line vty 0 4
>>>  no login
>>> !
>>> end 
>>
>>
>>Vyatta:
>>
>>show vpn ike sa
>>Local IP    Peer IP    State  Encrypt  Hash  NAT-T  A-Time  L-Time
>>---------   --------   -----  -------  ----  -----  ------  ------
>>100.0.0.1   50.0.0.1   up     3des     md5   no     810     7200
>>
>>show vpn ipsec sa
>>Peer IP    Tunnel#  Dir  SPI  Encrypt  Hash  NAT-T  A-Time  L-Time
>>--------   -------  ---  ---  -------  ----  -----  ------  ------
>>50.0.0.1   1        in   n/a  n/a      n/a   No     0       1800
>>50.0.0.1   1        out  n/a  n/a      n/a   No     0       1800
>>
>>CISCO
>>
>>debug crypto ipsec
>>
>>1:14:27: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
>>
>>Not related to the debug command:
>>
>>01:14:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.0.0.1
>>
>>debug crypto isakmp
>>
>>Cisco-VPN-Box#clear crypto isakmp
>>01:17:44: ISAKMP (0:5): purging node 2097136625
>>01:17:45: ISAKMP (0:5): purging node -610509802
>>01:17:45: ISAKMP (0:5): received packet from 100.0.0.1 (R) QM_IDLE      
>>01:17:45: ISAKMP (0:5): processing HASH payload. message ID = -1665810821
>>01:17:45: ISAKMP (0:5): processing SA payload. message ID = -1665810821
>>01:17:45: ISAKMP (0:5): Checking IPSec proposal 0
>>01:17:45: ISAKMP: transform 0, ESP_3DES
>>01:17:45: ISAKMP:   attributes in transform:
>>01:17:45: ISAKMP:      group is 2
>>01:17:45: ISAKMP:      encaps is 1
>>01:17:45: ISAKMP:      SA life type in seconds
>>01:17:45: ISAKMP:      SA life duration (basic) of 1800
>>01:17:45: ISAKMP:      authenticator is HMAC-MD5
>>Cisco-VPN-Box#
>>01:17:45: ISAKMP (0:5): atts not acceptable. Next payload is 0
>>01:17:45: ISAKMP (0:5): phase 2 SA not acceptable!
>>01:17:45: ISAKMP (0:5): sending packet to 100.0.0.1 (R) QM_IDLE      
>>01:17:45: ISAKMP (0:5): purging node -1622096664
>>01:17:45: ISAKMP (0:5): deleting node -1665810821 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
>>01:17:46: ISAKMP (0:5): peer does not do paranoid keepalives.
>>
>>01:17:46: ISAKMP (0:5): deleting SA reason "death by tree-walk node" state (R) QM_IDLE       (peer 100.0.0.1) input queue 0
>>01:17:46: ISAKMP (0:5): sending packet to 100.0.0.1 (R) MM_NO_STATE
>>01:17:46: ISAKMP (0:5): purging node 1155042555
>>01:17:46: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
>>01:17:49: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
>>01:17:50: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
>>01:17:51: ISAKMP (0:0): received packet from 100.0.0.1 (N) NEW SA
>>01:17:51: ISAKMP: local port 500, remote port 500
>>01:17:51: ISAKMP (0:6): processing SA payload. message ID = 0
>>01:17:51: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
>>01:17:51: ISAKMP (0:6): Checking ISAKMP transform 0 against priority 1 policy
>>01:17:51: ISAKMP:      life type in seconds
>>01:17:51: ISAKMP:      life duration (basic) of 7200
>>01:17:51: ISAKMP:      encryption 3DES-CBC
>>01:17:51: ISAKMP:      hash MD5
>>01:17:51: ISAKMP:      auth pre-share
>>01:17:51: ISAKMP:      default group 2
>>01:17:51: ISAKMP (0:6): atts are acceptable. Next payload is 0
>>01:17:51: ISAKMP (0:6): processing vendor id payload
>>01:17:51: ISAKMP (0:6): processing vendor id payload
>>01:17:51: ISAKMP (0:6): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
>>01:17:51: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_SA_SETUP
>>01:17:51: ISAKMP (0:5): purging node 665211042
>>01:17:51: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_SA_SETUP
>>01:17:51: ISAKMP (0:6): processing KE payload. message ID = 0
>>01:17:52: ISAKMP (0:6): processing NONCE payload. message ID = 0
>>01:17:52: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
>>01:17:52: ISAKMP (0:6): SKEYID state generated
>>01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_KEY_EXCH
>>01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_KEY_EXCH
>>01:17:52: ISAKMP (0:6): processing ID payload. message ID = 0
>>01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 0
>>01:17:52: ISAKMP (0:6): SA has been authenticated with 100.0.0.1
>>01:17:52: ISAKMP (6): ID payload
>>next-payload : 8
>>type         : 1
>>protocol     : 17
>>port         : 500
>>length       : 8
>>01:17:52: ISAKMP (6): Total payload length: 12
>>01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE      
>>01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) QM_IDLE      
>>01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 720694001
>>01:17:52: ISAKMP (0:6): processing SA payload. message ID = 720694001
>>01:17:52: ISAKMP (0:6): Checking IPSec proposal 0
>>01:17:52: ISAKMP: transform 0, ESP_3DES
>>01:17:52: ISAKMP:   attributes in transform:
>>01:17:52: ISAKMP:      group is 2
>>01:17:52: ISAKMP:      encaps is 1
>>01:17:52: ISAKMP:      SA life type in seconds
>>01:17:52: ISAKMP:      SA life duration (basic) of 1800
>>01:17:52: ISAKMP:      authenticator is HMAC-MD5
>>01:17:52: ISAKMP (0:6): atts not acceptable. Next payload is 0
>>01:17:52: ISAKMP (0:6): phase 2 SA not acceptable!
>>01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE      
>>01:17:52: ISAKMP (0:6): purging node 545635999
>>01:17:52: ISAKMP (0:6): deleting node 720694001 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
>>
>>Cisco-VPN-Box#sh crypto isakmp sa
>>dst             src             state           conn-id    slot
>>50.0.0.1        100.0.0.1       QM_IDLE               6       0
______________________________________________________
Would you like an @suisse.com e-mail address?
Visit virtual Switzerland at http://www.suisse.com

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
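Added note (not part of the thread above): the Cisco debug output quoted in the original post already names the cause of the phase 2 failure. `IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported` decodes, in IPsec DOI numbering, as protocol 3 (ESP), transform 3 (3DES) and authentication algorithm 1 (HMAC-MD5), which is exactly what the Vyatta esp-group offers and what the ISAKMP debug shows arriving (`transform 0, ESP_3DES ... authenticator is HMAC-MD5`). The Cisco transform set `t1 ah-md5-hmac esp-3des` instead requires an AH header for integrity plus ESP for encryption, and the Vyatta esp-group never proposes AH, so the router answers `phase 2 SA not acceptable!` and `show vpn ipsec sa` stays at n/a while IKE phase 1 is up. Phase 1 succeeds because the ISAKMP policy (3DES, MD5, pre-share, group 2, 7200 s) matches the ike-group exactly.

The configuration pair below is an added, matched version of both sides. It is example configuration, not something posted by the original participants. The ESP-only transform set is the fix implied by the debug; the `set pfs group2` line and the routes that point the whole 10.200.0.0/16 and 10.0.0.0/24 ranges at the directly connected next hops are my assumptions about making the path deterministic, and are marked as such. Addresses, key and lifetimes are the ones from the thread; lines starting with `!` (Cisco) and `#` (Vyatta) are annotations.

```text
**********
CISCO
**********
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key eden address 100.0.0.1
!
crypto ipsec security-association lifetime seconds 1800
!
! FIX: ESP-only transform set. The original "ah-md5-hmac esp-3des" demanded an AH
! header that the Vyatta esp-group (ESP 3DES + HMAC-MD5) never proposes, which is
! the "transform proposal (prot 3, trans 3, hmac_alg 1) not supported" in the debug.
crypto ipsec transform-set t1 esp-3des esp-md5-hmac
!
crypto map m1 110 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set t1
 ! Assumption: the Vyatta proposal carries "group is 2" (PFS). An IOS responder
 ! accepts a PFS offer without this line; setting it makes the requirement explicit.
 set pfs group2
 match address 111
!
interface FastEthernet0/1
 ip address 50.0.0.1 255.255.255.0
 crypto map m1
!
! Assumption: route the whole destination range of access-list 111 (not only the
! single loopback /32) towards the relay, so every packet matching the crypto ACL
! leaves through FastEthernet0/1, where the crypto map is applied.
ip route 10.200.0.0 255.255.0.0 50.0.0.2
ip route 100.0.0.1 255.255.255.255 50.0.0.2
!
access-list 111 permit ip 10.0.0.0 0.0.0.255 10.200.0.0 0.0.255.255

**********
VYATTA
**********
protocols {
    static {
        # Assumption: point both the peer and the remote subnet at the directly
        # connected relay 100.0.0.2 instead of at 50.0.0.1, so the kernel has a
        # resolvable route out of eth0 for the traffic the IPsec policy encrypts.
        route 50.0.0.1/32 {
            next-hop: 100.0.0.2
        }
        route 10.0.0.0/24 {
            next-hop: 100.0.0.2
        }
    }
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        ike-group IKE {
            proposal 1 {
                encryption: "3des"
                hash: "md5"
                dh-group: 2
            }
            lifetime: 7200
        }
        # Matches the Cisco transform set exactly: ESP with 3DES and HMAC-MD5.
        esp-group ESP {
            proposal 1 {
                encryption: "3des"
                hash: "md5"
            }
            lifetime: 1800
        }
        site-to-site {
            peer 50.0.0.1 {
                authentication {
                    pre-shared-secret: "eden"
                }
                ike-group: "IKE"
                local-ip: 100.0.0.1
                tunnel 1 {
                    # Must mirror access-list 111 on the Cisco, source and destination swapped.
                    local-subnet: 10.200.0.0/16
                    remote-subnet: 10.0.0.0/24
                    esp-group: "ESP"
                }
            }
        }
    }
}
```

To check the result, send a ping from 10.0.0.2 to 10.200.1.1 (the SA is only negotiated when interesting traffic hits access-list 111, so a ping sourced from the router's own outside address will not trigger it). `show crypto ipsec sa` on the Cisco should then list the 10.0.0.0/24 and 10.200.0.0/16 identities with non-zero `#pkts encaps` and `#pkts decaps` counters, and `show vpn ipsec sa` on the Vyatta should show real SPIs instead of n/a. Unrelated to the fault, but worth noting before this lab config is reused: 3DES/MD5 with DH group 2, a dictionary-word pre-shared key, `line vty 0 4` with `no login` on the Cisco and the clear-text `telnet` service on the Vyatta are all things to replace outside a lab.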
