Did you try what Robyn suggested?

== Quote ==

Hi Troopy,

Does your Cisco router have the option to add:

esp-md5-hmac


To the transform-set?

I think the absence of this may be why phase 2 is failing.  The Vyatta
side is not set up to negotiate AH:

crypto ipsec transform-set t1 ah-md5-hmac esp-3des


So, try either adding esp-md5-hmac or replacing ah-md5-hmac with esp-md5-hmac.

Let me know how that works out.

Thanks!

Robyn

== /Quote ==



------------------
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
404.478.2790
www.sheltonjohns.com



On Sep 23, 2007, at 3:56 PM, Troopy . wrote:

>
>
> Hello,
>
> I am sorry to insist, but have any Vyatta users already tested
> a Vyatta to Cisco IPsec tunnel successfully?
>
> If yes, I would be interested to see the configs and the routes on
> both devices.
>
> Thanks
> Troopy
>
> ---------- Original Message ----------------------------------
> From: "Troopy ." <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date:  Wed, 19 Sep 2007 18:42:12 +0200
>
>>
>>
>> Thanks for your answer.
>>
>> Why should I add these settings? There is already no NAT in my case
>> study.
>>
>> NAT is not used and not needed.
>>
>> Regards
>>
>> Troopy
>>
>> ---------- Original Message ----------------------------------
>> From: "virtualsystems-org" <[EMAIL PROTECTED]>
>> Date:  Wed, 19 Sep 2007 09:16:55 -0400
>>
>>>
>>> Do you also have a 'nonat (inside) 0 access-list 111' to prevent the Cisco from NATing your VPN tunnel traffic?
>>>
>>> Paul
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:vyatta-[EMAIL PROTECTED] On Behalf Of Troopy .
>>> Sent: Wednesday, September 19, 2007 4:30 AM
>>> To: vyatta-users@mailman.vyatta.com
>>> Subject: [Vyatta-users] Cisco - Vyatta VPN
>>>
>>>
>>> Hello, I am trying to establish a Cisco - Vyatta VPN.
>>>
>>>> Here is the network picture:
>>>>
>>>> switch 10.0.0.2
>>>> link
>>>> Cisco VPN 10.0.0.1 - 50.0.0.1
>>>> link
>>>> Cisco relay 50.0.0.2 100.0.0.2
>>>> link
>>>> Vyatta VPN BOX 100.0.0.1 & loopback 10.200.1.1
>>>>
>>>> VPN between 50.0.0.1 and 100.0.0.1
>>>>
>>>> 10.0.0.2 should ping 10.200.1.1 successfully, which is not the case.
>>>>
>>>> Only the IKE phase seems to be okay.
>>>>
>>>> Thanks already to Stig, who provided me precious help.
>>>>
>>>> Regards
>>>>
>>>> Troopy
>>>>
>>>
>>>
>>> **********
>>>> vyatta
>>>> **********
>>>>
>>>>
>>>>     protocols {
>>>>         static {
>>>>              route 50.0.0.1/32 {
>>>>                 next-hop: 100.0.0.2
>>>>             }
>>>
>>> (tried with and without the route above)
>>>
>>>>             route 10.0.0.0/24 {
>>>>                 next-hop: 50.0.0.1
>>>>             }
>>>>         }
>>>>     }
>>>>     policy {
>>>>     }
>>>>     interfaces {
>>>>         loopback lo {
>>>>             address 10.200.1.1 {
>>>>                 prefix-length: 32
>>>>             }
>>>>         }
>>>>         ethernet eth0 {
>>>>             hw-id: 00:22:22:22:22:22
>>>>             address 100.0.0.1 {
>>>>                 prefix-length: 24
>>>>             }
>>>>         }
>>>>     }
>>>>     service {
>>>>         telnet {
>>>>         }
>>>>     }
>>>>     firewall {
>>>>     }
>>>>     system {
>>>>         ntp-server "69.59.150.135"
>>>>         login {
>>>>             user root {
>>>>                 authentication {
>>>>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>>>                 }
>>>>             }
>>>>             user vyatta {
>>>>                 authentication {
>>>>                     encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
>>>>                 }
>>>>             }
>>>>         }
>>>>         package {
>>>>
>>>>             repository community {
>>>>                 component: "main"
>>>>                 url: "http://archive.vyatta.com/vyatta"
>>>>             }
>>>>         }
>>>>     }
>>>>     vpn {
>>>>         ipsec {
>>>>             ipsec-interfaces {
>>>>                 interface eth0
>>>>             }
>>>>             ike-group IKE {
>>>>                 proposal 1 {
>>>>                     encryption: "3des"
>>>>                     hash: "md5"
>>>>                     dh-group: 2
>>>>                 }
>>>>                 lifetime: 7200
>>>>             }
>>>>             esp-group ESP {
>>>>                 proposal 1 {
>>>>                     encryption: "3des"
>>>>                     hash: "md5"
>>>>
>>>>                }
>>>>                 lifetime: 1800
>>>>             }
>>>>             site-to-site {
>>>>                 peer 50.0.0.1 {
>>>>                     authentication {
>>>>                         pre-shared-secret: "eden"
>>>>                     }
>>>>                     ike-group: "IKE"
>>>>                     local-ip: 100.0.0.1
>>>>                     tunnel 1 {
>>>>                         local-subnet: 10.200.0.0/16
>>>>                         remote-subnet: 10.0.0.0/24
>>>>                         esp-group: "ESP"
>>>>                     }
>>>>                 }
>>>>             }
>>>>         }
>>>>     }
>>>>     rtrmgr {
>>>>         config-directory: "/opt/vyatta/etc/config"
>>>>     }
>>>>
>>>> *********
>>>> CISCO
>>>> *********
>>>>
>>>> crypto isakmp policy 1
>>>>  encr 3des
>>>>  hash md5
>>>>  authentication pre-share
>>>>  group 2
>>>>  lifetime 7200
>>>> crypto isakmp key eden address 100.0.0.1
>>>> !
>>>> crypto ipsec security-association lifetime seconds 1800
>>>> !
>>>> crypto ipsec transform-set t1 ah-md5-hmac esp-3des
>>>> !
>>>> crypto map m1 110 ipsec-isakmp
>>>>  set peer 100.0.0.1
>>>>  set transform-set t1
>>>>  match address 111
>>>> !
>>>> call rsvp-sync
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> interface FastEthernet0/0
>>>>  ip address 10.0.0.1 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>> !
>>>> interface Serial0/0
>>>>  no ip address
>>>>  shutdown
>>>> !
>>>> interface FastEthernet0/1
>>>>  ip address 50.0.0.1 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>>  crypto map m1
>>>> !
>>>> ip classless
>>>> ip route 10.200.1.1 255.255.255.255 100.0.0.1
>>>> ip route 100.0.0.1 255.255.255.255 50.0.0.2
>>>> no ip http server
>>>> !
>>>> access-list 111 permit ip 10.0.0.0 0.0.0.255 10.200.0.0 0.0.255.255
>>>> !
>>>> dial-peer cor custom
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> line con 0
>>>> line aux 0
>>>> line vty 0 4
>>>>  no login
>>>> !
>>>> end
>>>
>>>
>>> Vyatta:
>>>
>>> show vpn ike sa
>>> Local IP    Peer IP    State  Encrypt  Hash  NAT-T  A-time  L-time
>>> ----------  ---------  -----  -------  ----  -----  ------  ------
>>> 100.0.0.1   50.0.0.1   up     3des     md5   no     810     7200
>>>
>>> show vpn ipsec sa
>>> Peer IP    Tunnel#  Dir  SPI  Encrypt  Hash  NAT-T  A-time  L-time
>>> ---------  -------  ---  ---  -------  ----  -----  ------  ------
>>> 50.0.0.1   1        in   n/a  n/a      n/a   No     0       1800
>>> 50.0.0.1   1        out  n/a  n/a      n/a   No     0       1800
>>>
>>> CISCO
>>>
>>> debug crypto ipsec
>>>
>>> 1:14:27: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
>>>
>>> Not related to the debug command:
>>>
>>> 01:14:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.0.0.1
>>>
>>> debug crypto isakmp
>>>
>>> Cisco-VPN-Box#clear crypto isakmp
>>> 01:17:44: ISAKMP (0:5): purging node 2097136625
>>> 01:17:45: ISAKMP (0:5): purging node -610509802
>>> 01:17:45: ISAKMP (0:5): received packet from 100.0.0.1 (R) QM_IDLE
>>> 01:17:45: ISAKMP (0:5): processing HASH payload. message ID = -1665810821
>>> 01:17:45: ISAKMP (0:5): processing SA payload. message ID = -1665810821
>>> 01:17:45: ISAKMP (0:5): Checking IPSec proposal 0
>>> 01:17:45: ISAKMP: transform 0, ESP_3DES
>>> 01:17:45: ISAKMP:   attributes in transform:
>>> 01:17:45: ISAKMP:      group is 2
>>> 01:17:45: ISAKMP:      encaps is 1
>>> 01:17:45: ISAKMP:      SA life type in seconds
>>> 01:17:45: ISAKMP:      SA life duration (basic) of 1800
>>> 01:17:45: ISAKMP:      authenticator is HMAC-MD5
>>> Cisco-VPN-Box#
>>> 01:17:45: ISAKMP (0:5): atts not acceptable. Next payload is 0
>>> 01:17:45: ISAKMP (0:5): phase 2 SA not acceptable!
>>> 01:17:45: ISAKMP (0:5): sending packet to 100.0.0.1 (R) QM_IDLE
>>> 01:17:45: ISAKMP (0:5): purging node -1622096664
>>> 01:17:45: ISAKMP (0:5): deleting node -1665810821 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
>>> 01:17:46: ISAKMP (0:5): peer does not do paranoid keepalives.
>>>
>>> 01:17:46: ISAKMP (0:5): deleting SA reason "death by tree-walk node" state (R) QM_IDLE       (peer 100.0.0.1) input queue 0
>>> 01:17:46: ISAKMP (0:5): sending packet to 100.0.0.1 (R) MM_NO_STATE
>>> 01:17:46: ISAKMP (0:5): purging node 1155042555
>>> 01:17:46: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
>>> 01:17:49: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
>>> 01:17:50: ISAKMP (0:5): received packet from 100.0.0.1 (R) MM_NO_STATE
>>> 01:17:51: ISAKMP (0:0): received packet from 100.0.0.1 (N) NEW SA
>>> 01:17:51: ISAKMP: local port 500, remote port 500
>>> 01:17:51: ISAKMP (0:6): processing SA payload. message ID = 0
>>> 01:17:51: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
>>> 01:17:51: ISAKMP (0:6): Checking ISAKMP transform 0 against priority 1 policy
>>> 01:17:51: ISAKMP:      life type in seconds
>>> 01:17:51: ISAKMP:      life duration (basic) of 7200
>>> 01:17:51: ISAKMP:      encryption 3DES-CBC
>>> 01:17:51: ISAKMP:      hash MD5
>>> 01:17:51: ISAKMP:      auth pre-share
>>> 01:17:51: ISAKMP:      default group 2
>>> 01:17:51: ISAKMP (0:6): atts are acceptable. Next payload is 0
>>> 01:17:51: ISAKMP (0:6): processing vendor id payload
>>> 01:17:51: ISAKMP (0:6): processing vendor id payload
>>> 01:17:51: ISAKMP (0:6): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
>>> 01:17:51: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_SA_SETUP
>>> 01:17:51: ISAKMP (0:5): purging node 665211042
>>> 01:17:51: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_SA_SETUP
>>> 01:17:51: ISAKMP (0:6): processing KE payload. message ID = 0
>>> 01:17:52: ISAKMP (0:6): processing NONCE payload. message ID = 0
>>> 01:17:52: ISAKMP (0:6): found peer pre-shared key matching 100.0.0.1
>>> 01:17:52: ISAKMP (0:6): SKEYID state generated
>>> 01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) MM_KEY_EXCH
>>> 01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) MM_KEY_EXCH
>>> 01:17:52: ISAKMP (0:6): processing ID payload. message ID = 0
>>> 01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 0
>>> 01:17:52: ISAKMP (0:6): SA has been authenticated with 100.0.0.1
>>> 01:17:52: ISAKMP (6): ID payload
>>> next-payload : 8
>>> type         : 1
>>> protocol     : 17
>>> port         : 500
>>> length       : 8
>>> 01:17:52: ISAKMP (6): Total payload length: 12
>>> 01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE
>>> 01:17:52: ISAKMP (0:6): received packet from 100.0.0.1 (R) QM_IDLE
>>> 01:17:52: ISAKMP (0:6): processing HASH payload. message ID = 720694001
>>> 01:17:52: ISAKMP (0:6): processing SA payload. message ID = 720694001
>>> 01:17:52: ISAKMP (0:6): Checking IPSec proposal 0
>>> 01:17:52: ISAKMP: transform 0, ESP_3DES
>>> 01:17:52: ISAKMP:   attributes in transform:
>>> 01:17:52: ISAKMP:      group is 2
>>> 01:17:52: ISAKMP:      encaps is 1
>>> 01:17:52: ISAKMP:      SA life type in seconds
>>> 01:17:52: ISAKMP:      SA life duration (basic) of 1800
>>> 01:17:52: ISAKMP:      authenticator is HMAC-MD5
>>> 01:17:52: ISAKMP (0:6): atts not acceptable. Next payload is 0
>>> 01:17:52: ISAKMP (0:6): phase 2 SA not acceptable!
>>> 01:17:52: ISAKMP (0:6): sending packet to 100.0.0.1 (R) QM_IDLE
>>> 01:17:52: ISAKMP (0:6): purging node 545635999
>>> 01:17:52: ISAKMP (0:6): deleting node 720694001 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
>>>
>>> sh crypto isakmp sa
>>>
>>> Cisco-VPN-Box#sh crypto isakmp sa
>>> dst             src             state           conn-id    slot
>>> 50.0.0.1        100.0.0.1       QM_IDLE               6       0
>>>
>>>
>>>
>>> ______________________________________________________
>>> Would you like an @suisse.com e-mail address?
>>> Visit virtual Switzerland at http://www.suisse.com
>>>
>>> _______________________________________________
>>> Vyatta-users mailing list
>>> Vyatta-users@mailman.vyatta.com
>>> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>>>
>>
>>
>>
>>
>>
>
>
>
>

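An added example, not from the thread and not Vyatta's or Cisco's own code: a small Python checker that models the IKEv1 phase 2 matching behind Robyn's diagnosis. It parses a Cisco IOS transform-set line into the AH/ESP bundle it requires, expresses a Vyatta esp-group proposal in the same shape (an esp-group only ever describes ESP), compares the two protocol by protocol, and decodes the numbers in the `IPSEC(validate_proposal)` debug line quoted above. The keyword table covers the common IOS transform names only. The numeric decoding assumes IOS prints the RFC 2407 IPsec DOI values (protocol 3 = ESP, ESP transform 3 = 3DES, authentication algorithm 1 = HMAC-MD5), which the isakmp debug on the page corroborates ("transform 0, ESP_3DES", "authenticator is HMAC-MD5"). Run against the three transform-sets in play (the one posted, the posted one with esp-md5-hmac added, and the one with ah-md5-hmac replaced), it shows that only the replacement lines up with the ESP-only Vyatta proposal: a transform-set that still names an AH transform requires the peer to propose AH as well.

```python
"""Added example (not from the thread): check whether a Cisco IOS transform-set
and a Vyatta esp-group proposal can agree on an IKEv1 phase 2 (IPsec) SA, and
decode the IOS 'IPSEC(validate_proposal)' debug line quoted in the thread."""
import re

# IKEv1 IPsec DOI identifiers (RFC 2407). Assumption: the IOS debug line prints
# these raw values: 'prot' is the protocol ID, 'trans' the transform ID and
# 'hmac_alg' the Authentication Algorithm attribute value.
PROTOCOL_ID = {2: "AH", 3: "ESP"}
AH_TRANSFORM_ID = {2: "AH_MD5", 3: "AH_SHA"}
ESP_TRANSFORM_ID = {2: "ESP_DES", 3: "ESP_3DES", 11: "ESP_NULL", 12: "ESP_AES"}
AUTH_ALG_ID = {1: "HMAC-MD5", 2: "HMAC-SHA"}

# Cisco IOS transform-set keywords -> (protocol, role, algorithm); common ones only.
CISCO_KEYWORDS = {
    "ah-md5-hmac": ("AH", "auth", "md5"),
    "ah-sha-hmac": ("AH", "auth", "sha1"),
    "esp-des": ("ESP", "enc", "des"),
    "esp-3des": ("ESP", "enc", "3des"),
    "esp-aes": ("ESP", "enc", "aes128"),
    "esp-null": ("ESP", "enc", "null"),
    "esp-md5-hmac": ("ESP", "auth", "md5"),
    "esp-sha-hmac": ("ESP", "auth", "sha1"),
}


def parse_cisco_transform_set(line):
    """Parse 'crypto ipsec transform-set NAME kw [kw ...]' into
    (NAME, {proto: {role: alg}}). The thread's set becomes
    ('t1', {'AH': {'auth': 'md5'}, 'ESP': {'enc': '3des'}})."""
    m = re.match(r"\s*crypto ipsec transform-set (\S+)((?:\s+\S+)+)\s*$", line)
    if not m:
        raise ValueError("not a transform-set line: %r" % line)
    bundle = {}
    for kw in m.group(2).split():
        proto, role, alg = CISCO_KEYWORDS[kw]  # KeyError on an unknown keyword
        bundle.setdefault(proto, {})[role] = alg
    return m.group(1), bundle


def vyatta_esp_proposal(encryption, hash_):
    """A Vyatta 'esp-group' proposal only ever describes ESP: 'encryption' is
    the ESP cipher and 'hash' is the ESP integrity algorithm."""
    return {"ESP": {"enc": encryption, "auth": hash_}}


def phase2_compatible(cisco_bundle, peer_proposal):
    """Return (ok, reason). An IKEv1 protection bundle is matched protocol by
    protocol: every protocol in the transform-set must appear in the peer's
    proposal with the same algorithms, and vice versa. AH+ESP on one side
    against ESP-only on the other never matches, whatever the algorithms."""
    if set(cisco_bundle) != set(peer_proposal):
        return False, "protocol mismatch: Cisco requires %s, peer proposes %s" % (
            "+".join(sorted(cisco_bundle)), "+".join(sorted(peer_proposal)))
    for proto in sorted(cisco_bundle):
        for role in ("enc", "auth"):
            want = cisco_bundle[proto].get(role)
            got = peer_proposal[proto].get(role)
            if want != got:
                return False, "%s %s mismatch: Cisco %s, peer %s" % (
                    proto, role, want or "none", got or "none")
    return True, "proposal acceptable"


def decode_validate_proposal(debug_line):
    """Decode the numbers in an IOS 'IPSEC(validate_proposal): transform
    proposal (prot P, trans T, hmac_alg H) not supported' line, or None."""
    m = re.search(r"prot (\d+), trans (\d+), hmac_alg (\d+)", debug_line)
    if not m:
        return None
    prot, trans, hmac = (int(x) for x in m.groups())
    proto = PROTOCOL_ID.get(prot, "proto %d" % prot)
    table = ESP_TRANSFORM_ID if proto == "ESP" else AH_TRANSFORM_ID
    return {
        "protocol": proto,
        "transform": table.get(trans, "transform %d" % trans),
        "auth": AUTH_ALG_ID.get(hmac, "auth %d" % hmac),
    }


if __name__ == "__main__":
    # Lines taken from the thread, plus the two candidate fixes Robyn describes.
    peer = vyatta_esp_proposal("3des", "md5")  # esp-group ESP, proposal 1
    for cfg in (
        "crypto ipsec transform-set t1 ah-md5-hmac esp-3des",               # as posted
        "crypto ipsec transform-set t1 ah-md5-hmac esp-3des esp-md5-hmac",  # esp-md5-hmac added
        "crypto ipsec transform-set t1 esp-3des esp-md5-hmac",              # ah-md5-hmac replaced
    ):
        name, bundle = parse_cisco_transform_set(cfg)
        ok, reason = phase2_compatible(bundle, peer)
        print("%-64s %s (%s)" % (cfg, "OK  " if ok else "FAIL", reason))

    print(decode_validate_proposal(
        "1:14:27: IPSEC(validate_proposal): transform proposal "
        "(prot 3, trans 3, hmac_alg 1) not supported"))
```

The protocol-by-protocol rule is also why the failure shows up as "phase 2 SA not acceptable" while `show vpn ike sa` reports the IKE SA as up: the ISAKMP SA is negotiated against `crypto isakmp policy` and the IPsec SA against the transform-set, and the two succeed or fail independently. Once the transform-sets agree, `show vpn ipsec sa` should show real SPIs and algorithms in place of the `n/a` columns above.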
