VPN with racoon Phase 2 issue
- From: xscream@xxxxxxxxx
- Date: Fri, 29 Feb 2008 05:44:58 -0800 (PST)
Hi,
I want to establish an IPsec site-to-site VPN between a Red Hat server
and a Juniper Netscreen.
I know how to do it on the Netscreen.
172.30.99.0/24
IPSEC 172.30.98.0/24
Redhat>10.2.120.3/22========10.2.121.100/22<Juniper
My proposal on the Netscreen side is:
Phase 1: PreSharedKey, DH_G2, 3des, Sha1
Phase 2: nopfs, esp, des, md5, lifetime 3600s
Here is the configuration file of racoon:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
lifetime time 3600 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
remote 10.2.121.100
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
and here is my ifcfg-ipsec0
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
AH_PROTO=none
SRCGW=172.30.99.1
DSTGW=172.30.98.1
SRCNET=172.30.99.0/24
DSTNET=172.30.98.0/24
DST=10.2.121.100
On the Netscreen, I have the following debug message:
IKE<10.2.120.3> SA life type = seconds
IKE<0.0.0.0 > SA life duration (TV) = 3600
IKE<0.0.0.0 > encap mode from peer = 1.
IKE<0.0.0.0 > encap mode after converting it to private value = 1.
IKE<10.2.120.3> Phase 2 received:
IKE<10.2.120.3> atts<00000002 00000002 00000000 00000001 00000001 00000000>
IKE<10.2.120.3> proto(2)<AH>, ah(2)<AH_MD5>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
IKE<10.2.120.3> expect [0]:
IKE<10.2.120.3> atts<00000003 00000000 00000002 00000001 00000001 00000000>
IKE<10.2.120.3> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
IKE<10.2.120.3> proposal not acceptable, but no more proposal in payload.
IKE<10.2.120.3> Phase 2: Rejected proposals from peer. Negotiations failed.
As you can see, there is no acceptable proposal, but normally there
should be.
It seems that racoon sends a proposal with AH, MD5, but the Netscreen
expects only ESP DES...
I must have missed something in the racoon configuration, so if someone
can tell me where to look.
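The Netscreen debug above prints each Phase 2 proposal twice: once as a raw atts<...> block of six hex words and once decoded. The following Python script is an added example, not part of the original post or of racoon or ScreenOS; it parses the quoted debug lines, decodes the attribute words with the IPsec DOI identifiers from RFC 2407 (protocol 2 = AH, 3 = ESP; AH transform 2 = MD5; ESP transform 2 = DES; auth algorithm 1 = HMAC-MD5; encapsulation 1 = tunnel; group 0 = no PFS) and reports which fields of the received proposal differ from each local "expect" entry. The field order (proto, ah, esp, auth, encap, group) is an assumption inferred from the decoded lines the device prints next to each block, not a documented format.

```python
import re

# IPsec DOI identifiers from RFC 2407. The numbers match what the
# Netscreen prints, e.g. proto(2)<AH>, ah(2)<AH_MD5>, esp(2)<ESP_DES>.
PROTO_ID = {2: "AH", 3: "ESP", 4: "IPCOMP"}
AH_TRANSFORM = {2: "AH_MD5", 3: "AH_SHA"}
ESP_TRANSFORM = {2: "ESP_DES", 3: "ESP_3DES", 11: "ESP_NULL", 12: "ESP_AES"}
AUTH_ALG = {1: "HMAC-MD5", 2: "HMAC-SHA1"}
ENCAP_MODE = {1: "TUNNEL", 2: "TRANSPORT"}

# Assumed field order inside an atts<...> block, inferred from the decoded
# line the device prints right after each block.
FIELDS = ("proto", "ah", "esp", "auth", "encap", "group")

# \s also matches a newline, so a block the mail client wrapped across
# two lines still parses as one.
ATTS_RE = re.compile(r"atts<([0-9a-fA-F\s]+)>")


def parse_atts(debug_text):
    """Extract every atts<...> block as a tuple of six integers."""
    blocks = []
    for m in ATTS_RE.finditer(debug_text):
        words = tuple(int(w, 16) for w in m.group(1).split())
        if len(words) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} attribute words, got {words}")
        blocks.append(words)
    return blocks


def describe(atts):
    """Render one attribute tuple in readable form (protocol / transform / auth / mode / PFS)."""
    proto, ah, esp, auth, encap, group = atts
    parts = [PROTO_ID.get(proto, f"proto {proto}")]
    if proto == 2:
        parts.append(AH_TRANSFORM.get(ah, f"ah {ah}"))
    elif proto == 3:
        parts.append(ESP_TRANSFORM.get(esp, f"esp {esp}"))
    parts.append(AUTH_ALG.get(auth, f"auth {auth}"))
    parts.append(ENCAP_MODE.get(encap, f"encap {encap}"))
    parts.append(f"PFS group {group}" if group else "no PFS")
    return " / ".join(parts)


def mismatched_fields(received, expected):
    """Names of the attribute fields in which the peer's proposal differs from a local one."""
    return [f for f, r, e in zip(FIELDS, received, expected) if r != e]


def diagnose(debug_text):
    """The first atts<> block is what the peer sent; the rest are the local 'expect [n]' proposals."""
    blocks = parse_atts(debug_text)
    if len(blocks) < 2:
        raise ValueError("need the received block and at least one expect block")
    received, expected = blocks[0], blocks[1:]
    return {
        "received": describe(received),
        "expected": [describe(e) for e in expected],
        "mismatches": [mismatched_fields(received, e) for e in expected],
        "acceptable": any(received == e for e in expected),
    }


# Sample input: the Phase 2 debug lines quoted in the post above, with the
# atts<> blocks left wrapped exactly as the mail client wrapped them.
NETSCREEN_DEBUG = """\
IKE<10.2.120.3> Phase 2 received:
IKE<10.2.120.3> atts<00000002 00000002 00000000 00000001 00000001
00000000>
IKE<10.2.120.3> proto(2)<AH>, ah(2)<AH_MD5>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
IKE<10.2.120.3> expect [0]:
IKE<10.2.120.3> atts<00000003 00000000 00000002 00000001 00000001
00000000>
IKE<10.2.120.3> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
"""

if __name__ == "__main__":
    report = diagnose(NETSCREEN_DEBUG)
    print("peer offered :", report["received"])
    for exp, diff in zip(report["expected"], report["mismatches"]):
        print("local expects:", exp, "-> differs in", ", ".join(diff) or "nothing")
    print("acceptable   :", report["acceptable"])
```

Run against the quoted output it reports that the peer offered AH with HMAC-MD5 in tunnel mode and no PFS, while the local side expects ESP with DES and HMAC-MD5, so the proposals differ in the proto, ah and esp fields and in nothing else; the lifetime, authentication, encapsulation and PFS settings already agree, which narrows the search to why the Red Hat side is negotiating an AH SA instead of an ESP one.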