This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cisco 3030 VPN Con <--> ASL in a NET 2 NET Help!

I have a Cisco 3030 VPN Concentrator in my office and a ASL in a remote office, we are trying to get a NET 2 NET IPSEC link running, to no avail, tried almost every setting choice.

The logs are pointing to an authentication problem, the cisco has the following options

ESP/SHA/HMAC-160
ESP/MD5/HMAC-128

and Astaro Has

MD5-160
SHA1-192
SHA2-256
SHA2-512

There isn't a compatible pair! Anyone else have this working?

thanks!

Justin.

This thread was automatically locked due to age.

Parents

0 Grinthock over 22 years ago

Anyone?
Cancel
Vote Up 0 Vote Down

Cancel
0 Gert Hansen over 22 years ago in reply to Grinthock

Hi there ,

ESP/SHA/HMAC-160 -> SHA1-192
ESP/MD5/HMAC-128 -> MD5-160

thats it

kind regards
Gert
Cancel
Vote Up 0 Vote Down

Cancel
0 Grinthock over 22 years ago in reply to Gert Hansen

I'll work on that, does Astaro automagically step down to the 128 MD5 that the cisco is using even though it's set to 160?
Cancel
Vote Up 0 Vote Down

Cancel
0 Grinthock over 22 years ago in reply to Grinthock

Not working the other side is seeing a failure, it's something in the IKE... i'm seeing this error in the live log (the ip's have been changed to protect the innocent!)

"LOCAL__TO__WORK_1" #36: peer requested 86400 seconds which exceeds our limit 28800 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Apr 24 19:28:03 (none) pluto[4709]: "LOCAL__TO__WORK_1" #36: no acceptable Oakley Transform
Apr 24 19:28:03 (none) pluto[4709]: "LOCAL__TO__WORK_1" #36: sending notification NO_PROPOSAL_CHOSEN to xx.xxx.102.229:500
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Grinthock over 22 years ago in reply to Grinthock

Not working the other side is seeing a failure, it's something in the IKE... i'm seeing this error in the live log (the ip's have been changed to protect the innocent!)

"LOCAL__TO__WORK_1" #36: peer requested 86400 seconds which exceeds our limit 28800 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Apr 24 19:28:03 (none) pluto[4709]: "LOCAL__TO__WORK_1" #36: no acceptable Oakley Transform
Apr 24 19:28:03 (none) pluto[4709]: "LOCAL__TO__WORK_1" #36: sending notification NO_PROPOSAL_CHOSEN to xx.xxx.102.229:500
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Grinthock over 22 years ago in reply to Grinthock

i'd like to also add this error. if you want a FULL Trace I can post

NO_PROPOSAL_CHOSEN
Cancel
Vote Up 0 Vote Down

Cancel
0 Grinthock over 22 years ago in reply to Grinthock

Ok i've got a little more now....  BUT...  i'm seeing this error in the LIVE LOG

cannot respond to IPsec SA request because no connection is known

Here is a complete dump of the status window

000
000 "LOCAL__TO__WORK_1": 192.168.2.254/32===134.22.70.251...64.119.102.229===172.16.1.0/24
000 "LOCAL__TO__WORK_1":   ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "LOCAL__TO__WORK_1":   policy: PSK+ENCRYPT+TUNNEL; interface: ppp0; unrouted
000 "LOCAL__TO__WORK_1":   newest ISAKMP SA: #4; newest IPsec SA: #0; eroute owner: #0
000 "LOCAL__TO__WORK_1":   IKE algorithms wanted: 5_000-1-5, flags=-strict
000 "LOCAL__TO__WORK_1":   IKE algorithms found:  5_192-1_128-5,
000 "LOCAL__TO__WORK_1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536 (extension)
000 "LOCAL__TO__WORK_1":   ESP algorithms wanted: 12_128-1, flags=-strict
000 "LOCAL__TO__WORK_1":   ESP algorithms loaded: 12_128-1_128,
000
000 #99: "LOCAL__TO__WORK_1" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 17s
000 #4: "LOCAL__TO__WORK_1" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 893s; newest ISAKMP
000
Cancel
Vote Up 0 Vote Down

Cancel