From: Sean McAvoy <sean.mca...@pbsdrive.com>
Newsgroups: linux.debian.maint.firewall
Subject: Re: Kernel 2.6 racoon <--> SonicWall VPN
Date: Tue, 22 Nov 2005 18:25:20 +0100
Message-ID: <5bk3m-6ci-499@gated-at.bofh.it>
References: <5bk2v-6ci-437@gated-at.bofh.it>
List-Id: <debian-firewall.lists.debian.org>

It seems to me that the cipher one side is proposing is not being accepted by the other. I have connected FreeS/WAN 1.99 to a SonicWall using:

    esp = 3des-sha1
    ike = 3des-sha-modp1024

Hope that helps.

On 22-Nov-05, at 10:22 AM, James Crow wrote:

> Greetings all,
>
> If this is the wrong list for this question please advise where I should go.
>
> I have a Debian stable box running kernel 2.4 with the FreeS/WAN patches. This configuration has been working for quite some time. I now have a need to move to kernel 2.6 and would like to use the native IPsec stack and racoon IKE daemon.
>
> I installed 2.6.12-1-k7, ipsec-tools, and racoon. I created a config that matched my FreeS/WAN config using shared keys. I am unable to get the tunnels up.
>
> My racoon log shows the connection fails at phase 1. Here is a snippet:
>
> 2005-11-22 10:03:02: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
> 2005-11-22 10:03:06: INFO: respond new phase 1 negotiation: 11.22.33.11[500]<=>11.22.33.182[500]
> 2005-11-22 10:03:06: INFO: begin Identity Protection mode.
> 2005-11-22 10:03:06: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
> 2005-11-22 10:03:06: ERROR: no suitable proposal found.
> 2005-11-22 10:03:06: ERROR: failed to get valid proposal.
> 2005-11-22 10:03:06: ERROR: failed to process packet.
>
> My ipsec-tools.conf:
>
> #!/usr/sbin/setkey -f
>
> # NOTE: Do not use this file if you use racoon with the racoon-tool
> # utility. racoon-tool will set up SAs and SPDs automatically using
> # the /etc/racoon/racoon-tool.conf configuration.
> #
>
> ## Flush the SAD and SPD
> #
> flush;
> spdflush;
>
> # Cherrydale
> spdadd 10.1.1.0/25 192.168.105.0/24 any -P out ipsec
>     esp/tunnel/11.22.33.11-11.22.33.182/require;
> spdadd 192.168.105.0/24 10.1.1.0/25 any -P in ipsec
>     esp/tunnel/11.22.33.182-11.22.33.11/require;
>
>
> My racoon.conf:
>
> #
> # NOTE: This file will not be used if you use racoon-tool(8) to manage your
> # IPsec connections. racoon-tool will process racoon-tool.conf(5) and
> # generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
> # of this file.
> #
> # Simple racoon.conf
> #
> #
> # Please look in /usr/share/doc/racoon/examples for
> # examples that come with the source.
> #
> # Please read racoon.conf(5) for details, and also read setkey(8).
> #
> #
> # Also read the Linux IPsec HOWTO up at
> #
> #
>
> path pre_shared_key "/etc/racoon/psk.txt";
> path certificate "/etc/racoon/certs";
>
> log notify; # or notify,debug,debug2
> # "padding" defines some parameters of padding. You should not touch these.
> padding
> {
>     maximum_length 20;  # maximum padding length.
>     randomize off;      # enable randomized length.
>     strict_check off;   # enable strict check.
>     exclusive_tail off; # extract last one octet.
> }
>
> # If no listen directive is specified, racoon will listen on all
> # available interface addresses.
> listen
> {
>     isakmp 11.22.33.11 [500];
>     strict_address;
> }
>
> # Specification of the default timers.
> timer
> {
>     # These values can be changed per remote node.
>     counter 5;        # maximum trying count to send.
>     interval 20 sec;  # maximum interval to resend.
>     persend 1;        # the number of packets per send.
>
>     # timer for waiting to complete each phase.
>     phase1 30 sec;
>     phase2 15 sec;
> }
>
> # Cherrydale to Corp
> remote 11.22.33.182
> {
>     lifetime time 24 hours;
>     exchange_mode main;
>     send_cr off;
>     send_cert off;
>     proposal {
>         #encryption_algorithm blowfish;
>         encryption_algorithm 3des;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key;
>         dh_group 2;
>         lifetime time 300 seconds;
>     }
> }
>
> # local net to remote net
> sainfo address 10.1.1.0/25 any address 192.168.105.0/24 any {
>     lifetime time 12 hours;
>     pfs_group 2;
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_sha1, hmac_md5;
>     compression_algorithm deflate;
> }
> # end Cherrydale to Corp
>
> My SonicWall config:
>
> Phase 1:
>     Exchange: Main mode
>     DH group: Group 2
>     Encryption: 3DES
>     Authentication: SHA1
>
> Phase 2:
>     Protocol: ESP
>     Encryption: 3DES
>     Authentication: SHA1
>
>
> Any idea what I am missing?
>
> Thanks,
> James
>
> --
> James Crow
> Ultratan, Inc.
>
> --
> To UNSUBSCRIBE, email to debian-firewall-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
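As an added example, not part of the thread, here is a small Python analyzer for racoon log lines like the snippet James posted: it groups each responder-side phase 1 negotiation by peer, records the exchange mode and Vendor IDs seen, and flags "no suitable proposal found" as a phase 1 proposal mismatch, which is what Sean's reply points at. The sample log is constructed from the quoted snippet, and the regexes assume racoon's `<date> <time>: <LEVEL>: <message>` line format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the racoon log snippet quoted in the thread.
SAMPLE_LOG = """\
2005-11-22 10:03:02: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2005-11-22 10:03:06: INFO: respond new phase 1 negotiation: 11.22.33.11[500]<=>11.22.33.182[500]
2005-11-22 10:03:06: INFO: begin Identity Protection mode.
2005-11-22 10:03:06: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2005-11-22 10:03:06: ERROR: no suitable proposal found.
2005-11-22 10:03:06: ERROR: failed to get valid proposal.
2005-11-22 10:03:06: ERROR: failed to process packet.
"""

LINE_RE = re.compile(r"^(\S+ \S+): (\w+): (.*)$")  # "<date> <time>: <LEVEL>: <message>" (assumed)
PHASE1_RE = re.compile(r"respond new phase 1 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")

@dataclass
class Phase1Attempt:
    started: str
    local: str
    peer: str
    mode: str = "unknown"  # "Identity Protection mode" is IKEv1 main mode
    vendor_ids: list = field(default_factory=list)
    failure: str = ""      # empty while the negotiation has not failed

def analyze_racoon_log(text):
    """Group responder-side phase 1 negotiations by peer and record how each one ended."""
    attempts, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, msg = m.groups()
        p1 = PHASE1_RE.search(msg)
        if p1:
            current = Phase1Attempt(ts, p1.group(1), p1.group(2))
            attempts.append(current)
        elif current is None or current.failure:
            continue  # noise before the first negotiation, or follow-on errors of one already flagged
        elif msg.startswith("begin "):
            current.mode = msg[len("begin "):].rstrip(".")
        elif msg.startswith("received Vendor ID: "):
            current.vendor_ids.append(msg[len("received Vendor ID: "):])
        elif level == "ERROR" and "no suitable proposal" in msg:
            # Peer's offer matched none of racoon's phase 1 proposals (encryption, hash, auth method, DH group).
            current.failure = f"phase 1 proposal mismatch with {current.peer}"
        elif level == "ERROR":
            current.failure = msg
    return attempts
```

Run against a real `/var/log/daemon.log` the same way, by reading the file into `analyze_racoon_log`, to see which peer's phase 1 failed and whether the failure was a proposal mismatch rather than, say, a pre-shared key error.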