VPN between Cisco 1760 and StrongSwan

Status
Not open for further replies.

radian7

IS-IT--Management
Dec 5, 2005
14
PL
Hi

I am trying to make an IPSec tunnel between a Cisco 1760 and StrongSwan
with the following parameters:
hash function for phase I: md5
encryption function for phase I: 3des
Diffie Hellman group for phase I: PFS2
LifeTime for phase I: 7200sec
hash function for phase II: md5
encryption function for phase II: 3des
Diffie Hellman group for phase II: PFS2
LifeTime for phase II: 7200sec

Unfortunately it fails in phase one.

show crypto isakmp sa
dst            src            state          conn-id slot
193.9.121.y    80.50.94.x     MM_NO_STATE          2    0
193.9.121.y    80.50.94.x     MM_NO_STATE          1    0 (deleted)

DEBUG:
Dec 6 07:53:57.678: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 80.50.94.x, remote= 193.9.121.y,
local_proxy= 80.50.241.x/255.255.255.255/0/0 (type=1),
remote_proxy= 193.9.121.y/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 7200s and 4608000kb,
spi= 0xD86B3A26(3630905894), conn_id= 0, keysize= 0, flags= 0x400B
Dec 6 07:53:57.678: ISAKMP: received ke message (1/1)
Dec 6 07:53:57.678: ISAKMP: local port 500, remote port 500
Dec 6 07:53:57.682: ISAKMP: set new node 0 to QM_IDLE
Dec 6 07:53:57.682: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Dec 6 07:53:57.682: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Dec 6 07:53:57.682: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Dec 6 07:53:57.682: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1

Dec 6 07:53:57.682: ISAKMP (0:1): beginning Main Mode exchange
Dec 6 07:53:57.682: ISAKMP (0:1): sending packet to 193.9.121.y my_port 500 peer_port 500 (I) MM_NO_STATE
Dec 6 07:53:57.714: ISAKMP (0:1): received packet from 193.9.121.y dport 500 sport 500 (I) MM_NO_STATE
Dec 6 07:53:57.714: ISAKMP (0:1): Notify has no hash. Rejected.
Dec 6 07:53:57.714: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 6 07:53:57.714: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM1

Dec 6 07:54:27.679: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 80.50.94.x, remote= 193.9.121.y,
local_proxy= 80.50.241.x/255.255.255.255/0/0 (type=1),
remote_proxy= 193.9.121.y/255.255.255.255/0/0 (type=1)

CONFIGURATION:

ip access-list extended acc_b
 permit ip host 80.50.241.x host 193.9.121.y log
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 hash md5
 lifetime 7200
crypto isakmp key xxxxxxxxx address 193.9.121.y no-xauth
crypto ipsec transform-set ts_b esp-3des esp-md5-hmac
crypto map crypto_b 10 ipsec-isakmp
 set peer 193.9.121.y
 set security-association lifetime seconds 7200
 set transform-set ts_b
 set pfs group2
 match address acc_b
interface Serial0/1.1 point-to-point
 ip address 80.50.94.x 255.255.255.252
 frame-relay interface-dlci 99
 crypto map crypto_b

What can I do next?
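
An added example, not part of the original post: a small Python triage of the ISAKMP debug lines above that tracks each SA's state transitions and flags a negotiation that stays in the same state after IOS rejects a hashless Notify, as SA 0:1 does here. The names `triage` and `report` are hypothetical, and the sample log is constructed from lines in the post.

```python
import re

# Constructed sample: lines copied from the debug output in the post above.
SAMPLE_LOG = """\
Dec 6 07:53:57.682: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Dec 6 07:53:57.682: ISAKMP (0:1): sending packet to 193.9.121.y my_port 500 peer_port 500 (I) MM_NO_STATE
Dec 6 07:53:57.714: ISAKMP (0:1): received packet from 193.9.121.y dport 500 sport 500 (I) MM_NO_STATE
Dec 6 07:53:57.714: ISAKMP (0:1): Notify has no hash. Rejected.
Dec 6 07:53:57.714: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 6 07:53:57.714: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM1
Dec 6 07:54:27.679: IPSEC(key_engine): request timer fired: count = 1,
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:.]+: ISAKMP \((\d+:\d+)\): (.*)$")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")

def triage(log_text):
    """Per-SA summary of an IOS ISAKMP debug capture (hypothetical helper)."""
    sas = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # IPSEC(...) lines, wrapped continuation lines, blanks
        sa_id, msg = m.groups()
        sa = sas.setdefault(sa_id, {"state": None, "sent": 0, "received": 0,
                                    "rejected_notifies": 0, "stalled_in": None})
        t = STATE.search(msg)
        if msg.startswith("sending packet"):
            sa["sent"] += 1
        elif msg.startswith("received packet"):
            sa["received"] += 1
        elif "Notify has no hash" in msg:
            sa["rejected_notifies"] += 1
        elif t:
            old, new = t.groups()
            # State unchanged after a rejected notify: the exchange did not advance.
            if old == new and sa["rejected_notifies"]:
                sa["stalled_in"] = new
            sa["state"] = new
    return sas

def report(sas):
    return [f"SA {i}: stalled in {s['stalled_in']} after {s['rejected_notifies']} "
            "rejected notify; check the peer's log and both phase 1 proposals"
            if s["stalled_in"] else f"SA {i}: last state {s['state']}"
            for i, s in sorted(sas.items())]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

In IKEv1, an Informational exchange sent before the ISAKMP SA is established travels in the clear without a HASH payload (RFC 2409, section 5.7), so the reason behind the rejected notify has to be read from the log on the StrongSwan side.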
 