VPN with racoon Phase 2 issue - Networking



Thread: VPN with racoon Phase 2 issue

  1. VPN with racoon Phase 2 issue

    Hi,
    I want to establish an IPsec site-to-site VPN between a Red Hat server
    and a Juniper NetScreen.
    I know how to do it on the NetScreen.

    172.30.99.0/24
    IPSEC 172.30.98.0/24
    Redhat>10.2.120.3/22========10.2.121.100/22
    My proposal on the NetScreen side is:
    Phase 1: PreSharedKey, DH_G2, 3des, Sha1
    Phase 2: nopfs, esp, des, md5, lifetime 3600s

    Here is the configuration file of racoon:

    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    sainfo anonymous
    {
        lifetime time 3600 seconds;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }
    remote 10.2.121.100
    {
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    and here is my ifcfg-ipsec0:
    TYPE=IPSEC
    ONBOOT=no
    IKE_METHOD=PSK
    AH_PROTO=none
    SRCGW=172.30.99.1
    DSTGW=172.30.98.1
    SRCNET=172.30.99.0/24
    DSTNET=172.30.98.0/24
    DST=10.2.121.100

    On the NetScreen, I have the following debug messages:
    IKE<10.2.120.3> SA life type = seconds
    IKE<0.0.0.0 > SA life duration (TV) = 3600
    IKE<0.0.0.0 > encap mode from peer = 1.
    IKE<0.0.0.0 > encap mode after converting it to private value = 1.
    IKE<10.2.120.3> Phase 2 received:
    IKE<10.2.120.3> atts<00000002 00000002 00000000 00000001 00000001 00000000>
    IKE<10.2.120.3> proto(2), ah(2), auth(1), encap(1), group(0)
    IKE<10.2.120.3> expect [0]:
    IKE<10.2.120.3> atts<00000003 00000000 00000002 00000001 00000001 00000000>
    IKE<10.2.120.3> proto(3), esp(2), auth(1), encap(1), group(0)
    IKE<10.2.120.3> proposal not acceptable, but no more proposal in payload.
    IKE<10.2.120.3> Phase 2: Rejected proposals from peer. Negotiations failed.

    As you can see, there is no acceptable proposal, but normally there
    should be.
    It seems that racoon sends a proposal with AH, MD5 but the NetScreen
    expects only ESP des...

    I must have missed something in the racoon configuration, so if someone
    can tell me where to look.
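    As an added troubleshooting aid (not part of the original post), the decoder below translates the numeric Phase 2 attributes in the NetScreen debug lines above into names, using the IPsec DOI values from RFC 2407, and lists the attributes on which the peer's offer differs from what the NetScreen expected. The two sample lines are the ones from this post, rejoined onto single lines.

```python
import re

# Phase 2 (Quick Mode) attribute values from the IPsec DOI, RFC 2407.
PROTO = {2: "AH", 3: "ESP"}
TRANSFORM = {
    "ah": {2: "AH_MD5", 3: "AH_SHA"},
    "esp": {2: "ESP_DES", 3: "ESP_3DES", 11: "ESP_NULL", 12: "ESP_AES"},
}
AUTH = {0: "none", 1: "HMAC-MD5", 2: "HMAC-SHA1"}
ENCAP = {1: "tunnel", 2: "transport"}

# Shape of the NetScreen summary line, e.g. "proto(2), ah(2), auth(1), encap(1), group(0)".
LINE_RE = re.compile(
    r"proto\((\d+)\),\s*(ah|esp)\((\d+)\),\s*auth\((\d+)\),\s*encap\((\d+)\),\s*group\((\d+)\)"
)

# Constructed sample input: the two summary lines from the debug output above, rejoined.
RECEIVED = "IKE<10.2.120.3> proto(2), ah(2), auth(1), encap(1), group(0)"
EXPECTED = "IKE<10.2.120.3> proto(3), esp(2), auth(1), encap(1), group(0)"


def decode(line):
    """Map one summary line to named attributes; None if the line is not a summary line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, kind, xform, auth, encap, group = m.groups()
    proto, xform, auth, encap, group = map(int, (proto, xform, auth, encap, group))
    return {
        "protocol": PROTO.get(proto, f"protocol {proto}"),
        "transform": TRANSFORM[kind].get(xform, f"{kind} transform {xform}"),
        "auth": AUTH.get(auth, f"auth {auth}"),
        "mode": ENCAP.get(encap, f"encap {encap}"),
        "pfs_group": group,  # 0 = no PFS; 2 = MODP-1024 (DH group 2)
    }


def diff_proposals(received, expected):
    """Attribute names on which the peer's offer differs from the local policy."""
    r, e = decode(received), decode(expected)
    if r is None or e is None:
        raise ValueError("input is not a NetScreen Phase 2 summary line")
    return sorted(k for k in r if r[k] != e[k])


if __name__ == "__main__":
    for label, line in (("received", RECEIVED), ("expected", EXPECTED)):
        print(label, decode(line))
    # Prints ['protocol', 'transform']: the peer offered AH/MD5, the policy wants ESP/DES.
    print("mismatch on:", diff_proposals(RECEIVED, EXPECTED))
```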

  2. Re: VPN with racoon Phase 2 issue

    With Red Hat ES4, do I have to deal with setkey and ipsec.conf
    (ipsec.conf doesn't exist on the server)?
    At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...

  3. Re: VPN with racoon Phase 2 issue

    xscream@gmail.com wrote:
    > With Red Hat ES4, do I have to deal with setkey and ipsec.conf
    > (ipsec.conf doesn't exist on the server)?
    > At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...

    Use setkey for the policies. That's the proposal that is missing.

  4. Re: VPN with racoon Phase 2 issue

    On 1 Mar, 05:30, Joe Beasley wrote:
    > xscr...@gmail.com wrote:
    > > With Red Hat ES4, do I have to deal with setkey and ipsec.conf
    > > (ipsec.conf doesn't exist on the server)?
    > > At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...
    >
    > Use setkey for the policies. That's the proposal that is missing.

    Ok Joe,
    but are you sure that in Red Hat 4 update 4 we have to deal with
    setkey???

  5. Re: VPN with racoon Phase 2 issue

    On 1 Mar, 05:30, Joe Beasley wrote:
    > xscr...@gmail.com wrote:
    > > With Red Hat ES4, do I have to deal with setkey and ipsec.conf
    > > (ipsec.conf doesn't exist on the server)?
    > > At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...
    >
    > Use setkey for the policies. That's the proposal that is missing.

    Hello again,
    I tried everything, but I still have only one proposal:
    proto(2), ah(2), auth(1), encap(1), group(2)
    And I would like
    proto(3), esp(3), auth(2), encap(1), group(2)

    Where can I set ESP and not AH???

  6. Re: VPN with racoon Phase 2 issue

    xscream@gmail.com wrote:
    > On 1 Mar, 05:30, Joe Beasley wrote:
    >> xscr...@gmail.com wrote:
    >>> With Red Hat ES4, do I have to deal with setkey and ipsec.conf
    >>> (ipsec.conf doesn't exist on the server)?
    >>> At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...
    >>
    >> Use setkey for the policies. That's the proposal that is missing.
    >
    > Hello again,
    > I tried everything, but I still have only one proposal:
    > proto(2), ah(2), auth(1), encap(1), group(2)
    > And I would like
    > proto(3), esp(3), auth(2), encap(1), group(2)
    >
    > Where can I set ESP and not AH???

    Not sure about the RHES4. I use Ubuntu server and FreeBSD to make
    connections to Cisco routers and PIXs. Both use setkey.

  7. Re: VPN with racoon Phase 2 issue

    On 4 Mar, 05:14, Joe Beasley wrote:
    > xscr...@gmail.com wrote:
    > > On 1 Mar, 05:30, Joe Beasley wrote:
    > >> xscr...@gmail.com wrote:
    > >>> With Red Hat ES4, do I have to deal with setkey and ipsec.conf
    > >>> (ipsec.conf doesn't exist on the server)?
    > >>> At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...
    > >>
    > >> Use setkey for the policies. That's the proposal that is missing.
    > >
    > > Hello again,
    > > I tried everything, but I still have only one proposal:
    > > proto(2), ah(2), auth(1), encap(1), group(2)
    > > And I would like
    > > proto(3), esp(3), auth(2), encap(1), group(2)
    > >
    > > Where can I set ESP and not AH???
    >
    > Not sure about the RHES4. I use Ubuntu server and FreeBSD to make
    > connections to Cisco routers and PIXs. Both use setkey.

    Ok, thank you Joe. Actually, you're right, I have to use setkey, so I
    use this:

    flush;
    spdflush;
    spdadd 172.30.97.0/24 172.30.96.0/24 any -P out ipsec esp/tunnel/10.2.120.4-10.2.121.100/require;
    spdadd 172.30.96.0/24 172.30.97.0/24 any -P in ipsec esp/tunnel/10.2.121.100-10.2.120.4/require;

    and everything is fine now.
