From: Vida L. A. <vi...@gm...> - 2006-03-24 00:02:36
Hi All,
I have Fedora version 4. I am configuring a VPN and I need a tunnel to a Cisco 800; however, I have a problem when I try to bring up the tunnel. The messages say:
2006-03-23 17:03:12: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2006-03-23 17:03:12: INFO: 127.0.0.1[500] used for NAT-T
2006-03-23 17:03:12: INFO: 165.98.224.82[500] used as isakmp port (fd=8)
2006-03-23 17:03:12: INFO: 165.98.224.82[500] used for NAT-T
2006-03-23 17:03:12: INFO: 172.16.1.1[500] used as isakmp port (fd=9)
2006-03-23 17:03:12: INFO: 172.16.1.1[500] used for NAT-T
2006-03-23 17:03:12: INFO: ::1[500] used as isakmp port (fd=10)
2006-03-23 17:03:12: INFO: fe80::20f:1fff:fe5f:fd83%eth0[500] used as isakmp port (fd=11)
2006-03-23 17:03:12: INFO: fe80::208:54ff:fe19:9933%eth1[500] used as isakmp port (fd=12)
2006-03-23 17:03:22: INFO: IPsec-SA request for 165.98.236.214 queued due to no phase1 found.
2006-03-23 17:03:22: INFO: initiate new phase 1 negotiation: 165.98.224.82[500]<=>165.98.236.214[500]
2006-03-23 17:03:22: INFO: begin Identity Protection mode.
2006-03-23 17:03:53: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 165.98.236.214->165.98.224.82
2006-03-23 17:03:53: INFO: delete phase 2 handler.
2006-03-23 17:05:22: ERROR: phase1 negotiation failed due to time up. 3784e1df1d505bb7:0000000000000000
I need your suggestions; I am sending my configuration files for Linux and Cisco.
psk.txt
==========
165.98.236.214 secret
setkey.sh
========
#!/sbin/setkey -f
#
# Flush the SAD and SPD
flush;
spdflush;
# Create the policies for racoon (tunnel mode ESP between the two gateways)
spdadd 172.16.1.0/24 172.16.26.0/24 any -P out ipsec
esp/tunnel/165.98.224.82-165.98.236.214/require;
spdadd 172.16.26.0/24 172.16.1.0/24 any -P in ipsec
esp/tunnel/165.98.236.214-165.98.224.82/require;
racoon.conf
=========
path include "/etc/racoon/racoon.conf";
path pre_shared_key "/etc/racoon/psk.txt";
# "padding" defines some parameter of padding.
# You should not touch these.
padding {
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# Default values for the various timers.
timer
{
# These values can be changed per remote node.
counter 5; # maximum number of send attempts.
interval 20 sec; # maximum interval between resends.
persend 1; # the number of packets per send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
remote 165.98.236.214 {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo address 172.16.1.0/24 any address 172.16.26.0/24 any {
pfs_group 1;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
My iptables
#!/bin/sh
EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="172.16.1.0/24"
REMOTE_LAN="172.16.26.0/24"
IPTABLES="/sbin/iptables"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1
#VPN
$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j
ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN -i $EXT_IF -m mark --mark 1 -j ACCEPT
# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT #SSH
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT
Cisco 800
========
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key secret address 165.98.224.82
!
!
crypto ipsec transform-set DICE esp-3des esp-sha-hmac
!
crypto map DICE 10 ipsec-isakmp
set peer 165.98.224.82
set transform-set DICE
match address 100
access-list 100 permit ip 172.16.26.0 0.0.0.255 172.16.1.0 0.0.0.255
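Two things in the post are worth checking before touching anything else, and one of them can be checked mechanically. First, the final log line carries the ISAKMP cookie pair `3784e1df1d505bb7:0000000000000000`: the responder cookie is still all zeros, and no "received" line appears, so the Cisco never answered at all. That points at reachability first (UDP/500 from 165.98.224.82 arriving at the 800, and the crypto map actually being bound to an interface; the posted Cisco snippet shows `crypto map DICE` but no `interface ... crypto map DICE` line). Second, once packets do flow, IKE phase 1 only completes if the two sides agree on every attribute of one proposal, including the ones IOS fills in silently: a `crypto isakmp policy` with no `group` line uses Diffie-Hellman group 1 (768-bit modp), while the racoon `remote` block proposes `dh_group modp1024` (group 2). The script below is an added example, not part of the original post or of racoon or IOS; it parses the two blocks as copied from the post (embedded as constructed input), applies the IOS defaults as documented by Cisco (des / sha / rsa-sig / group 1), and lists every phase-1 attribute that differs. The attribute names and mapping tables are my own normalisation, not anything either product exposes.

```python
"""Compare the IKE phase-1 proposal in a racoon.conf 'remote' block with a
Cisco IOS 'crypto isakmp policy' block, filling in the IOS defaults for lines
the policy omits. Added example; the embedded blocks are copied from the
post above and are not read from a live system."""
import re

# Constructed input: the racoon 'remote' block from the post.
RACOON_REMOTE = """
remote 165.98.236.214 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
"""

# Constructed input: the 'crypto isakmp policy' block from the post.
CISCO_POLICY = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
"""

# Values IOS uses when the policy does not state them (Cisco documentation).
# Lifetime is deliberately left out: a lifetime difference alone does not
# abort phase 1, the four attributes below do.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# My own normalisation tables (not product names) so both sides can be
# compared attribute by attribute; DH groups are reduced to their IKE number.
RACOON_TO_COMMON = {
    "encryption_algorithm": ("enc", {}),
    "hash_algorithm": ("hash", {"sha1": "sha"}),
    "authentication_method": ("auth", {"pre_shared_key": "psk", "rsasig": "rsa-sig"}),
    "dh_group": ("dh", {"modp768": "1", "modp1024": "2", "modp1536": "5"}),
}
CISCO_TO_COMMON = {
    "encr": ("enc", {}),
    "hash": ("hash", {}),
    "authentication": ("auth", {"pre-share": "psk"}),
    "group": ("dh", {}),
}


def parse_racoon_proposal(text):
    """Return {attribute: value} for the first 'proposal { ... }' block."""
    m = re.search(r"proposal\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no proposal block in racoon remote section")
    out = {}
    for stmt in m.group(1).split(";"):
        parts = stmt.split()
        if len(parts) == 2 and parts[0] in RACOON_TO_COMMON:
            name, table = RACOON_TO_COMMON[parts[0]]
            out[name] = table.get(parts[1], parts[1])
    return out


def parse_cisco_policy(text):
    """Return {attribute: value} for the policy, IOS defaults applied first."""
    raw = dict(IOS_DEFAULTS)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in CISCO_TO_COMMON:
            raw[parts[0]] = parts[1]
    out = {}
    for key, value in raw.items():
        name, table = CISCO_TO_COMMON[key]
        out[name] = table.get(value, value)
    return out


def phase1_mismatches(racoon_text, cisco_text):
    """List (attribute, racoon_value, cisco_value) for every attribute that
    differs. Phase 1 can only succeed when this list is empty."""
    ours = parse_racoon_proposal(racoon_text)
    theirs = parse_cisco_policy(cisco_text)
    return [(k, ours.get(k), theirs.get(k))
            for k in ("enc", "hash", "auth", "dh") if ours.get(k) != theirs.get(k)]


if __name__ == "__main__":
    for attr, ours, theirs in phase1_mismatches(RACOON_REMOTE, CISCO_POLICY):
        print(f"phase 1 mismatch on {attr}: racoon={ours} cisco={theirs}")
```

Run on the post's two blocks it reports a single mismatch, `dh`: racoon proposes group 2, the router expects group 1. Either add `group 2` to `crypto isakmp policy 10` or change racoon to `dh_group modp768`; the former is the better choice, since group 1 (768-bit) and MD5 are the weakest settings on this page. Fixing the group will not by itself change the log above while the responder cookie stays at zero, because that symptom means the router is not replying at all.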