ipsec-racoon and a cisco pix 515e

Mark Busby redtick at sbcglobal.net
Tue Apr 8 15:24:45 UTC 2008 

Having trouble getting my first connection setup.
  I am must use the 3des md5 encryption.
   
  This is from the error log.
  : DEBUG: hash validated.
: DEBUG: begin.
: DEBUG: seen nptype=8(hash)
: DEBUG: seen nptype=11(notify)
: DEBUG: succeed.
: ERROR: unknown notify message, no phase2 handle found.
: DEBUG: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0fddcb32(size=4).
: ERROR: 72.164.229.178 give up to get IPsec-SA due to time up to wait.
: DEBUG: an undead schedule has been deleted.
: DEBUG: msg 1 not interesting
: DEBUG: msg 1 not interesting

   setkey -D -P
192.168.75.101/0[any] 192.168.1.203/0[any] ip4
        in ipsec
        esp/tunnel/72.164.229.178-75.41.234.82/require
        created: Apr  8 09:59:05 2008  lastused: Apr  8 09:59:05 2008
        lifetime: 0(s) validtime: 0(s)
        spid=16389 seq=1 pid=896
        refcnt=1
192.168.1.203/0[any] 192.168.75.101/0[any] ip4
        out ipsec
        esp/tunnel/75.41.234.82-72.164.229.178/require
        created: Apr  8 09:59:05 2008  lastused: Apr  8 10:09:04 2008
        lifetime: 0(s) validtime: 0(s)
        spid=16388 seq=0 pid=896
        refcnt=1

  racoon.conf
  path pre_shared_key "/usr/local/etc/racoon/psk.txt";
  path certificate "@sysconfdir_x@/cert";
  log debug2;
  padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}
  listen
{
              isakmp 75.41.234.82 [500];
 }
  timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.
          phase1 30 sec;
        phase2 15 sec;
}
       remote 72.164.229.178
     {
             exchange_mode aggressive,main,base;
             lifetime time 24 hour;
             proposal {
                     encryption_algorithm 3des;
                     hash_algorithm md5 ;
                     authentication_method pre_shared_key;
                     dh_group 2;
             }
     }
       sainfo anonymous
     {
             pfs_group 2;
             lifetime time 12 hour ;
             encryption_algorithm 3des ;
             authentication_algorithm hmac_md5 ;
                 compression_algorithm deflate ;
}

More information about the freebsd-questions mailing list