


Subject: MPLS vpn / FR vpn - msg#00025

List: security.vpn


Hi. I want to ask a question, but before I ask it: I know that MPLS VPN is better than FR VPN in many things, like being many-to-many, not one-to-many as in FR. So my question: is there any advantage for FR VPN over MPLS VPN? And is the quality of service in FR better because I don't use other protocols like CAR or RSVP?

Thanks

_______________________________________________
VPN mailing list
VPN@xxxxxxxxxxxxxxx
http://lists.shmoo.com/mailman/listinfo/vpn

Thread at a glance:

Previous Message by Date:

Re: racoon error

Thank you for the reply.

what type of device are you trying to connect with using this enterprise linux box?

I am going to make a host-to-host connection. When I ping from one box to another I get the error

    connect: Resource temporarily unavailable

Do you think this error is related to the racoon error?

From: Jeremy Oliver <jermwoliver@xxxxxxxxx>
To: hasitha perera <hpvpn@xxxxxxxxxxx>, vpn@xxxxxxxxxxxxxxx
Subject: Re: [VPN] racoon error
Date: Mon, 23 Feb 2004 11:16:03 -0800 (PST)

what type of device are you trying to connect with using this enterprise linux box?

hasitha perera <hpvpn@xxxxxxxxxxx> wrote:

Dear Sir/Madam,

I am going to build a VPN using IPsec. I use Enterprise Linux 3 WS. I still have problems with the VPN. When I bring up the VPN connection, I get the racoon error given below. This is the log file of racoon.

    2004-02-20 11:46:59: INFO: main.c:174:main(): @(#)racoon 20001216 20001216 sakane@xxxxxxxx
    2004-02-20 11:46:59: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
    2004-02-20 11:46:59: INFO: isakmp.c:1362:isakmp_open(): 100.100.100.100[500]used as isakmp port (fd=6)
    2004-02-20 11:46:59: INFO: isakmp.c:1362:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
    2004-02-20 11:47:11: ERROR: cftoken.l:445:yyerror(): /etc/racoon/racoon.conf:16: "}" duplicated sainfo: anonymous
    2004-02-20 11:47:11: ERROR: cfparse.y:1334:cfparse(): fatal parse failure (1 errors)
    2004-02-20 11:47:11: ERROR: session.c:291:check_sigreq(): configuration read failed

/etc/racoon/racoon.conf is as below.

     1.
     2. # Racoon IKE daemon configuration file.
     3. # See 'man racoon.conf' for a description of the format and entries.
     4.
     5. path include "/etc/racoon";
     6. path pre_shared_key "/etc/racoon/psk.txt";
     7. path certificate "/etc/racoon/certs";
     8.
     9. sainfo anonymous
    10. {
    11.     pfs_group 2;
    12.     lifetime time 12 hour ;
    13.     encryption_algorithm 3des, blowfish 448, rijndael ;
    14.     authentication_algorithm hmac_sha1, hmac_md5 ;
    15.     compression_algorithm deflate ;
    16. }
    17. include "/etc/racoon/100.100.100.100.conf"
    ~

Can anyone suggest how I can solve this problem?

Thanks in advance.

Next Message by Date:

A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates

Hi,

I have a Cisco PIX 515. The WAN interface is connected behind an Internet link. When I try to connect with a Cisco VPN client 3.6.3 to the PIX using a certificate, the ISAKMP authentication blocks. The IPSEC log viewer shows that the message

    SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77

has no response from the PIX. Does someone have a diagnostic for this problem?

Thank you in advance,
Youssef

Those are the whole logs of the VPN client.

    1   11:58:33.134  02/24/04  Sev=Info/6     DIALER/0x63300002  Initiating connection.
    2   11:58:33.134  02/24/04  Sev=Info/4     CM/0x63100002  Begin connection process
    3   11:58:33.144  02/24/04  Sev=Info/4     CM/0x63100004  Establish secure connection using Ethernet
    4   11:58:33.144  02/24/04  Sev=Info/4     CM/0x63100026  Attempt connection with server "217.128.150.77"
    5   11:58:33.144  02/24/04  Sev=Info/6     IKE/0x6300003B  Attempting to establish a connection with 217.128.150.77.
    6   11:58:33.204  02/24/04  Sev=Info/4     IKE/0x63000013  SENDING >>> ISAKMP OAK MM (SA, VID, VID, VID, VID, VID) to 217.128.150.77
    7   11:58:34.035  02/24/04  Sev=Info/4     IPSEC/0x63700014  Deleted all keys
    8   11:58:38.241  02/24/04  Sev=Info/4     IKE/0x63000013  SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
    9   11:58:43.248  02/24/04  Sev=Info/4     IKE/0x63000013  SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
    10  11:58:48.256  02/24/04  Sev=Info/4     IKE/0x63000013  SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
    11  11:58:48.306  02/24/04  Sev=Info/5     IKE/0x6300002F  Received ISAKMP packet: peer = 217.128.150.77
    12  11:58:48.306  02/24/04  Sev=Info/4     IKE/0x63000014  RECEIVING <<< ISAKMP OAK MM (SA, VID, VID) from 217.128.150.77
    13  11:58:48.316  02/24/04  Sev=Info/5     IKE/0x63000059  Vendor ID payload = 7D9419A65310CA6F2C179D9215529D56
    14  11:58:48.316  02/24/04  Sev=Info/5     IKE/0x63000059  Vendor ID payload = 90CB80913EBB696E086381B5EC427B1F
    15  11:58:48.316  02/24/04  Sev=Info/5     IKE/0x63000001  Peer supports NAT-T
    16  11:58:48.316  02/24/04  Sev=Info/4     IKE/0x63000013  SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D) to 217.128.150.77
    17  11:58:48.416  02/24/04  Sev=Info/5     IKE/0x6300002F  Received ISAKMP packet: peer = 217.128.150.77
    18  11:58:48.416  02/24/04  Sev=Info/4     IKE/0x63000014  RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID, VID, VID, VID, NAT-D, NAT-D) from 217.128.150.77
    19  11:58:48.416  02/24/04  Sev=Info/5     IKE/0x63000059  Vendor ID payload = 09002689DFD6B712
    20  11:58:48.416  02/24/04  Sev=Info/5     IKE/0x63000001  Peer supports XAUTH
    21  11:58:48.416  02/24/04  Sev=Info/5     IKE/0x63000059  Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
    22  11:58:48.416  02/24/04  Sev=Info/5     IKE/0x63000001  Peer supports DPD
    23  11:58:48.416  02/24/04  Sev=Info/5     IKE/0x63000059  Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
    24  11:58:48.416  02/24/04  Sev=Info/5     IKE/0x63000001  Peer is a Cisco-Unity compliant peer
    25  11:58:48.416  02/24/04  Sev=Info/5     IKE/0x63000059  Vendor ID payload = B11B2FEEE3184CADFA563C07828BFA2F
    26  11:58:48.506  02/24/04  Sev=Info/4     IKE/0x63000013  SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77
    27  11:58:53.513  02/24/04  Sev=Warning/2  IKE/0xE300007C  Exceeded 3 IKE SA negotiation retransmits... peer is not responding
    28  11:58:53.513  02/24/04  Sev=Info/4     CM/0x63100014  Unable to establish Phase 1 SA with server "217.128.150.77" because of "DEL_REASON_PEER_NOT_RESPONDING"
    29  11:58:53.513  02/24/04  Sev=Info/5     CM/0x63100029  Initializing CVPNDrv
    30  11:58:53.563  02/24/04  Sev=Warning/3  DIALER/0xE3300008  GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
    31  11:58:54.575  02/24/04  Sev=Info/4     IPSEC/0x63700014  Deleted all keys

Config_Pix.txt
Description: Text document

Previous Message by Thread:

Contivity 2700 to Nokia Checkpoint

All,

I have a Contivity 2700 (v4.80.124) connecting to a vendor's Nokia IP 330 running Check Point 4.1. We can establish a site-to-site tunnel. He can pretty much get into our network with no problems from his side (ping, PCAny, etc.) but I'm not seeing round trip traffic initiated from my side to his using any protocol.

I see packets leaving my CES2700 and he says he sees them coming in "unencrypted"? I don't know what's happening on his end afterwards or where to go with this one. Subnets (encryption domains) appear to be OK and I have the firewall wide open on my side at this point. We also have various other vendors connecting fine (none running Check Point).

Here is some additional info:

- ESP - Triple DES with MD5 Integrity: Enabled
- IKE Encryption and Diffie-Hellman Group: Triple DES with Group 2 (1024-bit prime)
- Vendor ID: Enabled
- Aggressive Mode ISAKMP Initial Contact Payload: Enabled
- Perfect Forward Secrecy: Disabled
- Compression: Disabled
- Rekey Timeout: 08:00:00
- Rekey Data Count: (None)
- ISAKMP Retransmission Interval: 1440
- ISAKMP Retransmission Max Attempts: 4
- Keepalive interval: 00:01:00
- Keepalive (On-Demand connections): DISABLED
- Anti Replay: DISABLED

As usual, any information that might help is appreciated.

Thanks,

Mike Little
Network Services
Baptist Healthcare System

Next Message by Thread:

A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates
