From: Aaron M. Segura (aaron nichcom.com)
Date: Mon Feb 19 2001 - 08:10:31 CST
Hello,
I'm trying to set up a VPN using isakmpd between two systems acting
as firewalls for private networks...

((192.168.1.x)) <-> [(204.248.22.179)] --(internet)-- [(204.248.21.26)] <-> ((10.x.x.x))

Your basic VPN setup, from what I gather...
I have set up isakmpd according to the directions in 'man isakmpd'. I
set up a CA on each host, and followed through the entire man page on
each machine... I'm not sure if this was correct or not.
I also set up isakmpd.conf (and can attach both if necessary).
When I run 'isakmpd' on each side, 'tcpdump -v -s1500 port 500' shows:
-------------clip-------------
20:02:17.236686 204.248.21.26.isakmp > nichcom.neonramp.com.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 7c59e3b97843891c->0000000000000000 msgid: 00000000 len: 80
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
      payload: PROPOSAL len: 40 proposal: 1 proto: 1(ISAKMP) spisz: 0 xforms: 1
        payload: TRANSFORM len: 32
          transform: 0 ID: 1
            attribute ENCRYPTION_ALGORITHM = 3DES_CBC
            attribute HASH_ALGORITHM = SHA
            attribute AUTHENTICATION_METHOD = PRE_SHARED
            attribute GROUP_DESCRIPTION = MODP_1024
            attribute LIFE_TYPE = SECONDS
            attribute LIFE_DURATION = 3600 (ttl 62, id 22075)
20:02:19.446516 nichcom.neonramp.com.isakmp > 204.248.21.26.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: f1a79db09deafe48->0000000000000000 msgid: 00000000 len: 80
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
      payload: PROPOSAL len: 40 proposal: 1 proto: 1(ISAKMP) spisz: 0 xforms: 1
        payload: TRANSFORM len: 32
          transform: 0 ID: 1
            attribute ENCRYPTION_ALGORITHM = 3DES_CBC
            attribute HASH_ALGORITHM = SHA
            attribute AUTHENTICATION_METHOD = PRE_SHARED
            attribute GROUP_DESCRIPTION = MODP_1024
            attribute LIFE_TYPE = SECONDS
            attribute LIFE_DURATION = 3600 (ttl 64, id 35803)
20:02:19.457154 204.248.21.26.isakmp > nichcom.neonramp.com.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 80
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
      payload: PROPOSAL len: 40 proposal: 1 proto: 1(ISAKMP) spisz: 0 xforms: 1
        payload: TRANSFORM len: 32
          transform: 0 ID: 1
            attribute ENCRYPTION_ALGORITHM = 3DES_CBC
            attribute HASH_ALGORITHM = SHA
            attribute AUTHENTICATION_METHOD = PRE_SHARED
            attribute GROUP_DESCRIPTION = MODP_1024
            attribute LIFE_TYPE = SECONDS
            attribute LIFE_DURATION = 3600 (ttl 62, id 1912)
20:02:19.631907 nichcom.neonramp.com.isakmp > 204.248.21.26.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 180
    payload: KEY_EXCH len: 132 <KE payload data (not shown)> len: 132
    payload: NONCE len: 20 (ttl 64, id 38769)
20:02:19.865513 204.248.21.26.isakmp > nichcom.neonramp.com.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 180
    payload: KEY_EXCH len: 132 <KE payload data (not shown)> len: 132
    payload: NONCE len: 20 (ttl 62, id 17749)
20:02:20.037471 nichcom.neonramp.com.isakmp > 204.248.21.26.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
    cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 92 (ttl 64, id 65320)
20:02:20.084609 204.248.21.26.isakmp > nichcom.neonramp.com.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
    cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 92 (ttl 62, id 20920)
20:02:20.257090 nichcom.neonramp.com.isakmp > 204.248.21.26.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
    cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 4a643e84 len: 292 (ttl 64, id 42690)
20:02:20.501907 204.248.21.26.isakmp > nichcom.neonramp.com.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
    cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 4a643e84 len: 292 (ttl 62, id 21998)
20:02:20.504490 nichcom.neonramp.com.isakmp > 204.248.21.26.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted
    cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 4a643e84 len: 52 (ttl 64, id 57691)
-------------clip---------------------
This happens twice... and my routes look like:

Encap:
Source            Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
10/8              0     192.168.1/24       0     0      204.248.21.26/50/require/in
204.248.21.26/32  0     192.168.1/24       0     0      204.248.21.26/50/require/in
204.248.21.26/32  0     204.248.22.179/32  0     0      204.248.21.26/50/require/in
192.168.1/24      0     10/8               0     0      204.248.21.26/50/require/out
which looks right, based on what I've seen...
I can't send traffic across the pipe. It appears that phase one
completes OK, but... I'm just guessing here...
ANY help anyone can offer would be greatly appreciated. I've been
banging my head on this for three days now.
Aaron Segura
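A small diagnostic for captures like the one above, added here as an example and not part of the original post or of isakmpd: it re-joins tcpdump's wrapped ISAKMP records, groups them by cookie pair, and reports whether Main Mode (six ID_PROT messages, the last two encrypted) and each Quick Mode (three messages per msgid) ran to completion, plus any initiation that never received a reply. The host names A and B and the one-packet-per-line layout of the sample are assumptions; the cookies and msgids are those shown in the post.

```python
import re
# Constructed sample in the shape of the 'tcpdump -v -s1500 port 500' lines in the post: hosts
# shortened to A (204.248.21.26) and B (nichcom), payload detail lines dropped, one record wrapped.
SAMPLE = """\
20:02:17.236686 A.isakmp > B.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 7c59e3b97843891c->0000000000000000 msgid: 00000000 len: 80
20:02:19.446516 B.isakmp > A.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: f1a79db09deafe48->0000000000000000 msgid: 00000000 len: 80
20:02:19.457154 A.isakmp > B.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 80
20:02:19.631907 B.isakmp > A.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 180
20:02:19.865513 A.isakmp > B.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 180
20:02:20.037471 B.isakmp > A.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 92
20:02:20.084609 A.isakmp > B.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 00000000 len: 92
20:02:20.257090 B.isakmp > A.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 4a643e84 len: 292
20:02:20.501907 A.isakmp > B.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 4a643e84 len: 292
20:02:20.504490 B.isakmp > A.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE encrypted cookie: f1a79db09deafe48->55c3a5103c89bc96 msgid: 4a643e84 len: 52
"""

FIELDS = re.compile(r"(?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp:.*?exchange (?P<exch>\w+)"
                    r"(?P<enc> encrypted)?.*?cookie: (?P<ic>[0-9a-f]{16})->(?P<rc>[0-9a-f]{16})"
                    r" msgid: (?P<msgid>[0-9a-f]{8})")

def parse_records(text):
    """One record per packet (tcpdump's wrapped lines re-joined), with the IKE header fields."""
    chunks = re.split(r"(?m)^(?=\d\d:\d\d:\d\d\.\d+ )", text)
    return [m.groupdict() for m in (FIELDS.search(" ".join(c.split())) for c in chunks) if m]

def assess(records):
    """Per ISAKMP SA (cookie pair): did Main Mode and each Quick Mode run to completion?"""
    report, unanswered = {}, set()
    for r in records:
        if r["rc"] == "0" * 16:                 # message 1 carries no responder cookie yet
            unanswered.add(r["ic"]); continue
        unanswered.discard(r["ic"])             # a reply carrying both cookies answers it
        sa = report.setdefault(r["ic"] + "->" + r["rc"], {"enc_dirs": set(), "quick": {}})
        if r["exch"] == "ID_PROT" and r["enc"]:
            sa["enc_dirs"].add((r["src"], r["dst"]))   # messages 5 and 6: encrypted ID + HASH
        elif r["exch"] == "QUICK_MODE":
            sa["quick"][r["msgid"]] = sa["quick"].get(r["msgid"], 0) + 1
    for sa in report.values():
        # Main Mode is complete once each side has sent its encrypted ID/HASH message.
        sa["phase1_complete"] = len(sa["enc_dirs"]) == 2
        # Quick Mode takes 3 messages per msgid: two from the initiator, one from the responder.
        sa["phase2_complete"] = sorted(m for m, n in sa["quick"].items() if n >= 3)
    return report, unanswered

if __name__ == "__main__":
    report, unanswered = assess(parse_records(SAMPLE))
    for pair, sa in report.items():
        print(pair, "phase 1 done:", sa["phase1_complete"], "phase 2 msgids:", sa["phase2_complete"])
    print("initiations never answered:", sorted(unanswered))
```

On the post's capture this reports the f1a79db09deafe48->55c3a5103c89bc96 SA with both phases complete and 7c59e3b97843891c as an initiation that was never answered, which says the IKE negotiation itself succeeded and narrows the problem to what happens to traffic after the SAs are installed.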