VPN to Nortel
-
I've been given the following requirements for connecting to a vendor VPN. Will any of them cause a problem that anyone can see? The phase 1/2 stuff is pretty standard, but some of the other stuff is not configurable in pf, so I wanted to double check.
Phase 1 encryption is Triple DES with Group 2
Phase 2 encryption is Triple DES with either MD5 integrity or SHA1 integrity
Vendor ID is disabled
ISAKMP Aggressive Mode is disabled.
Compression is disabled
Perfect Forward Secrecy (PFS) is disabled.
Rekey Timeout is two hours, or 7200 seconds.
Rekey Data Count is disabled
ISAKMP Retransmission Interval is 16
ISAKMP Retransmission Max Attempts is 4
Keepalive interval is one minute
Keepalive for “On-Demand” connections is disabled
IPsec DFBit is clear
-
I don't see any problems at first glance. There are just some options in the list that Nortel has some options for, but most of them seem to be disabled anyway from your paste, and most of them shouldn't cause any problems even if enabled, I think. Give it a shot.
-
Scheduled in a couple weeks, I'll post back with notes one way or the other.
-
Tunnel is up and working, no problems that I can tell so far. :)
-
Well, there seems to be some intermittent issue with phase two on this tunnel. Logs are below. The only thing I can think of is that the lifetime doesn't match correctly, because I see a new phase 2 negotiation from them every two minutes when they are connected. It sounded like they specify their lifetimes in hours instead of seconds and their lifetime is set to 2 hours; I've got my end configured at 7200s. Not sure how pf is seeing that during the negotiation. Are there any more detailed logs I can look at to see any additional details?
racoon: INFO: purged ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
Mar 23 10:18:44 racoon: INFO: purging ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
Mar 23 10:18:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:18:44 racoon: INFO: ISAKMP-SA established me.me.me.me[500]-them.them.them.them[500] spi:9564dbd685564852:333386a2d2c623da
Mar 23 10:18:44 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Mar 23 10:18:43 racoon: INFO: begin Identity Protection mode.
Mar 23 10:18:43 racoon: INFO: respond new phase 1 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:18:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
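One way to confirm the "phase 2 every two minutes" observation from the racoon log itself, as an added example that is not part of this thread and not pfSense's or racoon's own tooling: parse the syslog lines, sort them oldest-first (the paste above is newest-first), measure the gap between consecutive phase 2 negotiations with the peer, and compare that gap with the 7200 s lifetime configured locally. The sample log is constructed to mirror the lines above; the year is assumed, since syslog timestamps carry none; and "respond" is read as the peer having initiated that negotiation.

```python
import re
import statistics
from datetime import datetime

# Constructed sample in the same shape as the racoon lines posted above (not the
# thread's real log): syslog order is newest first, and the peer starts a new
# phase 2 every two minutes although the local phase 2 lifetime is 7200 s.
SAMPLE_LOG = """\
Mar 23 10:24:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:22:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:20:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:18:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:18:43 racoon: INFO: begin Identity Protection mode.
Mar 23 10:18:43 racoon: INFO: respond new phase 1 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
"""

# "Mon DD HH:MM:SS racoon: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# "respond/initiate new phase N negotiation: me[port]<=>peer[port]"
PHASE_RE = re.compile(
    r"(?P<role>respond|initiate) new phase (?P<phase>[12]) negotiation: "
    r"(?P<me>[^\[\s]+)\[\d+\]<=>(?P<peer>[^\[\s]+)\[\d+\]"
)


def parse_phase_events(log_text, year=2010):
    """Return phase 1/2 negotiation-start events as dicts, oldest first.

    `year` is an assumption: syslog timestamps have no year field.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a racoon line in the expected shape
        pm = PHASE_RE.search(m["msg"])
        if not pm:
            continue  # purge/establish/warning lines are not negotiation starts
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(
            {"ts": ts, "phase": int(pm["phase"]), "role": pm["role"], "peer": pm["peer"]}
        )
    events.sort(key=lambda e: e["ts"])
    return events


def phase2_intervals(events, peer):
    """Seconds between consecutive phase 2 negotiations with one peer."""
    times = [e["ts"] for e in events if e["phase"] == 2 and e["peer"] == peer]
    return [int((later - earlier).total_seconds()) for earlier, later in zip(times, times[1:])]


def check_rekey(events, peer, configured_lifetime_s, early_ratio=0.5):
    """Compare the observed phase 2 rekey cadence with the locally configured lifetime.

    A typical gap far below the configured lifetime (below `early_ratio` of it)
    means the other side is driving the rekey, which is what a lifetime
    mismatch between the two ends looks like in the log.
    """
    p2 = [e for e in events if e["phase"] == 2 and e["peer"] == peer]
    intervals = phase2_intervals(events, peer)
    peer_initiated = sum(1 for e in p2 if e["role"] == "respond")
    result = {"intervals": intervals, "peer_initiated": peer_initiated, "total": len(p2)}
    if len(intervals) < 2:
        result["status"] = "insufficient-data"
        return result
    typical = statistics.median(intervals)
    result["typical_interval_s"] = typical
    if typical < configured_lifetime_s * early_ratio:
        result["status"] = "rekey-much-earlier-than-lifetime"
    else:
        result["status"] = "rekey-cadence-consistent"
    return result


if __name__ == "__main__":
    evs = parse_phase_events(SAMPLE_LOG)
    print(check_rekey(evs, "them.them.them.them", 7200))
```

Run it against a real `/var/log/ipsec.log` (or the IPsec log tab in the pfSense GUI) by reading the file into `parse_phase_events` instead of `SAMPLE_LOG`; if `peer_initiated` equals `total` and the typical interval is a couple of minutes while your side is set to 7200 s, the remote side's phase 2 lifetime is what is driving the renegotiations.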