Netgate Discussion Forum

VPN to nortel

IPsec
    cubsfan, Mar 7, 2007, 2:45 PM

    I've been given the following requirements for connecting to a vendor VPN. Will any of them cause a problem that anyone can see? The phase 1/2 stuff is pretty standard, but some of the other stuff is not configurable in pf, so I wanted to double-check.

    Phase 1 encryption is Triple DES with Group 2
    Phase 2 encryption is Triple DES with either MD5 integrity or SHA1 integrity
    Vendor ID is disabled
    ISAKMP Aggressive Mode is disabled.
    Compression is disabled
    Perfect Forward Secrecy (PFS) is disabled.
    Rekey Timeout is two hours, or 7200 seconds.
    Rekey Data Count is disabled
    ISAKMP Retransmission Interval is 16
    ISAKMP Retransmission Max Attempts is 4
    Keepalive interval is one minute
    Keepalive for “On-Demand” connections is disabled
    Ipsec DFBit is clear

      hoba, Mar 7, 2007, 4:02 PM

      I don't see any problems at first glance. There are just some options in the list that Nortel has settings for, but most of them seem to be disabled anyway from your paste, and most of them shouldn't cause any problems even if enabled, I think. Give it a shot.

        cubsfan, Mar 8, 2007, 6:33 PM

        Scheduled in a couple weeks, I'll post back with notes one way or the other.

          cubsfan, Mar 22, 2007, 2:04 AM

          Tunnel is up and working, no problems that I can tell so far. :)

            cubsfan, Mar 23, 2007, 3:27 PM

            Well, there seems to be some intermittent issue with phase two on this tunnel. Logs are below. The only thing I can think of is that the lifetime doesn't match correctly, because I see a new phase 2 negotiation from them every two minutes when they are connected. It sounded like they specify their lifetimes in hours instead of seconds, and their lifetime is set to 2 hours; I've got my end configured at 7200s. Not sure how pf is seeing that during the negotiation. Are there any more detailed logs I can look at to see any additional details?

            racoon: INFO: purged ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
            Mar 23 10:18:44 racoon: INFO: purging ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
            Mar 23 10:18:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
            Mar 23 10:18:44 racoon: INFO: ISAKMP-SA established me.me.me.me[500]-them.them.them.them[500] spi:9564dbd685564852:333386a2d2c623da
            Mar 23 10:18:44 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
            Mar 23 10:18:43 racoon: INFO: begin Identity Protection mode.
            Mar 23 10:18:43 racoon: INFO: respond new phase 1 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
            Mar 23 10:18:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

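One way to confirm the "new phase 2 every two minutes" pattern from racoon logs, rather than eyeballing them, is to measure the gap between responder-side phase 2 negotiations per peer and compare it with the configured lifetime. This is an added example, not code from the thread or from pfSense/racoon; the log lines inside it are constructed to mimic the format pasted above, and the 7200 s lifetime and the 50% tolerance are assumptions.

```python
import re
from datetime import datetime

# Constructed sample racoon lines (not the thread's), newest first as the
# forum paste shows them. Only the "respond new phase 2" events matter here.
SAMPLE_LOG = """\
Mar 23 10:24:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:22:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:20:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:18:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:18:43 racoon: INFO: respond new phase 1 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
"""

# Syslog-style timestamp (no year), then racoon's phase 1/2 responder message.
LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) racoon: INFO: respond new phase (\d) "
    r"negotiation: (\S+)<=>(\S+)"
)


def phase2_events(log_text, year=2007):
    """Return {peer: sorted timestamps} of phase 2 negotiations we responded to.

    The year is an assumption because syslog lines carry none.
    """
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "2":
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.setdefault(m.group(4), []).append(ts)
    return {peer: sorted(stamps) for peer, stamps in events.items()}


def renegotiation_rate(log_text, configured_lifetime=7200, tolerance=0.5):
    """Per peer: count of phase 2 negotiations, median gap in seconds, and a
    'suspect' flag when the median gap is far below the configured lifetime
    (a lifetime mismatch or a peer-side rekey trigger, as in the thread)."""
    report = {}
    for peer, stamps in phase2_events(log_text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps:
            continue
        median = sorted(gaps)[len(gaps) // 2]
        report[peer] = {
            "count": len(stamps),
            "median_gap_s": median,
            "suspect": median < configured_lifetime * tolerance,
        }
    return report
```

Feed it the output of `grep racoon /var/log/ipsec.log` (path is an assumption) and a peer whose median gap is minutes instead of hours is the one whose lifetime settings to compare against yours.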
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.