VPN to nortel



  • I've been given the following requirements for connecting to a vendor VPN.  Will any of them cause a problem that anyone can see?  phase1/2 stuff is pretty standard but some of the other stuff is not configurable in pf so I wanted to double check.

    Phase 1 encryption is Triple DES with Group 2
    Phase 2 encryption is Triple DES with either MD5 integrity or SHA1 integrity
    Vendor ID is disabled
    ISAKMP Aggressive Mode is disabled.
    Compression is disabled
    Perfect Forward Secrecy (PFS) is disabled.
    Rekey Timeout is two hours, or 7200 seconds.
    Rekey Data Count is disabled
    ISAKMP Retransmission Interval is 16
    ISAKMP Retransmission Max Attempts is 4
    Keepalive interval is one minute
    Keepalive for “On-Demand” connections is disabled
    Ipsec DFBit is clear



  • I don't see any problems at the first glance. There are just some options in the list that nortel has some options for but most of them seem to be disabled anyway from your paste and most of them shouldn't cause any problems even if enabled I think. Give it a shot.



  • Scheduled in a couple weeks, I'll post back with notes one way or the other.



  • Tunnel is up and working, no problems that I can tell so far. :)



  • Well there seems to be some intermittent issue with phase two on this tunnel.  Logs are below.  The only thing I can think of is that the lifetime doesn't match correctly because I see a new phase 2 negotiation from them every two minutes when they are connected.  It sounded like they specify their lifetimes in hours instead of seconds and their lifetime is set to 2 hours, I've got my end configured at 7200s.  Not sure how pf is seeing that during the negotiation, are there any more detailed logs I can look to see any additional details?

    racoon: INFO: purged ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
    Mar 23 10:18:44 racoon: INFO: purging ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
    Mar 23 10:18:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
    Mar 23 10:18:44 racoon: INFO: ISAKMP-SA established me.me.me.me[500]-them.them.them.them[500] spi:9564dbd685564852:333386a2d2c623da
    Mar 23 10:18:44 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Mar 23 10:18:43 racoon: INFO: begin Identity Protection mode.
    Mar 23 10:18:43 racoon: INFO: respond new phase 1 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
    Mar 23 10:18:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument


Log in to reply