Re: [Vyatta-users] IPSec Termination
All, thanks for your input. I got the tunnel up and running. After taking several suggestions I decided to switch to main mode and set the right side to dynamic. Also, when using dynamic even as a termination point, auto is set to add.

    version 2.0

    config setup
        interfaces=ipsec0=eth0
        hidetos=yes

    conn clear
        auto=ignore
    conn clear-or-private
        auto=ignore
    conn private-or-clear
        auto=ignore
    conn private
        auto=ignore
    conn block
        auto=ignore
    conn packetdefault
        auto=ignore

    conn peer-0.0.0.0-tunnel-1
        left=1.1.1.1
        right=%any
        rekey=no
        leftsubnet=192.168.12.0/24
        rightsubnet=192.168.10.0/24
        ike=3des-md5,3des-sha1
        ikelifetime=28800s
        aggrmode=no
        esp=3des-md5,3des-sha1
        keylife=1800s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        auto=add

Carlos Dunmoodie
Network Engineer
Engineering
Office: (301) 944-2896
Cell: (443) 864-9822

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of ken Felix
Sent: Thursday, February 07, 2008 5:21 PM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] IPSec Termination

My take: the remote peer is not recognized. Do you have an appropriate PSK key in the ipsec.secrets file?

FWIW, I would create a default setting and apply all of your settings for things like this in the default profile:

    conn %default
        left=aaa.bbb.ccc.dd
        leftnexthop=aaa.bbb.ccc.eee
        dpddelay=5
        dpdtimeout=5
        dpdaction=hold
        pfs=no
        auth=esp
        authby=secret
        compress=yes
        aggrmode=yes

etc.

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
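As an added example (not code from this thread or from Vyatta), a small Python linter that parses conn sections written the way the configs above are, applies the "conn %default" inheritance Ken suggests, and flags the pitfalls the thread ran into: a dynamic right=%any peer asked to initiate, aggressive mode combined with a pre-shared key, MD5 in the IKE/ESP proposals, and pfs=no. The section names and values in SAMPLE are constructed to mirror the thread, not copied from a live system.

```python
import re

def parse_conns(text):
    """Return {conn: {key: value}} with 'conn %default' merged into each conn."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value                   # a later duplicate key wins
    default = conns.pop("%default", {})            # section defaults apply first
    return {name: {**default, **opts} for name, opts in conns.items()}

def lint_conn(opts):
    """Findings for one merged conn, based on the pitfalls raised in the thread."""
    findings = []
    if opts.get("right") == "%any" and opts.get("auto") == "start":
        findings.append("right=%any cannot initiate; use auto=add and let the peer connect")
    if opts.get("aggrmode") == "yes" and opts.get("authby") == "secret":
        findings.append("aggressive mode with a PSK exposes the key to offline guessing; use main mode")
    for proposal in ("ike", "esp"):
        if "md5" in opts.get(proposal, "").lower():
            findings.append(f"{proposal}= proposal allows MD5; prefer SHA-based integrity")
    if opts.get("pfs") == "no":
        findings.append("pfs=no: a recovered IKE key would also expose recorded ESP traffic")
    return findings

SAMPLE = """# constructed sample: a %default section, the final working conn, and a bad variant
conn %default
    authby=secret
conn peer-0.0.0.0-tunnel-1      # responder-only, main mode, as finally configured
    right=%any
    aggrmode=no
    ike=3des-sha1
    esp=3des-sha1
    pfs=yes
    auto=add
conn bad-peer                   # constructed: the settings the thread moved away from
    right=%any
    aggrmode=yes
    ike=3des-md5
    esp=3des-md5
    pfs=no
    auto=start
"""
```

Running lint_conn over parse_conns(SAMPLE) returns no findings for the working conn and five for bad-peer.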
Re: [Vyatta-users] IPSec Termination
Here's my config:

    conn peer-0.0.0.0-tunnel-1
        left=1.1.1.1
        right=%any
        leftsubnet=192.168.12.0/24
        rightsubnet=192.168.10.0/24
        rekey=no
        ike=3des-sha1,3des-sha1
        ikelifetime=3600s
        aggrmode=yes
        esp=3des-md5,3des-sha1
        keylife=1800s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        auto=add

From the initiator I get an error message: INVALID_ID_INFORMATION. How do you configure the user ID to match the user ID from the initiator, or does that matter? Also, does the above config look accurate for aggressive mode?

When I configure auto=ignore I see no IPsec information. When I change to auto=add, I see the IPsec negotiations, and it doesn't initiate, which is good. But the tunnel is not established.

Carlos Dunmoodie
Network Engineer
Engineering
Office: (301) 944-2896
Cell: (443) 864-9822

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of ken Felix
Sent: Monday, February 04, 2008 7:32 PM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] IPSec Termination

Couldn't you get the same thing with the VPN dead peer detect set to HOLD? Under strongSwan, for example, there's a setting that would allow you to auto=start or auto=ignore; if you could add this, you should be okay. Here's how my Vyatta ipsec.conf looks:

If the last line was set to auto=ignore, then I would think ipsec would be started and the host would wait for the far end (right) to initiate the session.
Re: [Vyatta-users] IPSec Termination
Let me add that I'm using aggressive mode. The initiating stations are dynamic. Will this change your answer?

-Carlos

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of ken Felix
Sent: Monday, February 04, 2008 7:32 PM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] IPSec Termination

Couldn't you get the same thing with the VPN dead peer detect set to HOLD? Under strongSwan, for example, there's a setting that would allow you to auto=start or auto=ignore; if you could add this, you should be okay. Here's how my Vyatta ipsec.conf looks:

    conn peer-1.1.1.1-tunnel-1
        left=1.1.1.1
        right=2.2.2.2
        leftsubnet=192.168.254.0/24
        rightsubnet=192.168.255.0/24
        ike=3des-md5-modp1024
        ikelifetime=28800s
        aggrmode=no
        dpddelay=30s
        dpdtimeout=60s
        dpdaction=restart
        esp=3des-md5
        keylife=3000s
        rekeymargin=540s
        type=tunnel
        pfs=no
        compress=yes
        authby=secret
        auto=start

If the last line was set to auto=ignore, then I would think ipsec would be started and the host would wait for the far end (right) to initiate the session.