Hi all, 

I want to configure a more complex scenario to establish an IPSec tunnel 
between the LAN of my company and the LAN of one of our customers. First a 
short description:

We want to use two machines in our LAN to access several services in the LAN 
of our customer. The customer's policy forces us to use a network that we don't 
use (as explained later). So we have to NAT the IPs of our two machines. We do 
this on a firewall. After the firewall the traffic passes our VPN gateway, which 
has to protect the traffic with ESP. Here is a short graphic. 

Internal LAN: 10.x.x.x/24
DMZ: 192.168.1.x/24
Enforced NAT Pool: 192.168.2.x/28
External LAN: x.x.x.x/x

+--------------+
|    box01     |
| 10.x.x.25/24 |
+--------------+
       |
       +----------------+
                        |
+--------------+        |
|    box02     |        |
| 10.x.x.26/24 |        |
+--------------+        |
       |                |
       +----------------+
                        |
                        |eth0:10.x.x.27/24
                  +----------------+
                  |    firewall    |
                  +----------------+
                          |eth1:192.168.1.250/24
                          |eth1:1:192.168.2.65/28
                          |
                          |
                          |
                          |vr0:192.168.1.251/24
                  +----------------+
                  |    VPN gateway  |
                  +----------------+
                          |vr1:x.x.x.x/x
                          |
                          |
                          |
                          |x.x.x.x/x
                  +----------------+
                  |    CiscoVPN    |
                  +----------------+
                          |x.x.x.x/x
                          |
                          |
          +---------------+
          |               |
          |               |
  +---------------+       |
  |    box01      |       |
  | 217.x.x.26/24 |       |
  +---------------+       |
                          |
  +---------------+       |
  |    box02      |-------+
  | 217.x.x.27/24 |
  +---------------+ 

I try to access 217.x.x.26 via SSH from 10.x.x.25. The source address is NATed 
on our firewall to 192.168.2.65. On the VPN gateway I configured a policy to 
protect all traffic from 192.168.2.x/28 to 217.x.x.26/24 with ESP via the 
Cisco VPN appliance (remote gateway). The connection with this setup times out. 
The log on our syslog server has logged:

Sep  1 14:15:21 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): 
IPsec-SA request for x.x.x.x queued due to no phase1 found.
Sep  1 14:15:21 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): 
initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500] 
Sep  1 14:15:21 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin 
Aggressive mode.
Sep  1 14:15:21 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't 
find the proper pskey, try to get one by the peer's address.
Sep  1 14:15:21 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): 
ISAKMP-SA established x.x.x.x[500]-x.x.x.x[500] 
spi:ea64dfd3aa29dc62:121857c2df384193
Sep  1 14:15:22 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): 
initiate new phase 2 negotiation: x.x.x.x[0]<=>x.x.x.x[0] 
Sep  1 14:15:22 cvpndmz racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi(): 
purged ISAKMP-SA proto_id=ISAKMP spi=ea64dfd3aa29dc62:121857c2df384193.
Sep  1 14:15:52 cvpndmz racoon: ERROR: pfkey.c:804:pfkey_timeover(): x.x.x.x 
give up to get IPsec-SA due to time up to wait.
Sep  1 14:15:52 cvpndmz racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): 
ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] 
spi:ea64dfd3aa29dc62:121857c2df384193

As no error message is given above the timeout, I'm a little bit confused 
about what is going on here. 

Perhaps someone has an idea. 

Cheers
Jörg
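An added aside, not part of Jörg's post: the quoted log shows phase 1 coming up and phase 2 being initiated, but no "IPsec-SA established" line before racoon's pfkey timeout, so the failure is a quick mode that never completes rather than an explicit error. The Python helper below walks racoon syslog lines in order and reports that pattern; the sample log is constructed from the lines above (records joined onto one line, public peer addresses replaced by placeholders).

```python
# Constructed sample modelled on the racoon lines quoted in the post (placeholder peer addresses).
SAMPLE_LOG = """\
Sep  1 14:15:21 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 203.0.113.1 queued due to no phase1 found.
Sep  1 14:15:21 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.1[500]
Sep  1 14:15:21 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep  1 14:15:21 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Sep  1 14:15:21 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 198.51.100.1[500]-203.0.113.1[500] spi:ea64dfd3aa29dc62:121857c2df384193
Sep  1 14:15:22 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 198.51.100.1[0]<=>203.0.113.1[0]
Sep  1 14:15:22 cvpndmz racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=ea64dfd3aa29dc62:121857c2df384193.
Sep  1 14:15:52 cvpndmz racoon: ERROR: pfkey.c:804:pfkey_timeover(): 203.0.113.1 give up to get IPsec-SA due to time up to wait.
"""

# Substrings of the racoon messages that mark each step of the IKE sequence.
MARKERS = {
    "ph1_up": "ISAKMP-SA established",
    "ph2_start": "initiate new phase 2 negotiation",
    "ph2_up": "IPsec-SA established",
    "ph1_purged": "purged ISAKMP-SA",
    "ph2_timeout": "give up to get IPsec-SA due to time up to wait",
    "psk_fallback": "couldn't find the proper pskey",
}

MESSAGES = {
    "psk_by_address": "phase 1 PSK was selected by peer address, not by identity (NOTIFY in oakley_skeyid)",
    "ph1_purged_mid_ph2": "the ISAKMP-SA was purged after phase 2 started but before it completed",
    "ph2_never_established": "phase 1 came up but no 'IPsec-SA established' appeared before the pfkey timeout: the phase 2 selectors/proposal were never agreed with the peer",
}

def diagnose(log_text):
    """Walk racoon syslog lines in order and return a list of finding codes."""
    seen = {key: False for key in MARKERS}
    purged_mid_ph2 = False
    for line in log_text.splitlines():
        for key, marker in MARKERS.items():
            if marker in line:
                seen[key] = True
        # A purge that lands between "phase 2 initiated" and "IPsec-SA established" means
        # the phase 1 SA was torn down while quick mode was still pending.
        if MARKERS["ph1_purged"] in line and seen["ph2_start"] and not seen["ph2_up"]:
            purged_mid_ph2 = True
    findings = []
    if seen["psk_fallback"]:
        findings.append("psk_by_address")
    if purged_mid_ph2:
        findings.append("ph1_purged_mid_ph2")
    if seen["ph1_up"] and seen["ph2_start"] and seen["ph2_timeout"] and not seen["ph2_up"]:
        findings.append("ph2_never_established")
    return findings

if __name__ == "__main__":
    for code in diagnose(SAMPLE_LOG):
        print("-", MESSAGES[code])
```

Run against a real syslog the marker strings are the only racoon-specific assumption; if the peer never answers quick mode, a packet capture on vr1 for ISAKMP delete/notify payloads is the next thing to look at.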
