Hi All,

I am a newbie to Vyatta IPsec VPN and have set up a site-to-site VPN as per
the Vyatta config document between 2 Vyatta routers. I am not able to
establish the VPN, and /var/log/messages says:

Site 1
Feb 28 02:39:44 localhost pluto[3973]: "peer-Y.Y.Y.Y-tunnel-1" #691:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP to replace #690
{using isakmp#687}
Feb 28 02:39:44 localhost pluto[3973]: "peer-Y.Y.Y.Y-tunnel-1" #687:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 28 02:39:44 localhost pluto[3973]: "peer-Y.Y.Y.Y-tunnel-1" #687:
received and ignored informational message
Feb 28 02:39:54 localhost pluto[3973]: "peer-Y.Y.Y.Y-tunnel-1" #687:
ignoring informational payload, type INVALID_MESSAGE_ID
Feb 28 02:39:54 localhost pluto[3973]: "peer-Y.Y.Y.Y-tunnel-1" #687:
received and ignored informational message
Feb 28 02:40:14 localhost pluto[3973]: "peer-Y.Y.Y.Y-tunnel-1" #687:
ignoring informational payload, type INVALID_MESSAGE_ID
Feb 28 02:40:14 localhost pluto[3973]: "peer-Y.Y.Y.Y-tunnel-1" #687:
received and ignored informational message




Site 2

IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1] refused due to
strict flag
Feb 28 02:31:33 localhost pluto[3983]: "peer-X.X.X.X-tunnel-1" #751: no
acceptable Proposal in IPsec SA
Feb 28 02:31:33 localhost pluto[3983]: "peer-X.X.X.X-tunnel-1" #751:
sending encrypted notification NO_PROPOSAL_CHOSEN to 202.91.74.130:500
Feb 28 02:31:40 localhost pluto[3983]: "peer-X.X.X.X-tunnel-1" #746:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x211f93c1 (perhaps this is a duplicated packet)
Feb 28 02:31:40 localhost pluto[3983]: "peer-X.X.X.X-tunnel-1" #746:
sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:500


Site 1 config 

    vpn {
        ipsec {
            ipsec-interfaces {
                interface eth0
            }
            ike-group "IKE-1W" {
                proposal 1 {
                    encryption: "aes256"
                }
                proposal 2 {
                }
                lifetime: 3600
            }
            esp-group "ESP-1W" {
                proposal 1 {
                    encryption: "aes256"
                }
                proposal 2 {
                    encryption: "3des"
                    hash: "md5"
                }
                lifetime: 1800
            }
            site-to-site {
                peer X.X.X.X {
                    authentication {
                        mode: "rsa"
                        pre-shared-secret: "test_key_1"
                        rsa-key-name: "CO-key"
                    }
                    ike-group: "IKE-1W"
                    local-ip: Y.Y.Y.Y
                    tunnel 1 {
                        local-subnet: 192.168.1.0/24
                        remote-subnet: 192.168.0.0/24
                        esp-group: "ESP-1W"
                    }
                }
            }
        }
        rsa-keys {
            rsa-key-name "CO-key" {
                rsa-key:
"0sAQOBguI8jQvYGCKf3KFP3sQHTTwP3AVokIXnoEyaNOEgqxPtITCEV4SJYkBk7//ZnBovZJJ8s0/qDGOPkjK4rAjTNEXCoGZBoHR3W6Sus40RU+33Cc/qwBzl5xHgU2iDdlESMWV8PVa1keVqU19KELpc3zLS0GdFaJKoJIeDSyyWoicAp9AQ8GG2OaaYDI+GvLKpf5V1DK6Rqfz5dLab+UIXcqLsqQ2a+VrL9Bbul/p8Z5vc7RgqS8GRjwzoPqUr+5HDw2HUxTXAhUek3HBu96lJ+H1LO63d28OV+B2cc0kWMuiEke1MGJtcWbyYtr6vKCQbGjOJjZqB+sq8ma9Zg8kAOIrPLIpQsXe/TjS4Cp0xbMgX"
            }
        }
    }


Site 2 config is 

    vpn {
        ipsec {
            ipsec-interfaces {
                interface eth0
            }
            ike-group "IKE-1E" {
                proposal 1 {
                    encryption: "aes256"
                }
            }
            esp-group "ESP-1E" {
                proposal 2 {
                    encryption: "3des"
                    hash: "md5"
                }
                lifetime: 1800
            }
            site-to-site {
                peer 202.91.74.130 {
                    authentication {
                        mode: "rsa"
                        pre-shared-secret: "test_key_1"
                        rsa-key-name: "NLD-key"
                    }
                    ike-group: "IKE-1E"
                    local-ip: 202.91.67.162
                    tunnel 1 {
                        local-subnet: 192.168.0.0/24
                        remote-subnet: 192.168.1.0/24
                        esp-group: "ESP-1E"
                    }
                }
            }
        }
        rsa-keys {
            rsa-key-name "NLD-key" {
                rsa-key: 
"0sAQOOVx2lEQNsCqFU9M4bhovvC28mf7e1sYNaBC1FAaG5qyO2PnGic+anlVJYvjvHBj3wBYV+L6pMRsTv28Qn9wFGCXUR/aSM4+RdnHSTBy8sgWKpw9vCVMJ/J60x6/B7uc6a0e8+2jJ8PnfFDoPG7C9UHDUM1r+d2vSno8bb5MlzQ81ib1Gczfp/nnvvMqUi99DWnUqGcPOcPrS7hctCP0Za6YIvDd3/l9xRPC+a1I1ouEW8+8HcrhFEOLHL/SUc2Qoq+BPO0vxLRkuZZhhCvmOk3BvTRGh43E39ttyO2YHE3LqxbBTZvmYYZcWE9899iZkne0ffhSW6M4BzKL1WIhw8tupImP1+QTekmwglodAW72Bv"
            }
        }
    }


Please help..
TIA
Regards
Ben
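
Added example (not part of the original post, and not Vyatta's own tooling): a small Python check that reads the esp-group proposals from both configs above and the "refused due to strict flag" line from Site 2, then reports which ESP proposals the two peers share and whether the refused transform is configured on Site 2. The default values for unset keys and the mapping from pluto transform names to config names are assumptions made for this example.

```python
import re

# Constructed from the esp-group blocks posted above (trimmed to the relevant keys).
SITE1_ESP = '''
esp-group "ESP-1W" {
    proposal 1 {
        encryption: "aes256"
    }
    proposal 2 {
        encryption: "3des"
        hash: "md5"
    }
}
'''
SITE2_ESP = '''
esp-group "ESP-1E" {
    proposal 2 {
        encryption: "3des"
        hash: "md5"
    }
}
'''
# Site 2 log line as posted, joined onto one line.
SITE2_LOG = ('IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1] '
             'refused due to strict flag')

# Assumption: unset keys fall back to these defaults (sha1 agrees with the log line).
DEFAULTS = {"encryption": "aes128", "hash": "sha1"}
# Assumption: pluto name -> config spelling, only for names seen in this post.
LOG_NAMES = {"ESP_AES (256)": "aes256", "AUTH_ALGORITHM_HMAC_SHA1": "sha1"}

def esp_proposals(text):
    """Return the set of (encryption, hash) pairs in an esp-group block."""
    out = set()
    for body in re.findall(r'proposal\s+\d+\s*\{([^}]*)\}', text):
        kv = dict(re.findall(r'(\w+):\s*"([^"]+)"', body))
        out.add((kv.get("encryption", DEFAULTS["encryption"]),
                 kv.get("hash", DEFAULTS["hash"])))
    return out

def refused_transform(log):
    """Extract the (encryption, hash) pair pluto reported as refused, or None."""
    m = re.search(r'IPsec Transform \[(.+?), (.+?)\] refused', log)
    return (LOG_NAMES[m.group(1)], LOG_NAMES[m.group(2)]) if m else None

def compare(local, remote):
    """Split two peers' ESP proposals into shared and one-sided sets."""
    a, b = esp_proposals(local), esp_proposals(remote)
    return {"common": a & b, "only_local": a - b, "only_remote": b - a}

if __name__ == "__main__":
    print(compare(SITE1_ESP, SITE2_ESP))
    print("refused transform configured on Site 2:",
          refused_transform(SITE2_LOG) in esp_proposals(SITE2_ESP))
```

On the posted configs this shows that the transform Site 2 refused corresponds to Site 1's proposal 1, which has no counterpart in Site 2's esp-group.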