Hello list,

I'm trying to get a site-to-site tunnel running between a 4.0 box and a Cisco 3000 concentrator.

Here are the networks... (IPs changed to protect the innocent)

192.168.1.x [OpenBSD 4.0] 1.1.1.1 <-> internet <-> 2.2.2.2 [cisco 3000] 10.10.x.x

My ipsec.conf looks like this....

ike esp from 192.168.1.0/24 to 10.10.0.0/16 peer 2.2.2.2 \
       main auth hmac-sha1 enc 3des group modp768 psk openbsdrules
ike esp from 1.1.1.1 to 10.10.0.0/16 peer 2.2.2.2 \
       main auth hmac-sha1 enc 3des group modp768 psk openbsdrules
ike esp from 1.1.1.1 to 2.2.2.2 \
       main auth hmac-sha1 enc 3des group modp768 psk openbsdrules

On the cisco I've created IKE proposals, defined a LAN-to-LAN connection, and SAs like this...

IKE proposal
authentication - presharedkeys
encryption - 3DES-168
DH Group - 1 768-bits
Lifetime - 3600seconds

Lan-to-Lan connection
interface - external(2.2.2.2)
connection type - bi-directional
peer - 1.1.1.1
presharedkey - openbsdrules
authentication - esp/sha/hmac160
local network - 10.10.0.0  (wildcard mask 0.0.255.255)
remote network - 192.168.1.0 (wildcard mask 0.0.0.255)

SA
authentication - esp/sha/hmac160
encryption - 3DES-168
mode - tunnel
Lifetime - 1200seconds


On the OpenBSD box I start isakmpd with 'isakmpd -K', then ipsecctl -f /etc/ipsec.conf

After a bit of time I see this in /var/log/messages
isakmpd[18700]: ipsec_validate_id_information: dubious ID information accepted


And the cisco log shows this....

2 02/25/2007 10:37:16.280 SEV=5 IKE/172 RPT=7394 1.1.1.1
Group [1.1.1.1]
Automatic NAT Detection Status:
  Remote end is NOT behind a NAT device
  This   end is NOT behind a NAT device

6 02/25/2007 10:37:16.380 SEV=4 IKE/119 RPT=6680 1.1.1.1
Group [1.1.1.1]
PHASE 1 COMPLETED

7 02/25/2007 10:37:16.380 SEV=4 AUTH/22 RPT=6575 1.1.1.1
User [1.1.1.1] Group [1.1.1.1] connected, Session Type: IPSec/LAN-to-LAN

9 02/25/2007 10:37:16.380 SEV=4 AUTH/84 RPT=52
LAN-to-LAN tunnel to headend device 1.1.1.1 connected

10 02/25/2007 10:37:16.500 SEV=5 IKE/25 RPT=9162 1.1.1.1
Group [1.1.1.1]
Received remote Proxy Host data in ID Payload:
Address 1.1.1.1, Protocol 0, Port 0

13 02/25/2007 10:37:16.500 SEV=5 IKE/24 RPT=27 1.1.1.1
Group [1.1.1.1]
Received local Proxy Host data in ID Payload:
Address 2.2.2.2, Protocol 0, Port 0

16 02/25/2007 10:37:16.500 SEV=4 IKE/61 RPT=27 1.1.1.1
Group [1.1.1.1]
Tunnel rejected: Policy not found for Src:1.1.1.1, Dst: 2.2.2.2!

18 02/25/2007 10:37:16.500 SEV=4 IKEDBG/97 RPT=52 1.1.1.1
Group [1.1.1.1]
QM FSM error (P2 struct &0xe7ed120, mess id 0xac462db5)!



Any ideas why I'm getting the "tunnel rejected" error? Does anyone see any glaring mistakes? After searching the archives and googling, I gather other folks are doing this without issue.

I have complete control over both devices so if there's any other info I can provide let me know.

I realize this isn't a cisco support list so if it's the cisco's fault I'll go bother someone else.


I appreciate your time, thank you.
Please cc me as I'm not subscribed to the list.

