From: Shoichi Sakane
To: ns@BlueSkyFrog.COM
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec <--> cisco
Date: Wed, 21 Nov 2001 16:20:28 +0900
Message-Id: <20011121162028G.sakane@kame.net>
In-Reply-To: Your message of "Wed, 21 Nov 2001 11:30:03 +1000" <20011121113003.A2610@BlueSkyFrog.COM>

> As noted last week, phase 1 negotiation is not completing. However
> I can't see what the problem is; all looks like it is set up
> correctly to me.
> The Cisco's config is like this (203.2.2.1):
> crypto isakmp key **password** address 203.1.1.1
>
> crypto map nolan 16 ipsec-isakmp
> set peer 203.1.1.1
> set transform-set vodafone
> set pfs group1
> match address 186
>
> crypto ipsec transform-set vodafone esp-des esp-md5-hmac
>
> access-list 186 permit ip 203.2.2.0 0.0.0.255 host 203.1.1.2

Did you check the phase 1 configuration on the Cisco? I'm not sure about the Cisco configuration, but I think all of the above things are probably for phase 2.

> When I try to contact 203.2.2.2 from 203.1.1.2, racoon logs the
> following:
> 2001-11-20 10:39:46: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
> 2001-11-20 10:40:18: ERROR: isakmp.c:1818:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.2.2.1->203.1.1.1

The problem is that the Cisco complained about the phase 1 proposal which racoon sent.
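The following is an added illustration of the point made in this reply; it is not code from the thread, from racoon, or from Cisco IOS. It decodes the racoon notify line (proto_id=1 is the ISAKMP SA itself, so the rejection concerns phase 1, not the IPsec transform set) and then compares a racoon "proposal" block against IOS "crypto isakmp policy" entries attribute by attribute, the way an IKEv1 responder does, to show which of encryption, hash, authentication method or DH group disagrees. The racoon.conf and IOS snippets are constructed, the function names are hypothetical, and the IOS default protection suite (des, sha, rsa-sig, group 1) used when no policy is configured is an assumption to verify with "show crypto isakmp policy" on the box.

```python
"""Hypothetical IKEv1 phase 1 proposal checker (added example, not racoon or IOS code)."""
import re

# IPsec DOI protocol ids (RFC 2407): 1 is the ISAKMP SA, i.e. phase 1.
PROTO_ID = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}


def parse_racoon_notify(line):
    """Return (notify_type, name, phase) from a racoon isakmp_info_recv_n() debug line."""
    m = re.search(r"notification message (\d+):([A-Z-]+).*?proto_id=(\d+)", line)
    if not m:
        return None
    ntype, name, proto = int(m.group(1)), m.group(2), int(m.group(3))
    return ntype, name, 1 if PROTO_ID.get(proto) == "ISAKMP" else 2


# Map racoon's and IOS's spellings onto one vocabulary so values compare equal.
HASH = {"md5": "md5", "sha1": "sha", "sha": "sha"}
AUTH = {"pre_shared_key": "psk", "pre-share": "psk", "rsasig": "rsa-sig", "rsa-sig": "rsa-sig"}
GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "1": 1, "2": 2, "5": 5}
# Assumed IOS defaults for attributes a policy leaves unset (and for the
# default protection suite when no policy exists at all).
IOS_DEFAULTS = {"enc": "des", "hash": "sha", "auth": "rsa-sig", "group": 1}
ATTRS = ("enc", "hash", "auth", "group")


def parse_racoon_proposals(conf):
    """One dict per 'proposal { ... }' block, in the order racoon offers them."""
    props = []
    for body in re.findall(r"proposal\s*\{([^}]*)\}", conf):
        p = {}
        for key, val in re.findall(r"(\w+)\s+([\w-]+)\s*;", body):
            if key == "encryption_algorithm":
                p["enc"] = val
            elif key == "hash_algorithm":
                p["hash"] = HASH.get(val, val)
            elif key == "authentication_method":
                p["auth"] = AUTH.get(val, val)
            elif key == "dh_group":
                p["group"] = GROUP.get(val, val)
        props.append(p)
    return props


def parse_ios_policies(config):
    """IOS isakmp policies as dicts with defaults applied, sorted by priority."""
    pols, cur = [], None
    for raw in config.splitlines():
        words = raw.strip().split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            cur = dict(IOS_DEFAULTS, prio=int(words[3]))
            pols.append(cur)
        elif words[0] == "crypto" or cur is None:
            cur = None  # left the policy block, or never entered one
        elif words[0] in ("encr", "encryption"):
            cur["enc"] = words[1]
        elif words[0] == "hash":
            cur["hash"] = HASH.get(words[1], words[1])
        elif words[0] == "authentication":
            cur["auth"] = AUTH.get(words[1], words[1])
        elif words[0] == "group":
            cur["group"] = GROUP.get(words[1], words[1])
    if not pols:  # assumption: IOS falls back to its default protection suite
        pols.append(dict(IOS_DEFAULTS, prio=65535))
    return sorted(pols, key=lambda p: p["prio"])


def select_phase1(proposals, policies):
    """Responder view: first (policy, proposal) pair agreeing on all attributes wins.
    Returns (policy_prio, proposal_index, mismatches); prio is None on NO-PROPOSAL-CHOSEN."""
    mismatches = []
    for pol in policies:
        for i, prop in enumerate(proposals):
            diff = [a for a in ATTRS if prop.get(a) != pol[a]]
            if not diff:
                return pol["prio"], i, []
            mismatches.append((pol["prio"], i, diff))
    return None, None, mismatches


# Constructed sample inputs.
LOG_LINE = ("2001-11-20 10:39:46: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): "
            "notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).")
RACOON_CONF = """
remote 203.2.2.1 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
"""
CISCO_NO_POLICY = "crypto isakmp key **password** address 203.1.1.1\n"
CISCO_WITH_POLICY = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key **password** address 203.1.1.1
"""

if __name__ == "__main__":
    print(parse_racoon_notify(LOG_LINE))
    props = parse_racoon_proposals(RACOON_CONF)
    print(select_phase1(props, parse_ios_policies(CISCO_NO_POLICY)))
    print(select_phase1(props, parse_ios_policies(CISCO_WITH_POLICY)))
```

With no isakmp policy on the IOS side every attribute of the racoon proposal disagrees with the assumed default suite, which is exactly the situation that produces a NO-PROPOSAL-CHOSEN notify for the ISAKMP SA; adding a policy whose four attributes mirror racoon's proposal lets phase 1 complete, after which the transform set and crypto map shown in the quoted config come into play for phase 2.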