From: "Wilfried BARNAVON RPi"
Date: Thu, 15 Apr 2004 17:41:31 +0200
cc: freebsd-questions@FreeBSD.ORG
Subject: Racoon + PIX 515 .... unsuccessful story!
Message-ID: <014f01c42300$1fc65400$f601a8c0@IFECGTRPI>

Hi!

I found your mail on this website:
http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
.... where you said you were "positive", so .....

I intend to connect from a Cisco PIX 515 to a Linux box. My Linux box is built on a 2.6.5 kernel and I use ipsec-tools version 0.3. It is very similar to a BSD config!

Well, here is the racoon debug:

    INFO: initiate new phase 2 negotiation: 81.255.81.44[0]<=>81.255.86.117[0]
    2004-04-15 05:28:58: ERROR: unknown notify message, no phase2 handle found.

In fact I suspect the PIX 515 does not understand IPCOMP. However, I don't know how to deactivate the compression in the SA through Racoon. I can't put any argument other than "DEFLATE / LZS / OUI".

I give you my racoon configuration:

    [root@localhost ipsec-tools-0.3]# cat /etc/racoon.conf
    path pre_shared_key "/etc/psk.txt";

    remote I.J.K.L {
        exchange_mode main,base;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address "A.B.C.D";
        send_cert off;
        send_cr off;
        verify_cert off;
        support_proxy on;
        initial_contact on;
        proposal_check obey;
        lifetime time 24 hour;
        proposal {
            hash_algorithm md5;
            encryption_algorithm 3des;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    # Net to Net
    sainfo address 192.168.1.0/24 any address 192.168.2.0/24 any {
        authentication_algorithm hmac_md5;
        encryption_algorithm 3des;
        compression_algorithm deflate;
        pfs_group 2;
    }

Really, I need a little help from you :)

Regards

Wilfried BARNAVON – Linux Solutions Network Engineer - R.H.C.E. (808003698808020)
w.barnavon@cpro.fr
Tel : 04 75 78 45 45
Fax : 04 75 56 05 07