 
 From:  "Claude Morin" <klodefactor at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPsec tunnel to Cisco VPN 3005 starts only when started from the m0n0wall, and fails when started from the Cisco
 Date:  Wed, 30 Aug 2006 19:36:29 -0400
This is my second time configuring an IPsec tunnel between a m0n0wall (v1.22)
and a Cisco VPN 3005 concentrator.  I'm having a problem where if I bring up
the tunnel by pinging from the m0n0wall LAN to the Cisco LAN, it comes up
fine.  If I try to bring up the tunnel by pinging from the Cisco LAN to the
m0n0wall LAN, it fails, until something is initiated from the m0n0wall
side.  Two additional notes:

   - Yes, my tunnel definition on the Cisco side is set to
   "Bi-directional" :-)
   - The tunnel also doesn't come up if I try to initiate it with a ping
   from the Cisco itself.

Details of the failure (i.e. with tunnel down, ping from Cisco LAN to
m0n0wall LAN):

   - the Cisco's logs just show repeated "New Phase 1" entries, as it
   tries to bring up the tunnel.
   - m0n0wall's Diagnostics->IPsec->SAD info shows no entries
   - Here are the m0n0wall log entries:

Aug 31 00:25:46     racoon: INFO: respond new phase 1 negotiation: M0N0WALL-IP[500]<=>CISCOVPN-IP[500]
Aug 31 00:25:46     racoon: INFO: begin Identity Protection mode.
Aug 31 00:25:46     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Aug 31 00:25:46     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Aug 31 00:25:46     racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Aug 31 00:25:46     racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
Aug 31 00:25:46     racoon: ERROR: no suitable proposal found.
Aug 31 00:25:46     racoon: ERROR: failed to get valid proposal.
Aug 31 00:25:46     racoon: ERROR: failed to process packet.
The sixth line (in bold) looks suspicious, but I don't know enough to figure
out what it means :-(.  Any ideas?

   - Possibly relevant: if I then ping from the m0n0wall LAN to the Cisco
   LAN, the tunnel comes up, but the SAD shows duplicate entries.  I.e.
   instead of only one entry for each direction of the tunnel, there are two;
   each entry has a different SPI.
      - Note: if I bring up the tunnel from the m0n0wall side, then
      ping from the Cisco side, the m0n0wall SAD does not have
      duplicate entries.

I thought I'd include just this description in case someone has experienced
this and knows the answer.  If not, I can provide detailed configuration
info, logs, etc. to anyone who is interested.

Thanks in advance for any help with this.
-klode
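The "rejected dh_group" line above is the Phase 1 failure: racoon prints the local (DB) transform's Diffie-Hellman value first and the peer's second, so the m0n0wall offers the 1024-bit MODP group (IKE group 2) while the Cisco, as initiator, proposes the 768-bit group (group 1), and no common proposal exists. The following is an added diagnostic written for this thread, not code from the post or from m0n0wall; it parses racoon log lines (a constructed sample, rejoined from the post) and reports the mismatch and which side should be raised to match the stronger group. The DB-before-Peer ordering and the MODP-size-to-group table are assumptions stated in the comments.

```python
import re

# Constructed sample: the racoon lines from the post, rejoined onto single lines.
SAMPLE_LOG = """\
Aug 31 00:25:46 racoon: INFO: respond new phase 1 negotiation: M0N0WALL-IP[500]<=>CISCOVPN-IP[500]
Aug 31 00:25:46 racoon: INFO: begin Identity Protection mode.
Aug 31 00:25:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Aug 31 00:25:46 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
Aug 31 00:25:46 racoon: ERROR: no suitable proposal found.
"""

# MODP modulus size in bits -> IKE DH group number (RFC 2409 groups 1/2, RFC 3526 groups 5/14).
MODP_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14}

# Assumption: racoon formats the line as "DB(local proposal):Peer(peer proposal) = <local value>:<peer value>".
REJECT_RE = re.compile(
    r"rejected (?P<attr>\w+): DB\((?P<db>[^)]*)\):Peer\((?P<peer>[^)]*)\) = "
    r"(?P<local>[^:]+):(?P<remote>[^:]+)$"
)


def modp_bits(text):
    """Extract the modulus size from a value such as '1024-bit MODP group'; None if absent."""
    m = re.search(r"(\d+)-bit MODP", text)
    return int(m.group(1)) if m else None


def parse_dh_rejections(log_text):
    """Return one dict per 'rejected dh_group' line with the local and peer DH proposals."""
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("attr") != "dh_group":
            continue
        local_bits, peer_bits = modp_bits(m.group("local")), modp_bits(m.group("remote"))
        findings.append({
            "local_bits": local_bits, "peer_bits": peer_bits,
            "local_group": MODP_GROUP.get(local_bits), "peer_group": MODP_GROUP.get(peer_bits),
        })
    return findings


def diagnose(log_text):
    """Summarise the first DH mismatch and name the side that must be raised, never lowered."""
    rejections = parse_dh_rejections(log_text)
    if not rejections:
        return "no DH group rejection found"
    r = rejections[0]
    weaker = "peer" if r["peer_bits"] < r["local_bits"] else "local"
    target = max(r["local_bits"], r["peer_bits"])
    return (f"Phase 1 DH mismatch: local offers MODP-{r['local_bits']} (group {r['local_group']}), "
            f"peer offers MODP-{r['peer_bits']} (group {r['peer_group']}); "
            f"raise the {weaker} side to MODP-{target} (group {MODP_GROUP.get(target)})")
```

Run it over the full m0n0wall log to confirm the mismatch appears only when the Cisco initiates, which matches the one-directional symptom described in the post.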