Re: ISAKMPD and Vigor2200 IKE

On Mon, 1 Jul 2002, Andy Fripp wrote:

> Hi,
> I have been trying to get an IPSec tunnel set up using
> ISAKMPD on an OpenBSD 3.1 server and the built-in IKE
> daemon in a Vigor2200 series router. I have spent several days
> on it but have now run out of ideas / configuration options.

First, as far as I can tell, your configuration is ok. In fact, when
isakmpd initiates the connection it even goes through quick mode ok.

Then, for some weird reason, the Vigor2200 box doesn't like something and
sends DELETE notifications (which removes the SAs we just negotiated in
quick mode). Which means you don't see any such SAs, unless you happen to
check at exactly(!) the right moment.

In the other case, when the Vigor2200 initiates, everything works
smoothly, although in this case the Vigor sends the DELETES before isakmpd
actually writes the finished quick mode SAs down to the kernel. Same
result as above.

The other packets are various retransmissions (as the wanted SAs did not
complete successfully), so they can be considered normal.

Why this happens is very hard to tell from this. Possibly they do some
"late checking" of the VPN parameters? (ciphers, key lengths, groups,
lifetimes, etc)

> Unfortunately the configuration options at the Vigor router
> end are rather minimal. Is it possible that the two IKE
> daemons are simply not compatible in their current versions?

No idea. I haven't heard of Vigor previously. Do they interoperate with
anything else? (isakmpd interoperates with most (all?) other vendors).

Sorry I couldn't help more.


Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
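To confirm the diagnosis above from a cleartext capture or from isakmpd's own decrypted debug output, here is an added example (written for this page, not code from the thread or from isakmpd): a minimal RFC 2408 parser that walks an ISAKMP message's payload chain with bounds checks and reports any Delete payloads with their protocol and SPIs. The sample message, cookies and SPI are constructed.

```python
import struct

# Constructed sample, not a capture from the thread: a cleartext ISAKMP Informational
# exchange (RFC 2408) carrying HASH + Delete for an ESP SA, the message that tears down
# a just-negotiated quick mode SA. Post-phase-1 Informationals are encrypted (flag E).
HDR_LEN, PT_HASH, PT_DELETE, EXCH_INFORMATIONAL, FLAG_ENCRYPT = 28, 8, 12, 5, 0x01
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

def parse_header(pkt):
    # Cookies(8+8) next(1) version(1) exchange(1) flags(1) msgid(4) length(4).
    if len(pkt) < HDR_LEN:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:HDR_LEN])
    if length != len(pkt):
        raise ValueError("header length %d != %d bytes on wire" % (length, len(pkt)))
    return {"next": nxt, "version": ver, "exchange": exch, "flags": flags, "msgid": msgid}

def walk_payloads(pkt, first_type):
    # Follow the next-payload chain; each length is bounds-checked before use.
    off, ptype = HDR_LEN, first_type
    while ptype != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated generic payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        yield ptype, pkt[off + 4:off + plen]
        ptype, off = nxt, off + plen

def parse_delete(body):
    # Delete payload: DOI(4) proto(1) SPI size(1) #SPIs(2) then the SPIs.
    doi, proto, spi_size, nspi = struct.unpack("!IBBH", body[:8])
    if len(body) != 8 + nspi * spi_size:
        raise ValueError("Delete payload SPI list does not match its counts")
    spis = [body[8 + i * spi_size:8 + (i + 1) * spi_size].hex() for i in range(nspi)]
    return {"doi": doi, "proto": PROTO_NAMES.get(proto, str(proto)), "spis": spis}

def find_deletes(pkt):
    # Every Delete payload in one cleartext Informational message.
    hdr = parse_header(pkt)
    if hdr["flags"] & FLAG_ENCRYPT:
        raise ValueError("encrypted exchange; decrypt it first")
    return [parse_delete(b) for t, b in walk_payloads(pkt, hdr["next"]) if t == PT_DELETE]

# Constructed message: HASH payload (next = D) with a dummy 16-byte HMAC, then a
# Delete payload (next = NONE) for IPsec DOI 1, protocol ESP (3), one 4-byte SPI.
_HASH = struct.pack("!BBH", PT_DELETE, 0, 20) + bytes(16)
_DEL = struct.pack("!BBHIBBH", 0, 0, 16, 1, 3, 4, 1) + bytes.fromhex("0a1b2c3d")
SAMPLE = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x02" * 8, PT_HASH, 0x10,
                     EXCH_INFORMATIONAL, 0, 0x1234, HDR_LEN + len(_HASH) + len(_DEL)) + _HASH + _DEL
```

Running `find_deletes(SAMPLE)` reports the ESP SPI being torn down; a Delete for the same SPIs that isakmpd just negotiated in quick mode is exactly the pattern described above.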