
Re: Cisco PIX/PF VPN



On Thu, Oct 28, 2004 at 06:23:44PM -0700, Derrick wrote:
> I am trying to get a VPN working between these two devices. I found a
> webpage that had some info:
> http://www.packetslave.com/docs/vpn-pix-openbsd.txt
> 
> And I've got my config like that example. When I run isakmpd -L, tcpdump
> shows what you see at the end of this message.
> 
> I am just wondering where I can start debugging this, what does this message
> mean, and how can I go about correcting this?
> 
> 17:56:06.506731 209.17.131.89.500 > 209.17.131.91.500:  [udp sum ok]
> isakmp v1.0 exchange ID_PROT
>         cookie: c185ac12493b34ee->0000000000000000 msgid: 00000000 len: 80
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
>                 payload: TRANSFORM len: 32
>                     transform: 0 ID: ISAKMP
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = SHA
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute GROUP_DESCRIPTION = MODP_1024
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600 [ttl 0] (id 1)

I'm guessing that 209.17.131.89 is the OpenBSD box?  The default phase
1 lifetime on a Cisco PIX is 86400 seconds, I believe.  This may be
what's causing it to fail.

-j

-- 
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
"The whole world is about three drinks behind."
                -- Humphrey Bogart
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
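Added example (not part of either message in this thread, and not isakmpd or
PIX code): a small Python script that pulls the phase-1 transform attributes
out of the tcpdump decode quoted above, diffs them against the values the PIX
side is expected to accept, and reports which direction the ISAKMP packets in
the capture flow, so a capture that shows only the OpenBSD side's ID_PROT
packets and no answer from the peer is noticed right away. The expected
attribute set is constructed here: it takes the 86400-second lifetime the
reply gives as the PIX default and copies the other four attributes from the
capture itself. That is an assumption for illustration, not a dump of any real
PIX configuration.

```python
"""Diff the phase-1 proposal in a tcpdump isakmp decode against the peer's
expected settings, and show which direction the packets flow."""
import re

# One attribute line of tcpdump's ISAKMP transform decode, e.g.
#   "attribute ENCRYPTION_ALGORITHM = 3DES_CBC"
# The trailing "[ttl 0] (id 1)" on the last line is not matched by \S+.
ATTR_RE = re.compile(r"attribute\s+([A-Z_]+)\s*=\s*(\S+)")

# UDP packet header as printed by tcpdump: "src.port > dst.port:"
PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample: the tcpdump output from the original post, with the
# mail quote markers left in to show they are tolerated.
SAMPLE = """\
> 17:56:06.506731 209.17.131.89.500 > 209.17.131.91.500:  [udp sum ok]
> isakmp v1.0 exchange ID_PROT
>         cookie: c185ac12493b34ee->0000000000000000 msgid: 00000000 len: 80
>         payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
>                 payload: TRANSFORM len: 32
>                     transform: 0 ID: ISAKMP
>                         attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                         attribute HASH_ALGORITHM = SHA
>                         attribute AUTHENTICATION_METHOD = PRE_SHARED
>                         attribute GROUP_DESCRIPTION = MODP_1024
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 3600 [ttl 0] (id 1)
"""

# Assumed expected values on the PIX side (constructed for this example):
# the 86400 s phase-1 lifetime the reply mentions as the PIX default, the
# rest copied from the capture. Replace with the real peer configuration.
PIX_EXPECTED = {
    "ENCRYPTION_ALGORITHM": "3DES_CBC",
    "HASH_ALGORITHM": "SHA",
    "AUTHENTICATION_METHOD": "PRE_SHARED",
    "GROUP_DESCRIPTION": "MODP_1024",
    "LIFE_TYPE": "SECONDS",
    "LIFE_DURATION": 86400,
}


def _clean(line: str) -> str:
    """Strip mail quote markers ('> ') and surrounding whitespace."""
    return line.lstrip("> ").strip()


def parse_proposal(capture: str) -> dict:
    """Return {attribute: value} for the ISAKMP transform in a tcpdump decode.

    Numeric values (lifetimes, key lengths) are returned as int, the rest as
    the symbolic names tcpdump prints.
    """
    attrs = {}
    for line in capture.splitlines():
        m = ATTR_RE.search(_clean(line))
        if m:
            name, value = m.group(1), m.group(2)
            attrs[name] = int(value) if value.isdigit() else value
    return attrs


def compare_proposal(proposed: dict, expected: dict) -> list:
    """Return (attribute, proposed, expected) for every attribute whose value
    differs from, or is missing relative to, the peer's expected set."""
    return [(name, proposed.get(name), want)
            for name, want in expected.items()
            if proposed.get(name) != want]


def directions(capture: str) -> set:
    """Return the set of (src, dst) address pairs seen carrying ISAKMP.

    Only one pair, from the initiator, means the peer never answered, which
    points at reachability or policy on the far side rather than at the
    proposal contents.
    """
    pairs = set()
    for line in capture.splitlines():
        m = PKT_RE.search(_clean(line))
        if m:
            pairs.add((m.group(1), m.group(3)))
    return pairs


if __name__ == "__main__":
    proposal = parse_proposal(SAMPLE)
    for name, got, want in compare_proposal(proposal, PIX_EXPECTED):
        print(f"mismatch {name}: proposed {got!r}, peer expects {want!r}")
    print("packet directions:", sorted(directions(SAMPLE)))
```

Feed it the raw `tcpdump -v` output for UDP port 500 from both directions;
the quote markers of a mail reply are stripped before parsing, so the text
above can be pasted as-is.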