i'm somewhat new to frees/wan, although i have some prior experience with a
commercial ipsec product.

i'm working for a client, trying to set up a connection between an ibm
AS/400 system at a 3rd party site, and a redhat linux system at the client
site. i'm having some difficulties getting this thing going.

the software on my client's end is redhat 7.2, kernel 2.4.9-31, frees/wan
1.96. there are two intervening network devices with the potential to munge
traffic. one is a bridging firewall i set up, redhat 7.2, kernel 2.4.9-31,
with the bridge-nf stuff (http://bridge.sourceforge.net/). the other is an
efficient networks dsl router. the firewall is configured to pass esp, ah,
and udp port 500. the efficient router normally does port nat, but i've
installed a 1-to-1 address nat mapping for the linux server, so that ESP
will work (i am well aware that AH won't work through any kind of nat.)

because the ibm implementation and frees/wan differ over proposal numbers,
we're resigned to having the ibm end initiate all connections. there is
a note in the interop.html web page on the AS/400, but the patch given has
no context and the relevant file has changed since september 2001. since
the third party with the AS/400 has several frees/wan 1.91 users who are
connecting with the AS/400 initiating the connection, we're simply going to
do the same thing.
the current problem is as follows:

if i ignore the problems that arise when frees/wan initiates the connection
and issue ipsec auto --up <connectionname>, i see phase 1 initiator and
responder packets, and the expected error indication that follows from the
proposal # mismatch. this observation was made by issuing the following
command on the bridging firewall:

    tcpdump -i br0 | grep isakmp

if the third party with the AS/400 initiates the connection, i see the
phase 1 initiator packets coming from the AS/400, but no responder packets
going back from the linux/Frees/wan system.

does anyone have any suggestions? i'll post the configs and some
information on the topology if anyone wants to see them.

thanks in advance,
richard
--
Richard Welty rwelty_at_averillpark.net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:52 CEST
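The symptom in the post (phase 1 packets arriving from the AS/400, nothing going back) is easiest to confirm by decoding the ISAKMP header of each UDP/500 packet rather than grepping tcpdump's summary line. The following is an added example, not code from the original post or from FreeS/WAN: a small IKEv1/ISAKMP header parser (RFC 2408 section 3.1) plus a classifier that counts phase 1 packets in each direction and reports whether the local side ever answered. The addresses, cookies and captured datagrams are constructed placeholders, not the poster's real hosts.

```python
# Added example (not from the original post): a minimal IKEv1/ISAKMP header
# parser used to classify UDP/500 packets as initiator or responder traffic,
# so a capture like the one described in the post can be read precisely.
# Header layout follows RFC 2408 section 3.1. All packets below are constructed.
import struct
from dataclasses import dataclass

ISAKMP_HEADER_LEN = 28
EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode",
}


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"unknown({self.exchange_type})")

    @property
    def responder_cookie_set(self) -> bool:
        # The responder cookie stays all-zero until the responder has answered,
        # so a zero cookie marks the initiator's first phase 1 message.
        return self.responder_cookie != b"\x00" * 8


def parse_isakmp_header(payload: bytes) -> IsakmpHeader:
    """Decode the fixed 28-byte ISAKMP header at the start of a UDP/500 payload."""
    if len(payload) < ISAKMP_HEADER_LEN:
        raise ValueError("payload shorter than ISAKMP header")
    icookie, rcookie, next_payload, version, exchange, flags, message_id, length = (
        struct.unpack("!8s8sBBBBII", payload[:ISAKMP_HEADER_LEN]))
    if length < ISAKMP_HEADER_LEN:
        raise ValueError("ISAKMP length field smaller than header")
    return IsakmpHeader(icookie, rcookie, next_payload, version >> 4, version & 0x0F,
                        exchange, flags, message_id, length)


def diagnose_phase1(datagrams, local: str, peer: str) -> dict:
    """Summarise a capture of (src, dst, payload) tuples for one peer.

    Returns counts of phase 1 packets in each direction plus a verdict:
    'no_traffic', 'no_response' (peer initiates, local side never answers),
    or 'responding' (both directions seen).
    """
    from_peer = from_local = 0
    cookies = set()
    for src, dst, payload in datagrams:
        hdr = parse_isakmp_header(payload)
        if hdr.exchange_type not in (2, 4):  # only Main/Aggressive mode are phase 1
            continue
        cookies.add(hdr.initiator_cookie)
        if src == peer and dst == local:
            from_peer += 1
        elif src == local and dst == peer:
            from_local += 1
    if from_peer == 0 and from_local == 0:
        verdict = "no_traffic"
    elif from_local == 0:
        verdict = "no_response"
    else:
        verdict = "responding"
    return {"from_peer": from_peer, "from_local": from_local,
            "initiator_cookies": len(cookies), "verdict": verdict}


def build_header(icookie: bytes, rcookie: bytes, exchange_type: int) -> bytes:
    """Construct a bare ISAKMP header (next payload = SA, version 1.0) for samples."""
    return struct.pack("!8s8sBBBBII", icookie, rcookie, 1, 0x10, exchange_type,
                       0, 0, ISAKMP_HEADER_LEN)


# Constructed sample capture: documentation addresses, not the original hosts.
AS400 = "192.0.2.10"       # the remote initiator (hypothetical address)
LINUX = "198.51.100.20"    # the FreeS/WAN host behind the bridging firewall
ICOOKIE = bytes.fromhex("0102030405060708")
RCOOKIE = bytes.fromhex("a1a2a3a4a5a6a7a8")
NO_COOKIE = bytes(8)

# Peer sends main mode message 1 three times (retransmits); nothing comes back.
CAPTURE_NO_REPLY = [(AS400, LINUX, build_header(ICOOKIE, NO_COOKIE, 2))] * 3
# Healthy start: message 1 and the responder's message 2 carrying its cookie.
CAPTURE_OK = [
    (AS400, LINUX, build_header(ICOOKIE, NO_COOKIE, 2)),
    (LINUX, AS400, build_header(ICOOKIE, RCOOKIE, 2)),
]

if __name__ == "__main__":
    for name, cap in (("no reply", CAPTURE_NO_REPLY), ("ok", CAPTURE_OK)):
        print(name, diagnose_phase1(cap, local=LINUX, peer=AS400))
```

To feed real traffic into this, capture with a selective filter such as `tcpdump -n -i br0 'udp port 500 or ip proto 50 or ip proto 51'` and hand each UDP/500 payload to `parse_isakmp_header`. A `no_response` verdict with repeated retransmits from the peer and the same initiator cookie each time means the first main mode message is reaching the wire but the local side is not answering; the usual checks on the responder are whether the IKE daemon is actually bound to UDP port 500 (`netstat -uln`), whether the firewall and 1-to-1 NAT deliver the packet to that host unchanged, and what the daemon's log says about the incoming proposal.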