[vpn] cisco 7140 with a Nortel contivity
Joel M Snyder
Joel.Snyder at Opus1.COM
Fri May 17 14:13:17 EDT 2002
Nortel in most older versions doesn't offer a lot of help with regard to
phase 1. It will tend to propose DHG1/SHA for IKE. Try making sure
that you have matched proposals: for IKE, that would be correct
encryption algorithm, MAC, DH group, and lifetime. Nortel has a
parameter which is something like "log out remote user" which turns into
the IKE Phase 1 lifetime---this is well hidden on some other screen.
For Phase 2, you have all the flexibility you need. Again, make sure
things match: PFS DH group, lifetime, and of course encryption algorithm
and ICV.
It does look like Cisco are doing /32 host proposals, which might be
done as a single IP address or as a subnet with a mask of 32 bits.
What does the Nortel log say? It is usually very good in terms of
client IDs.
jms
"Watson, Travis" wrote:
>
> Anyone had success making this work from the cisco side? I've made a b2b with a 7140 before, but I'm on the Nortel side
> and I can't offer much help. The tests fail immediately.
>
> The parms are:
>
> IPSec
> 3DES
> SHA-1
> PSS
>
> This is what I have from the cisco sides logs (edited with x's):
>
> #######################################################
> Crypto Map "xxxx" 30 ipsec-isakmp
> Description: *** xxx ***
> Crypto Engine = (0)
> Peer = x.x.x.x (correct IP)
> Extended IP access list 110
> access-list 110 permit ip host x.x.x.x (cisco/local side) host x.x.x.x (nortel/remote side)
> access-list 110 permit ip host x.x.x.x (cisco/local side) host x.x.x.x (nortel/remote side)
> access-list 110 permit ip host x.x.x.x (cisco/local side) host x.x.x.x (nortel/remote side)
>
> Current peer: x.x.x.x ((nortel/remote side)
> Security association lifetime: 4608000 kilobytes/28800 seconds
> PFS (Y/N): N
> Transform sets={ xxxxx, }
> Interfaces using crypto map geshared:
> FastEthernet0/1
>
> #######################################################
>
> All IP address are correct and we've gone over the pre-shared several times. The transform and map look correct as
> well. Does the entry of 'host' mean that it is automagically masked off at /32?
>
> Any and all help much appreciated.
>
> Regards,
>
> Travis
>
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One
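As an added illustration (not part of the original thread or either vendor's software), the checks Joel describes can be written down as a small Python script: compare the Phase 1 and Phase 2 parameters field by field, and show what Cisco's ACL keyword `host` means for the Phase 2 proxy IDs (it is a /32, the same as a 0.0.0.0 wildcard). The field names, tunnel definitions and parameter values below are constructed for the example.

```python
# Added example: proposal-matching checks for a Cisco/Nortel IKE tunnel.
# Field names and all sample values are constructed for illustration.
import ipaddress

# Parameters that must agree on both peers for each phase (per the reply above).
PHASE1_FIELDS = ("encryption", "hash", "dh_group", "lifetime_seconds")
PHASE2_FIELDS = ("encryption", "icv", "pfs_group", "lifetime_seconds")

def find_mismatches(local: dict, remote: dict, fields) -> list:
    """Return (field, local_value, remote_value) for every field that differs."""
    return [(f, local.get(f), remote.get(f))
            for f in fields if local.get(f) != remote.get(f)]

def acl_host_to_network(spec: str) -> ipaddress.IPv4Network:
    """Convert a Cisco ACL address spec to a network.
    "host A.B.C.D" is shorthand for "A.B.C.D 0.0.0.0", i.e. a /32.
    "A.B.C.D W.W.W.W" uses a wildcard mask (inverse of a subnet mask)."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    addr, wildcard = parts
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def unmatched_selectors(cisco_acl: list, nortel_tunnels: list) -> list:
    """Each Cisco ACL line (local_spec, remote_spec) becomes one Phase 2
    selector pair. The Nortel side lists (local_net, remote_net) from its own
    point of view, so the comparison is mirrored. Returns the Cisco pairs
    with no exact counterpart on the Nortel side."""
    nortel = {(ipaddress.IPv4Network(r), ipaddress.IPv4Network(l))
              for l, r in nortel_tunnels}
    cisco = [(acl_host_to_network(l), acl_host_to_network(r)) for l, r in cisco_acl]
    return [pair for pair in cisco if pair not in nortel]

if __name__ == "__main__":
    # Constructed sample: DH group differs in Phase 1, and the Nortel side
    # defines a /24 tunnel while the Cisco ACL uses /32 host entries.
    cisco_p1 = {"encryption": "3des", "hash": "sha1", "dh_group": 2, "lifetime_seconds": 86400}
    nortel_p1 = {"encryption": "3des", "hash": "sha1", "dh_group": 1, "lifetime_seconds": 86400}
    print("Phase 1 mismatches:", find_mismatches(cisco_p1, nortel_p1, PHASE1_FIELDS))
    acl = [("host 10.1.1.1", "host 192.0.2.10")]
    print("Unmatched selectors:", unmatched_selectors(acl, [("192.0.2.0/24", "10.1.1.0/24")]))
```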