[vpn] cisco 7140 with a Nortel contivity

Joel M Snyder Joel.Snyder at Opus1.COM
Fri May 17 14:13:17 EDT 2002


Nortel in most older versions doesn't offer a lot of help with regard to
phase 1.  It will tend to propose DHG1/SHA for IKE.  Try making sure
that you have matched proposals: for IKE, that would be correct
encryption algorithm, MAC, DH group, and lifetime.  Nortel has a
parameter which is something like "log out remote user" which turns into
the IKE Phase 1 lifetime---this is well hidden on some other screen.  

For Phase 2, you have all the flexibility you need.  Again, make sure
things match: PFS DH group, lifetime, and of course encryption algorithm
and ICV.

It does look like Cisco are doing /32 host proposals, which might be
done as a single IP address or as a subnet with a mask of 32 bits.  

What does the Nortel log say?  It is usually very good in terms of
client IDs.

jms


"Watson, Travis" wrote:
> 
> Anyone had success making this work from the cisco side?  I've made a b2b with a 7140 before, but I'm on the Nortel side
> and I can't offer much help.  The tests fail immediately.
> 
> The parms are:
> 
> IPSec
> 3DES
> SHA-1
> PSS
> 
> This is what I have from the Cisco side's logs (edited with x's):
> 
> #######################################################
> Crypto Map "xxxx" 30 ipsec-isakmp
>         Description: *** xxx ***
>         Crypto Engine =  (0)
>         Peer = x.x.x.x (correct IP)
>         Extended IP access list 110
>             access-list 110 permit ip host x.x.x.x (cisco/local side) host x.x.x.x (nortel/remote side)
>             access-list 110 permit ip host x.x.x.x (cisco/local side) host x.x.x.x (nortel/remote side)
>             access-list 110 permit ip host x.x.x.x (cisco/local side) host x.x.x.x (nortel/remote side)
> 
>         Current peer: x.x.x.x (nortel/remote side)
>         Security association lifetime: 4608000 kilobytes/28800 seconds
>         PFS (Y/N): N
>         Transform sets={ xxxxx, }
>         Interfaces using crypto map geshared:
>                 FastEthernet0/1
> 
> #######################################################
> 
> All IP addresses are correct and we've gone over the pre-shared several times.  The transform and map look correct as
> well.  Does the entry of 'host' mean that it is automagically masked off at /32?
> 
> Any and all help much appreciated.
> 
> Regards,
> 
> Travis
> 

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One
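An added illustration, not part of either message above: a Cisco IOS 12.x configuration fragment that lines up the Phase 1 and Phase 2 attributes Joel lists against the parameters Travis gives (3DES, SHA-1, pre-shared key, DH group 1 as the Contivity tends to propose, 28800 s lifetime as in Travis's crypto map). The addresses, key, map name and transform-set name are placeholders; the Nortel side's own settings are not shown because the thread does not give them.

```cisco
! --- IKE Phase 1 (ISAKMP) policy.  Every attribute here has to agree with
! --- what the Contivity proposes: encryption, hash (MAC), authentication
! --- method, DH group and lifetime.  The Nortel "log out remote user"
! --- value Joel mentions is what must equal this lifetime (in seconds).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 1
 lifetime 28800
!
! Pre-shared key for the Nortel peer (placeholder secret and address).
crypto isakmp key SHARED-SECRET-PLACEHOLDER address 192.0.2.1
!
! --- IKE Phase 2 (IPsec) proposal: ESP with 3DES and SHA-1 HMAC as the ICV.
crypto ipsec transform-set NORTEL-TS esp-3des esp-sha-hmac
!
! Phase 2 SA lifetime.  Travis's map shows the IOS defaults
! (4608000 kilobytes / 28800 seconds); set this to whatever the Nortel uses.
crypto ipsec security-association lifetime seconds 28800
!
! "host" in an extended ACL is exactly a /32, which is why the Cisco side
! offers /32 proxy identities in Phase 2.  The Nortel local/remote network
! definitions must be the mirror image of these entries.
! (198.51.100.0/24 and 192.0.2.0/24 are documentation prefixes, placeholders here.)
access-list 110 permit ip host 198.51.100.10 host 192.0.2.10
!
crypto map NORTEL-MAP 30 ipsec-isakmp
 description *** tunnel to Contivity ***
 set peer 192.0.2.1
 set transform-set NORTEL-TS
 match address 110
! Travis's map shows "PFS (Y/N): N".  If the Contivity has PFS enabled, the
! Cisco side must enable it too, with the same DH group, e.g.:
! set pfs group1
!
interface FastEthernet0/1
 crypto map NORTEL-MAP
```

To find out which attribute the peer is rejecting, run `debug crypto isakmp` and `debug crypto ipsec` on the 7140 while the tunnel is brought up, and check `show crypto isakmp sa`: a Phase 1 SA in state QM_IDLE means the ISAKMP proposals matched and the problem is in Phase 2 (transform set, lifetime, PFS group or proxy identities); no SA at all means Phase 1 itself failed. On the IOS side the one attribute that does not have to be identical is the Phase 1 lifetime, where IOS accepts a peer lifetime less than or equal to its own and uses the shorter one; whether the Contivity is as lenient is exactly what its log, as Joel suggests, will tell you.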