From: sebaaaat on
I'm trying to get a Nokia E60 Mobile VPN Client (Symbian 3rd) connected
to a Cisco PIX, but it doesn't work yet. The PIX-Policy has the lifetime
86400 sec. In the "debug crypto isakmp" I get the following line:

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable....


When I connect with a Cisco VPN Client, I get:


ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
ISAKMP (0): atts are acceptable....


What do these hexadecimal numbers mean?
What do I have to change in the Policy of my Nokia VPN Client to get
accepted like the Cisco Client?


Here is my Nokia VPN Policy:


SECURITY_FILE_VERSION: 3
[INFO]
VPN-Policy for Nokia Mobile VPN Client v3.0.
[POLICY]
sa ipsec_1 = {
esp
encrypt_alg 3
auth_alg 3
identity_remote 0.0.0.0/0
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600



}


remote 0.0.0.0 0.0.0.0 = { ipsec_1(195.226.32.136) }
inbound = { }
outbound = { }

[IKE]
ADDR: 195.226.32.136 255.255.255.255
MODE: Aggressive
SEND_NOTIFICATION: TRUE
ID_TYPE: 11
FQDN: testgroup
GROUP_DESCRIPTION_II: MODP_1024
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: TRUE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: TRUE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: 3DES-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1024
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 86400
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 7 testkey

From: Walter Roberson on
In article <1166091211.474967.9000(a)f1g2000cwa.googlegroups.com>,
sebaaaat <sebastian.lemke(a)t-systems.com> wrote:
>I'm trying to get a Nokia E60 Mobile VPN Client (Symbian 3rd) connected
>to a Cisco PIX, but it doesn't work yet. The PIX-Policy has the lifetime
>86400 sec. In the "debug crypto isakmp" I get the following line:

>ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
>ISAKMP (0): atts are not acceptable....

>When I connect with a Cisco VPN Client, I get:

>ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
>ISAKMP (0): atts are acceptable....

>What do these hexadecimal numbers mean?

>LIFETIME_SECONDS: 86400

86400 is hex 0x15180

0x20c4 isn't any figure I recognize, but I notice it doesn't have
four groups, and I find traces online with 0x0 0x20 0xc4 0x9b .
Perhaps you missed the 0x9b in your posting?

0x20c49b is 2147483 which happens to be the truncation of
0x7fffffff 2147483647 -- which doesn't sound like a coincidence.

Lifetimes are automatically negotiated (the minimum of the
two is used, if I recall correctly). That suggests that the line
or three above the VPI dump is the one at fault.
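
Added example, not part of the original posts: a small Python parser that reads "debug crypto isakmp" output, joins the octets printed on each "life duration (VPI)" line into one integer (most significant octet first, as in the reply's arithmetic) and pairs it with the verdict line that follows. The sample lines are taken from the thread; the trailing 0x9b on the second proposal is the octet the reply suggests was dropped, and the function names are made up for this example.

```python
import re

# Debug lines as quoted in the thread. The 0x9b on the second proposal is
# the fourth octet the reply suggests was missing from the posting.
SAMPLE = """\
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable....
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable....
"""

LIFE_RE = re.compile(r"life duration \(VPI\) of((?:\s+0x[0-9a-fA-F]{1,2})+)")
VERDICT_RE = re.compile(r"atts are (not )?acceptable")


def decode_octets(text):
    """Join the printed octets, most significant first, into one integer."""
    octets = bytes(int(tok, 16) for tok in text.split())
    return int.from_bytes(octets, "big")


def parse_proposals(log):
    """Return [(lifetime_value, accepted), ...] in log order.

    accepted is True/False from the verdict line that follows the
    lifetime line, or None when the log ends or moves on without one.
    """
    results = []
    pending = None
    for line in log.splitlines():
        m = LIFE_RE.search(line)
        if m:
            if pending is not None:          # lifetime line with no verdict
                results.append((pending, None))
            pending = decode_octets(m.group(1))
            continue
        v = VERDICT_RE.search(line)
        if v and pending is not None:
            results.append((pending, v.group(1) is None))
            pending = None
    if pending is not None:
        results.append((pending, None))
    return results


if __name__ == "__main__":
    for value, ok in parse_proposals(SAMPLE):
        print(f"{value:>10}  0x{value:x}  accepted={ok}")
```

The first value decodes to 86400, the LIFETIME_SECONDS from the posted policy; the second decodes to 2147483, the figure worked out in the reply above.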

From: sebaaaat on
Walter Roberson wrote:

> >LIFETIME_SECONDS: 86400
>
> 86400 is hex 0x15180
>
> 0x20c4 isn't any figure I recognize, but I notice it doesn't have
> four groups, and I find traces online with 0x0 0x20 0xc4 0x9b .
> Perhaps you missed the 0x9b in your posting?
>
> 0x20c49b is 2147483 which happens to be the truncation of
> 0x7fffffff 2147483647 -- which doesn't sound like a coincidence.
>
> Lifetimes are automatically negotiated (the minimum of the
> two is used, if I recall correctly). That suggests that the line
> or three above the VPI dump is the one at fault.

Yes, maybe I forgot the 0x9b.. But these lines (life duration...) are
the only lines in the VPI dumps of the Nokia and the Cisco Client which
are different. Everything else (encryption, hash, group ..) is the same
in both dumps.

What does the number 0x20c49b - 2147483 / 0x7fffffff - 2147483647 mean?
Do I have to change my LIFETIME_SECONDS from 86400 to 2147483?

From: sebaaaat on
Sorry, is anybody still into this? Does nobody have a suggestion?