I am trying to set up a VPN using a Nokia CC 500 and FW1. I'm using IKE
and pre-shared secrets. The tunnel works in one direction, from the
network behind the Nokia to the network behind the FW1 machine, but when
I attempt to access the network behind the Nokia CC 500 from the network
behind the FW1, it fails and I get the following on the CC 500 console
(some IPs changed to protect the innocent):
Thu Feb 15 15:16:18 2001 (IPSEC)-ERR: key_find_responder_policy: matching outbound selector not found
Thu Feb 15 15:16:18 2001 (IKE)-ERR: receive: failed to locate QM responder policy

then:

Thu Feb 15 15:16:43 2001 (IKE)-AUDIT: IKE SA deleted for 123.123.123.66 (123.123.123.66)
Thu Feb 15 15:16:43 2001 (IKE)-NOTICE: process_sa: no proposal chosen
Then the tunnel goes down and does not come back up until traffic goes from
the network behind the Nokia CC 500 to the network behind the FW1 box.

When it is up, IPSEC looks like this:
IPSec Security Associations:
  spi: ffff3c00 <- ffff1d87
    source address: 123.123.123.66
    destination address: 123.123.123.80
    client identity: 10.10/24
    type: esp
    integrity algorithm: md5 (128 bits)
    secrecy algorithm: 3des (192 bits)
    flags: inbound,initiator,tunnel
    lifetime: 60 minutes
    time-to-live: 59 minutes
    traffic: 848 bytes
  spi: ffff1d87 -> ffff3c00 (1)
    source address: 123.123.123.80
    destination address: 123.123.123.66
    client identity: 10/24
    type: esp
    integrity algorithm: md5 (128 bits)
    secrecy algorithm: 3des (192 bits)
    flags: outbound,initiator,tunnel
    lifetime: 60 minutes
    time-to-live: 59 minutes
    traffic: 632 bytes
and IKE looks like this:

IKE Security Associations:
  sequence: 2b
    state: MM_IDLE
    flags: outbound,valid
    source: 123.123.123.80
    destination: 123.123.123.66
    peer identity: fqdn.domain.com
    oakley group: modp-768
    encryption algorithm: 3des
    hash algorithm: md5
    authentication method: pre-shared key
    associations: 2
    lifetime: 8 hours
    time-to-live: 7 hours
It's also really slow. Anyone out there have any experience with the Nokia
CC 500 that they would like to share?
Scott
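The error pair "key_find_responder_policy: matching outbound selector not found" / "failed to locate QM responder policy" is the Quick Mode responder saying that the traffic selectors proposed by the peer (IDci = the initiator's client network, IDcr = the responder's client network) do not line up with any of its own policies. A one-way tunnel is the classic symptom of an asymmetric selector configuration: when gateway A initiates it proposes its own selectors, which B accepts, but when B initiates it proposes B's (different) selectors, which A rejects. The script below is an added example, not code from the original post and not Nokia or Check Point code. The 10.10.0.0/24 and 10.0.0.0/24 networks are read from the post's "10.10/24" and "10/24"; the wider /16 on the FW-1 side, the policy names and the function names are constructed assumptions used only to reproduce the symptom.

```python
"""Model the Quick Mode responder policy lookup to show how a one-way IPsec
tunnel arises from mismatched traffic selectors.

Added example for illustration; not the poster's configuration and not the
CC 500 or FW-1 implementation.  Subnets, policy names and the narrowing
behaviour below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One IPsec policy on a gateway: which local net talks to which remote net."""
    name: str
    local: ipaddress.IPv4Network    # protected network behind this gateway
    remote: ipaddress.IPv4Network   # protected network behind the peer


def find_responder_policy(policies, id_initiator, id_responder, exact=True):
    """Return the first policy matching a Quick Mode proposal, or None.

    id_initiator (IDci) is the peer's client network and must match our
    `remote`; id_responder (IDcr) is our client network and must match our
    `local`.  exact=True demands identical selectors (typical of IKEv1 stacks
    of that era); exact=False lets the responder accept a proposal that is a
    subnet of its policy (narrowing).  A proposal *wider* than the policy is
    never accepted in either mode.
    """
    idi = ipaddress.ip_network(id_initiator)
    idr = ipaddress.ip_network(id_responder)
    for pol in policies:
        if exact:
            ok = idi == pol.remote and idr == pol.local
        else:
            ok = idi.subnet_of(pol.remote) and idr.subnet_of(pol.local)
        if ok:
            return pol
    return None


def quick_mode(initiator_policy, responder_policies, responder_narrows=False):
    """Simulate one Quick Mode exchange and return the responder's verdict.

    The initiator proposes its own policy's local net as IDci and its remote
    net as IDcr; the responder then performs the lookup above.
    """
    match = find_responder_policy(
        responder_policies,
        id_initiator=initiator_policy.local,
        id_responder=initiator_policy.remote,
        exact=not responder_narrows,
    )
    if match is None:
        # Wording modelled on the CC 500 console message quoted in the post.
        return "key_find_responder_policy: matching outbound selector not found"
    return (f"QM ok: policy {match.name} "
            f"IDci={initiator_policy.local} IDcr={initiator_policy.remote}")


# Constructed configuration (assumption): the CC 500 protects 10.10.0.0/24 and
# expects exactly 10.0.0.0/24 behind FW-1.
NOKIA_POLICIES = [
    Policy("to-fw1", ipaddress.ip_network("10.10.0.0/24"),
           ipaddress.ip_network("10.0.0.0/24")),
]

# Constructed configuration (assumption): the FW-1 encryption domain for the
# Nokia side was entered as the whole 10.10.0.0/16, so FW-1 proposes that
# wider selector whenever it initiates.
FW1_POLICIES = [
    Policy("to-nokia", ipaddress.ip_network("10.0.0.0/24"),
           ipaddress.ip_network("10.10.0.0/16")),
]

# The corrected FW-1 side: remote selector trimmed to match the CC 500 policy.
FW1_FIXED = [
    Policy("to-nokia", ipaddress.ip_network("10.0.0.0/24"),
           ipaddress.ip_network("10.10.0.0/24")),
]


def run_both_directions(nokia, fw1):
    """Return the verdict for each initiating side with a given pair of configs."""
    return {
        # Nokia initiates: proposes 10.10.0.0/24 <-> 10.0.0.0/24; FW-1 (assumed
        # to allow narrowing) accepts because /24 fits inside its /16.
        "nokia->fw1": quick_mode(nokia[0], fw1, responder_narrows=True),
        # FW-1 initiates: proposes 10.0.0.0/24 <-> 10.10.0.0/16; the CC 500 has
        # no policy with a /16 outbound selector, so the lookup fails.
        "fw1->nokia": quick_mode(fw1[0], nokia),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", FW1_POLICIES), ("after fixing FW-1", FW1_FIXED)):
        print(f"--- {label} ---")
        for direction, verdict in run_both_directions(NOKIA_POLICIES, cfg).items():
            print(f"{direction}: {verdict}")
```

Running it shows the asymmetry: with the /16 on the FW-1 side the Nokia-initiated exchange succeeds while the FW-1-initiated one fails at the CC 500 with the same "matching outbound selector not found" shape seen in the post, and both directions succeed once the two selector sets are identical. The practical check on a real box is to compare the encryption domain/selector definitions on both gateways literally, not just whether they overlap.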