Astaro <-> CyberGuard VPN connection

Hi, I want to set up a VPN Connection between an Astaro ASG120 Release 6.203 and a CyberGuard/SG570 Version 3.1.2 (old SnapGear).

Has anyone successfully created such a connection? I would be very thankful for some hints on how to configure both ends of the VPN tunnel.

Thanks

Dan

Reply to
dan

Uh... details? Which VPN protocol, which parameters, which network configuration?

Reply to
Sebastian Gottschalk

Hi Sebastian,

Both machines have official IP Addresses, no NAT or anything similar in between. The Astaro has a fixed IP Address, the CyberGuard a dynamic one, which is resolved with dyndns. For the start I would be happy if I can get it to work even with entering the dynamic address as a fixed one.

The protocol should be IP Sec which both support. The Keys can be pre-shared or RSA keys - I have tried both w/o success.

I think the problem is to get both devices to use the same IPSec parameters. I have tried configuring the same properties on both sides, but have probably confused something because the configuration differs a little.

I have created RSA keys on both machines and have exchanged the public keys.

On the Astaro:

ISAKMP (IKE) Settings
IKE Mode: Main Mode
Encryption Algorithm: AES 256 bit
Authentication Algorithm: MD5 160 bit
IKE DH Group: DH Group 5 (MODP1536)
SA Lifetime (secs): 7800

IPSec Settings
IPSec Mode: Tunnel
IPSec Protocol: ESP
Encryption Algorithm: AES 256 bit
Enforce Algorithms: off
Authentication Algorithm: MD 160 bit
SA Lifetime (secs): 3600
PFS: No PFS
Compression: Off

On the CyberGuard:

Keying: Main Mode

IKE Phase 1 Settings:
Key lifetime (sec): 7800
Rekey margin (sec): 600
Rekey fuzz (%): 100
Phase 1 Proposal: AES (256bit)-MD5-Diffie Hellman Group 5 (1536bit)

Phase 2 Settings:
Key lifetime (sec): 7800
Phase 2 Proposal: AES128-MD5-no PFC

The settings seem right, but it does not work. Thanks

Dan

Reply to
dan

Not even some ISP's routers?

Native ESP or with NAT traversal?

So you had success at least on IKE key exchange or what?

Huh? That's how it's supposed to be.

Hm... the parameters are well defined and seem to match. I'm just a bit worried about the authentication algorithm on IKE, but you said you also tried without.

Can you put a sniffer in between or got some extensive log files?

Reply to
Sebastian Gottschalk
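The Phase 1 and Phase 2 settings posted in the thread, compared field by field. This is an added example, not part of any post: the dictionary layout, field names and the `normalize`/`compare` helpers are assumptions, and the setting strings are transcribed as posted. It only reports where the two sides differ or cannot be read unambiguously; it does not say which difference stops the tunnel.

```python
import re

# Settings transcribed from the thread, kept as the strings that were posted.
ASTARO = {
    "phase1": {"enc": "AES 256 bit", "auth": "MD5 160 bit",
               "dh": "DH Group 5 (MODP1536)", "lifetime": "7800"},
    "phase2": {"enc": "AES 256 bit", "auth": "MD 160 bit",
               "pfs": "No PFS", "lifetime": "3600"},
}
CYBERGUARD = {
    "phase1": {"proposal": "AES (256bit)-MD5-Diffie Hellman Group 5 (1536bit)",
               "lifetime": "7800"},
    "phase2": {"proposal": "AES128-MD5-no PFC", "lifetime": "7800"},
}

def normalize(fields):
    """Reduce one phase's free-text settings to comparable values.

    A value of None means the field was absent or could not be parsed.
    """
    text = " ".join(v for k, v in fields.items() if k != "lifetime")
    enc = re.search(r"AES\D{0,3}(\d{3})", text)   # "AES 256", "AES (256", "AES128"
    auth = re.search(r"\b(MD5|SHA1)\b", text)     # exact hash names only
    dh = re.search(r"Group (\d+)", text)          # absent when no DH/PFS group is set
    return {
        "enc": f"AES-{enc.group(1)}" if enc else None,
        "auth": auth.group(1) if auth else None,
        "dh": int(dh.group(1)) if dh else None,
        "lifetime": int(fields["lifetime"]),
    }

def compare(a, b):
    """Return (phase, field, value_a, value_b, status) for every difference."""
    findings = []
    for phase in ("phase1", "phase2"):
        na, nb = normalize(a[phase]), normalize(b[phase])
        for field in na:
            if na[field] == nb[field]:
                continue
            # "unclear": one side did not parse, so re-read that setting on the device
            status = "unclear" if None in (na[field], nb[field]) else "mismatch"
            findings.append((phase, field, na[field], nb[field], status))
    return findings

if __name__ == "__main__":
    for phase, field, a, b, status in compare(ASTARO, CYBERGUARD):
        print(f"{phase:7} {field:9} astaro={a!s:8} cyberguard={b!s:8} {status}")
```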

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.