Hi,
I'm trying to establish an IPSec tunnel to a racoon server which is behind NAT.
When I configure aggressive mode on the racoon I get an error that usually indicates mismatched mode (aggressive/main):
May 22 15:59:01 C9160615036 racoon: [public_ip] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
When I change to main mode the tunnel seems to be established but is purged immediately:
May 22 16:02:38 C9160615036 racoon: INFO: Adding remote and local NAT-D payloads.
May 22 16:02:38 C9160615036 racoon: INFO: NAT-T: ports changed to: xxxxx[4500]<->10.16.56.229[4500]
May 22 16:02:38 C9160615036 racoon: INFO: KA list add: 10.16.56.229[4500]->xxxxxxx[4500]
May 22 16:02:38 C9160615036 racoon: INFO: ISAKMP-SA established 10.16.56.229[4500]-xxxxx[4500] spi:b543b2b44c07eb63:57a31818c6517c7d
May 22 16:02:38 C9160615036 racoon: INFO: respond new phase 2 negotiation: 10.16.56.229[4500]<=>xxxxxx[4500]
May 22 16:02:38 C9160615036 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 22 16:02:38 C9160615036 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
May 22 16:02:38 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxx[4500] spi=54437926(0x33ea826)
May 22 16:02:38 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxx[4500] spi=1334098996(0x4f84bc34)
May 22 16:02:41 C9160615036 racoon: INFO: respond new phase 2 negotiation: 10.16.56.229[4500]<=>xxxxxxx[4500]
May 22 16:02:41 C9160615036 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 22 16:02:41 C9160615036 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
May 22 16:02:41 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxx[4500] spi=111203544(0x6a0d4d8)
May 22 16:02:41 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxxxxx[4500] spi=827354367(0x31506cff)
May 22 16:02:41 C9160615036 racoon: INFO: purged IPsec-SA proto_id=ESP spi=1334098996.
May 22 16:02:46 C9160615036 racoon: INFO: respond new phase 2 negotiation: 10.16.56.229[4500]<=>xxxxxxxxxx[4500]
May 22 16:02:46 C9160615036 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 22 16:02:46 C9160615036 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
May 22 16:02:46 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxxxx[4500] spi=57622458(0x36f3fba)
May 22 16:02:46 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxxx[4500] spi=500826022(0x1dd9ffa6)
May 22 16:02:46 C9160615036 racoon: INFO: purged IPsec-SA proto_id=ESP spi=827354367.
Does TMG not support IKE Aggressive mode?
Any idea why it might get purged when using main mode?
This is the racoon conf:
log info;
path pre_shared_key "/etc/racoon/psk.txt";

listen
{
    isakmp 10.16.56.229 [500];
    isakmp_natt 10.16.56.229 [4500];
}

remote anonymous
{
    # exchange_mode main;
    nat_traversal on;
    lifetime time 24 hour;
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous
{
    lifetime time 24 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
Thanks!!
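As an added example (not the poster's code and not part of racoon), the script below reads racoon syslog lines of the kind quoted in the post and reports, per ESP SA, how long it lived between "IPsec-SA established" and "purged IPsec-SA", next to the gaps between the peer's phase 2 negotiations. It assumes the line layout shown above; the embedded sample is the post's own log with the redacted peer address written as `peer`, and the 24-hour threshold comes from the `lifetime time 24 hour` line in the posted sainfo section. Comparing the measured lifetimes (a few seconds) with the configured one (24 hours) is what shows that the SAs are being replaced by fresh negotiations rather than expiring.

```python
"""Summarize racoon log lines to spot IPsec-SA churn (added example, not racoon code)."""
import re
from datetime import datetime

CONFIGURED_LIFETIME_S = 24 * 3600  # "lifetime time 24 hour" in the posted sainfo block

# Sample lines copied from the post; the redacted remote address is written as "peer".
SAMPLE_LOG = """\
May 22 16:02:38 C9160615036 racoon: INFO: ISAKMP-SA established 10.16.56.229[4500]-peer[4500] spi:b543b2b44c07eb63:57a31818c6517c7d
May 22 16:02:38 C9160615036 racoon: INFO: respond new phase 2 negotiation: 10.16.56.229[4500]<=>peer[4500]
May 22 16:02:38 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->peer[4500] spi=54437926(0x33ea826)
May 22 16:02:38 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->peer[4500] spi=1334098996(0x4f84bc34)
May 22 16:02:41 C9160615036 racoon: INFO: respond new phase 2 negotiation: 10.16.56.229[4500]<=>peer[4500]
May 22 16:02:41 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->peer[4500] spi=111203544(0x6a0d4d8)
May 22 16:02:41 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->peer[4500] spi=827354367(0x31506cff)
May 22 16:02:41 C9160615036 racoon: INFO: purged IPsec-SA proto_id=ESP spi=1334098996.
May 22 16:02:46 C9160615036 racoon: INFO: respond new phase 2 negotiation: 10.16.56.229[4500]<=>peer[4500]
May 22 16:02:46 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->peer[4500] spi=57622458(0x36f3fba)
May 22 16:02:46 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->peer[4500] spi=500826022(0x1dd9ffa6)
May 22 16:02:46 C9160615036 racoon: INFO: purged IPsec-SA proto_id=ESP spi=827354367.
"""

# syslog prefix "Mon DD HH:MM:SS"; the rest of each line is matched separately below
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
ESTABLISHED_RE = re.compile(r"IPsec-SA established: ESP/\S+ .* spi=(?P<spi>\d+)\(")
PURGED_RE = re.compile(r"purged IPsec-SA proto_id=ESP spi=(?P<spi>\d+)\.")
PHASE2_RE = re.compile(r"respond new phase 2 negotiation")


def _parse_ts(ts: str) -> datetime:
    # syslog timestamps carry no year; pin a leap year so a Feb 29 line still parses.
    # Only differences between timestamps are used, so the year itself is irrelevant.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")


def analyze(log_text: str, configured_lifetime_s: int = CONFIGURED_LIFETIME_S) -> dict:
    """Return SA lifetimes and phase 2 timing extracted from racoon log text."""
    established = {}        # spi -> time the ESP SA was installed
    purged_lifetimes = {}   # spi -> seconds between install and purge (purge order)
    phase2_times = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = _parse_ts(m.group("ts"))
        if PHASE2_RE.search(line):
            phase2_times.append(ts)
        elif (hit := ESTABLISHED_RE.search(line)):
            established.setdefault(int(hit.group("spi")), ts)
        elif (hit := PURGED_RE.search(line)):
            spi = int(hit.group("spi"))
            if spi in established:
                purged_lifetimes[spi] = int((ts - established[spi]).total_seconds())
    gaps = [int((b - a).total_seconds()) for a, b in zip(phase2_times, phase2_times[1:])]
    # An SA torn down inside 1% of its configured lifetime did not expire; something
    # replaced it (here: the peer starting a new phase 2 every few seconds).
    threshold = configured_lifetime_s // 100
    premature = [spi for spi, life in purged_lifetimes.items() if life < threshold]
    return {
        "phase2_negotiations": len(phase2_times),
        "phase2_gaps_s": gaps,
        "established": sorted(established),
        "purged_lifetimes_s": purged_lifetimes,
        "premature_purges": premature,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"phase 2 negotiations: {report['phase2_negotiations']}, gaps (s): {report['phase2_gaps_s']}")
    for spi, life in report["purged_lifetimes_s"].items():
        print(f"SA spi={spi} lived {life}s of a configured {CONFIGURED_LIFETIME_S}s")
    print("prematurely purged SAs:", report["premature_purges"])
```

Run against the real log with `analyze(open("/var/log/syslog").read())` (path is an assumption); lifetimes of a few seconds against a 24-hour configuration point at the peer's re-negotiation behaviour rather than at racoon's lifetime settings, which narrows where to look next.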