VPN with racoon Phase 2 issue

xscream@gmail.com
02-29-2008, 12:44 PM
Hi,
I want to establish an IPsec site-to-site VPN between a Red Hat server
and a Juniper Netscreen.
I know how to do it on the Netscreen.

172.30.99.0/24
IPSEC 172.30.98.0/24
Redhat>10.2.120.3/22========10.2.121.100/22<Juniper

My proposal on the Netscreen side is:
Phase 1: PreSharedKey, DH_G2, 3des, Sha1
Phase 2: nopfs, esp, des, md5, lifetime 3600s

Here is the configuration file of racoon:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
    lifetime time 3600 seconds;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

remote 10.2.121.100
{
    exchange_mode aggressive, main;
    my_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

and here is my ifcfg-ipsec0:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
AH_PROTO=none
SRCGW=172.30.99.1
DSTGW=172.30.98.1
SRCNET=172.30.99.0/24
DSTNET=172.30.98.0/24
DST=10.2.121.100

On the Netscreen, I have the following debug message:
IKE<10.2.120.3> SA life type = seconds
IKE<0.0.0.0 > SA life duration (TV) = 3600
IKE<0.0.0.0 > encap mode from peer = 1.
IKE<0.0.0.0 > encap mode after converting it to private value = 1.
IKE<10.2.120.3> Phase 2 received:
IKE<10.2.120.3> atts<00000002 00000002 00000000 00000001 00000001 00000000>
IKE<10.2.120.3> proto(2)<AH>, ah(2)<AH_MD5>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
IKE<10.2.120.3> expect [0]:
IKE<10.2.120.3> atts<00000003 00000000 00000002 00000001 00000001 00000000>
IKE<10.2.120.3> proto(3)<ESP>, esp(2)<ESP_DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(0)
IKE<10.2.120.3> proposal not acceptable, but no more proposal in payload.
IKE<10.2.120.3> Phase 2: Rejected proposals from peer. Negotiations failed.

As you can see, there is no acceptable proposal, but normally there
should be.
It seems that racoon sends a proposal with AH, MD5 but the Netscreen expects
only ESP des...

I must have missed something in the racoon configuration, so if someone can
tell me where to look.
xscream@gmail.com
02-29-2008, 12:52 PM
With Redhat ES4, do I have to deal with setkey and ipsec.conf
(ipsec.conf doesn't exist on the server)?
At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...
Joe Beasley
03-01-2008, 03:30 AM
(E-Mail Removed) wrote:
> With Redhat ES4, do I have to deal with setkey and ipsec.conf
> (ipsec.conf doesn't exist on the server)?
> At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...

Use setkey for the policies. That's the proposal that is missing.
xscream@gmail.com
03-03-2008, 08:28 AM
On 1 Mar, 05:30, Joe Beasley <jbeas...@somwhere.com> wrote:
> xscr...@gmail.com wrote:
> > With Redhat ES4, do I have to deal with setkey and ipsec.conf
> > (ipsec.conf doesn't exist on the server)?
> > At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...
>
> Use setkey for the policies. That's the proposal that is missing.

Ok Joe,
but are you sure that in Red Hat 4 Update 4 we have to deal with
setkey???
xscream@gmail.com
03-03-2008, 02:04 PM
On 1 Mar, 05:30, Joe Beasley <jbeas...@somwhere.com> wrote:
> xscr...@gmail.com wrote:
> > With Redhat ES4, do I have to deal with setkey and ipsec.conf
> > (ipsec.conf doesn't exist on the server)?
> > At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...
>
> Use setkey for the policies. That's the proposal that is missing.

Hello again,
I tried everything, but I still have only one proposal:
proto(2)<AH>, ah(2)<AH_MD5>, auth(1)<MD5>, encap(1)<TUNNEL>, group(2)
And I would like
proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(2)

Where can I set ESP and not AH???
Joe Beasley
03-04-2008, 03:14 AM
(E-Mail Removed) wrote:
> On 1 Mar, 05:30, Joe Beasley <jbeas...@somwhere.com> wrote:
>> xscr...@gmail.com wrote:
>>> With Redhat ES4, do I have to deal with setkey and ipsec.conf
>>> (ipsec.conf doesn't exist on the server)?
>>> At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...
>>
>> Use setkey for the policies. That's the proposal that is missing.
>
> Hello again,
> I tried everything, but I still have only one proposal:
> proto(2)<AH>, ah(2)<AH_MD5>, auth(1)<MD5>, encap(1)<TUNNEL>, group(2)
> And I would like
> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(2)
>
> Where can I set ESP and not AH???

Not sure about the RHES4. I use Ubuntu server and FreeBSD to make
connections to Cisco routers and PIXes. Both use setkey.
xscream@gmail.com
03-04-2008, 12:45 PM
On 4 Mar, 05:14, Joe Beasley <jbeas...@somwhere.com> wrote:
> xscr...@gmail.com wrote:
> > On 1 Mar, 05:30, Joe Beasley <jbeas...@somwhere.com> wrote:
> >> xscr...@gmail.com wrote:
> >>> With Redhat ES4, do I have to deal with setkey and ipsec.conf
> >>> (ipsec.conf doesn't exist on the server)?
> >>> At the moment, I have only configured ifcfg-ipsec0 and racoon.conf...
> >>
> >> Use setkey for the policies. That's the proposal that is missing.
> >
> > Hello again,
> > I tried everything, but I still have only one proposal:
> > proto(2)<AH>, ah(2)<AH_MD5>, auth(1)<MD5>, encap(1)<TUNNEL>, group(2)
> > And I would like
> > proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(2)
> >
> > Where can I set ESP and not AH???
>
> Not sure about the RHES4. I use Ubuntu server and FreeBSD to make
> connections to Cisco routers and PIXes. Both use setkey.

Ok, thank you Joe. Actually, you're right, I have to use setkey, so I
use this:

flush;
spdflush;
spdadd 172.30.97.0/24 172.30.96.0/24 any -P out ipsec esp/tunnel/10.2.120.4-10.2.121.100/require;
spdadd 172.30.96.0/24 172.30.97.0/24 any -P in ipsec esp/tunnel/10.2.121.100-10.2.120.4/require;

and everything is fine now.
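An added example (not from the thread, and not racoon's or Netscreen's code) that decodes the Phase 2 `atts<...>` words from the Netscreen debug output quoted in the first post into the same summary the firewall prints, reports which attributes differ between the received and expected proposals, and checks the protocol a setkey `spdadd` policy (as in the last post) asks for against the peer's expectation. The six-word field order (proto, AH transform, ESP transform, auth, encap mode, DH group) is inferred from the quoted output; the numeric code points are the IPsec DOI values (RFC 2407); `spd_protocol` and the joined debug lines are constructed here.

```python
import re

# IPsec DOI (RFC 2407) code points; field order inferred from the quoted Netscreen lines.
PROTO = {2: "AH", 3: "ESP"}
AH_XFORM = {2: "AH_MD5", 3: "AH_SHA"}
ESP_XFORM = {2: "ESP_DES", 3: "ESP_3DES"}
AUTH = {1: "MD5", 2: "SHA"}
ENCAP = {1: "TUNNEL", 2: "TRANSPORT"}
FIELDS = ("proto", "ah", "esp", "auth", "encap", "group")

def parse_atts(line):
    """Decode one 'atts<...>' debug line into a dict of attribute values."""
    m = re.search(r"atts<([0-9a-fA-F ]+)>", line)
    if m is None:
        raise ValueError("no atts<...> payload in: %r" % line)
    words = [int(w, 16) for w in m.group(1).split()]
    if len(words) != len(FIELDS):
        raise ValueError("expected %d words, got %d" % (len(FIELDS), len(words)))
    return dict(zip(FIELDS, words))

def describe(p):
    """Render a decoded proposal the way the Netscreen summary line does."""
    proto = PROTO.get(p["proto"], "?")
    parts = ["proto(%d)<%s>" % (p["proto"], proto)]
    if proto == "AH":   # AH carries its transform in the 'ah' slot ...
        parts.append("ah(%d)<%s>" % (p["ah"], AH_XFORM.get(p["ah"], "?")))
    else:               # ... ESP in the 'esp' slot
        parts.append("esp(%d)<%s>" % (p["esp"], ESP_XFORM.get(p["esp"], "?")))
    parts.append("auth(%d)<%s>" % (p["auth"], AUTH.get(p["auth"], "?")))
    parts.append("encap(%d)<%s>" % (p["encap"], ENCAP.get(p["encap"], "?")))
    parts.append("group(%d)" % p["group"])
    return ", ".join(parts)

def mismatches(received, expected):
    """Names of the attributes on which the peer's offer differs from ours."""
    return [f for f in FIELDS if received[f] != expected[f]]

def spd_protocol(spdadd_line):
    """Protocol (ESP/AH) requested by a setkey 'spdadd ... ipsec <proto>/<mode>/...' policy."""
    m = re.search(r"ipsec\s+(esp|ah)/(tunnel|transport)/", spdadd_line)
    return m.group(1).upper() if m else None

# Constructed copies of the two debug lines quoted in the thread (re-joined onto one line each).
RECEIVED = "IKE<10.2.120.3> atts<00000002 00000002 00000000 00000001 00000001 00000000>"
EXPECTED = "IKE<10.2.120.3> atts<00000003 00000000 00000002 00000001 00000001 00000000>"

if __name__ == "__main__":
    r, e = parse_atts(RECEIVED), parse_atts(EXPECTED)
    print("received:", describe(r), "\nexpected:", describe(e), "\ndiffer on:", mismatches(r, e))
```

The three differing attributes (proto, ah, esp) are exactly the AH-versus-ESP gap the thread ends up closing with an `esp/tunnel` policy in setkey.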