FEC Onlineservices
 
IPSec phase 1 authentication details
Since IPSec Image 7.1.1 it is possible to configure different IPSec profiles for phase 1 and phase 2. As a result, IPSec peers authenticated with pre-shared keys (PSKs) and peers authenticated with certificates can coexist on the same device (see Release Notes 7.1.1 for more details).

The following chart shows all configuration possibilities at a glance:
 
Phase 1 profile   Authentication method   IP address (initiator)   Result
aggressive        PSKs                    dynamic                  O.K.
aggressive        PSKs                    static                   O.K.
id-protect        PSKs                    dynamic                  not O.K. *
id-protect        PSKs                    static                   O.K.
aggressive        Certificates            dynamic                  O.K.
aggressive        Certificates            static                   O.K.
id-protect        Certificates            dynamic                  O.K.
id-protect        Certificates            static                   O.K.


* The IPSec connection fails because the responder can't authenticate a peer that uses PSKs in id-protect mode from a dynamic IP address.
 

The authentication of IPSec peers will fail when the two peers use different proposals (AES, 3DES, Blowfish, ...) and/or different modes (id-protect, aggressive) for phase 1. The example below shows the error message of a failed IPSec connection:
11:32:45 INFO/IPSEC: P1: peer 1 (PSKs) sa 5306 (I): failed id der_asn1_dn(any:0,[0..99]=C=de, ST=Bavaria, L=Nuremberg, O=Support, CN=R1200) -> ip 111.222.111.222 (No proposal chosen)


If the modes differ (id-protect on one side, aggressive on the other), the solution is to choose an "id-protect" profile for "IKE (Phase 1) Defaults".


If several "id-protect" profiles with different proposals are in use, these profiles have to be linked. This configuration has to be carried out via the MIB tables: set the parameter "NextChoice(rw)" in the "ikeProfileTable" to the next "id-protect" profile that should be tried.
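To make failures like the one quoted above easier to spot in a larger syslog export, here is an added example (not part of the original article and not bintec elmeg code) that parses the phase 1 failure message and attaches the troubleshooting hints from this article to the "No proposal chosen" reason. The field layout of the regular expression is inferred from the single quoted line, so it is an assumption about the log format; the sample log is constructed and contains the quoted line plus one unrelated line the parser must ignore.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Regular expression for the phase 1 failure message quoted in the article.
# The field layout is inferred from that one line (an assumption, not a
# documented format): time, peer index, auth method, SA number, role,
# local identity, peer IP and the failure reason in parentheses.
P1_FAIL_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) INFO/IPSEC: P1: "
    r"peer (?P<peer>\d+) \((?P<auth>[^)]+)\) sa (?P<sa>\d+) \((?P<role>[IR])\): "
    r"failed id (?P<local_id>.+?) -> ip (?P<peer_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<reason>[^)]+)\)$"
)

# Hints per failure reason, taken from the text of this article.
REASON_HINTS = {
    "No proposal chosen": (
        "Phase 1 proposal or mode mismatch between the peers: compare the "
        "IKE (Phase 1) proposals and the mode (id-protect vs. aggressive) on "
        "both sides. If the modes differ, use an id-protect profile for "
        "'IKE (Phase 1) Defaults'; if several id-protect profiles exist, link "
        "them via ikeProfileTable NextChoice(rw)."
    ),
}


@dataclass
class Phase1Failure:
    time: str
    peer: int
    auth: str
    sa: int
    role: str        # "I" = initiator, "R" = responder
    local_id: str
    peer_ip: str
    reason: str

    @property
    def hint(self) -> str:
        return REASON_HINTS.get(self.reason, "No hint available for this reason.")

    def dn_fields(self) -> Dict[str, str]:
        """Split the DER ASN.1 DN of the local identity into its attributes."""
        return dict(re.findall(r"\b([A-Z]{1,2})=([^,)]+)", self.local_id))


def parse_line(line: str) -> Optional[Phase1Failure]:
    """Return a Phase1Failure for a matching log line, or None for any other line."""
    m = P1_FAIL_RE.match(line.strip())
    if not m:
        return None
    return Phase1Failure(
        time=m["time"], peer=int(m["peer"]), auth=m["auth"], sa=int(m["sa"]),
        role=m["role"], local_id=m["local_id"], peer_ip=m["peer_ip"],
        reason=m["reason"],
    )


def parse_log(text: str) -> List[Phase1Failure]:
    """Extract all phase 1 failure messages from a block of log text."""
    return [f for f in (parse_line(line) for line in text.splitlines()) if f]


# Constructed sample: the first line is the message quoted in the article, the
# second is an unrelated line that the parser has to skip.
SAMPLE_LOG = """\
11:32:45 INFO/IPSEC: P1: peer 1 (PSKs) sa 5306 (I): failed id der_asn1_dn(any:0,[0..99]=C=de, ST=Bavaria, L=Nuremberg, O=Support, CN=R1200) -> ip 111.222.111.222 (No proposal chosen)
11:32:46 INFO/IPSEC: some other message that is not a phase 1 failure
"""

if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        cn = f.dn_fields().get("CN", "?")
        print(f"{f.time} peer {f.peer} ({f.auth}, role {f.role}, CN={cn}) -> {f.peer_ip}: {f.reason}")
        print("  hint:", f.hint)
```

Running the script prints one parsed failure for peer 1 with the "No proposal chosen" hint; the unrelated second line produces nothing. The regular expression is anchored at both ends on purpose, so a differently shaped message is reported as unparsed rather than partially matched.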

rh

© 2013 bintec elmeg GmbH