Firewall Wizards mailing list archives
Problem getting vpn to work between netscreen 208 and cisco 1721
From: Esger Abbink <esger () vesc nl>
Date: Wed, 27 Nov 2002 16:17:24 +0100
Hello,

I'm having quite a bit of trouble getting these two devices to 'vpn' well together and I'm currently grasping for straws, hence the post to this list.

The situation is as follows:

internal net is 192.0.0.0/24, protected by ns208
external net is 10.1.1.0/24, protected by 1721
transit networks are 20.1.1.0/24 (ethernet) and 192.168.80.0/24 (ISDN).

The ISDN dialup is done by another Cisco router. The VPN is supposed to run between the ns208 and the 1721.

With some digging through documentation I've configured both devices, and when initiated by traffic they negotiate a VPN link. The problem is that when a packet is actually received on the Cisco it discards it with the following error message:

02:23:38: %CRYPTO-4-RECVD_PKT_INV_IDENTITY: identity doesn't match negotiated identity (ip) dest_addr= 192.168.80.10, src_addr= 20.1.1.2, prot= 1 (ident) local=192.168.80.10, remote=20.1.1.2 local proxy=10.1.1.10/255.255.255.255/0/0, remote_proxy=192.0.0.0/255.255.255.0/0/0
02:23:38: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
02:23:49: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
02:24:00: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
02:24:10: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

The NetScreen displays no errors and thinks the VPN is up, although it does change that opinion after a while to 'down'. The NetScreen has OS release 4.0.0r1, the Cisco has 12.2(8)T5.

At the moment I'm quite stuck with this. I've been in touch with both support desks and although they are working on it (for several days already) they both think their respective configs are fine and don't understand why it's not working. :(

I've included the config of both devices below. If there's anyone who could offer some assistance, or better yet has a similar set-up in operation and is willing to provide working configs, that would be very much appreciated!
Thanks in advance,
Esger

Cisco config:

Current configuration : 1625 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1721B
!
enable secret 5 $1$nNH6$E4BctAYoaohhGO1A3jzi40
enable password XXXXXXXX
!
username 1721A password 0 XXXXXXXXX
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
ip audit notify log
isdn switch-type basic-net3
!
crypto isakmp policy 25
 encr 3des
 authentication pre-share
 lifetime 28800
crypto isakmp key XXXXXX address 20.1.1.2
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set paalA esp-3des esp-sha-hmac
!
crypto map tunnelmap 10 ipsec-isakmp
 set peer 20.1.1.2
 set transform-set paalA
 set pfs group1
 match address 101
!
interface BRI0
 no ip address
 encapsulation ppp
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn spid1 25
 isdn spid2 26
 isdn answer1 25
 isdn answer2 26
 no cdp enable
 ppp authentication chap
!
interface FastEthernet0
 ip address 10.1.1.10 255.255.255.0
 no ip mroute-cache
 speed auto
 half-duplex
!
interface Dialer1
 ip address 192.168.80.10 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 dialer pool 1
 dialer idle-timeout 3600
 no cdp enable
 crypto map tunnelmap
!
ip classless
ip route 20.1.1.0 255.255.255.0 192.168.80.1
no ip http server
ip pim bidir-enable
!
access-list 1 permit any
access-list 2 permit any
access-list 3 permit any
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
line con 0
line aux 0
line vty 0 4
 password makkie1
 login
!
no scheduler allocate
end

NetScreen config:

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp
set auth default auth server "Local"
set clock "timezone" 1
set admin format dos
set admin name "netscreen"
set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
set admin auth timeout 10
set admin auth server "Local"
unset vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone id 1000 "3rdparty"
set zone id 1001 "IA_palen"
set zone "Trust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" vrouter "untrust-vr"
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" vrouter "untrust-vr"
set zone "DMZ" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone "3rdparty" vrouter "trust-vr"
set zone "3rdparty" block
set zone "3rdparty" tcp-rst
set zone "IA_palen" vrouter "trust-vr"
set zone "IA_palen" block
set zone "IA_palen" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "3rdparty"
set interface "ethernet3" zone "Untrust"
set interface "ethernet5" zone "Trust"
set interface vlan1 ip 192.0.0.2/24
set interface ethernet1 ip 192.0.0.2/24
set interface ethernet1 route
set interface ethernet2 ip 20.1.1.2/24
set interface ethernet2 route
unset interface ethernet3 ip manageable
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet3 manage-ip 192.168.1.1
set interface ethernet2 manage ping
set address Trust "192.0.0.0/24" 192.0.0.0 255.255.255.0
set address Trust "192.0.0.12" 192.0.0.12 255.255.255.255
set address 3rdparty "10.1.1.0/24" 10.1.1.0 255.255.255.0
set address 3rdparty "1721" 192.168.80.10 255.255.255.255
set firewall log-self
set snmp name "ns208"
set ike p1-proposal "pre-g1-3des-sha" Preshare Group1 esp 3DES SHA-1 second 28800
set ike p2-proposal "g1-esp-3des-sha" Group1 ESP 3DES SHA-1 second 28800
set ike gateway "1721B" ip 192.168.80.10 Main outgoing-interface "ethernet2" preshare "secret" proposal "pre-g1-3des-sha"
unset ike policy-checking
set ike respond-bad-spi 1
set vpn "IA-vpn" id 6 gateway "1721B" replay tunnel idletime 0 proposal "g1-esp-3des-sha"
set vpn "IA-vpn" monitor
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 0 name "vpn-test" from "Trust" to "3rdparty" "192.0.0.0/24" "10.1.1.0/24" "ANY" Tunnel vpn "IA-vpn" id 9 pair-policy 1 no-session-backup
set policy id 1 name "vpn-test" from "3rdparty" to "Trust" "10.1.1.0/24" "192.0.0.0/24" "ANY" Tunnel vpn "IA-vpn" id 9 pair-policy 0 no-session-backup
unset global-pro policy-manager primary outgoing-interface
unset global-pro policy-manager secondary outgoing-interface
set nsrp track-ip ip
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set add-default-route vrouter untrust-vr
set route 192.168.80.0/24 interface ethernet2 gateway 20.1.1.20
set route 10.1.1.0/24 interface ethernet2
exit
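An added example, not part of Esger's post or of either vendor's software: a small Python parser for the %CRYPTO-4-RECVD_PKT_INV_IDENTITY line quoted in the post. It pulls out the decrypted packet's source, destination and protocol together with the two negotiated proxy identities, and reports which selector the packet falls outside of; for the quoted line that is both sides (20.1.1.2 is not in the remote proxy 192.0.0.0/24 and 192.168.80.10 is not in the local proxy 10.1.1.10/32). The second log line, showing a packet that does fit, is constructed for contrast.

```python
import ipaddress
import re

# Log line quoted from the post above (Cisco IOS %CRYPTO-4-RECVD_PKT_INV_IDENTITY).
SAMPLE_LOG = (
    "02:23:38: %CRYPTO-4-RECVD_PKT_INV_IDENTITY: identity doesn't match negotiated "
    "identity (ip) dest_addr= 192.168.80.10, src_addr= 20.1.1.2, prot= 1 (ident) "
    "local=192.168.80.10, remote=20.1.1.2 local proxy=10.1.1.10/255.255.255.255/0/0, "
    "remote_proxy=192.0.0.0/255.255.255.0/0/0"
)
# Constructed line (not from the post): a packet that does fit the negotiated proxies.
CONSTRUCTED_OK_LOG = SAMPLE_LOG.replace(
    "dest_addr= 192.168.80.10, src_addr= 20.1.1.2",
    "dest_addr= 10.1.1.10, src_addr= 192.0.0.12",
)

# Decrypted packet src/dst/protocol plus both proxy identities (addr/mask/prot/port, 0 = any).
LOG_RE = re.compile(
    r"dest_addr= (?P<dst>[\d.]+), src_addr= (?P<src>[\d.]+), prot= (?P<prot>\d+).*?"
    r"local proxy=(?P<lp>[\d.]+)/(?P<lpm>[\d.]+)/(?P<lpprot>\d+)/\d+, "
    r"remote_proxy=(?P<rp>[\d.]+)/(?P<rpm>[\d.]+)/(?P<rpprot>\d+)/\d+"
)

def parse_inv_identity(line):
    """Return the packet and proxy-identity fields of one INV_IDENTITY line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "prot": int(m["prot"]),
        "local_proxy": ipaddress.ip_network(f"{m['lp']}/{m['lpm']}", strict=False),
        "remote_proxy": ipaddress.ip_network(f"{m['rp']}/{m['rpm']}", strict=False),
        "local_prot": int(m["lpprot"]),
        "remote_prot": int(m["rpprot"]),
    }

def selector_mismatches(rec):
    """Inbound on the router: src must lie in the remote proxy, dst in the local proxy."""
    problems = []
    if rec["src"] not in rec["remote_proxy"]:
        problems.append(f"src {rec['src']} outside remote proxy {rec['remote_proxy']}")
    if rec["dst"] not in rec["local_proxy"]:
        problems.append(f"dst {rec['dst']} outside local proxy {rec['local_proxy']}")
    for side in ("local_prot", "remote_prot"):
        if rec[side] not in (0, rec["prot"]):
            problems.append(f"protocol {rec['prot']} does not match {side}={rec[side]}")
    return problems
```

Calling selector_mismatches(parse_inv_identity(SAMPLE_LOG)) lists the two out-of-selector addresses, while the constructed line yields an empty list.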