Firewall Wizards mailing list archives

PIX-Firewall-1 VPN


From: "Zulu" <zulu () thepub co za>
Date: Thu, 29 May 2003 10:16:59 +0200

Hi All,

Sorry 'bout the html mail. (long story)

I am trying to set up a VPN from my PIX 6.22 to a Firewall-1 NG FP2.
The NG box will always initiate the VPN.

Here is what I get when I debug ipsec & isakmp:

crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
VPN Peer: ISAKMP: Added new peer: ip:NG-FWL_ADDRESS Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:NG-FWL_ADDRESS Ref cnt incremented to:1
Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP: Created a peer node for NG-FWL_ADDRESS
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to NG-FWL_ADDRESS. ID =
4174316855 (0xf8cf0537)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...

My config looks like this:

(There is a Cisco VPN client thingy set up already, AND IT WORKS)

isakmp enable outside
sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set set-2 esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set strong
crypto map partner-map client configuration address initiate
crypto map partner-map interface outside

access-list ipsec permit ip host HOST-A 172.23.1.0 255.255.255.0
access-list ipsec permit ip host HOST_B 172.23.1.0 255.255.255.0

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

ip local pool dealer 172.23.1.1-172.23.1.254
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp client configuration address-pool local dealer outside

crypto map partner-map 20 ipsec-isakmp dynamic cisco

vpngroup vpngroup address-pool dealer
vpngroup vpngroup split-tunnel ipsec
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********


(But now I need to set up a site-to-site to a FW-1)


access-list SHELL-VPN permit ip host MY_HOST(natted) host
HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(natted) host
HIS_HOST(natted)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host
HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host
HIS_HOST(natted)

access-list SHELL-VPN permit ip host HIS-HOST(no-nat) host
MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host
MY_HOST(no-nat)
access-list SHELL-VPN permit ip host HIS-HOST(natted) host
MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(natted) host
MY_HOST(no-nat)

(As you can see, I've opened it up for all possibilities)


access-list NO-NAT permit ip host MY_HOST(no-nat) host
HIS_HOST(no-nat)
access-list NO-NAT permit ip host MY_HOST(no-nat) host
HIS_HOST(natted)
access-list NO-NAT deny ip host MY_HOST(no-nat) any
nat (inside) 0 access-list NO-NAT


static (inside,outside) MY_HOST(natted) MY_HOST(no-nat) netmask
255.255.255.255 0 0


access-group My-outside-acl in interface outside

access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host
MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host
MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host
MY_HOST(no-nat) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host
MY_HOST(no-nat) eq ftp

(As you can see, I've opened it up for all possibilities)



crypto map partner-map 10 ipsec-isakmp
crypto map partner-map 10 match address SHELL-VPN
crypto map partner-map 10 set pfs group2
crypto map partner-map 10 set peer HIS_FIREWALL_address
crypto map partner-map 10 set transform-set set-2 strong
crypto map partner-map 10 set security-association lifetime seconds
3600 kilobytes 4608000

isakmp key ******** address 196.36.178.114 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1440



What am I overlooking? Are there compatibility issues between PIX and NG
IPsec?


Thanks!!
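Added example (editor's code, not from the post, from Cisco or from Check Point): a small Python parser that reads the kind of PIX `debug crypto isakmp` output quoted above and reduces it to the facts a responder needs when comparing notes with the other side: which Phase 1 proposal the PIX accepted (decoding the byte-wise `life duration (VPI)` attribute, which is 0x00015180 = 86400 seconds here), whether Phase 1 authenticated, whether the PIX started pushing client configuration to the peer, and how many Quick Mode duplicates and retransmits occurred without an IPsec SA ever being installed. It also cross-checks the peer's offered lifetime against the `isakmp policy` lines in the PIX config. The sample debug and config text are abridged copies of what the post shows; the `IPSEC(initialize_sas)` success marker is an assumption about `debug crypto ipsec` output and never appears in the post.

```python
"""Summarise a PIX 'debug crypto isakmp' capture: accepted Phase 1 proposal
(with the byte-wise lifetime attribute decoded), Phase 1 result, and whether
Phase 2 (Quick Mode) ever got past duplicates and retransmits."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: abridged copy of the debug lines quoted in the post.
# Placeholder peer names are kept as in the post; this is not a live capture.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
"""
# Constructed sample: the site-to-site ISAKMP policy lines from the post.
SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1440
"""

@dataclass
class IkeSummary:
    peer: Optional[str] = None
    policy_priority: Optional[int] = None
    proposal: Dict[str, str] = field(default_factory=dict)
    lifetime_seconds: Optional[int] = None
    phase1_authenticated: bool = False
    quick_mode_started: bool = False
    mode_config_attempted: bool = False
    phase2_duplicates: int = 0
    phase2_retransmits: int = 0
    ipsec_sa_installed: bool = False

PEER_RE = re.compile(r"^crypto_isakmp_process_block: src (\S+), dest (\S+)")
POLICY_RE = re.compile(r"transform \d+ against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|auth|default group)\s+(\S+)")
LIFE_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]{1,2}\s*)+)")

def decode_life_duration(hex_bytes: List[str]) -> int:
    """The PIX prints the variable-length lifetime attribute one byte at a
    time, most significant first: '0x0 0x1 0x51 0x80' -> 0x00015180 = 86400."""
    value = 0
    for b in hex_bytes:
        value = (value << 8) | int(b, 16)
    return value

def parse_isakmp_debug(text: str) -> IkeSummary:
    s = IkeSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PEER_RE.match(line)):
            s.peer = m.group(1)
        elif (m := POLICY_RE.search(line)):
            s.policy_priority = int(m.group(1))
        elif (m := ATTR_RE.match(line)):
            s.proposal[m.group(1)] = m.group(2)
        elif (m := LIFE_RE.search(line)):
            s.lifetime_seconds = decode_life_duration(m.group(1).split())
        elif "SA has been authenticated" in line:
            s.phase1_authenticated = True
        elif "OAK_QM exchange" in line:
            s.quick_mode_started = True
        elif "Need config/address" in line or "initiating peer config" in line:
            s.mode_config_attempted = True  # PIX treating peer as a mode-config client
        elif "phase 2 packet is a duplicate" in line:
            s.phase2_duplicates += 1
        elif "retransmitting phase 2" in line:
            s.phase2_retransmits += 1
        elif "IPSEC(initialize_sas)" in line:
            s.ipsec_sa_installed = True  # assumed 'debug crypto ipsec' success marker
    return s

def parse_pix_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Collect 'isakmp policy <n> <attr> <value>' lines into one dict per priority."""
    policies: Dict[int, Dict[str, str]] = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\w+) (\S+)", config, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def findings(s: IkeSummary, policies: Dict[int, Dict[str, str]]) -> List[str]:
    out = []
    if s.phase1_authenticated:
        out.append(f"Phase 1 completed with {s.peer}: {s.proposal.get('encryption')}/"
                   f"{s.proposal.get('hash')}/{s.proposal.get('auth')}/group "
                   f"{s.proposal.get('default group')}, lifetime {s.lifetime_seconds}s, "
                   f"matched policy {s.policy_priority}")
    else:
        out.append("Phase 1 did not authenticate; check pre-shared key and ISAKMP policy")
    pol = policies.get(s.policy_priority if s.policy_priority is not None else -1, {})
    if pol.get("lifetime") and int(pol["lifetime"]) != s.lifetime_seconds:
        out.append(f"Peer offered lifetime {s.lifetime_seconds}s but policy "
                   f"{s.policy_priority} is configured with {pol['lifetime']}s")
    if s.mode_config_attempted:
        out.append("PIX is pushing client configuration (mode-config) to this peer; "
                   "confirm that is intended for a site-to-site peer")
    if s.quick_mode_started and not s.ipsec_sa_installed:
        out.append(f"Phase 2 never completed: {s.phase2_duplicates} duplicate QM packets, "
                   f"{s.phase2_retransmits} retransmits; compare transform set, PFS group "
                   "and proxy identities (crypto ACL) on both peers")
    return out

if __name__ == "__main__":
    for line in findings(parse_isakmp_debug(SAMPLE_DEBUG),
                         parse_pix_isakmp_policies(SAMPLE_CONFIG)):
        print("-", line)
```

Run against the sample, the report states that Phase 1 completed (DES-CBC/SHA/pre-share/group 2, lifetime 86400 s against policy 10), that the policy's configured lifetime differs from what the peer offered (which matches the `RESPONDER_LIFETIME` notify in the post), that the PIX is attempting mode-config with this peer, and that Quick Mode never completed. The findings are observations to take to the other side's logs, not a diagnosis; the last two are the items a practitioner would compare first on a site-to-site tunnel.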