Firewall Wizards mailing list archives
PIX-Firewal1 VPN
From: "Zulu" <zulu () thepub co za>
Date: Thu, 29 May 2003 10:16:59 +0200
Hi All, sorry 'bout the HTML mail (long story).

I am trying to set up a VPN from my PIX 6.22 to a Firewall-1 NG FP2. The NG box will always initiate the VPN. Here is what I get when I debug ipsec & isakmp:

crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
VPN Peer: ISAKMP: Added new peer: ip:NG-FWL_ADDRESS Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:NG-FWL_ADDRESS Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP: Created a peer node for NG-FWL_ADDRESS
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to NG-FWL_ADDRESS. ID = 4174316855 (0xf8cf0537)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...

My config looks like this: (There is a Cisco VPN client thingy set up already, and it works!)

isakmp enable outside
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set set-2 esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set strong
crypto map partner-map client configuration address initiate
crypto map partner-map interface outside
access-list ipsec permit ip host HOST-A 172.23.1.0 255.255.255.0
access-list ipsec permit ip host HOST_B 172.23.1.0 255.255.255.0
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
ip local pool dealer 172.23.1.1-172.23.1.254
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp client configuration address-pool local dealer outside
crypto map partner-map 20 ipsec-isakmp dynamic cisco
vpngroup vpngroup address-pool dealer
vpngroup vpngroup split-tunnel ipsec
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********

(But now I need to set up a site-to-site to a FW1)

access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(natted)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(natted)
access-list SHELL-VPN permit ip host HIS-HOST(no-nat) host MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host MY_HOST(no-nat)
access-list SHELL-VPN permit ip host HIS-HOST(natted) host MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(natted) host MY_HOST(no-nat)
(As you can see, I've opened for all possibilities)
access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(natted)
access-list NO-NAT deny ip host MY_HOST(no-nat) any
nat (inside) 0 access-list NO-NAT
static (inside,outside) MY_HOST(natted) MY_HOST(no-nat) netmask 255.255.255.255 0 0
access-group My-outside-acl in interface outside
access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(no-nat) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(no-nat) eq ftp
(As you can see, I've opened for all possibilities)
crypto map partner-map 10 ipsec-isakmp
crypto map partner-map 10 match address SHELL-VPN
crypto map partner-map 10 set pfs group2
crypto map partner-map 10 set peer HIS_FIREWALL_address
crypto map partner-map 10 set transform-set set-2 strong
crypto map partner-map 10 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key ******** address 196.36.178.114 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1440

What am I overlooking?? Are there compatibility issues with PIX and NG IPSEC??
Thanks!!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
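A triage script for the kind of `debug crypto isakmp` capture posted above, added here as an example and not code from the original post or from Cisco. It walks the debug lines, records the phase 1 transform the peer offered (decoding the variable-length lifetime, 0x0 0x1 0x51 0x80 = 86400 seconds), notes whether main mode authenticated, whether the PIX started pushing IKE mode-config ("Need config/address" / "initiating peer config") to the peer, whether an IPsec proposal was ever processed, and how many phase 2 duplicates and retransmits followed. The sample input is the poster's own debug output, trimmed; NG-FWL_ADDRESS and PIX-FWL_ADDRESS are the placeholders the poster used. The "Checking IPSec proposal" phrase is the PIX wording for the start of quick-mode proposal processing and is assumed here; it does not occur in the posted capture.

```python
"""Triage a PIX 6.x 'debug crypto isakmp' capture: where did IKE stall?

Added example, not code from the original post. The sample is the poster's
debug output, trimmed; peer names are the placeholders the poster used.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed from the posted capture (trimmed): phase 1 completes, then the
# PIX initiates mode-config to the peer and quick mode never progresses.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to NG-FWL_ADDRESS. ID = 4174316855 (0xf8cf0537)
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
"""

PEER_RE = re.compile(r"^crypto_isakmp_process_block: src (\S+), dest (\S+)")
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|auth|default group|life type)\s+(.+?)\s*$")
LIFE_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
CONFIG_RE = re.compile(r"initiating peer config to (\S+)\.")


@dataclass
class IkeTriage:
    peer: Optional[str] = None
    phase1_attrs: Dict[str, str] = field(default_factory=dict)  # transform the peer offered
    phase1_lifetime_seconds: Optional[int] = None
    phase1_accepted: bool = False
    phase1_authenticated: bool = False
    quick_mode_started: bool = False
    mode_config_peer: Optional[str] = None  # PIX pushed IKE mode-config to this peer
    ipsec_proposal_seen: bool = False       # assumed PIX phrase "Checking IPSec proposal"
    phase2_duplicates: int = 0
    phase2_retransmits: int = 0

    def diagnosis(self) -> str:
        if not self.phase1_authenticated:
            return "phase1-failed: main mode never reached 'SA has been authenticated'"
        if self.mode_config_peer and not self.ipsec_proposal_seen:
            return (f"mode-config-stall: phase 1 done, but the PIX initiated IKE mode-config "
                    f"(Need config/address) to {self.mode_config_peer} and no IPsec proposal "
                    f"was processed; {self.phase2_retransmits} retransmits, "
                    f"{self.phase2_duplicates} duplicate phase 2 packets")
        if self.phase2_retransmits:
            return "phase2-retransmit: quick mode started but the peer is not answering"
        return "ok: no stall detected"


def decode_vpi(hex_bytes: str) -> int:
    """'0x0 0x1 0x51 0x80' -> 86400: big-endian variable-length integer."""
    value = 0
    for tok in hex_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_isakmp_debug(text: str) -> IkeTriage:
    t = IkeTriage()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PEER_RE.match(line)) and t.peer is None:
            t.peer = m.group(1)
        elif m := ATTR_RE.match(line):
            key = {"default group": "group", "life type": "life_type"}.get(m.group(1), m.group(1))
            t.phase1_attrs[key] = m.group(2)
        elif m := LIFE_RE.search(line):
            t.phase1_lifetime_seconds = decode_vpi(m.group(1))
        elif "atts are acceptable" in line:
            t.phase1_accepted = True
        elif "SA has been authenticated" in line:
            t.phase1_authenticated = True
        elif line.startswith("OAK_QM exchange"):
            t.quick_mode_started = True
        elif m := CONFIG_RE.search(line):
            t.mode_config_peer = m.group(1)
        elif "Checking IPSec proposal" in line:
            t.ipsec_proposal_seen = True
        elif "phase 2 packet is a duplicate" in line:
            t.phase2_duplicates += 1
        elif "retransmitting phase 2" in line:
            t.phase2_retransmits += 1
    return t


if __name__ == "__main__":
    result = parse_isakmp_debug(SAMPLE_DEBUG)
    print(result.peer, result.phase1_attrs, result.phase1_lifetime_seconds)
    print(result.diagnosis())
```

Two things the script makes visible that are easy to miss in the raw dump. First, the peer offered a 86400-second phase 1 lifetime against the PIX's policy 10 lifetime of 1440, and the PIX accepted and sent a RESPONDER_LIFETIME notify, which is the normal way a responder tells the initiator it will use the shorter value; that part is healthy. Second, phase 1 ends with the PIX initiating mode-config to the peer rather than processing a quick-mode proposal, which is what `crypto map partner-map client configuration address initiate` does for every peer that lands on that map. On PIX 6.x the `isakmp key` command takes `no-xauth` and `no-config-mode` keywords for exactly this situation (a LAN-to-LAN peer sharing a crypto map with remote-access clients), so `isakmp key ******** address 196.36.178.114 netmask 255.255.255.255 no-xauth no-config-mode` is the first check to make; whether that was the poster's actual fix is not confirmed by this thread.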
Current thread:
- PIX-Firewal1 VPN Zulu (May 29)
- <Possible follow-ups>
- RE: PIX-Firewal1 VPN Sutantyo, Danny (May 29)