From: terrydoc on 1 Jun 2010 06:40

Having trouble establishing PIX VPN with Juniper firewall; I am configuring the PIX - traffic from 1.1.1.1 should establish the VPN...

Juniper Proposals are ESP 3DES HMAC SHA1 (IKE)
Juniper: (192.168.1.254 inside; outside 1.1.1.1)

IKE - Phase 1 proposal
exchange: main mode
dh group: group 2
encryption: 3des
authentication: sha1
lifetime: 28800

IPSEC - Phase 2 proposal
protocol: esp
encryption: 3des
authentication: sha1
lifetime: 28800
____________________________

Cisco PIX (192.168.100.254 inside; outside 2.2.2.2)

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside 2.2.2.2 255.255.255.192
ip address inside 192.168.100.254 255.255.255.0

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 2.2.2.3 1

sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-aes-192 esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 102
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
____________________________________

ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
ISAKMP (0): deleting SA: src 1.1.1.1, dst 2.2.2.2
return status is IKMP_ERR_NO_RETRANS
ISADB: reaper checking SA 0x1182924, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:1.1.1.1/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:1.1.1.1/500 Total VPN peers: 0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 1.1.1.1

crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): ID payload
next-payload : 10
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:1.1.1.1/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:1.1.1.1/500 Ref cnt incremented to:1 Total VPN Peers:1

crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 566405065
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-SHA
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
___________________________

PIXFW# show crypto ipsec sa
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x21c2a7c9
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x21c2a7c9

interface: outside
Crypto map tag: mymap, local addr. 2.2.2.2

local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:
inbound ah sas:
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x21c2a7c9
ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x21c2a7c9
transmitting phase 2 (6/0)... mess_id 0x21c2a7c9
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
___________________________________
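An added check (example code, not from the thread): decode the phase-2 rejection in the debug above and compare it with the PIX transform set. The numbers in "(prot 3, trans 3, hmac_alg 2)" are IPsec DOI identifiers from RFC 2407 (ESP, 3DES, HMAC-SHA; the debug's own "transform 1, ESP_3DES" line confirms trans 3), and the config and debug lines are embedded inline from the post so the check runs offline.

```python
import re

# Config and debug lines embedded from the post above (constructed inline so the check runs offline)
PIX_CONFIG = """
crypto ipsec transform-set mytrans esp-aes-192 esp-sha-hmac
crypto map mymap 10 set transform-set mytrans
"""
PIX_DEBUG = "IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported"

# IPsec DOI numbers (RFC 2407) printed by the PIX in the validate_proposal line
PROTO = {2: "AH", 3: "ESP"}
ESP_TRANSFORM = {2: "DES", 3: "3DES", 12: "AES"}
AUTH_ALG = {1: "HMAC-MD5", 2: "HMAC-SHA"}
# PIX transform-set keywords mapped to the same names (AES key length is a separate attribute)
PIX_ESP = {"esp-des": "DES", "esp-3des": "3DES", "esp-aes": "AES", "esp-aes-192": "AES", "esp-aes-256": "AES"}
PIX_AUTH = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}

def parse_transform_sets(config):
    """Return {name: (cipher, integrity)} for each 'crypto ipsec transform-set' line."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)((?: \S+)+)$", config, re.M):
        keywords = m.group(2).split()
        cipher = next((PIX_ESP[k] for k in keywords if k in PIX_ESP), None)
        auth = next((PIX_AUTH[k] for k in keywords if k in PIX_AUTH), None)
        sets[m.group(1)] = (cipher, auth)
    return sets

def parse_rejected_proposal(debug):
    """Decode (protocol, cipher, integrity) from the 'not supported' rejection, or None."""
    m = re.search(r"transform proposal \(prot (\d+), trans (\d+), hmac_alg (\d+)\) not supported", debug)
    if not m:
        return None
    prot, trans, alg = (int(x) for x in m.groups())
    return (PROTO.get(prot, f"proto-{prot}"), ESP_TRANSFORM.get(trans, f"trans-{trans}"),
            AUTH_ALG.get(alg, f"auth-{alg}"))

def explain_mismatch(config, debug):
    """One line per local transform set saying how it differs from the peer's rejected proposal."""
    peer = parse_rejected_proposal(debug)
    if peer is None:
        return "no phase-2 rejection found in debug"
    _, peer_cipher, peer_auth = peer
    lines = []
    for name, (cipher, auth) in parse_transform_sets(config).items():
        diffs = [f"{label} {ours} vs peer {theirs}" for label, ours, theirs
                 in (("cipher", cipher, peer_cipher), ("integrity", auth, peer_auth)) if ours != theirs]
        lines.append(f"{name}: " + ("; ".join(diffs) if diffs else "matches peer proposal"))
    return "\n".join(lines)
```

Run against the post's lines it reports "mytrans: cipher AES vs peer 3DES": phase 1 completes because the isakmp policy matches the Juniper proposal, but the crypto map offers AES-192 where the peer proposes 3DES, so quick mode is rejected and the phase-2 retransmits in the show output never produce an SA.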
From: terrydoc on 1 Jun 2010 07:23

On 1 June, 11:40, "terry...(a)o2.ie" <terry...(a)o2.ie> wrote:
> Having trouble establishing PIX VPN with Juniper firewall; I am
> configuring the PIX - traffic from 1.1.1.1 should establish the VPN...
> [...]

I made a change (I saw "ISAKMP (0:0): vendor ID is NAT-T" in the original debug):

isakmp nat-traversal 20

It appears to have made a difference, as now I have:

PIXFW(config)# show crypto ipsec sa

interface: outside
Crypto map tag: mymap, local addr. 2.2.2.2

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer: 1.1.1.1:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
ISAKMP (0): retransmitting phase 2 (5/1)... mess_id 0x2a16ee5f
#send errors 0, #recv errors 0

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

PIXFW(config)# ISAKMP (0): retransmitting phase 2 (6/1)... mess_id 0x2a16ee5f
PIXFW(config)#
PIXFW(config)# show crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
2.2.2.2 1.1.1.1 QM_IDLE 0 0