Re: Pix to Vigor VPN

["Ben Nagy" <ben () iagu net>]

Hm.

More logs would be good - does the other end produce any kind of logs that
we could look at? Also, try running a debug crypto ipsec - it looks like
isakmp is finishing OK, but the problem is from the IPSec engine.

The only things I can quickly pick up from looking at the stuff below is
that firstly, that incoming spi appears to match - 0xbbeab54f is 3152721231,
which matches the incoming SPI from the debug. Normally this error message
is caused by an age difference in the SAs between the two devices (the
remote device hasn't yet cleared the SPI from the last connection), which
was what I typed before I looked more carefully. Here...dunno.

> From here, I'd try and get the deb cryp ipsec, also a couple of show
commands, like sh cryp ipsec sa and sh cryp isa sa. Also, what's the version
of your PIX software - you could check for outstanding issues (some past PIX
bugs have caused failures with that message).

On suspicion, you could always try using a different subnet, too - 10.0.0.0
and 10.2.254.0 can appear to be subnets of each other (although not with the
netmasks you're using) - some bizarre devices may have problems with that,
and also some devices may have problems with zero subnets (although that's
wrong). Also make sure that they have the netmasks matching yours at the
other end (although it appears so from the ISAKMP debugs). That's all kind
of voodoo and arm waving, though.

Good luck,

ben

----- Original Message -----
From: "Richard Worwood" <richardw () tdbnetworks com>
To: <firewall-wizards () honor icsalabs com>
Sent: Friday, January 17, 2003 12:32 AM
Subject: [fw-wiz] Pix to Vigor VPN


> I'm having some problems setting up a VPN between a Pix 501 and a Vigor
2600
> over ADSL, the intention is to migrate the vpn across to the production
520
> once I've got this going alongside a dial vpn config but as ever I'm
having
> a few problems.
>
> It would seem that I've got the vpn so that it will authenticate and
> establish itself and then it gets a "decaps: rec'd IPSEC packet has
invalid
> spi for destaddr=xx.xx.4.83, prot=esp, spi=0xbbeab54f(0)" error and it all
> falls over.
>
> I've attached the output from a debug crypto isakmp trace and a copy of
the
> pix config below .
>
> If anyone could help I would be most greatfull.
>
> crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83
> VPN Peer: ISAKMP: Added new peer: ip:xx.xx.1.46 Total VPN Peers:1
> VPN Peer: ISAKMP: Peer ip:xx.xx.1.46 Ref cnt incremented to:1 Total VPN
> Peers:1
> OAK_MM exchange
> ISAKMP (0): processing SA payload. message ID = 0
>
> ISAKMP (0): Checking ISAKMP transform 0 against priority 22 policy
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (basic) of 28800
> ISAKMP:      encryption DES-CBC
> ISAKMP:      hash MD5
> ISAKMP:      auth pre-share
> ISAKMP:      default group 1
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 1 against priority 22 policy
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (basic) of 28800
> ISAKMP:      encryption DES-CBC
> ISAKMP:      hash SHA
> ISAKMP:      auth pre-share
> ISAKMP:      default group 1
> ISAKMP (0): atts are acceptable. Next payload is 3
> ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_FQDN
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83 OAK_MM
exchange
> ISAKMP (0): processing KE payload. message ID = 0
>
> ISAKMP (0): processing NONCE payload. message ID = 0
>
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83 OAK_MM
exchange
> ISAKMP (0): processing ID payload. message ID = 0
> ISAKMP (0): processing HASH payload. message ID = 0
> ISAKMP (0): SA has been authenticated
>
> ISAKMP (0): ID payload
>         next-payload : 8
>         type         : 2
>         protocol     : 17
>         port         : 500
>         length       : 28
> ISAKMP (0): Total payload length: 32
> return status is IKMP_NO_ERROR
> ISAKMP (0): sending INITIAL_CONTACT notify
> ISAKMP (0): sending NOTIFY message 24578 protocol 1
> ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
> ISAKMP (0): sending NOTIFY message 24576 protocol 1
> crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 1647417420
>
> ISAKMP : Checking IPSec proposal 0
>
> ISAKMP: transform 0, ESP_DES
> ISAKMP:   attributes in transform:
> ISAKMP:      encaps is 1
> ISAKMP:      SA life type in seconds
> ISAKMP:      SA life duration (basic) of 3600
> ISAKMP:      authenticator is HMAC-MD5
> ISAKMP (0): atts not acceptable. Next payload is 3
> ISAKMP: transform 1, ESP_DES
> ISAKMP:   attributes in transform:
> ISAKMP:      encaps is 1
> ISAKMP:      SA life type in seconds
> ISAKMP:      SA life duration (basic) of 3600
> ISAKMP:      authenticator is HMAC-SHA
> ISAKMP (0): atts are acceptable.
> ISAKMP (0): processing NONCE payload. message ID = 1647417420
>
> ISAKMP (0): processing ID payload. message ID = 1647417420
> ISAKMP (0): ID_IPV4_ADDR_SUBNET src 10.2.254.0/255.255.255.0 prot 0 port 0
> ISAKMP (0): processing ID payload. message ID = 1647417420
> ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 10.0.0.0/255.255.255.0 prot 0 port 0
> return status is IKMP_NO_ERROR4
> ISAKMP (0): sending NOTIFY message 11 protocol 3
> crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83 OAK_QM
exchange
> oakley_process_quick_mode: OAK_QM_AUTH_AWAIT
> ISAKMP (0): Creating IPSec SAs
>         inbound SA from      xx.xx.1.46 to      xx.xx.4.83 (proxy
> 10.2.254.
> 0 to        10.0.0.0)
>         has spi 3152721231 and conn_id 4 and flags 4
>         lifetime of 3600 seconds
>         outbound SA from      xx.xx.4.83 to      xx.xx.1.46 (proxy
> 10.0.0
> .0 to      10.2.254.0)
>         has spi 4286529457 and conn_id 3 and flags 4
>         lifetime of 3600 seconds
> VPN Peer: IPSEC: Peer ip:xx.xx.1.46 Ref cnt incremented to:2 Total VPN
> Peers:1
> VPN Peer: IPSEC: Peer ip:xx.xx.1.46 Ref cnt incremented to:3 Total VPN
> Peers:1
> return status is IKMP_NO_ERROR02101: decaps: rec'd IPSEC packet has
invalid
> spi
> for destaddr=xx.xx.4.83, prot=esp, spi=0xbbeab54f(0)
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname tdb-dev-fw
> domain-name abracad.co.uk
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list Bexleyheath-vpn-traffic permit ip 10.0.0.0 255.255.255.0
> 10.2.254.0
> 255.255.255.0
> pager lines 24
> logging on
> logging timestamp
> logging console warnings
> logging buffered debugging
> logging trap warnings
> logging history warnings
> logging facility 22
> logging host inside 10.0.0.170
> interface ethernet0 10baset
> interface ethernet1 10full
> mtu outside 1500
> mtu inside 1500
> ip address outside xx.xx.4.83 255.255.255.248
> ip address inside 10.0.0.254 255.255.255.0
> ip verify reverse-path interface outside
> ip audit info action alarm
> ip audit attack action alarm
> pdm location 10.0.0.0 255.255.255.0 inside
> pdm location 10.0.3.0 255.255.255.0 inside
> pdm location 10.0.0.170 255.255.255.255 inside
> pdm logging warnings 100
> pdm history enable
> arp timeout 14400
> global (outside) 17 xx.xx.4.82
> nat (inside) 17 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 xx.xx.4.86 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> 0:05:00 si
> p 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> http server enable
> http 10.0.0.0 255.255.255.0 inside
> http 10.0.3.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> tftp-server inside 10.0.0.170 /
> floodguard enable
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set Tunnel-ESP-DES-MD5 esp-des esp-sha-hmac
> crypto map Bexleyheath-Tunnel 222 ipsec-isakmp
> crypto map Bexleyheath-Tunnel 222 match address Bexleyheath-vpn-traffic
> crypto map Bexleyheath-Tunnel 222 set peer xx.xx.1.46
> crypto map Bexleyheath-Tunnel 222 set transform-set Tunnel-ESP-DES-MD5
> crypto map Bexleyheath-Tunnel interface outside
> isakmp enable outside
> isakmp key ******** address xx.xx.1.46 netmask 255.255.255.255 no-xauth
> no-confi
> g-mode
> isakmp policy 22 authentication pre-share
> isakmp policy 22 encryption des
> isakmp policy 22 hash sha
> isakmp policy 22 group 1
> isakmp policy 22 lifetime 5000
> telnet timeout 5
> ssh 10.0.0.0 255.255.255.0 inside
> ssh 10.0.3.0 255.255.255.0 inside
> ssh timeout 5
> terminal width 80
>
>
> Thanks in advance
>
> Richard
>
> ________________________________________________________
> Richard Worwood, TDB Networks
> 4 High Street, Twyford, Berkshire  RG10 9AE
> Office: +44 (0) 118 934 0056
> Mobile: +44 (0) 7771 662880
> Email: richardw () tdbnetworks com
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards