Firewall Wizards mailing list archives
RE: PIX-Firewal1 VPN
From: "Sutantyo, Danny" <DSutantyo () livingstonintl com>
Date: Thu, 29 May 2003 10:59:47 -0400
Zulu,

Remember the interesting traffic (ACL) on your PIX FW has to match the encryption domain on NG. Make sure you check that, and go to phoneboy.com; there's an article on setting up a tunnel between these two devices.

DS

-----Original Message-----
From: Zulu [mailto:zulu () thepub co za]
Sent: Thursday, May 29, 2003 04:17 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX-Firewal1 VPN

Hi All,

Sorry 'bout the HTML mail. (long story)

I am trying to set up a VPN from my PIX 6.22 to a FireWall-1 NG FP2. The NG box will always initiate the VPN. Here is what I get when I debug ipsec & isakmp:

crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
VPN Peer: ISAKMP: Added new peer: ip:NG-FWL_ADDRESS Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:NG-FWL_ADDRESS Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP: Created a peer node for NG-FWL_ADDRESS
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to NG-FWL_ADDRESS. ID = 4174316855 (0xf8cf0537)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...

My config looks like this: (There is a Cisco VPN client thingy set up already, AND IT WORKS)

isakmp enable outside
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set set-2 esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set strong
crypto map partner-map client configuration address initiate
crypto map partner-map interface outside
access-list ipsec permit ip host HOST-A 172.23.1.0 255.255.255.0
access-list ipsec permit ip host HOST_B 172.23.1.0 255.255.255.0
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
ip local pool dealer 172.23.1.1-172.23.1.254
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp client configuration address-pool local dealer outside
crypto map partner-map 20 ipsec-isakmp dynamic cisco
vpngroup vpngroup address-pool dealer
vpngroup vpngroup split-tunnel ipsec
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********

(But now I need to set up a site-to-site to a FW1)

access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(natted)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host MY_HOST(no-nat)
access-list SHELL-VPN permit ip host HIS_HOST(natted) host MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(natted) host MY_HOST(no-nat)
(As you can see I've opened for all possibilities)

access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(natted)
access-list NO-NAT deny ip host MY_HOST(no-nat) any
nat (inside) 0 access-list NO-NAT
static (inside,outside) MY_HOST(natted) MY_HOST(no-nat) netmask 255.255.255.255 0 0

access-group My-outside-acl in interface outside
access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(no-nat) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(no-nat) eq ftp
(As you can see I've opened for all possibilities)

crypto map partner-map 10 ipsec-isakmp
crypto map partner-map 10 match address SHELL-VPN
crypto map partner-map 10 set pfs group2
crypto map partner-map 10 set peer HIS_FIREWALL_address
crypto map partner-map 10 set transform-set set-2 strong
crypto map partner-map 10 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key ******** address 196.36.178.114 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1440

What am I overlooking?? Are there compatibility issues with PIX and NG IPsec??

Thanks!!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
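Danny's point, that the crypto ACL on the PIX has to line up with the encryption domain defined on the NG, is the kind of thing that is easy to check mechanically before going back to `debug crypto`. The script below is an added example written for this archive page; it is not code from the post, from Cisco or from Check Point. It parses PIX 6.x `access-list` lines (addresses are `host A`, `any`, or `A MASK` with a subnet mask, not an IOS-style wildcard), keeps the entries that belong to the crypto map's ACL, and sorts each one against two constructed encryption domains: entries written local-to-remote (the way a PIX crypto ACL is meant to be written, because the PIX evaluates inbound traffic against the mirror image on its own), entries written in the reverse direction, entries that fall outside both domains (including a proxy ID broader than any host the peer defines), and local/remote pairs that no entry covers at all. The sample config, the `PIX_SIDE` and `NG_SIDE` domains and the RFC 5737 documentation addresses in them are constructed placeholders, not the poster's real hosts; only the ACL name `SHELL-VPN` is taken from the post.

```python
import ipaddress
import re

# Constructed sample in the style of the post; placeholder hosts are replaced by
# RFC 5737 documentation addresses (an assumption, not the poster's real hosts).
PIX_CONFIG = """
access-list SHELL-VPN permit ip host 192.0.2.10 host 198.51.100.20
access-list SHELL-VPN permit ip host 192.0.2.10 host 198.51.100.21
access-list SHELL-VPN permit ip host 198.51.100.20 host 192.0.2.10
access-list SHELL-VPN permit ip host 192.0.2.10 host 203.0.113.5
access-list SHELL-VPN permit ip host 192.0.2.10 198.51.100.0 255.255.255.0
access-list NO-NAT permit ip host 192.0.2.10 host 198.51.100.20
"""

# Encryption domains as the two sides would define them (constructed): the hosts
# behind the NG, and the PIX-side host the NG expects to talk to.
NG_SIDE = [ipaddress.ip_network(n) for n in
           ("198.51.100.20/32", "198.51.100.21/32", "198.51.100.22/32")]
PIX_SIDE = [ipaddress.ip_network("192.0.2.10/32")]

# PIX 6.x ACL syntax: access-list NAME permit|deny PROTO SRC DST, where an
# address is "host A", "any" or "A MASK" (a subnet mask, not an IOS wildcard).
ADDR = r"host\s+\S+|any|\S+\s+\S+"
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})\s*$"
)


def _net(token: str) -> ipaddress.IPv4Network:
    """Convert a PIX address token into an IPv4Network."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = parts
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix_acl(config: str, name: str) -> list:
    """Return the entries of access-list NAME as dicts with parsed src/dst networks."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and m.group("name") == name:
            entries.append({"line": line, "action": m.group("action"),
                            "proto": m.group("proto"),
                            "src": _net(m.group("src")), "dst": _net(m.group("dst"))})
    return entries


def _within(net: ipaddress.IPv4Network, domain: list) -> bool:
    """True if net is contained in one of the domain's networks."""
    return any(net.subnet_of(d) for d in domain)


def check_crypto_acl(entries: list, local_domain: list, remote_domain: list) -> dict:
    """Classify crypto ACL entries against the two encryption domains.

    A PIX crypto ACL is written from the local side: src is local, dst is remote,
    and the PIX evaluates inbound traffic against the mirror image by itself, so
    the peer's encryption domain must be the mirror of the 'ok' entries here.
    """
    report = {"ok": [], "reversed": [], "outside_domain": [], "unclassified": [], "missing": []}
    forward = []
    for e in entries:
        if e["action"] != "permit" or e["proto"] != "ip":
            report["unclassified"].append(e["line"])  # deny / port-specific: look by hand
        elif _within(e["src"], local_domain) and _within(e["dst"], remote_domain):
            report["ok"].append(e["line"])
            forward.append(e)
        elif _within(e["src"], remote_domain) and _within(e["dst"], local_domain):
            report["reversed"].append(e["line"])
        else:
            report["outside_domain"].append(e["line"])
    # Every local/remote pair in the domains should be covered by some 'ok' entry.
    for loc in local_domain:
        for rem in remote_domain:
            if not any(loc.subnet_of(e["src"]) and rem.subnet_of(e["dst"]) for e in forward):
                report["missing"].append(f"{loc} -> {rem}")
    return report


if __name__ == "__main__":
    result = check_crypto_acl(parse_pix_acl(PIX_CONFIG, "SHELL-VPN"), PIX_SIDE, NG_SIDE)
    for bucket, lines in result.items():
        for line in lines:
            print(f"{bucket:15} {line}")
```

Run against the sample, the third entry lands in `reversed`, the `203.0.113.5` entry and the `/24` entry land in `outside_domain` (the NG defines single hosts, so a /24 proxy ID matches none of them), and `198.51.100.22` is reported as `missing` because no entry covers it. Swapping in the real ACL and the peer's real domain is a matter of replacing the two constructed blocks at the top.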
Current thread:
- PIX-Firewal1 VPN Zulu (May 29)
- <Possible follow-ups>
- RE: PIX-Firewal1 VPN Sutantyo, Danny (May 29)