Firewall Wizards mailing list archives

RE: PIX-Firewal1 VPN


From: "Sutantyo, Danny" <DSutantyo () livingstonintl com>
Date: Thu, 29 May 2003 10:59:47 -0400

Zulu,

Remember that the interesting traffic (ACL) on your PIX FW has to match the
encryption domain on NG. Make sure you check that, and go to phoneboy.com;
there's an article on setting up a tunnel between these 2 devices.

DS



-----Original Message-----
From: Zulu [mailto:zulu () thepub co za] 
Sent: Thursday, May 29, 2003 04:17 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX-Firewal1 VPN


Hi All,

Sorry 'bout the html mail. (long story)

I am trying to set up a VPN from my PIX 6.22 to a Firewall-1 NG FP2. The NG
box will always initiate the VPN.

Here is what I get when I debug ipsec & isakmp:

crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
VPN Peer: ISAKMP: Added new peer: ip:NG-FWL_ADDRESS Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:NG-FWL_ADDRESS Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP: Created a peer node for NG-FWL_ADDRESS
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to NG-FWL_ADDRESS. ID = 4174316855 (0xf8cf0537)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...

My Config looks like this:


(There is a Cisco VPN client thing set up already, and it works!)

isakmp enable outside
sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set set-2 esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set strong
crypto map partner-map client configuration address initiate
crypto map partner-map interface outside

access-list ipsec permit ip host HOST-A 172.23.1.0 255.255.255.0
access-list ipsec permit ip host HOST_B 172.23.1.0 255.255.255.0

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

ip local pool dealer 172.23.1.1-172.23.1.254
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp client configuration address-pool local dealer outside

crypto map partner-map 20 ipsec-isakmp dynamic cisco

vpngroup vpngroup address-pool dealer
vpngroup vpngroup split-tunnel ipsec
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********


(But now I need to set up a site-to-site to a FW1)


access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(natted)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(natted)

access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host MY_HOST(no-nat)
access-list SHELL-VPN permit ip host HIS_HOST(natted) host MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(natted) host MY_HOST(no-nat)

(As you can see, I've opened it up for all possibilities)


access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(natted)
access-list NO-NAT deny ip host MY_HOST(no-nat) any
nat (inside) 0 access-list NO-NAT


static (inside,outside) MY_HOST(natted) MY_HOST(no-nat) netmask 255.255.255.255 0 0


access-group My-outside-acl in interface outside

access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(no-nat) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(no-nat) eq ftp

(As you can see, I've opened it up for all possibilities)



crypto map partner-map 10 ipsec-isakmp
crypto map partner-map 10 match address SHELL-VPN
crypto map partner-map 10 set pfs group2
crypto map partner-map 10 set peer HIS_FIREWALL_address
crypto map partner-map 10 set transform-set set-2 strong
crypto map partner-map 10 set security-association lifetime seconds 3600 kilobytes 4608000

isakmp key ******** address 196.36.178.114 netmask 255.255.255.255 
isakmp identity address 
isakmp policy 10 authentication pre-share 
isakmp policy 10 encryption des 
isakmp policy 10 hash sha 
isakmp policy 10 group 2 
isakmp policy 10 lifetime 1440



What am I overlooking? Are there compatibility issues with PIX and NG IPsec?


Thanks!!
_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
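The check Danny recommends, as an added example that is neither poster's code: a small Python script that parses PIX crypto-ACL entries and diffs them against the proxy-ID pairs a Check Point NG encryption domain implies. The addresses are constructed RFC 5737 placeholders standing in for MY_HOST and HIS_HOST, and the NG domain contents are assumed values.

```python
"""Compare a PIX crypto ACL with a Check Point NG encryption domain.
Added example (not from either poster): PIX `access-list` lines become
(src, dst) network pairs, diffed against the pairs the NG peer will send
as phase 2 proxy IDs. Addresses are constructed RFC 5737 placeholders."""
import ipaddress
import re

# access-list NAME permit ip <host A | NET MASK> <host B | NET MASK>
ACE_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+"
                    r"(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)")

# Constructed stand-ins: MY_HOST(natted)=198.51.100.10, MY_HOST(no-nat)=192.0.2.10,
# HIS_HOST(no-nat)=203.0.113.20, HIS_HOST(natted)=203.0.113.220
SAMPLE_PIX_CONFIG = """
access-list SHELL-VPN permit ip host 198.51.100.10 host 203.0.113.20
access-list SHELL-VPN permit ip host 198.51.100.10 host 203.0.113.220
access-list SHELL-VPN permit ip host 192.0.2.10 host 203.0.113.20
access-list SHELL-VPN permit ip host 192.0.2.10 host 203.0.113.220
access-list ipsec permit ip host 192.0.2.10 172.23.1.0 255.255.255.0
"""
# Assumed NG side: its own encryption domain, and what it believes the PIX protects
NG_LOCAL_DOMAIN = ["203.0.113.20/32"]
NG_REMOTE_DOMAIN = ["198.51.100.10/32"]  # NG only ever sees the NATted address

def to_net(tok: str) -> ipaddress.IPv4Network:
    """'host A' -> A/32; 'NET MASK' -> NET/MASK (PIX writes real masks)."""
    parts = tok.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_crypto_acl(config: str, name: str) -> set:
    """(src, dst) pairs permitted by access-list NAME; other ACLs are ignored."""
    pairs = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            pairs.add((to_net(m.group(2)), to_net(m.group(3))))
    return pairs

def ng_pairs(local_domain, remote_domain) -> set:
    """Proxy-ID pairs NG expects, written from the PIX side as (PIX net, NG net)."""
    return {(ipaddress.ip_network(r), ipaddress.ip_network(l))
            for l in local_domain for r in remote_domain}

def compare(acl_name: str = "SHELL-VPN") -> dict:
    """Entries on only one side; both lists must be empty for phase 2 to agree."""
    pix = parse_crypto_acl(SAMPLE_PIX_CONFIG, acl_name)
    ng = ng_pairs(NG_LOCAL_DOMAIN, NG_REMOTE_DOMAIN)
    return {"pix_only": sorted(pix - ng, key=str), "ng_only": sorted(ng - pix, key=str)}
```

Anything listed under pix_only or ng_only is a proxy ID the other peer has no matching policy for, so the goal is both lists empty.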

