Firewall Wizards mailing list archives

Pix to Checkpoint VPN Connectivity


From: "Richard Worwood" <richardw () tdbnetworks com>
Date: Mon, 10 May 2004 07:41:02 +0100

I'm in the process of trying to set up a VPN connection between our Pix 515
and a supplier who has a Checkpoint firewall, but I'm not having an awful lot of
luck. It looks to me from the debugs I've captured as if the VPN is
establishing successfully but for some reason is unable to establish a
credible proxy relationship to allow communications to flow. I've included
copies of the debug capture and the config of my firewall for review as I
suspect I'm just doing something stupid, but as ever any help will be
gratefully received.

Regards

Richard

Pix Debug Log

ISAKMP (0): beginning Quick Mode exchange, M-ID of
-1779604032:95ed65c0IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xd7e65927(3622197543) for SA 
from  x.x.19.139 to      x.x.4.83 for prot 3

crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2515363264

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83, 
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83, 
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANSIPSEC(key_engine): request timer fired:
count = 1,
  (identity) local= x.x.4.83, remote= x.x.19.139, 
    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1), 
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)

ISAKMP (0): beginning Quick Mode exchange, M-ID of
52913619:32765d3IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3985d33c(965071676) for SA 
from  x.x.19.139 to      x.x.4.83 for prot 3

crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 52913619

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83, 
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83, 
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANSIPSEC(key_engine): request timer fired:
count = 2,
  (identity) local= x.x.4.83, remote= x.x.19.139, 
    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1), 
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)


Config file

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 tdb-vpn security10
enable password xxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxx
hostname fw01
domain-name tester.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list inbound-acl permit icmp any any echo-reply 
access-list inbound-acl permit icmp any any unreachable 
access-list inbound-acl permit icmp any any time-exceeded 
access-list inbound-acl permit udp any eq domain any 
access-list vpn_connect permit ip host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit icmp host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp-data
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp
pager lines 25
logging on
logging console warnings
logging buffered warnings
logging trap notifications
logging history warnings
logging facility 22
logging queue 0
logging host inside x.x.0.251
logging host inside x.x.0.15
mtu outside 1500
mtu inside 1500
mtu tdb-vpn 1500
ip address outside x.x.4.83 255.255.255.248
ip address inside x.x.0.254 255.255.255.0
ip address tdb-vpn 127.0.0.1 255.255.255.248
ip verify reverse-path interface outside
ip audit name Anal attack action drop
ip audit name Anal_Info info action alarm
ip audit interface outside Anal_Info
ip audit interface outside Anal
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2011 disable
ip audit signature 2012 disable
pdm location x.x.0.0 255.255.255.0 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 17 interface
nat (inside) 0 access-list vpn_connect
nat (inside) 17 0.0.0.0 0.0.0.0 0 0
access-group inbound-acl in interface outside
router ospf 1
  network x.x.0.0 255.255.255.0 area 0 
  log-adj-changes
  redistribute static
route outside 0.0.0.0 0.0.0.0 x.x.4.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server AuthInbound protocol radius 
aaa-server AuthInbound (inside) host x.x.0.253 cisco timeout 10
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map internal-vpn-tunnel 90 ipsec-isakmp
crypto map internal-vpn-tunnel 90 match address x.x.19.65-us-ftp-vpn-traffic
crypto map internal-vpn-tunnel 90 set pfs group2
crypto map internal-vpn-tunnel 90 set peer x.x.19.139
crypto map internal-vpn-tunnel 90 set transform-set ESP-3DES-SHA
crypto map internal-vpn-tunnel interface outside
isakmp enable outside
isakmp key <Private Key> address x.x.19.139 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
console timeout 10
terminal width 80
banner exec *******************************************************************************
banner exec *************************** Private Computer System ***************************
banner exec *******************************************************************************
banner exec The data held on this TDB Networks Ltd. host system is PRIVATE PROPERTY.Access
banner exec to the data is only available for authorised users and purposes. Unauthorised
banner exec entry contravenes the Computer Misuse Act 1990 and may incur criminal penalties
banner exec as well as damages. Please proceed if you are an authorised user.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
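The failing step in the debug output above is `IPSEC(validate_transform_proposal): proxy identities not supported`: the Checkpoint proposes host-to-host identities with protocol 0 and port 0 (`x.x.19.65/255.255.255.255/0/0`, i.e. any protocol), while the crypto map's ACL `x.x.19.65-us-ftp-vpn-traffic` only has icmp and tcp/ftp entries, and the PIX only accepts a Quick Mode proposal that falls within an entry of the crypto ACL. The script below is an added example, not part of the original post: it pulls the `*_proxy` fields out of a `validate_proposal_request` block and the `access-list` entries out of a PIX config, then reports which entries cover the proposal. Addresses are constructed placeholders (RFC 5737 addresses stand in for the masked `x.x.*` hosts), the crypto ACL is renamed `ftp-vpn` for brevity, and the matching rules (address containment, protocol and port equality, with `ip` and no port meaning "any") are a simplification of the PIX check, not its code.

```python
import re
from ipaddress import ip_network

# Protocol and port keywords as they appear in PIX access-list syntax.
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
PORT_NUM = {"ftp-data": 20, "ftp": 21, "domain": 53}

# e.g.  dest_proxy= 198.51.100.65/255.255.255.255/0/0 (type=1)
PROXY_RE = re.compile(
    r"(?P<role>[a-z]+_proxy)=\s*(?P<ip>[\d.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/(?P<port>\d+)"
)
# e.g.  access-list NAME permit tcp host A host B eq ftp
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\w+)\s+"
    r"(?P<src>host\s+[\d.]+|[\d.]+\s+[\d.]+|any)\s+"
    r"(?P<dst>host\s+[\d.]+|[\d.]+\s+[\d.]+|any)"
    r"(?:\s+eq\s+(?P<port>\S+))?"
)


def _net(spec):
    """Turn 'host A', 'A MASK' or 'any' into an ip_network."""
    parts = spec.split()
    if parts[0] == "any":
        return ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ip_network(parts[1] + "/32")
    return ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_proxies(debug_block):
    """Map each *_proxy field of a validate_proposal_request block to
    (network, protocol number, port); 0 means 'any' for protocol and port."""
    proxies = {}
    for m in PROXY_RE.finditer(debug_block):
        net = ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        proxies[m["role"]] = (net, int(m["proto"]), int(m["port"]))
    return proxies


def parse_acl(config_text, name):
    """Collect the permit entries of one named access-list."""
    entries = []
    for m in ACL_RE.finditer(config_text):
        if m["name"] != name:
            continue
        entries.append({
            "proto": PROTO_NUM[m["proto"]],
            "src": _net(m["src"]),
            "dst": _net(m["dst"]),
            "port": int(PORT_NUM.get(m["port"], m["port"] or 0)),
            "text": m.group(0).strip(),
        })
    return entries


def entry_covers(entry, local, remote):
    """True when an ACL entry (src = local side, dst = remote side) is at least
    as broad as the proposed identities: a protocol-0 ('any') proposal is only
    covered by an 'ip' entry without a port, while a tcp/21 proposal is covered
    by an 'ip' entry or by a 'tcp ... eq ftp' entry."""
    l_net, proto, _ = local
    r_net, _, r_port = remote
    if not (l_net.subnet_of(entry["src"]) and r_net.subnet_of(entry["dst"])):
        return False
    if entry["proto"] not in (0, proto):
        return False
    if entry["port"] not in (0, r_port):
        return False
    return True


def check_proposal(debug_block, config_text, acl_name):
    """Return the ACL entries covering the peer's proposal; an empty list is
    the situation that precedes 'proxy identities not supported' on the PIX."""
    proxies = parse_proxies(debug_block)
    local, remote = proxies["src_proxy"], proxies["dest_proxy"]
    return [e["text"] for e in parse_acl(config_text, acl_name)
            if entry_covers(e, local, remote)]


# Constructed sample input mirroring the shape of the post's debug block and
# config, with documentation addresses in place of the masked x.x.* hosts.
DEBUG_ANY = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 198.51.100.139, src= 192.0.2.83,
    dest_proxy= 198.51.100.65/255.255.255.255/0/0 (type=1),
    src_proxy= 192.0.2.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
"""
# The same peer proposing only FTP control traffic (tcp, destination port 21).
DEBUG_FTP = """\
IPSEC(validate_proposal_request): proposal part #1,
    dest_proxy= 198.51.100.65/255.255.255.255/6/21 (type=1),
    src_proxy= 192.0.2.253/255.255.255.255/6/0 (type=1),
"""
CONFIG = """\
access-list vpn_connect permit ip host 192.0.2.253 host 198.51.100.65
access-list ftp-vpn permit icmp host 192.0.2.253 host 198.51.100.65
access-list ftp-vpn permit tcp host 192.0.2.253 host 198.51.100.65 eq ftp-data
access-list ftp-vpn permit tcp host 192.0.2.253 host 198.51.100.65 eq ftp
"""

if __name__ == "__main__":
    for block, label in ((DEBUG_ANY, "any-protocol proposal"), (DEBUG_FTP, "tcp/21 proposal")):
        for acl in ("ftp-vpn", "vpn_connect"):
            hits = check_proposal(block, CONFIG, acl)
            print(f"{label} vs {acl}: " + ("covered by " + hits[0] if hits else "NOT covered"))
```

Run against the sample data, the any-protocol proposal is covered by the `permit ip` entry of the nat 0 ACL but by none of the protocol-specific crypto ACL entries, which is the mismatch the debug output reports; a narrower tcp/21 proposal would be covered by the `eq ftp` entry. The useful check when reading a real capture is therefore to compare the `/proto/port` suffix of the peer's proxy identities with the protocol and port of every crypto ACL entry, not just the addresses.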
