Firewall Wizards mailing list archives

RE: Pix to Checkpoint VPN Connectivity


From: <mlists () tdbnetworks org>
Date: Mon, 10 May 2004 15:38:12 +0100

Thanks to Darren's help I seem to have got a little further but, true to form,
have hit another brick wall.

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 50 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
next-payload : 8
type         : 1
protocol     : 17
port         : 500
length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of
-2067221398:84c8b46aIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x36c44056(918831190) for SA 
from  x.x.19.139 to      x.x.4.83 for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2227745898

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83, 
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24

ISAKMP (0): processing NONCE payload. message ID = 2227745898

ISAKMP (0): processing KE payload. message ID = 2227745898

ISAKMP (0): processing ID payload. message ID = 2227745898
ISAKMP (0): processing ID payload. message ID = 2227745898map_alloc_entry:
allocating entry 3
map_alloc_entry: allocating entry 4

ISAKMP (0): Creating IPSec SAs
        inbound SA from  x.x.19.139 to      x.x.4.83 (proxy
x.x.19.65 to      x.x.0.253)
        has spi 918831190 and conn_id 3 and flags 25
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from      x.x.4.83 to  x.x.19.139 (proxy      x.x.0.253
to          x.x.19.65)
        has spi 3145190809 and conn_id 4 and flags 25
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= x.x.4.83, src= x.x.19.139, 
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 28800s and 4608000kb, 
    spi= 0x36c44056(918831190), conn_id= 3, keysize= 0, flags= 0x25
IPSEC(initialize_sas): ,
  (key eng. msg.) src= x.x.4.83, dest= x.x.19.139, 
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1), 
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 28800s and 4608000kb, 
    spi= 0xbb77cd99(3145190809), conn_id= 4, keysize= 0, flags= 0x25

VPN Peer: IPSEC: Peer Info not found during IPSEC addition: Peer
ip:x.x.19.139/500

VPN Peer: IPSEC: Peer Info not found during IPSEC addition: Peer
ip:x.x.19.139/500

return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Added new peer: ip:x.x.19.139/500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:x.x.19.139/500 Ref cnt incremented to:1 Total VPN
Peers:2
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3319682682

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      group is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10 
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 1IPSEC(validate_proposal): invalid transform proposal
flags -- 0x14

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP: no pre-shared key for      4.24.220.6
ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response

tdb-fw01# 

tdb-fw01# 

tdb-fw01# 
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): beginning Quick Mode exchange, M-ID of
1680169563:64255a5bIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xe2569566(3797325158) for SA 
from      x.x.4.84 to      x.x.4.83 for prot 3

crypto_isakmp_process_block:src:x.x.4.84, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1680169563

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal
part #1,
  (key eng. msg.) dest= x.x.4.84, src= x.x.4.83, 
    dest_proxy= x.x.0.252/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 1680169563

ISAKMP (0): processing ID payload. message ID = 1680169563
ISAKMP (0): processing ID payload. message ID = 1680169563map_alloc_entry:
allocating entry 5
map_alloc_entry: allocating entry 6

ISAKMP (0): Creating IPSec SAs
        inbound SA from      x.x.4.84 to      x.x.4.83 (proxy      x.x.0.252
to        x.x.0.0)
        has spi 3797325158 and conn_id 5 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from      x.x.4.83 to      x.x.4.84 (proxy
x.x.0.0 to      x.x.0.252)
        has spi 4148531421 and conn_id 6 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= x.x.4.83, src= x.x.4.84, 
    dest_proxy= x.x.0.0/255.255.255.0/0/0 (type=4), 
    src_proxy= x.x.0.252/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 28800s and 4608000kb, 
    spi= 0xe2569566(3797325158), conn_id= 5, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= x.x.4.83, dest= x.x.4.84, 
    src_proxy= x.x.0.0/255.255.255.0/0/0 (type=4), 
    dest_proxy= x.x.0.252/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac , 
    lifedur= 28800s and 4608000kb, 
    spi= 0xf74590dd(4148531421), conn_id= 6, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:x.x.4.84/500 Ref cnt incremented to:4 Total VPN
Peers:2
VPN Peer: IPSEC: Peer ip:x.x.4.84/500 Ref cnt incremented to:5 Total VPN
Peers:2
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
ISAKMP (0): deleting SA: src 4.24.220.6, dst x.x.4.83
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xc5de567a
ISADB: reaper checking SA 0x11b78b4, conn_id = 0
ISADB: reaper checking SA 0x124ccbc, conn_id = 0
ISADB: reaper checking SA 0x1257fc4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 4.24.220.6/500 not found - peers:2

ISADB: reaper checking SA 0x11b78b4, conn_id = 0
ISADB: reaper checking SA 0x124ccbc, conn_id = 0
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: sa not found for ike msg


Richard

________________________________________________________
Richard Worwood, TDB Networks
4 High Street, Twyford, Berkshire  RG10 9AE
Office: +44 (0) 118 934 0056
Mobile: +44 (0) 7771 662880
Email: richardw () tdbnetworks com
Web: www.tdbnetworks.com   

-----Original Message-----
From: Hartman, Darren [mailto:dhartman () icsalabs com] 
Sent: 10 May 2004 14:22
To: Richard Worwood
Subject: RE: [fw-wiz] Pix to Checkpoint VPN Connectivity


 
Possible problem:

From the debug info:
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),

    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1), 
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)

It looks like the peer is configured for "ANY" (0/0) protocol/port for
traffic selectors, but the PIX is configured for "ICMP" (1/0).


From your config, the crypto-map references the ACL which permits only
ICMP:

"crypto map internal-vpn-tunnel 90 match address
x.x.19.65-us-ftp-vpn-traffic"

"access-list x.x.19.65-us-ftp-vpn-traffic permit icmp host x.x.0.253 host
x.x.19.65"

To troubleshoot, try using your other ACL in the "match address" line, which
should match the 0/0 traffic selectors: "access-list vpn_connect permit ip
host x.x.0.253 host x.x.19.65"

Good Luck,
Darren Hartman
Sr. Lab Analyst
ICSA Labs
1000 Bent Creek Blvd, Suite 200
Mechanicsburg PA  17050
Phone: 717.790.8123
Fax: 717.790.8170
www.icsalabs.com



-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Richard
Worwood
Sent: Monday, May 10, 2004 2:41 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Pix to Checkpoint VPN Connectivity

I'm in the process of trying to set up a VPN connection between our Pix 515
and a supplier who has a Checkpoint firewall, but I'm not having an awful lot of
luck. It looks to me from the debugs I've captured as if the VPN is
establishing successfully but for some reason is unable to establish a
credible proxy relationship to allow communications to flow. I've included
copies of the debug capture and the config of my firewall for review, as I
suspect I'm just doing something stupid, but as ever any help will be
gratefully received.

Regards

Richard

Pix Debug Log

ISAKMP (0): beginning Quick Mode exchange, M-ID of
-1779604032:95ed65c0IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xd7e65927(3622197543) for SA 
from  x.x.19.139 to      x.x.4.83 for prot 3

crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2515363264

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request):
proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83, 
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83, 
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3 return status is
IKMP_ERR_NO_RETRANSIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= x.x.4.83, remote= x.x.19.139, 
    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1), 
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)

ISAKMP (0): beginning Quick Mode exchange, M-ID of
52913619:32765d3IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3985d33c(965071676) for SA 
from  x.x.19.139 to      x.x.4.83 for prot 3

crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 52913619

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request):
proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83, 
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83, 
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1), 
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3 return status is
IKMP_ERR_NO_RETRANSIPSEC(key_engine): request timer fired: count = 2,
  (identity) local= x.x.4.83, remote= x.x.19.139, 
    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1), 
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)


Config file

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 tdb-vpn security10
enable password xxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxx
hostname fw01
domain-name tester.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list inbound-acl permit icmp any any echo-reply
access-list inbound-acl permit icmp any any unreachable
access-list inbound-acl permit icmp any any time-exceeded
access-list inbound-acl permit udp any eq domain any
access-list vpn_connect permit ip host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit icmp host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp-data
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp
pager lines 25
logging on
logging console warnings
logging buffered warnings
logging trap notifications
logging history warnings
logging facility 22
logging queue 0
logging host inside x.x.0.251
logging host inside x.x.0.15
mtu outside 1500
mtu inside 1500
mtu tdb-vpn 1500
ip address outside x.x.4.83 255.255.255.248
ip address inside x.x.0.254 255.255.255.0
ip address tdb-vpn 127.0.0.1 255.255.255.248
ip verify reverse-path interface outside
ip audit name Anal attack action drop
ip audit name Anal_Info info action alarm
ip audit interface outside Anal_Info
ip audit interface outside Anal
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2011 disable
ip audit signature 2012 disable
pdm location x.x.0.0 255.255.255.0 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 17 interface
nat (inside) 0 access-list vpn_connect
nat (inside) 17 0.0.0.0 0.0.0.0 0 0
access-group inbound-acl in interface outside
router ospf 1
  network x.x.0.0 255.255.255.0 area 0
  log-adj-changes
  redistribute static
route outside 0.0.0.0 0.0.0.0 x.x.4.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host x.x.0.253 cisco timeout 10
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map internal-vpn-tunnel 90 ipsec-isakmp
crypto map internal-vpn-tunnel 90 match address x.x.19.65-us-ftp-vpn-traffic
crypto map internal-vpn-tunnel 90 set pfs group2
crypto map internal-vpn-tunnel 90 set peer x.x.19.139
crypto map internal-vpn-tunnel 90 set transform-set ESP-3DES-SHA
crypto map internal-vpn-tunnel interface outside
isakmp enable outside
isakmp key <Private Key> address x.x.19.139 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
console timeout 10
terminal width 80
banner exec *******************************************************************************
banner exec *************************** Private Computer System ***************************
banner exec *******************************************************************************
banner exec The data held on this TDB Networks Ltd. host system is PRIVATE PROPERTY. Access
banner exec to the data is only available for authorised users and purposes. Unauthorised
banner exec entry contravenes the Computer Misuse Act 1990 and may incur criminal penalties
banner exec as well as damages. Please proceed if you are an authorised user.


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards





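Darren's diagnosis in the thread, that the crypto-map ACL on the PIX yields protocol-1 (ICMP) proxy identities while the Checkpoint peer proposes 0/0 (any protocol, any port), can be reproduced mechanically from the posted debug and config. The following Python is an added example for this archive, not code from either poster or from Cisco: it parses the `*_proxy=` fields of a `validate_proposal_request` block and the host-to-host `access-list` entries of the config, finds the ACL the crypto map references, and reports the attribute on which the two sides disagree. The protocol and port-name tables, the assumption that an `eq` port lands on the remote (destination) selector, and the single src/dest orientation checked are assumptions of the example; the sample inputs are excerpts of the thread's own log and config with its anonymised addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Tokens like "dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1)" in PIX 6.x debug output
PROXY_RE = re.compile(
    r"(?P<role>local_proxy|remote_proxy|src_proxy|dest_proxy)=\s*"
    r"(?P<addr>[\w.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/(?P<port>\d+)\s*\(type=\d+\)"
)
# Host-to-host ACL entries of the form used for the crypto map in the thread
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\w+)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?"
)
MATCH_RE = re.compile(r"crypto map (?P<map>\S+) (?P<seq>\d+) match address (?P<acl>\S+)")

IP_PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}   # assumed table; 0 = any protocol
PORT_NAME = {"ftp-data": 20, "ftp": 21}                 # assumed table; 0 = any port


@dataclass(frozen=True)
class Selector:
    """One side of an IPsec proxy identity: address/mask/protocol/port."""
    addr: str
    mask: str
    proto: int
    port: int


def parse_proxies(debug_text: str) -> Dict[str, Selector]:
    """Map each *_proxy field found in a debug block to its Selector."""
    return {
        m["role"]: Selector(m["addr"], m["mask"], int(m["proto"]), int(m["port"]))
        for m in PROXY_RE.finditer(debug_text)
    }


def crypto_map_acls(config_text: str) -> Dict[Tuple[str, int], str]:
    """(crypto map name, sequence) -> ACL name referenced by 'match address'."""
    return {(m["map"], int(m["seq"])): m["acl"] for m in MATCH_RE.finditer(config_text)}


def selectors_from_acl(config_text: str, acl_name: str) -> List[Tuple[Selector, Selector]]:
    """(local, remote) selector pairs a host-to-host crypto-map ACL yields.
    Assumption of this example: an 'eq' port applies to the remote (destination) side."""
    pairs = []
    for m in ACL_RE.finditer(config_text):
        if m["name"] != acl_name:
            continue
        proto = IP_PROTO[m["proto"]]
        port = PORT_NAME.get(m["port"], 0) if m["port"] else 0
        pairs.append((Selector(m["src"], "255.255.255.255", proto, 0),
                      Selector(m["dst"], "255.255.255.255", proto, port)))
    return pairs


def diagnose(proposal_text: str, config_text: str, acl_name: str) -> List[str]:
    """Explain why the PIX rejects the peer's proxy identities; [] when an ACL entry matches.
    In validate_proposal_request, src_proxy is the PIX side and dest_proxy the peer side
    (the PIX also retries with the two swapped; that orientation is not modelled here)."""
    peer = parse_proxies(proposal_text)
    p_local, p_remote = peer["src_proxy"], peer["dest_proxy"]
    problems: List[str] = []
    for local, remote in selectors_from_acl(config_text, acl_name):
        if ((local.addr, local.mask, remote.addr, remote.mask)
                != (p_local.addr, p_local.mask, p_remote.addr, p_remote.mask)):
            continue                      # entry is for different hosts
        if (local, remote) == (p_local, p_remote):
            return []                     # exact match: proposal acceptable
        if local.proto != p_local.proto:
            problems.append(f"protocol: peer proposes {p_local.proto} (0 = any), "
                            f"ACL entry requires {local.proto}")
        if remote.port != p_remote.port:
            problems.append(f"port: peer proposes {p_remote.port}, "
                            f"ACL entry requires {remote.port}")
    if not problems:
        problems.append("no ACL entry covers these hosts")
    return list(dict.fromkeys(problems))  # de-duplicate, keep order


# Excerpt of the thread's original debug (addresses anonymised as in the post)
PEER_PROPOSAL = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
"""
# Excerpt of the posted PIX config
PIX_CONFIG = """\
access-list vpn_connect permit ip host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit icmp host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp-data
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp
crypto map internal-vpn-tunnel 90 match address x.x.19.65-us-ftp-vpn-traffic
"""

if __name__ == "__main__":
    acl = crypto_map_acls(PIX_CONFIG)[("internal-vpn-tunnel", 90)]
    print(f"{acl}:", diagnose(PEER_PROPOSAL, PIX_CONFIG, acl) or "acceptable")
    print("vpn_connect:", diagnose(PEER_PROPOSAL, PIX_CONFIG, "vpn_connect") or "acceptable")
```

Run against the thread's data, the ACL the crypto map actually references produces protocol mismatches (the peer offers protocol 0 where the entries require 1 and 6) and port mismatches for the two tcp entries, while `vpn_connect` (ip host to host) matches the peer's 0/0 identities exactly, which is the swap Darren suggested.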

