Firewall Wizards mailing list archives

Pix to Vigor VPN


From: "Richard Worwood" <richardw () tdbnetworks com>
Date: Thu, 16 Jan 2003 23:32:13 -0000

I'm having some problems setting up a VPN between a Pix 501 and a Vigor 2600
over ADSL; the intention is to migrate the VPN across to the production 520
once I've got this going alongside a dial VPN config, but as ever I'm having
a few problems.

It would seem that I've got the vpn so that it will authenticate and
establish itself and then it gets a "decaps: rec'd IPSEC packet has invalid
spi for destaddr=xx.xx.4.83, prot=esp, spi=0xbbeab54f(0)" error and it all
falls over.

I've attached the output from a debug crypto isakmp trace and a copy of the
Pix config below.

If anyone could help I would be most grateful.

crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83
VPN Peer: ISAKMP: Added new peer: ip:xx.xx.1.46 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:xx.xx.1.46 Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 0 against priority 22 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 22 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83 OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83 OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 28
ISAKMP (0): Total payload length: 32
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1647417420

ISAKMP : Checking IPSec proposal 0

ISAKMP: transform 0, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 1647417420

ISAKMP (0): processing ID payload. message ID = 1647417420
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 10.2.254.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1647417420
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 10.0.0.0/255.255.255.0 prot 0 port 0
return status is IKMP_NO_ERROR4
ISAKMP (0): sending NOTIFY message 11 protocol 3
crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83 OAK_QM exchange
oakley_process_quick_mode: OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from      xx.xx.1.46 to      xx.xx.4.83 (proxy 10.2.254.0 to        10.0.0.0)
        has spi 3152721231 and conn_id 4 and flags 4
        lifetime of 3600 seconds
        outbound SA from      xx.xx.4.83 to      xx.xx.1.46 (proxy 10.0.0.0 to      10.2.254.0)
        has spi 4286529457 and conn_id 3 and flags 4
        lifetime of 3600 seconds
VPN Peer: IPSEC: Peer ip:xx.xx.1.46 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:xx.xx.1.46 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR02101: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.4.83, prot=esp, spi=0xbbeab54f(0)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname tdb-dev-fw
domain-name abracad.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list Bexleyheath-vpn-traffic permit ip 10.0.0.0 255.255.255.0 10.2.254.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered debugging
logging trap warnings
logging history warnings
logging facility 22
logging host inside 10.0.0.170
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.4.83 255.255.255.248
ip address inside 10.0.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.3.0 255.255.255.0 inside
pdm location 10.0.0.170 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 17 xx.xx.4.82
nat (inside) 17 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.4.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.0.170 /
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set Tunnel-ESP-DES-MD5 esp-des esp-sha-hmac
crypto map Bexleyheath-Tunnel 222 ipsec-isakmp
crypto map Bexleyheath-Tunnel 222 match address Bexleyheath-vpn-traffic
crypto map Bexleyheath-Tunnel 222 set peer xx.xx.1.46
crypto map Bexleyheath-Tunnel 222 set transform-set Tunnel-ESP-DES-MD5
crypto map Bexleyheath-Tunnel interface outside
isakmp enable outside
isakmp key ******** address xx.xx.1.46 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash sha
isakmp policy 22 group 1
isakmp policy 22 lifetime 5000
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 10.0.3.0 255.255.255.0 inside
ssh timeout 5
terminal width 80


Thanks in advance

Richard

________________________________________________________
Richard Worwood, TDB Networks
4 High Street, Twyford, Berkshire  RG10 9AE
Office: +44 (0) 118 934 0056
Mobile: +44 (0) 7771 662880
Email: richardw () tdbnetworks com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
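As an added example (not part of Richard's post or of any Cisco tooling), a small Python checker that cross-references the decimal SPIs printed under "Creating IPSec SAs" against the hex SPI in the decaps error, and flags transform-sets whose name advertises a different HMAC than they configure. The DEBUG and CONFIG strings are excerpts constructed from the trace and config quoted above.

```python
import re

# Constructed excerpt of the Pix debug trace and config quoted in the post above.
DEBUG = """\
        inbound SA from      xx.xx.1.46 to      xx.xx.4.83 (proxy 10.2.254.0 to 10.0.0.0)
        has spi 3152721231 and conn_id 4 and flags 4
        outbound SA from      xx.xx.4.83 to      xx.xx.1.46 (proxy 10.0.0.0 to 10.2.254.0)
        has spi 4286529457 and conn_id 3 and flags 4
return status is IKMP_NO_ERROR02101: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.4.83, prot=esp, spi=0xbbeab54f(0)
"""
CONFIG = """\
crypto ipsec transform-set Tunnel-ESP-DES-MD5 esp-des esp-sha-hmac
crypto map Bexleyheath-Tunnel 222 set transform-set Tunnel-ESP-DES-MD5
"""

SA_RE = re.compile(r"(inbound|outbound) SA from\s+(\S+) to\s+(\S+).*?\n\s*has spi (\d+)", re.S)
ERR_RE = re.compile(r"invalid spi for destaddr=(\S+?), prot=(\w+), spi=0x([0-9a-fA-F]+)")
TS_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")

def parse_sas(debug):
    """Map (direction, destination address) -> SPI as an int, from 'Creating IPSec SAs' output."""
    return {(m.group(1), m.group(3)): int(m.group(4)) for m in SA_RE.finditer(debug)}

def parse_invalid_spi(debug):
    """Return (destaddr, protocol, spi) from the 'invalid spi' decaps error, or None."""
    m = ERR_RE.search(debug)
    return (m.group(1), m.group(2), int(m.group(3), 16)) if m else None

def classify_invalid_spi(debug):
    """Say whether the rejected SPI is one of the SAs the Pix itself just installed.

    The debug prints SPIs in decimal while the error prints them in hex, so the
    comparison is done on integers. 'inbound' means the rejected ESP packet
    carried the SPI of the freshly created inbound SA for that destination."""
    err = parse_invalid_spi(debug)
    if err is None:
        return None
    dst, _proto, spi = err
    for (direction, sa_dst), sa_spi in parse_sas(debug).items():
        if sa_dst == dst and sa_spi == spi:
            return direction
    return "no matching SA"

def misnamed_transform_sets(config):
    """Flag transform-sets whose name says one HMAC but whose definition uses the other."""
    hits = []
    for m in TS_RE.finditer(config):
        name, algs = m.group(1), set(m.group(2).split())
        if ("MD5" in name.upper() and "esp-sha-hmac" in algs) or ("SHA" in name.upper() and "esp-md5-hmac" in algs):
            hits.append(name)
    return hits
```

On the trace above the rejected SPI 0xbbeab54f is exactly the inbound SA the Pix had just created, which is worth knowing before suspecting a proposal mismatch; the transform-set check is a naming hygiene warning only, since the trace shows HMAC-SHA was negotiated as configured.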

