Firewall Wizards mailing list archives
Re: Pix to Vigor VPN
From: "Ben Nagy" <ben () iagu net>
Date: Mon, 20 Jan 2003 12:25:58 +0100
Hm. More logs would be good - does the other end produce any kind of logs that we could look at? Also, try running a debug crypto ipsec - it looks like isakmp is finishing OK, but the problem is from the IPSec engine. The only things I can quickly pick up from looking at the stuff below is that firstly, that incoming spi appears to match - 0xbbeab54f is 3152721231, which matches the incoming SPI from the debug. Normally this error message is caused by an age difference in the SAs between the two devices (the remote device hasn't yet cleared the SPI from the last connection), which was what I typed before I looked more carefully. Here...dunno.
From here, I'd try and get the deb cryp ipsec, also a couple of show commands, like sh cryp ipsec sa and sh cryp isa sa. Also, what's the version of your PIX software - you could check for outstanding issues (some past PIX bugs have caused failures with that message). On suspicion, you could always try using a different subnet, too - 10.0.0.0 and 10.2.254.0 can appear to be subnets of each other (although not with the netmasks you're using) - some bizarre devices may have problems with that, and also some devices may have problems with zero subnets (although that's wrong). Also make sure that they have the netmasks matching yours at the other end (although it appears so from the ISAKMP debugs). That's all kind of voodoo and arm waving, though.

Good luck,

ben

----- Original Message -----
From: "Richard Worwood" <richardw () tdbnetworks com>
To: <firewall-wizards () honor icsalabs com>
Sent: Friday, January 17, 2003 12:32 AM
Subject: [fw-wiz] Pix to Vigor VPN
I'm having some problems setting up a VPN between a Pix 501 and a Vigor 2600 over ADSL. The intention is to migrate the VPN across to the production 520 once I've got this going alongside a dial VPN config, but as ever I'm having a few problems. It would seem that I've got the VPN so that it will authenticate and establish itself, and then it gets a "decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.4.83, prot=esp, spi=0xbbeab54f(0)" error and it all falls over. I've attached the output from a debug crypto isakmp trace and a copy of the PIX config below. If anyone could help I would be most grateful.

crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83
VPN Peer: ISAKMP: Added new peer: ip:xx.xx.1.46 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:xx.xx.1.46 Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 22 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 22 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 28
ISAKMP (0): Total payload length: 32
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1647417420
ISAKMP : Checking IPSec proposal 0
ISAKMP: transform 0, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 1647417420
ISAKMP (0): processing ID payload. message ID = 1647417420
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 10.2.254.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1647417420
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 10.0.0.0/255.255.255.0 prot 0 port 0
return status is IKMP_NO_ERROR4
ISAKMP (0): sending NOTIFY message 11 protocol 3
crypto_isakmp_process_block: src xx.xx.1.46, dest xx.xx.4.83
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from xx.xx.1.46 to xx.xx.4.83 (proxy 10.2.254.0 to 10.0.0.0)
        has spi 3152721231 and conn_id 4 and flags 4
        lifetime of 3600 seconds
        outbound SA from xx.xx.4.83 to xx.xx.1.46 (proxy 10.0.0.0 to 10.2.254.0)
        has spi 4286529457 and conn_id 3 and flags 4
        lifetime of 3600 seconds
VPN Peer: IPSEC: Peer ip:xx.xx.1.46 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:xx.xx.1.46 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR02101: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.4.83, prot=esp, spi=0xbbeab54f(0)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname tdb-dev-fw
domain-name abracad.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list Bexleyheath-vpn-traffic permit ip 10.0.0.0 255.255.255.0 10.2.254.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered debugging
logging trap warnings
logging history warnings
logging facility 22
logging host inside 10.0.0.170
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.4.83 255.255.255.248
ip address inside 10.0.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.3.0 255.255.255.0 inside
pdm location 10.0.0.170 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 17 xx.xx.4.82
nat (inside) 17 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.4.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.0.170 /
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set Tunnel-ESP-DES-MD5 esp-des esp-sha-hmac
crypto map Bexleyheath-Tunnel 222 ipsec-isakmp
crypto map Bexleyheath-Tunnel 222 match address Bexleyheath-vpn-traffic
crypto map Bexleyheath-Tunnel 222 set peer xx.xx.1.46
crypto map Bexleyheath-Tunnel 222 set transform-set Tunnel-ESP-DES-MD5
crypto map Bexleyheath-Tunnel interface outside
isakmp enable outside
isakmp key ******** address xx.xx.1.46 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash sha
isakmp policy 22 group 1
isakmp policy 22 lifetime 5000
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 10.0.3.0 255.255.255.0 inside
ssh timeout 5
terminal width 80

Thanks in advance,

Richard

________________________________________________________
Richard Worwood, TDB Networks
4 High Street, Twyford, Berkshire RG10 9AE
Office: +44 (0) 118 934 0056
Mobile: +44 (0) 7771 662880
Email: richardw () tdbnetworks com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
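The SPI cross-check Ben does by hand above (0xbbeab54f against the decimal SPIs in the "Creating IPSec SAs" output) is something you want scripted when triaging a flapping tunnel. The following is an added example, not code from either poster: it parses the two PIX message shapes quoted in the thread and says whether each rejected SPI is one the PIX itself installed, one from the wrong direction, or unknown (the stale-SA case Ben describes). The sample log is constructed from the values in the post; the second error line with SPI 0xdeadbeef is made up to exercise the unknown branch.

```python
import re

# Constructed sample: the two SA lines and the decaps error from the debug output
# in the post, plus a second error with a made-up SPI (0xdeadbeef) for the stale-SA case.
SAMPLE_LOG = """\
ISAKMP (0): Creating IPSec SAs
        inbound SA from xx.xx.1.46 to xx.xx.4.83 (proxy 10.2.254.0 to 10.0.0.0)
        has spi 3152721231 and conn_id 4 and flags 4
        outbound SA from xx.xx.4.83 to xx.xx.1.46 (proxy 10.0.0.0 to 10.2.254.0)
        has spi 4286529457 and conn_id 3 and flags 4
402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.4.83, prot=esp, spi=0xbbeab54f(0)
402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.4.83, prot=esp, spi=0xdeadbeef(0)
"""

# "debug crypto isakmp" prints SPIs in decimal; the decaps error prints them in hex.
# DOTALL lets the "has spi" continuation line follow the SA header line.
SA_RE = re.compile(
    r"(?P<dir>inbound|outbound) SA from (?P<src>\S+) to (?P<dst>\S+)\s.*?has spi (?P<spi>\d+)",
    re.DOTALL,
)
ERR_RE = re.compile(
    r"invalid spi for destaddr=(?P<dst>[^,\s]+), prot=(?P<prot>\w+), spi=(?P<spi>0x[0-9a-fA-F]+)"
)


def parse_sas(text):
    """Map each negotiated SPI (as int) to (direction, src, dst)."""
    return {int(m["spi"]): (m["dir"], m["src"], m["dst"]) for m in SA_RE.finditer(text)}


def classify_invalid_spi(text):
    """Return (hex_spi, int_spi, verdict) for every decaps invalid-SPI error.

    "unknown": no SA with that SPI was negotiated here, so the peer is still
               using an SA this end has cleared (the usual age-mismatch cause).
    "inbound": the SPI is exactly the inbound SA the PIX just installed, so
               ISAKMP is fine and the problem is in the IPsec engine.
    "other":   the SPI exists but for the wrong direction or destination.
    """
    sas = parse_sas(text)
    out = []
    for m in ERR_RE.finditer(text):
        spi = int(m["spi"], 16)  # normalise hex to int for comparison
        sa = sas.get(spi)
        if sa is None:
            verdict = "unknown"
        elif sa[0] == "inbound" and sa[2] == m["dst"]:
            verdict = "inbound"
        else:
            verdict = "other"
        out.append((m["spi"], spi, verdict))
    return out


if __name__ == "__main__":
    for hex_spi, spi, verdict in classify_invalid_spi(SAMPLE_LOG):
        print(f"{hex_spi} = {spi}: {verdict}")
```

Feed it the buffered log from a failing PIX instead of SAMPLE_LOG; a run of "unknown" verdicts points at SA lifetime skew between the peers, while "inbound" verdicts mean the SPI comparison Ben did is already passing and the debug crypto ipsec output is the next thing to collect.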