Firewall Wizards mailing list archives
Pix to Checkpoint VPN Connectivity
From: "Richard Worwood" <richardw () tdbnetworks com>
Date: Mon, 10 May 2004 07:41:02 +0100
I'm in the process of trying to set up a VPN connection between our Pix 515 and a supplier who have a Checkpoint firewall, but I'm not having an awful lot of luck. It looks to me, from the debugs I've captured, as if the VPN is establishing successfully but for some reason is unable to establish a credible proxy relationship to allow communications to flow. I've included copies of the debug capture and the config of my firewall for review, as I suspect I'm just doing something stupid, but as ever any help will be gratefully received.

Regards

Richard

Pix Debug Log

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1779604032:95ed65c0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xd7e65927(3622197543) for SA from x.x.19.139 to x.x.4.83 for prot 3
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2515363264
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= x.x.4.83, remote= x.x.19.139,
    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1),
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 52913619:32765d3
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3985d33c(965071676) for SA from x.x.19.139 to x.x.4.83 for prot 3
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 52913619
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= x.x.4.83, remote= x.x.19.139,
    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1),
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)

Config file

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 tdb-vpn security10
enable password xxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxx
hostname fw01
domain-name tester.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inbound-acl permit icmp any any echo-reply
access-list inbound-acl permit icmp any any unreachable
access-list inbound-acl permit icmp any any time-exceeded
access-list inbound-acl permit udp any eq domain any
access-list vpn_connect permit ip host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit icmp host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp-data
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp
pager lines 25
logging on
logging console warnings
logging buffered warnings
logging trap notifications
logging history warnings
logging facility 22
logging queue 0
logging host inside x.x.0.251
logging host inside x.x.0.15
mtu outside 1500
mtu inside 1500
mtu tdb-vpn 1500
ip address outside x.x.4.83 255.255.255.248
ip address inside x.x.0.254 255.255.255.0
ip address tdb-vpn 127.0.0.1 255.255.255.248
ip verify reverse-path interface outside
ip audit name Anal attack action drop
ip audit name Anal_Info info action alarm
ip audit interface outside Anal_Info
ip audit interface outside Anal
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2011 disable
ip audit signature 2012 disable
pdm location x.x.0.0 255.255.255.0 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 17 interface
nat (inside) 0 access-list vpn_connect
nat (inside) 17 0.0.0.0 0.0.0.0 0 0
access-group inbound-acl in interface outside
router ospf 1
 network x.x.0.0 255.255.255.0 area 0
 log-adj-changes
 redistribute static
route outside 0.0.0.0 0.0.0.0 x.x.4.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host x.x.0.253 cisco timeout 10
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map internal-vpn-tunnel 90 ipsec-isakmp
crypto map internal-vpn-tunnel 90 match address x.x.19.65-us-ftp-vpn-traffic
crypto map internal-vpn-tunnel 90 set pfs group2
crypto map internal-vpn-tunnel 90 set peer x.x.19.139
crypto map internal-vpn-tunnel 90 set transform-set ESP-3DES-SHA
crypto map internal-vpn-tunnel interface outside
isakmp enable outside
isakmp key <Private Key> address x.x.19.139 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
console timeout 10
terminal width 80
banner exec *******************************************************************************
banner exec *************************** Private Computer System ***************************
banner exec *******************************************************************************
banner exec The data held on this TDB Networks Ltd. host system is PRIVATE PROPERTY. Access
banner exec to the data is only available for authorised users and purposes. Unauthorised
banner exec entry contravenes the Computer Misuse Act 1990 and may incur criminal penalties
banner exec as well as damages. Please proceed if you are an authorised user.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
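The repeated "proxy identities not supported" lines in the debug above are the PIX rejecting the peer's Quick Mode selectors (the proxy identities) because they do not line up with an entry of the ACL named in the crypto map's match address. Reading the identities by eye in this format is error-prone, so the script below, added here as an editor's illustration and not part of Richard's post or any Cisco tool, parses the validate_proposal_request and request-timer records, compares the peer's proposed proxy identities with the host-to-host entries of the crypto ACL, and reports which field differs. The sample debug and ACL are constructed from the values quoted in the post; the coverage rule it applies (an ACL entry covers a proposal when the hosts match and the entry's protocol and port are either any or equal to the proposal's) is this script's assumption about the check, not a statement of the PIX's exact matching code.

```python
import re

# Constructed sample in the layout PIX 6.3 prints (indented continuation
# lines): one proposal from the peer, then one request the PIX initiated.
# The x.x. addresses are the post's own masked values.
SAMPLE_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= x.x.4.83, remote= x.x.19.139,
    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1),
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)
"""
# Constructed sample: the crypto ACL the post's crypto map matches on.
SAMPLE_ACL = """\
access-list x.x.19.65-us-ftp-vpn-traffic permit icmp host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp-data
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp
"""
# A proxy identity as the PIX prints it: addr/mask/protocol/port
PROXY_RE = re.compile(r"(?P<role>\w+_proxy)= (?P<addr>[\w.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/(?P<port>\d+)")
# Host-to-host ACL entries only, which is all the post's crypto ACL uses
ACL_RE = re.compile(r"access-list (?P<name>\S+) permit (?P<proto>\w+) host (?P<src>[\w.]+)"
                    r" host (?P<dst>[\w.]+)(?: eq (?P<port>\S+))?")
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
PORT_NUM = {"ftp": 21, "ftp-data": 20}
HOST_MASK = "255.255.255.255"

def records(debug_text):
    """One logical record per message: the PIX wraps a message over indented lines."""
    return [" ".join(r.split()) for r in re.split(r"\n(?!\s)", debug_text.strip()) if r.strip()]

def parse_proxy_ids(debug_text):
    """[(origin, local_proxy, remote_proxy)]: origin is 'peer' for a proposal the peer
    sent, 'local' for the PIX's own request; a proxy is (addr, mask, proto, port)."""
    out = []
    for rec in records(debug_text):
        origin = ("peer" if "validate_proposal_request" in rec
                  else "local" if "request timer fired" in rec else None)
        if origin is None:
            continue
        ids = {m.group("role"): (m.group("addr"), m.group("mask"),
                                 int(m.group("proto")), int(m.group("port")))
               for m in PROXY_RE.finditer(rec)}
        # peer proposals call the PIX side src_proxy/dest_proxy (src= is the PIX);
        # the PIX's own requests call it local_proxy/remote_proxy
        local = ids.get("src_proxy", ids.get("local_proxy"))
        remote = ids.get("dest_proxy", ids.get("remote_proxy"))
        if local and remote:
            out.append((origin, local, remote))
    return out

def parse_crypto_acl(acl_text, name):
    """Entries of the named ACL as (src, dst, proto, port); 0 means any."""
    entries = []
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            port = int(PORT_NUM.get(m.group("port"), m.group("port") or 0))
            entries.append((m.group("src"), m.group("dst"), PROTO_NUM[m.group("proto")], port))
    return entries

def mismatch_reasons(entry, local, remote):
    """Fields on which a proposal falls outside one ACL entry; empty means covered.
    Assumed rule: hosts must match, entry protocol/port must be any (0) or equal."""
    src, dst, proto, port = entry
    reasons = []
    if (local[0], remote[0], local[1], remote[1]) != (src, dst, HOST_MASK, HOST_MASK):
        reasons.append(f"hosts {local[0]}->{remote[0]} vs ACL {src}->{dst}")
    if proto and local[2] != proto:
        reasons.append(f"protocol {local[2]} proposed vs ACL protocol {proto}")
    if port and remote[3] != port:
        reasons.append(f"port {remote[3]} proposed vs ACL port {port}")
    return reasons

def diagnose(debug_text, acl_text, acl_name):
    """Peer proposals that no ACL entry covers, with the per-entry reasons."""
    acl = parse_crypto_acl(acl_text, acl_name)
    findings = []
    for origin, local, remote in parse_proxy_ids(debug_text):
        per_entry = [(e, mismatch_reasons(e, local, remote)) for e in acl]
        if origin == "peer" and all(r for _, r in per_entry):
            findings.append({"proposed": (local, remote), "per_entry": per_entry})
    return findings

def sides_disagree(debug_text):
    """Selector fields on which the peer's proposal and the PIX's own request differ."""
    ids = parse_proxy_ids(debug_text)
    differing = set()
    for _, pl, pr in [i for i in ids if i[0] == "peer"]:
        for _, ml, mr in [i for i in ids if i[0] == "local"]:
            if (pl[0], pr[0]) == (ml[0], mr[0]):  # same host pair on both sides
                for a, b in ((pl, ml), (pr, mr)):
                    differing.update(f for f, x, y in zip(("addr", "mask", "proto", "port"), a, b) if x != y)
    return differing
```

Run against the sample, diagnose() reports that the peer's host-to-host proposal with protocol 0 is covered by none of the three ACL entries, and sides_disagree() narrows it to the protocol field: the peer offers any protocol between the two hosts while the PIX's own request, derived from the icmp line of its crypto ACL, carries protocol 1. Which side should change is a decision between the two parties; the script only makes the disagreement explicit.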
Current thread:
- Pix to Checkpoint VPN Connectivity Richard Worwood (May 10)
- <Possible follow-ups>
- RE: Pix to Checkpoint VPN Connectivity mlists (May 10)
- Pix to Checkpoint VPN Connectivity cs 2004 (May 27)