Velocity Reviews


Rik Bain 11-02-2003 03:14 PM

Re: pix-nortel contivity ipsec failing
 
try using "no-xauth no-config-mode" at the end of the ISAKMP key....?


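An added example, not from either poster: a small Python audit of the PIX configuration posted in this thread that flags static crypto-map peers which will be sent XAUTH and mode-config requests, i.e. peers on a map carrying "client authentication" whose "isakmp key" line lacks the "no-xauth no-config-mode" exemption Rik Bain suggests. The config string is constructed from the lines in the thread with the key masked as on the page.

```python
import re

# Constructed sample: the relevant lines of the poster's PIX config,
# key value masked exactly as it appears in the thread.
PIX_CFG = """\
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 set peer g.g.g.g
crypto map mymap 2 ipsec-isakmp
crypto map mymap 2 set peer v.v.v.v
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication ias
crypto map mymap interface outside
isakmp key ******** address g.g.g.g netmask 255.255.255.255
isakmp key ******** address v.v.v.v netmask 255.255.255.255
"""

PEER_RE = re.compile(r"^crypto map (\S+) \d+ set peer (\S+)$")
CLIENT_AUTH_RE = re.compile(r"^crypto map (\S+) client authentication \S+$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask \S+(.*)$")

def find_xauth_exposed_peers(cfg):
    """Return static (site-to-site) peers that will be asked for XAUTH /
    mode-config: peers of a crypto map that has 'client authentication'
    whose isakmp key line lacks both 'no-xauth' and 'no-config-mode'."""
    peers = {}        # peer address -> crypto map name
    auth_maps = set() # crypto maps with client authentication enabled
    key_flags = {}    # peer address -> trailing flags on its isakmp key line
    for line in cfg.splitlines():
        line = line.strip()
        if m := PEER_RE.match(line):
            peers[m.group(2)] = m.group(1)
        elif m := CLIENT_AUTH_RE.match(line):
            auth_maps.add(m.group(1))
        elif m := KEY_RE.match(line):
            key_flags[m.group(1)] = m.group(2).split()
    exposed = []
    for peer, cmap in peers.items():
        if cmap not in auth_maps:
            continue
        flags = key_flags.get(peer, [])
        if "no-xauth" not in flags or "no-config-mode" not in flags:
            exposed.append(peer)
    return sorted(exposed)

def fixed_key_line(peer, key="********"):
    """The isakmp key line with the exemptions suggested in the reply."""
    return f"isakmp key {key} address {peer} netmask 255.255.255.255 no-xauth no-config-mode"

if __name__ == "__main__":
    for p in find_xauth_exposed_peers(PIX_CFG):
        print(f"{p}: will be sent XAUTH/mode-config; use -> {fixed_key_line(p)}")
```

On the posted config both static peers, g.g.g.g and v.v.v.v, lack the exemption; the thread only reports the v.v.v.v (Contivity) tunnel failing, so the audit shows where XAUTH will be requested, not which peers will refuse it.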


Bill F 11-02-2003 09:37 PM

pix-nortel contivity ipsec failing
 
peer v.v.v.v is a nortel contivity.

peer g.g.g.g is another pix for which the tunnel is functioning.
Several questions:
1. Why are they attempting to use OAK_MM, which I assume is the Oakley
key protocol (actually I guess this is part of the IKE stack)?
2. Why is XAUTH listed as a requested attribute?
Neither of these is selected on the contivity as far as I can see from
a screenshot, anyway.
3. How do I know which isakmp policy each tunnel is using?
It's using the correct transform set, but how do I know which isakmp
policy is being used - could the isakmp policy have something to do with
the OAK_MM request?

*******************************************

crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated

ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to v.v.v.v ID = 708333664 (0x2a385060)
modecfg: sa: 1498e04, new mess id= 2a385060

return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Added new peer: ip:v.v.v.v/500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:v.v.v.v/500 Ref cnt incremented to:1 Total VPN Peers:2
crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500

********************************************
# sh crypto isakmp sa
Total : 2
Embryonic : 0
dst src state pending created
g.g.g.g a.a.a.a QM_IDLE 0 1
v.v.v.v a.a.a.a OAK_CONF_XAUTH 3 0

********************************************

# sh crypto map
#first one is a cisco client map entry
Crypto Map: "mymap" interfaces: { outside }
client authentication ias
..........

Crypto Map "mymap" 1 ipsec-isakmp
Peer = g.g.g.g
access-list 102; 8 elements
.............

Current peer: g.g.g.g
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }

Crypto Map "mymap" 2 ipsec-isakmp
Peer = v.v.v.v
access-list 104; 24 elements
........


Current peer: v.v.v.v
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ valencia, }

# the tunnel to v.v.v.v is using the correct transform set but how do I know which isakmp policy is being used - could the isakmp policy have something to do with the OAK_MM request?
**********************************************

my pix cfg

crypto ipsec transform-set myset esp-3des esp-sha-hmac
# below transform is for peer v.v.v.v
crypto ipsec transform-set valencia esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 102
crypto map mymap 1 set peer g.g.g.g
crypto map mymap 1 set transform-set myset
crypto map mymap 2 ipsec-isakmp
crypto map mymap 2 match address 104
crypto map mymap 2 set peer v.v.v.v
crypto map mymap 2 set transform-set valencia
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication ias
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address g.g.g.g netmask 255.255.255.255
isakmp key ******** address v.v.v.v netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
# intended for peer v.v.v.
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 900
