Velocity Reviews


scubabri@gmail.com 01-21-2006 09:30 PM

problems with cisco <-> netscreen
 
It appears that my cisco 806 is trying to forward the packets out my
public interface without encrypting them and sending them to the peer.
I can route packets from my 192.168.22.0 network where the netscreen
is, they make it over to the 192.168.23.0 network, but the responses
never make it back.

Anyone care to help me out on this?

Here is the router config.

Using 4991 out of 131072 bytes
!
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco-rtr
!
boot-start-marker
boot-end-marker
!
logging cns-events debugging

!
clock timezone Central -6
clock summer-time CDT recurring 1 Sun Apr 3:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
ip subnet-zero
no ip source-route
ip domain name int.fl240.com
ip name-server 192.168.23.26
ip dhcp excluded-address 192.168.23.200 192.168.23.201
ip dhcp excluded-address 192.168.23.1 192.168.23.39
!
no ip bootp server
ip inspect name myfw cuseeme audit-trail on timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http java-list 3 audit-trail on timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
!
!
!
!
class-map match-all VONAGE
match access-group 101
!
!
policy-map ALL
class VONAGE
bandwidth 256
class class-default
fair-queue
!
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key netscreen address netscreen
!
!
crypto ipsec transform-set aptset esp-3des esp-sha-hmac
crypto ipsec transform-set ns-interop esp-des esp-md5-hmac
!
crypto map aptmap 2 ipsec-isakmp
set peer 192.168.22.200
set transform-set aptset
match address 111
!
crypto map netscreen-net 10 ipsec-isakmp
set peer netscreen
set transform-set ns-interop
match address 130
!
!
!
interface Ethernet0
ip address 192.168.23.1 255.255.255.0
ip nat inside
ip policy route-map proxy-redirect
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address address 255.255.255.0
ip access-group 111 in
no ip unreachables
ip nat outside
ip inspect myfw out
no cdp enable
crypto map netscreen-net
service-policy output ALL
!
interface Virtual-Template1
ip unnumbered Ethernet1
ip mroute-cache
peer default ip address pool pptp
ppp encrypt mppe 40
ppp authentication ms-chap
!
ip local pool pptp 192.168.23.200 192.168.23.201
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1 permanent
no ip http server
no ip http secure-server
!
logging facility local5
logging 192.168.23.27
access-list 1 permit 192.168.23.0 0.0.0.255
access-list 1 permit any
access-list 3 permit any
access-list 23 permit 192.168.23.0 0.0.0.255
access-list 101 permit udp host 192.168.23.40 any
access-list 101 permit udp any host 192.168.23.40
access-list 102 permit ip 192.168.23.0 0.0.0.255 any
access-list 104 permit ip address 0.0.0.255 any
access-list 104 permit udp address 0.0.0.255 any eq isakmp
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 permit tcp any any eq 22
access-list 111 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255 log
access-list 111 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255 log
access-list 120 deny tcp any any neq www
access-list 120 deny tcp host 192.168.23.26 any
access-list 120 permit tcp any any
access-list 130 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255 log
access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255 log
no cdp run
route-map proxy-redirect permit 10
match ip address 120
set ip next-hop 192.168.23.26
!
banner motd ^C
go away or I will track you down and sue you and you will go to jail

Enter Password:

^C
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 0 0
password 7
transport input ssh
!
scheduler max-task-time 5000
end


here is an output from debug ipsec sa
cisco-rtr#debug crypto ipsec
Crypto IPSEC debugging is on
cisco-rtr#terminal monitor
cisco-rtr#clear crypto sa peer netscreen
cisco-rtr#
12:18:44: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= cisco, sa_prot= 50,
sa_spi= 0x54464F6D(1413893997),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2004
12:18:44: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
(sa) sa_dest= netscreen, sa_prot= 50,
sa_spi= 0x4C131F1C(1276321564),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2005,
(identity) local= cisco, remote= netscreen,
local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4)
12:18:44: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= netscreen, sa_prot= 50,
sa_spi= 0x4C131F1C(1276321564),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2005
12:18:44: ISAKMP: Unlocking IPSEC struct 0x813F3908 from
delete_siblings, count 0
12:18:44: ISAKMP: received ke message (3/1)
12:18:44: ISAKMP: set new node -844168567 to QM_IDLE
12:18:44: ISAKMP (0:1): sending packet to netscreen my_port 500
peer_port 500 (I) QM_IDLE
12:18:44: ISAKMP (0:1): purging node -844168567
12:18:44: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
12:18:44: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State =
IKE_P1_COMPLETE

12:18:53: ISAKMP (0:1): received packet from netscreen dport 500 sport
500 Global (I) QM_IDLE
12:18:53: ISAKMP: set new node -928160302 to QM_IDLE
12:18:53: ISAKMP (0:1): processing HASH payload. message ID =
-928160302
12:18:53: ISAKMP (0:1): processing SA payload. message ID = -928160302
12:18:53: ISAKMP (0:1): Checking IPSec proposal 1
12:18:53: ISAKMP: transform 1, ESP_DES
12:18:53: ISAKMP: attributes in transform:
12:18:53: ISAKMP: SA life type in seconds
12:18:53: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
12:18:53: ISAKMP: encaps is 1 (Tunnel)
12:18:53: ISAKMP: authenticator is HMAC-MD5
12:18:53: ISAKMP (0:1): atts are acceptable.
12:18:53: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= cisco, remote= netscreen,
local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
12:18:53: IPSEC(kei_proxy): head = netscreen-net, map->ivrf = ,
kei->ivrf =
12:18:53: ISAKMP (0:1): processing NONCE payload. message ID =
-928160302
12:18:53: ISAKMP (0:1): processing ID payload. message ID = -928160302
12:18:53: ISAKMP (0:1): processing ID payload. message ID = -928160302
12:18:53: ISAKMP (0:1): asking for 1 spis from ipsec
12:18:53: ISAKMP (0:1): Node -928160302, Input = IKE_MESG_FROM_PEER,
IKE_QM_EXCH
12:18:53: ISAKMP (0:1): Old State = IKE_QM_READY New State =
IKE_QM_SPI_STARVE
12:18:53: IPSEC(key_engine): got a queue event...
12:18:53: IPSEC(spi_response): getting spi 1606767518 for SA
from cisco to netscreen for prot 3
12:18:53: ISAKMP: received ke message (2/1)
12:18:53: ISAKMP: Locking peer struct 0x813F3908, IPSEC refcount 1 for
for stuff_ke
12:18:53: ISAKMP (0:1): Creating IPSec SAs
12:18:53: inbound SA from netscreen to cisco (f/i) 0/ 0
(proxy 192.168.22.0 to 192.168.23.0)
12:18:53: has spi 0x5FC5539E and conn_id 2000 and flags 2
12:18:53: lifetime of 3600 seconds
12:18:53: has client flags 0x0
12:18:53: outbound SA from cisco to netscreen (f/i) 0/ 0 (proxy
192.168.23.0 to 192.168.22.0 )
12:18:53: has spi 1276321566 and conn_id 2001 and flags A
12:18:53: lifetime of 3600 seconds
12:18:53: has client flags 0x0
12:18:53: ISAKMP (0:1): sending packet to netscreen my_port 500
peer_port 500 (I) QM_IDLE
12:18:53: ISAKMP (0:1): Node -928160302, Input = IKE_MESG_FROM_IPSEC,
IKE_SPI_REPLY
12:18:53: ISAKMP (0:1): Old State = IKE_QM_SPI_STARVE New State =
IKE_QM_R_QM2
12:18:53: IPSEC(key_engine): got a queue event...
12:18:53: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= cisco, remote= netscreen,
local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 0kb,
spi= 0x5FC5539E(1606767518), conn_id= 2000, keysize= 0, flags= 0x2
12:18:53: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= cisco, remote= netscreen,
local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 0kb,
spi= 0x4C131F1E(1276321566), conn_id= 2001, keysize= 0, flags= 0xA
12:18:53: IPSEC(kei_proxy): head = netscreen-net, map->ivrf = ,
kei->ivrf =
12:18:53: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the
same proxies and netscreen
12:18:53: IPSEC(add mtree): src 192.168.23.0, dest 192.168.22.0,
dest_port 0

12:18:53: IPSEC(create_sa): sa created,
(sa) sa_dest= cisco, sa_prot= 50,
sa_spi= 0x5FC5539E(1606767518),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000
12:18:53: IPSEC(create_sa): sa created,
(sa) sa_dest= netscreen, sa_prot= 50,
sa_spi= 0x4C131F1E(1276321566),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001
12:18:53: ISAKMP (0:1): received packet from netscreen dport 500 sport
500 Global (I) QM_IDLE
12:18:53: ISAKMP (0:1): deleting node -928160302 error FALSE reason
"quick mode done (await)"
12:18:53: ISAKMP (0:1): Node -928160302, Input = IKE_MESG_FROM_PEER,
IKE_QM_EXCH
12:18:53: ISAKMP (0:1): Old State = IKE_QM_R_QM2 New State =
IKE_QM_PHASE2_COMPLETE
12:18:53: IPSEC(key_engine): got a queue event...
12:18:53: IPSEC(key_engine_enable_outbound): rec'd enable notify from
ISAKMP
12:18:53: IPSEC(key_engine_enable_outbound): enable SA with spi
1276321566/50 for netscreen
12:19:43: ISAKMP (0:1): purging node -928160302


scubabri 01-22-2006 01:07 AM

Re: problems with cisco <-> netscreen
 
turns out it was my nat configuration that was horking it up :)

b


slimordium 01-29-2008 05:13 PM

nat?
 
Which was what? I am having the same problem.
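The thread never spells out the NAT fix, but the posted config shows the usual cause: NAT list 102 permits 192.168.23.0/24 to any, and on IOS inside-to-outside NAT runs before the crypto map is consulted, so packets bound for 192.168.22.0/24 are translated to the Ethernet1 address and no longer match crypto ACL 130, which sends them out in the clear. The model below is an added example, not code from the thread; it assumes the standard NAT-exemption fix (a deny entry for the VPN traffic ahead of the permit in list 102) and uses a placeholder public address, since the real one is sanitized in the post.

```python
import ipaddress

# Placeholder for the sanitized Ethernet1 public address (assumption, not from the post).
OUTSIDE_ADDR = "203.0.113.1"

def acl(entries):
    """Build an ordered ACL from (action, source, destination) tuples."""
    return [(act, ipaddress.ip_network(s), ipaddress.ip_network(d)) for act, s, d in entries]

def acl_match(entries, src, dst):
    """First-match evaluation with IOS's implicit deny at the end of every list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False

# NAT list 102 exactly as posted: everything from the inside network is translated.
NAT_AS_POSTED = acl([("permit", "192.168.23.0/24", "0.0.0.0/0")])

# Assumed fix: exempt the VPN traffic from NAT before the catch-all permit.
NAT_WITH_EXEMPTION = acl([
    ("deny", "192.168.23.0/24", "192.168.22.0/24"),
    ("permit", "192.168.23.0/24", "0.0.0.0/0"),
])

# Crypto ACL 130 from the posted config (the "log" keyword does not affect matching).
CRYPTO_130 = acl([
    ("permit", "192.168.22.0/24", "192.168.23.0/24"),
    ("permit", "192.168.23.0/24", "192.168.22.0/24"),
])

def forward_inside_to_outside(nat_acl, src, dst):
    """Model the IOS inside-to-outside path: NAT first, then the crypto map check.
    Returns the source address as seen on the wire and whether the packet was encrypted."""
    if acl_match(nat_acl, src, dst):
        src = OUTSIDE_ADDR  # PAT overload rewrites the source to the Ethernet1 address
    encrypted = acl_match(CRYPTO_130, src, dst)
    return src, "encrypted" if encrypted else "clear"

if __name__ == "__main__":
    for name, nat in (("as posted", NAT_AS_POSTED), ("with exemption", NAT_WITH_EXEMPTION)):
        print(name, forward_inside_to_outside(nat, "192.168.23.10", "192.168.22.5"))
```

With the posted list 102 the reply to the NetScreen side leaves translated and unencrypted, which matches the symptom in the first post; with the deny entry it keeps its inside source and hits the crypto map.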

