Velocity Reviews - Computer Hardware Reviews


lan-lan tunnel, pix-concentrator

 
 
Adam KOSA
 
      05-30-2006
Hi

I'm trying to create a LAN-to-LAN tunnel between a 3005 and a PIX 501. The
PIX has the 3DES license:
VPN-DES: Enabled
VPN-3DES-AES: Enabled

I've been following the doc on Cisco's web site:
http://www.cisco.com/warp/public/471/ALTIGA_pix.html

but I have no idea what I'm doing wrong. The parameters on the
3005:

authentication: esp/sha/hmac-128, preshared key
encryption: aes-256
ike proposal: encr: aes-256, auth: sha/hmac/160, group 2

On the PIX side:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.8
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address x.x.x.8 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 60 10
isakmp log 100
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

The VPN web log says:

23877 05/30/2006 17:15:31.390 SEV=4 AUTH/23 RPT=823 x.x.x.9
User [x.x.x.9] Group [x.x.x.9] disconnected: duration: 0:00:00

23876 05/30/2006 17:15:31.390 SEV=4 IKEDBG/97 RPT=278 x.x.x.9
Group [x.x.x.9]
QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!

23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9
Group [x.x.x.9]
Received local IP Proxy Subnet data in ID Payload:
Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0

23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9
Group [x.x.x.9]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0

23864 05/30/2006 17:15:31.340 SEV=4 IKE/119 RPT=16200 x.x.x.9
Group [x.x.x.9]
PHASE 1 COMPLETED

The PIX says:

[...]
VPN Peer: ISAKMP: Added new peer: ip.x.x.8/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip.x.x.8/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src.x.x.8, dest.x.x.9 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24576 protocol 1
spi 0, message ID = 3863724126
ISAKMP (0): processing responder lifetime
ISAKMP (0): phase 1 responder lifetime of 3600s
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src.x.x.8, dest.x.x.9 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2461701839, spi size = 16
ISAKMP (0): deleting SA: src x.x.x.9, dst x.x.x.8
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xb31854, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip.x.x.8/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip.x.x.8/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.8

and I ran out of ideas. I've tried to config the PIX with the no x-auth,
changing ipsec nat-t, changing the transform sets... but no luck. Can
anyone tell me what I'm doing wrong?

The only error message that I see is the
QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!
from the concentrator web page, but I don't know what that means.

Thanks very much
Adam
 
Walter Roberson
 
      05-30-2006
In article <(E-Mail Removed). hu>,
Adam KOSA <(E-Mail Removed)> wrote:
>I'm trying to create a lan-lan tunnel between a 3005 and a pix501.


>the parameters on the 3005:


>authentication: esp/sha/hmac-128, preshared key
>encryption: aes-256
>ike proposal: encr: aes-256, auth: sha/hmac/160, group 2


You really should use group 5 with AES.


>on the pix side:
>crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
>crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5


I recommend instead,

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA TRANS_ESP_3DES_MD5

>isakmp policy 20 authentication pre-share
>isakmp policy 20 encryption 3des
>isakmp policy 20 hash md5
>isakmp policy 20 group 2
>isakmp policy 20 lifetime 86400
>isakmp policy 40 authentication pre-share
>isakmp policy 40 encryption aes-256
>isakmp policy 40 hash sha
>isakmp policy 40 group 2
>isakmp policy 40 lifetime 86400


I recommend changing the group to 5 for aes-256, and I recommend
reversing the order so that AES-256 has a higher priority than
3DES/MD5 .

I don't particularly recommend 3DES/MD5 : 3DES/SHA is considered
more secure.


>The vpn web log says:


>23877 05/30/2006 17:15:31.390 SEV=4 AUTH/23 RPT=823 x.x.x.9
>User [x.x.x.9] Group [x.x.x.9] disconnected: duration: 0:00:00


>23876 05/30/2006 17:15:31.390 SEV=4 IKEDBG/97 RPT=278 x.x.x.9
>Group [x.x.x.9]
>QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!


This link *might* help:
http://groups.google.ca/group/openbs...84126f585b4584


>23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9
>Group [x.x.x.9]
>Received local IP Proxy Subnet data in ID Payload:
> Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0


>23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9
>Group [x.x.x.9]
>Received remote IP Proxy Subnet data in ID Payload:
> Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0


I notice that the remote IP (from the PIX) is netmask 255.255.0.0:
was that what you were expecting?

Meanwhile, on the PIX, push up the debug level. If my fingers
still remember the commands:

debug crypto isakmp 2
debug crypto ipsec 2
 
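Both posts above circle the same two Phase 2 suspects: proxy IDs (the PIX crypto ACL versus the concentrator's LAN-to-LAN local/remote networks, including the 255.255.0.0 mask Walter asks about) that are not exact mirror images, and transform sets that differ between the static and dynamic map entries. Here is an added example, not code from the thread or from Cisco, that checks a PIX crypto ACL and transform set against a concentrator LAN-to-LAN entry and against the proxy subnets the concentrator actually logged. The log lines and the `access-list outside_cryptomap_20` line are constructed from the numbers in the thread (the thread shows the map but not the ACL body); `CONCENTRATOR_L2L`, `CONCENTRATOR_IPSEC` and the 10.12.0.0/24 mask in them are assumptions chosen so that the report shows what a mismatch looks like, not the thread's actual root cause, which the thread never reveals.

```python
"""Quick-mode (IKE Phase 2) consistency check for a PIX <-> VPN 3000 LAN-to-LAN tunnel.

Added example, not code from the thread or from Cisco.  A 'QM FSM error' after
'PHASE 1 COMPLETED' usually means the peers disagree on the Phase 2 proposal:
the proxy IDs (PIX crypto ACL vs. the concentrator's LAN-to-LAN local/remote
networks) are not exact mirror images, or the IPsec transform sets differ.
All inputs are constructed from the thread; the concentrator entry is assumed.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network

# Constructed concentrator log, modelled on the IKE/34, IKE/35 and IKEDBG/97
# events quoted in the thread (event numbers and timestamps are illustrative).
CONCENTRATOR_LOG = """\
23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9
Group [x.x.x.9]
Received local IP Proxy Subnet data in ID Payload:
Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0

23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9
Group [x.x.x.9]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0

23876 05/30/2006 17:15:31.390 SEV=4 IKEDBG/97 RPT=278 x.x.x.9
Group [x.x.x.9]
QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!
"""

# Constructed crypto ACL for the static map entry 'outside_cryptomap_20'; the
# thread shows the map but not the ACL body, so this line is an assumption.
PIX_CRYPTO_ACL = ("access-list outside_cryptomap_20 permit ip "
                  "10.10.141.0 255.255.255.0 10.12.0.0 255.255.0.0")
PIX_TRANSFORM_SET = "crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac"

# Assumed concentrator LAN-to-LAN entry: 'local' is the concentrator's own LAN,
# 'remote' is the PIX LAN.  The /24 on 10.12.0.0 is deliberate: it is what a
# mismatch looks like when the PIX sends 10.12.0.0/16 as the remote proxy.
CONCENTRATOR_L2L = {"local": Net("10.12.0.0/24"), "remote": Net("10.10.141.0/24")}
CONCENTRATOR_IPSEC = ("aes-256", "esp/sha/hmac-128")  # as listed in the thread

PROXY_RE = re.compile(r"Received (local|remote) IP Proxy Subnet data in ID Payload:"
                      r"\s+Address ([\d.]+), Mask ([\d.]+)")
CIPHERS = ("aes-256", "aes-192", "aes-128", "aes", "3des", "des")
HASHES = ("sha", "md5")


def parse_proxy_ids(log: str) -> Dict[str, Net]:
    """Return the proxy subnets the concentrator logged (IKE/34 = local, IKE/35 = remote)."""
    return {side: Net(f"{addr}/{mask}") for side, addr, mask in PROXY_RE.findall(log)}


def parse_pix_acl(line: str) -> Tuple[Net, Net]:
    """Return (source, destination) of an 'access-list NAME permit ip A MASK B MASK' entry."""
    m = re.match(r"access-list \S+ permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$", line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return Net(f"{m[1]}/{m[2]}"), Net(f"{m[3]}/{m[4]}")


def normalize_transform(*tokens: str) -> Set[str]:
    """Map vendor spellings ('esp-aes-256', 'esp/sha/hmac-128', 'esp-md5-hmac') to {cipher, hash}."""
    out: Set[str] = set()
    for tok in tokens:
        tok = tok.lower()
        for cipher in CIPHERS:        # longest names first, so '3des' wins over 'des'
            if cipher in tok:
                out.add("aes-128" if cipher == "aes" else cipher)
                break
        for hsh in HASHES:
            if hsh in tok:
                out.add(hsh)
                break
    return out


def parse_transform_set(line: str) -> Tuple[str, Set[str]]:
    """Return (name, normalized transforms) of a 'crypto ipsec transform-set NAME t1 t2' line."""
    parts = line.split()
    if parts[:3] != ["crypto", "ipsec", "transform-set"] or len(parts) < 5:
        raise ValueError(f"unsupported transform-set line: {line!r}")
    return parts[3], normalize_transform(*parts[4:])   # skip the name: it also contains 'aes'/'sha'


def check_phase2(log: str = CONCENTRATOR_LOG,
                 acl_line: str = PIX_CRYPTO_ACL,
                 ts_line: str = PIX_TRANSFORM_SET,
                 l2l: Dict[str, Net] = CONCENTRATOR_L2L,
                 ipsec: Tuple[str, str] = CONCENTRATOR_IPSEC) -> List[str]:
    """Return the Phase 2 inconsistencies found; an empty list means the proposal should be accepted."""
    problems: List[str] = []
    src, dst = parse_pix_acl(acl_line)
    # 1. Mirror image: PIX source == concentrator remote, PIX destination == concentrator local.
    if (src, dst) != (l2l["remote"], l2l["local"]):
        problems.append(f"proxy IDs are not mirror images: PIX ACL {src} -> {dst} vs "
                        f"concentrator local {l2l['local']} / remote {l2l['remote']}")
    # 2. The IDs that reached the concentrator must be the ones this ACL describes;
    #    otherwise a different ACE or crypto map entry (e.g. the dynamic map) matched.
    wire = parse_proxy_ids(log)
    if set(wire.values()) != {src, dst}:
        problems.append(f"proxy IDs on the wire {sorted(map(str, wire.values()))} "
                        f"differ from ACL {src} -> {dst}")
    # 3. The transform set bound to the map entry must equal the concentrator's IPsec SA.
    name, pix_ts = parse_transform_set(ts_line)
    conc_ts = normalize_transform(*ipsec)
    if pix_ts != conc_ts:
        problems.append(f"transform set {name} {sorted(pix_ts)} != concentrator {sorted(conc_ts)}")
    return problems


if __name__ == "__main__":
    for p in check_phase2() or ["Phase 2 proposal is consistent"]:
        print(p)
```

Run as-is it reports only the proxy-ID mismatch (10.12.0.0/16 on the PIX against the assumed 10.12.0.0/24 on the concentrator); the AES-256/SHA transform set on the static map passes. Feeding it the dynamic map's `TRANS_ESP_3DES_MD5` line instead shows the other failure mode, a transform-set mismatch against the concentrator's AES-256/SHA SA. The second check exists because the PIX has both a static entry and a catch-all dynamic entry on `outside_map`: if the proxy IDs in the concentrator log are not the ones your ACL describes, the traffic was classified by some other entry and fixing the ACL will not help.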
 
 
 
 
Adam KOSA
 
      06-07-2006

Hi Walter,

On May 30, 2006 18:04 (-0000) Walter Roberson wrote:

:Meanwhile, on the PIX, push up the debug level. If my fingers
:still remember the commands:
:

thanks for the reply, it helped!

Regards
Adam
 