PIX525 - Setup ipsec tunnel to two Nortel FW sharing the same subnet

iwhite
11-14-2005

Hi guys,

I'm trying to set up IPsec tunnels to two Nortel boxes (Contivity 600)
sharing the same subnet from a Cisco PIX-525E running 6.3(3).

PIX 525 LAN : 192.168.104.0/24
Nortel boxes LAN: 192.168.105.0/24

Indeed, I want to ensure that if one Nortel box fails, the other keeps
its link to my PIX up and allows users in the Nortel subnet to reach the
ones behind the PIX.

The Nortel boxes are configured with failover and VRRP. This ensures that if
any interface goes down, the other box takes over.

The problem is that only one tunnel comes up correctly; the other fails
in IPsec negotiation phase 2 because the PIX rejects it.

Does anybody see what could explain this behaviour?
Do you think that sharing the same subnet between two different IPsec
tunnels isn't possible?

thank you
Frédéric


-------------------------
#sh isakmp sa
Total : 2
Embryonic : 0
dst src state pending created
212.147.x.x 212.147.x.x QM_IDLE 0 1
212.147.x.x 212.147.x.x QM_IDLE 0 0

-> the second one is not mounted properly.
--------------------------
PIX conf :

access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list 110 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list 120 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0

crypto ipsec transform-set set2 esp-des esp-sha-hmac
crypto map C1 5 ipsec-isakmp
crypto map C1 5 match address 110
crypto map C1 5 set peer 212.147.x.x
crypto map C1 5 set transform-set set2
crypto map C1 10 ipsec-isakmp
crypto map C1 10 match address 120
crypto map C1 10 set peer 212.147.x.x
crypto map C1 10 set transform-set set2
crypto map C1 interface outside

----------------------------------
Debug crypto isakmp

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS

Walter Roberson
11-14-2005
In article <(E-Mail Removed) .com>,
iwhite <(E-Mail Removed)> wrote:
>I'm trying to setup ipsec tunnels to two Nortel boxes (Contivity 600)
>sharing the same subnet from a CISCO PIX-525E running under 6.3(3).


>crypto ipsec transform-set set2 esp-des esp-sha-hmac


Try MD5 instead of SHA. 6.3 doesn't allow SHA with single-DES
(I don't know why not.)
--
Is there any thing whereof it may be said, See, this is new? It hath
been already of old time, which was before us. -- Ecclesiastes
iwhite
11-15-2005
Hi Walter,

I tried with MD5 and the result is no better.
For information, if I change the subnet of my secondary Nortel FW to a
different one (e.g. 192.168.106.0/24) then both IPsec tunnels are up
and running!

I don't know why, but it seems that the PIX doesn't like having the
same subnet shared between two different remote FWs through IPsec tunnels.

Do you or somebody else have any other ideas?

cheers
Frédéric

Walter Roberson
11-15-2005
In article <(E-Mail Removed) .com>,
iwhite <(E-Mail Removed)> wrote:
>I'm trying to setup ipsec tunnels to two Nortel boxes (Contivity 600)
>sharing the same subnet from a CISCO PIX-525E running under 6.3(3).


>PIX 525 LAN : 192.168.104.0/24
>Nortel boxes LAN: 192.168.105.0/24


>Indeed I want to ensure that if one Nortel box failed the other keep
>its link to my pix up and allow users in the Nortel subnet to reach the
>one behind the PIX.


>Nortel boxes are configured with failover and vrrp. this ensure that if
>any interface falls, the other box take the hand.


>PIX conf :


>access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
>access-list 110 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0
>access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
>access-list 120 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0


>crypto ipsec transform-set set2 esp-des esp-sha-hmac
>crypto map C1 5 ipsec-isakmp
>crypto map C1 5 match address 110
>crypto map C1 5 set peer 212.147.x.x
>crypto map C1 5 set transform-set set2


You do not need to put the forward and backward flow into the same
match-address ACL. Just the forward flow:

access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0

and leave out the second line.

>crypto map C1 10 ipsec-isakmp
>crypto map C1 10 match address 120
>crypto map C1 10 set peer 212.147.x.x
>crypto map C1 10 set transform-set set2
>crypto map C1 interface outside


PIX always scans for matches from the highest priority (lowest number)
to lowest. It stops when it finds a match. As your two address lists
are identical, it is always going to match on the C1 5, and never going
to get as far as C1 10. Even if the peer for C1 5 dies, the PIX will
not get as far as C1 10. PIX 6.x also has no mechanism for load sharing.

I'm not clear from your posting whether the two Nortel peers are at the same
(virtual) IP address. If so then that is sure to cause problems, as
the PIX makes its decisions based upon IP address -- problems, that is,
if you want both to be active at the same time.

If you do NOT want both Nortels to be active at the same time, then only
one of the two should be in contact with the PIX at a time and the PIX
should be configured as

access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
crypto map C1 5 ipsec-isakmp
crypto map C1 5 match address 110
crypto map C1 5 set peer 212.147.x.x
crypto map C1 5 set transform-set set2

where 212.147.x.x is their (VRRP) shared IP address. In this situation
the PIX should not be configured with any information about the second
Nortel, because the failover to the second Nortel is supposed to
be transparent in such a situation.


If you DO want both Nortels to be active at the same time, and both
carrying part of the load, then configure something like

access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.128
access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.128 255.255.255.128

(that is, use the two lists to partition the destination traffic somehow), then

crypto map C1 5 ipsec-isakmp
crypto map C1 5 match address 110
crypto map C1 5 set peer 212.147.x.1
crypto map C1 5 set transform-set set2
crypto map C1 10 ipsec-isakmp
crypto map C1 10 match address 120
crypto map C1 10 set peer 212.147.x.2
crypto map C1 10 set transform-set set2

presuming that the surviving Nortel can take on both 212.147.x.1 and 212.147.x.2


If the Nortels cannot take on two IPs, then a more typical config would be,

access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
crypto map C1 5 ipsec-isakmp
crypto map C1 5 match address 110
crypto map C1 5 set peer 212.147.x.1 212.147.x.2
crypto map C1 5 set transform-set set2

The PIX would try 212.147.x.1 first, and if it timed out connecting
to 212.147.x.1 at any point, it would move on to 212.147.x.2 -- and
it would stick with 212.147.x.2 as long as that still responded
before moving back to try 212.147.x.1. That is, if you have multiple
peers listed, the PIX does -not- make any attempt to contact the
other peers on the list to determine whether they have come up yet
and if so then to resume going to them instead of the active peer:
it just sticks with whatever peer is active as long as it keeps talking.
[However, if the other peer comes alive and contacts the PIX, there are
some circumstances under which it can sort of "interrupt" and gain
the conversation back again. The documentation on this aspect is
confusing.]


You might even be able to combine these last two configurations into
something like,

access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.128
access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.128 255.255.255.128
crypto map C1 5 ipsec-isakmp
crypto map C1 5 match address 110
crypto map C1 5 set peer 212.147.x.1 212.147.x.2
crypto map C1 5 set transform-set set2
crypto map C1 10 ipsec-isakmp
crypto map C1 10 match address 120
crypto map C1 10 set peer 212.147.x.2 212.147.x.1
crypto map C1 10 set transform-set set2

This would be appropriate for circumstances in which you want to split
the traffic while both Nortels are alive, and the Nortels do NOT take on
both IPs during failover but -do- somehow assume the ability to take
on both subnets, and the Nortels also know how to shift back
to only handling one of the subnets when they come out of failover.

[I have no information as to what the Nortels are able to handle.]
--
If you lie to the compiler, it will get its revenge. -- Henry Spencer
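The two points Walter makes in this reply (first-match crypto map selection that never reaches a lower-priority entry whose ACL duplicates an earlier one, and the "stick with the answering peer" behaviour of a multi-peer `set peer` list) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from Cisco: it parses the PIX 6.x `access-list` and `crypto map` lines quoted above, picks the entry a packet would hit in sequence-number order, flags entries whose ACL is completely covered by an earlier one (this shadow check is my own audit helper, not a PIX feature), and models the peer-list behaviour exactly as Walter describes it. The config strings are constructed from the thread's own lines, and the 212.147.x.1 / 212.147.x.2 peer addresses are the thread's placeholders kept as opaque labels.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax: the original poster's map, where both
# entries use ACLs that permit the identical 192.168.104.0/24 <-> 192.168.105.0/24 flow.
ORIGINAL_CONFIG = """\
access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list 110 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list 120 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0
crypto map C1 5 ipsec-isakmp
crypto map C1 5 match address 110
crypto map C1 5 set peer 212.147.x.1
crypto map C1 10 ipsec-isakmp
crypto map C1 10 match address 120
crypto map C1 10 set peer 212.147.x.2
crypto map C1 interface outside
"""

# Walter's partitioned variant: each entry owns one half of 192.168.105.0/24.
PARTITIONED_CONFIG = """\
access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.128
access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.128 255.255.255.128
crypto map C1 5 ipsec-isakmp
crypto map C1 5 match address 110
crypto map C1 5 set peer 212.147.x.1
crypto map C1 10 ipsec-isakmp
crypto map C1 10 match address 120
crypto map C1 10 set peer 212.147.x.2
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
MAP_RE = re.compile(r"^crypto map\s+\S+\s+(\d+)\s+(.+)$")


def parse_config(text):
    """Return (acls, entries): acls maps ACL name -> [(src_net, dst_net), ...];
    entries is [(seq, {"acl": name, "peers": [...]}), ...] in sequence-number order."""
    acls, entries = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{src}/{smask}"),
                                              ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = MAP_RE.match(line)
        if m:  # "crypto map C1 interface outside" has no sequence number and is skipped
            seq, words = int(m.group(1)), m.group(2).split()
            entry = entries.setdefault(seq, {"acl": None, "peers": []})
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peers"] = words[2:]
    return acls, [(seq, entries[seq]) for seq in sorted(entries)]


def select_entry(acls, entries, src_ip, dst_ip):
    """First-match lookup: lowest-numbered entry whose ACL permits src -> dst,
    returned as (seq, peers); None means no entry matches (traffic stays in clear)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, entry in entries:
        for src_net, dst_net in acls.get(entry["acl"], []):
            if src in src_net and dst in dst_net:
                return seq, entry["peers"]
    return None


def shadowed_entries(acls, entries):
    """Audit helper (not a PIX feature): sequence numbers of entries that can never be
    selected because every line of their ACL is covered by an earlier entry's ACL."""
    earlier, shadowed = [], []
    for seq, entry in entries:
        lines = acls.get(entry["acl"], [])
        if lines and all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in earlier)
                         for s, d in lines):
            shadowed.append(seq)
        earlier.extend(lines)
    return shadowed


class PeerFailover:
    """Model of the 'set peer A B' behaviour described above: try peers in listed
    order, then stick with the answering peer rather than probing earlier ones."""

    def __init__(self, peers):
        self.peers, self.active = list(peers), None

    def next_peer(self, alive):
        """alive: set of peer labels currently responding (constructed test input)."""
        if self.active in alive:
            return self.active
        self.active = next((p for p in self.peers if p in alive), None)
        return self.active


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("partitioned", PARTITIONED_CONFIG)):
        acls, entries = parse_config(cfg)
        print(label, "192.168.104.10 -> 192.168.105.200 uses",
              select_entry(acls, entries, "192.168.104.10", "192.168.105.200"))
        print(label, "shadowed crypto map entries:", shadowed_entries(acls, entries))
```

Run against the original map, the shadow check reports entry 10 as unreachable and every 104.x -> 105.x packet resolves to entry 5, which is why the second tunnel is never used; against the partitioned map, hosts in 192.168.105.128/25 resolve to entry 10 and nothing is shadowed. The `PeerFailover` model shows the property Walter stresses: once the PIX has moved to the second peer it stays there even after the first peer is answering again.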