VPN from 3640 to Watchguard Firebox X Edge Problems

jlamanna@gmail.com
08-14-2008
Hi,
I'm having problems establishing a VPN tunnel between a 3640 and a Firebox X Edge.
It seems to die during Phase 1 even though the X Edge is set up for 3DES & SHA hashing.

The Cisco local LAN is 192.168.100.0/24 and the X Edge is 192.168.1.0/24.

Any help would be much appreciated.

-- James

Here's the log from the Cisco when it tries to ping 192.168.1.1:

Aug 14 13:16:56.206: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= [cis.co.ip.xxx], remote=
[fir.ebo.x.ip],
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x9F449A63(2672073315), conn_id= 0, keysize= 0, flags= 0x400D
Aug 14 13:16:56.206: ISAKMP: received ke message (1/1)
Aug 14 13:16:56.210: ISAKMP: local port 500, remote port 500
Aug 14 13:16:56.210: ISAKMP (0:1): beginning Main Mode exchange
Aug 14 13:16:56.210: ISAKMP (0:1): sending packet to [fir.ebo.x.ip]
(I) MM_NO_STATE
Aug 14 13:16:56.210: UDP: sent src=[cis.co.ip.xxx](500),
dst=[fir.ebo.x.ip](500), length=112
Aug 14 13:16:56.634: UDP: rcvd src=[fir.ebo.x.ip](500),
dst=[cis.co.ip.xxx](500), length=92
Aug 14 13:16:56.638: ISAKMP (0:1): received packet from [fir.ebo.x.ip]
(I) MM_NO_STATE
Aug 14 13:16:56.638: ISAKMP (0:1): processing SA payload. message ID =
0
Aug 14 13:16:56.638: ISAKMP (0:1): found peer pre-shared key matching
[fir.ebo.x.ip]
Aug 14 13:16:56.638: ISAKMP (0:1): Checking ISAKMP transform 1 against
priority 1 policy
Aug 14 13:16:56.638: ISAKMP: encryption 3DES-CBC
Aug 14 13:16:56.638: ISAKMP: hash SHA
Aug 14 13:16:56.638: ISAKMP: auth pre-share
Aug 14 13:16:56.638: ISAKMP: life type in seconds
Aug 14 13:16:56.638: ISAKMP: life duration (VPI) of 0x0 0x1 0x51
0x80
Aug 14 13:16:56.638: ISAKMP: default group 2
Aug 14 13:16:56.638: ISAKMP (0:1): atts are acceptable. Next payload
is 0
Aug 14 13:16:56.774: ISAKMP (0:1): SA is doing pre-shared key
authentication using id type ID_IPV4_ADDR
Aug 14 13:16:56.778: ISAKMP (0:1): sending packet to [fir.ebo.x.ip]
(I) MM_SA_SETUP
Aug 14 13:16:56.778: UDP: sent src=[cis.co.ip.xxx](500),
dst=[fir.ebo.x.ip](500), length=232
Aug 14 13:17:06.634: UDP: rcvd src=[fir.ebo.x.ip](500),
dst=[cis.co.ip.xxx](500), length=92
Aug 14 13:17:06.634: ISAKMP (0:1): received packet from [fir.ebo.x.ip]
(I) MM_SA_SETUP
Aug 14 13:17:06.638: ISAKMP (0:1): phase 1 packet is a duplicate of a
previous packet.
Aug 14 13:17:06.638: ISAKMP (0:1): retransmitting due to retransmit
phase 1
Aug 14 13:17:06.638: ISAKMP (0:1): retransmitting phase 1
MM_SA_SETUP...
Aug 14 13:17:07.138: ISAKMP (0:1): retransmitting phase 1
MM_SA_SETUP...
Aug 14 13:17:07.138: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 1
Aug 14 13:17:07.138: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
Aug 14 13:17:07.138: ISAKMP (0:1): sending packet to [fir.ebo.x.ip]
(I) MM_SA_SETUP
Aug 14 13:17:07.138: UDP: sent src=[cis.co.ip.xxx](500),
dst=[fir.ebo.x.ip](500), length=232
Aug 14 13:17:07.646: UDP: rcvd src=[fir.ebo.x.ip](500),
dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:07.650: ISAKMP (0:1): received packet from [fir.ebo.x.ip]
(I) MM_SA_SETUP
Aug 14 13:17:07.650: ISAKMP (0:1): processing KE payload. message ID =
0
Aug 14 13:17:07.822: ISAKMP (0:1): processing NONCE payload. message
ID = 0
Aug 14 13:17:07.822: ISAKMP (0:1): found peer pre-shared key matching
[fir.ebo.x.ip]
Aug 14 13:17:07.826: ISAKMP (0:1): SKEYID state generated
Aug 14 13:17:07.826: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
Aug 14 13:17:07.826: ISAKMP (1): Total payload length: 12
Aug 14 13:17:07.830: ISAKMP (0:1): sending packet to [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:07.830: UDP: sent src=[cis.co.ip.xxx](500),
dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:16.858: UDP: rcvd src=[fir.ebo.x.ip](500),
dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:16.858: ISAKMP (0:1): received packet from [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:16.858: ISAKMP (0:1): phase 1 packet is a duplicate of a
previous packet.
Aug 14 13:17:16.858: ISAKMP (0:1): retransmitting due to retransmit
phase 1
Aug 14 13:17:16.858: ISAKMP (0:1): retransmitting phase 1
MM_KEY_EXCH...
Aug 14 13:17:17.358: ISAKMP (0:1): retransmitting phase 1
MM_KEY_EXCH...
Aug 14 13:17:17.358: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 1
Aug 14 13:17:17.358: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:17.358: ISAKMP (0:1): sending packet to [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:17.358: UDP: sent src=[cis.co.ip.xxx](500),
dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:26.207: IPSEC(key_engine): request timer fired: count =
1,
(identity) local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
Aug 14 13:17:26.207: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= [cis.co.ip.xxx], remote=
[fir.ebo.x.ip],
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x241E3B9C(605961116), conn_id= 0, keysize= 0, flags= 0x400D
Aug 14 13:17:26.207: ISAKMP: received ke message (1/1)
Aug 14 13:17:26.207: ISAKMP (0:1): SA is still budding. Attached new
ipsec request to it.
Aug 14 13:17:27.359: ISAKMP (0:1): retransmitting phase 1
MM_KEY_EXCH...
Aug 14 13:17:27.359: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 1
Aug 14 13:17:27.359: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:27.359: ISAKMP (0:1): sending packet to [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:27.359: UDP: sent src=[cis.co.ip.xxx](500),
dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:27.383: UDP: rcvd src=[fir.ebo.x.ip](500),
dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:27.387: ISAKMP (0:1): received packet from [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:27.387: ISAKMP (0:1): phase 1 packet is a duplicate of a
previous packet.
Aug 14 13:17:27.387: ISAKMP (0:1): retransmission skipped for phase 1
(time since last transmission 2
Aug 14 13:17:32.255: UDP: rcvd src=67.19.103.173(123),
dst=[cis.co.ip.xxx](123), length=56
Aug 14 13:17:37.387: ISAKMP (0:1): retransmitting phase 1
MM_KEY_EXCH...
Aug 14 13:17:37.387: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 1
Aug 14 13:17:37.387: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:37.387: ISAKMP (0:1): sending packet to [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:37.387: UDP: sent src=[cis.co.ip.xxx](500),
dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:37.387: UDP: rcvd src=[fir.ebo.x.ip](500),
dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:37.391: ISAKMP (0:1): received packet from [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:37.391: ISAKMP (0:1): phase 1 packet is a duplicate of a
previous packet.
Aug 14 13:17:37.391: ISAKMP (0:1): retransmission skipped for phase 1
(time since last transmission 4)
Aug 14 13:17:47.391: ISAKMP (0:1): retransmitting phase 1
MM_KEY_EXCH...
Aug 14 13:17:47.391: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 1
Aug 14 13:17:47.391: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:47.391: ISAKMP (0:1): sending packet to [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:47.391: UDP: sent src=[cis.co.ip.xxx](500),
dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:47.407: UDP: rcvd src=[fir.ebo.x.ip](500),
dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:47.407: ISAKMP (0:1): received packet from [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:47.407: ISAKMP (0:1): phase 1 packet is a duplicate of a
previous packet.
Aug 14 13:17:47.407: ISAKMP (0:1): retransmission skipped for phase 1
(time since last transmission 16)
Aug 14 13:17:56.208: IPSEC(key_engine): request timer fired: count =
2,
(identity) local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
Aug 14 13:17:56.208: ISAKMP: received ke message (3/1)
Aug 14 13:17:56.208: ISAKMP (0:1): ignoring request to send delete
notify (sa not authenticated) src [cis.co.ip.xxx] dst [fir.ebo.x.ip]
Aug 14 13:17:57.408: ISAKMP (0:1): retransmitting phase 1
MM_KEY_EXCH...
Aug 14 13:17:57.408: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 1
Aug 14 13:17:57.408: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:57.408: ISAKMP (0:1): sending packet to [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:57.408: UDP: sent src=[cis.co.ip.xxx](500),
dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:57.416: UDP: rcvd src=[fir.ebo.x.ip](500),
dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:57.420: ISAKMP (0:1): received packet from [fir.ebo.x.ip]
(I) MM_KEY_EXCH
Aug 14 13:17:57.420: ISAKMP (0:1): phase 1 packet is a duplicate of a
previous packet.
Aug 14 13:17:57.420: ISAKMP (0:1): retransmission skipped for phase 1
(time since last transmission 12)
Aug 14 13:18:07.420: ISAKMP (0:1): retransmitting phase 1
MM_KEY_EXCH...
Aug 14 13:18:07.420: ISAKMP (0:1): peer does not do paranoid
keepalives.

Aug 14 13:18:07.420: ISAKMP (0:1): deleting SA reason "death by
retransmission P1" state (I) MM_KEY_EXCH (peer [fir.ebo.x.ip]) input
queue 0
Aug 14 13:18:07.420: ISAKMP (0:1): deleting node 506435737 error TRUE
reason "death by retransmission P1"
Aug 14 13:18:07.420: ISAKMP (0:1): deleting node 147192259 error TRUE
reason "death by retransmission P1"

And the Cisco config:

!
! Last configuration change at 11:32:12 PDT Thu Aug 14 2008
! NVRAM config last updated at 11:32:13 PDT Thu Aug 14 2008
!
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
boot system flash:c3640-ik9o3s-mz.122-46a.bin
logging buffered 32768 debugging
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.100.2 192.168.100.30
!
ip dhcp pool LAN
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 4.2.2.2
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key zzzzzzzzz address zzz.zzz.zzz.zzz
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer zzz.zzz.zzz.zzz
set transform-set 3DES-SHA
set pfs group2
match address 101
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/0
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip nat outside
full-duplex
crypto map VPN-Map-1
!
interface Ethernet1/1
ip address 192.168.100.1 255.255.255.0
ip nat inside
half-duplex
!
ip nat pool branch xxx.xxx.xxx.xxy xxx.xxx.xxx.xxy netmask
255.255.255.224
ip nat inside source list acl_nat pool branch overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
no ip http server
!
!
ip access-list extended acl_nat
deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0
0.0.0.255
route-map nonat permit 10
match ip address 130
!
!
dial-peer cor custom
!
!
!
!
!
ntp clock-period 17180080
ntp server 67.19.103.173
end
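As an added diagnostic example (not from the post, Cisco or WatchGuard), here is a small Python parser that walks IOS ISAKMP debug lines like the ones above and reports how far the initiator's Main Mode got and where it stalled. It assumes each debug line has been unwrapped onto a single line and uses a constructed excerpt in the shape of the poster's log, with the poster's own placeholders for the public addresses.

```python
import re
from collections import Counter
# Constructed excerpt modelled on the debug output in the post (placeholders kept).
SAMPLE_LOG = """\
Aug 14 13:16:56.210: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_NO_STATE
Aug 14 13:16:56.638: ISAKMP (0:1): atts are acceptable. Next payload is 0
Aug 14 13:16:56.778: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_SA_SETUP
Aug 14 13:17:06.638: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:06.638: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Aug 14 13:17:07.826: ISAKMP (0:1): SKEYID state generated
Aug 14 13:17:07.830: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:16.858: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:16.858: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:17:27.359: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:18:07.420: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (I) MM_KEY_EXCH
"""

SEND_RE = re.compile(r"sending packet to \S+ \(I\) (MM_\w+)")
RETX_RE = re.compile(r"retransmitting phase 1 (MM_\w+)\.\.\.")
DEATH_RE = re.compile(r'death by retransmission P1" state \(I\) (MM_\w+)')

def analyze_main_mode(log):
    """Summarise the initiator's Main Mode progress from IOS ISAKMP debug lines."""
    result = {"states": [], "retransmits": Counter(), "atts_ok": False,
              "skeyid": False, "dup_from_peer": 0, "died_in": None}
    for line in log.splitlines():
        if (m := SEND_RE.search(line)) and m.group(1) not in result["states"]:
            result["states"].append(m.group(1))        # first time a new MM state is sent
        elif m := RETX_RE.search(line):
            result["retransmits"][m.group(1)] += 1     # our message was not answered
        elif "atts are acceptable" in line:
            result["atts_ok"] = True                   # peer's proposal matched a policy
        elif "SKEYID state generated" in line:
            result["skeyid"] = True                    # DH done, MM5 onwards is encrypted
        elif "packet is a duplicate" in line:
            result["dup_from_peer"] += 1               # peer is re-sending its last message
        elif m := DEATH_RE.search(line):
            result["died_in"] = m.group(1)
    return result

def diagnose(r):
    """Map the stall point to the first thing an operator should compare on both peers."""
    if r["died_in"] is None:
        return "no phase 1 death by retransmission in this excerpt"
    if not r["atts_ok"]:
        return "no acceptable ISAKMP proposal: compare encr/hash/auth/group/lifetime"
    if r["died_in"] == "MM_KEY_EXCH" and r["skeyid"]:
        return ("proposal and DH accepted but MM5 (ID/HASH, the first encrypted message) "
                "was never acknowledged: suspect pre-shared key or ID-type mismatch")
    return f"stalled in {r['died_in']}: check UDP/500 reachability in both directions"
```

Run against the excerpt, the result reports three states reached, retransmits only in MM_SA_SETUP and MM_KEY_EXCH, and a diagnosis pointing at the pre-shared key or identity settings rather than at the cipher suite.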