lan-lan tunnel, pix-concentrator

Discussion in 'Cisco' started by Adam KOSA, May 30, 2006.

  1. Adam KOSA

    Adam KOSA Guest

    Hi

    I'm trying to create a lan-lan tunnel between a 3005 and a pix501. The
    PIX has a 3DES license:
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled

    I've been following the doc on Cisco's web site:
    http://www.cisco.com/warp/public/471/ALTIGA_pix.html

    but I have no idea what I'm doing wrong. The parameters on the
    3005:

    authentication: esp/sha/hmac-128, preshared key
    encryption: aes-256
    ike proposal: encr: aes-256, auth: sha/hmac/160, group 2

    on the pix side:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer x.x.x.8
    crypto map outside_map 20 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp enable inside
    isakmp key ******** address x.x.x.8 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 60 10
    isakmp log 100
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption aes-256
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400

    The vpn web log says:

    23877 05/30/2006 17:15:31.390 SEV=4 AUTH/23 RPT=823 x.x.x.9
    User [x.x.x.9] Group [x.x.x.9] disconnected: duration: 0:00:00

    23876 05/30/2006 17:15:31.390 SEV=4 IKEDBG/97 RPT=278 x.x.x.9
    Group [x.x.x.9]
    QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!

    23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9
    Group [x.x.x.9]
    Received local IP Proxy Subnet data in ID Payload:
    Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0

    23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9
    Group [x.x.x.9]
    Received remote IP Proxy Subnet data in ID Payload:
    Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0

    23864 05/30/2006 17:15:31.340 SEV=4 IKE/119 RPT=16200 x.x.x.9
    Group [x.x.x.9]
    PHASE 1 COMPLETED

    The PIX says:

    [...]
    VPN Peer: ISAKMP: Added new peer: ip:x.x.x.8/500 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:x.x.x.8/500 Ref cnt incremented to:1 Total VPN
    Peers:1
    crypto_isakmp_process_block:src:x.x.x.8, dest:x.x.x.9 spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 24576 protocol 1
    spi 0, message ID = 3863724126
    ISAKMP (0): processing responder lifetime
    ISAKMP (0): phase 1 responder lifetime of 3600s
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:x.x.x.8, dest:x.x.x.9 spt:500 dpt:500
    ISAKMP (0): processing DELETE payload. message ID = 2461701839, spi size =
    16
    ISAKMP (0): deleting SA: src x.x.x.9, dst x.x.x.8
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0xb31854, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:x.x.x.8/500 Ref cnt decremented to:0 Total VPN
    Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.8/500 Total VPN
    peers:0IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.8

    And I've run out of ideas. I've tried configuring the PIX with no XAUTH,
    changing IPsec NAT-T, changing the transform sets... but no luck. Can
    anyone tell me what I'm doing wrong?

    The only error message I see is
    QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!
    on the concentrator web page, but I don't know what it means.

    Thanks very much
    Adam
     
    Adam KOSA, May 30, 2006
    #1

  2. In article <>,
    Adam KOSA <> wrote:
    >I'm trying to create a lan-lan tunnel between a 3005 and a pix501.


    >the parameters on the 3005:


    >authentication: esp/sha/hmac-128, preshared key
    >encryption: aes-256
    >ike proposal: encr: aes-256, auth: sha/hmac/160, group 2


    You really should use group 5 with AES.


    >on the pix side:
    >crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    >crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5


    I recommend instead,

    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA TRANS_ESP_3DES_MD5

    >isakmp policy 20 authentication pre-share
    >isakmp policy 20 encryption 3des
    >isakmp policy 20 hash md5
    >isakmp policy 20 group 2
    >isakmp policy 20 lifetime 86400
    >isakmp policy 40 authentication pre-share
    >isakmp policy 40 encryption aes-256
    >isakmp policy 40 hash sha
    >isakmp policy 40 group 2
    >isakmp policy 40 lifetime 86400


    I recommend changing the group to 5 for aes-256, and I recommend
    reversing the order so that AES-256 has a higher priority than
    3DES/MD5.

    I don't particularly recommend 3DES/MD5: 3DES/SHA is considered
    more secure.


    >The vpn web log says:


    >23877 05/30/2006 17:15:31.390 SEV=4 AUTH/23 RPT=823 x.x.x.9
    >User [x.x.x.9] Group [x.x.x.9] disconnected: duration: 0:00:00


    >23876 05/30/2006 17:15:31.390 SEV=4 IKEDBG/97 RPT=278 x.x.x.9
    >Group [x.x.x.9]
    >QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!


    This link *might* help:
    http://groups.google.ca/group/openbsd.tech/msg/dc84126f585b4584


    >23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9
    >Group [x.x.x.9]
    >Received local IP Proxy Subnet data in ID Payload:
    > Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0


    >23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9
    >Group [x.x.x.9]
    >Received remote IP Proxy Subnet data in ID Payload:
    > Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0


    I notice that the remote IP (from the PIX) is netmask 255.255.0.0:
    was that what you were expecting?

    Meanwhile, on the PIX, push up the debug level. If my fingers
    still remember the commands:

    debug crypto isakmp 2
    debug crypto ipsec 2
     
    Walter Roberson, May 30, 2006
    #2
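The two checks Walter's reply points at, as an added example that is not part of the thread or of any Cisco tool: parse the concentrator's IKE/34 and IKE/35 lines for the proxy IDs the PIX offered and compare them with the network pair this side expects (a Phase 2 proxy-ID mismatch is the usual cause of a "QM FSM error" right after "PHASE 1 COMPLETED"), and audit the posted isakmp policies for MD5, AES on DH group 2, and a weaker policy numbered ahead of a stronger one. The log and policy lines are reproduced from the posts above; the expected network pair, the "10.12.0.0/24" mismatch case and the encryption strength ranking are assumptions made here for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Concentrator log excerpt reproduced from the thread (IKEDBG/97, IKE/34 and IKE/35 lines).
CONCENTRATOR_LOG = """\
23876 05/30/2006 17:15:31.390 SEV=4 IKEDBG/97 RPT=278 x.x.x.9
Group [x.x.x.9]
QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!

23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9
Group [x.x.x.9]
Received local IP Proxy Subnet data in ID Payload:
Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0

23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9
Group [x.x.x.9]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0
"""

# PIX isakmp policy lines as posted in the thread.
PIX_CONFIG = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
"""

PROXY_RE = re.compile(
    r"Received (?P<side>local|remote) IP Proxy Subnet data in ID Payload:\s*"
    r"Address (?P<addr>[\d.]+), Mask (?P<mask>[\d.]+), "
    r"Protocol (?P<proto>\d+), Port (?P<port>\d+)"
)
POLICY_RE = re.compile(r"^\s*isakmp policy (?P<prio>\d+) (?P<attr>\S+) (?P<val>\S+)", re.M)

# Relative strength used only to decide which policy should be tried first (an assumption of this example).
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-192": 3, "aes-256": 4}


def parse_proxy_ids(log_text):
    """Map 'local'/'remote' to (network, protocol, port) from the concentrator's ID payload lines."""
    ids = {}
    for m in PROXY_RE.finditer(log_text):
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        ids[m["side"]] = (net, int(m["proto"]), int(m["port"]))
    return ids


def diagnose_quick_mode(log_text, expected_local, expected_remote):
    """Compare the proxy IDs the peer offered with the network pair this side expects.

    expected_local/expected_remote are CIDR strings in the same orientation as the log's
    'local'/'remote' labels. Cisco IKEv1 responders generally require the peer's proxy IDs
    to mirror their own configured pair, so any difference (address, mask, protocol or
    port) is reported as a Phase 2 mismatch.
    """
    findings = []
    if "QM FSM error" in log_text:
        findings.append("Quick Mode failed although Phase 1 completed: a Phase 2 parameter disagrees")
    ids = parse_proxy_ids(log_text)
    expected = {"local": ipaddress.ip_network(expected_local),
                "remote": ipaddress.ip_network(expected_remote)}
    for side, want in expected.items():
        if side not in ids:
            findings.append(f"no {side} proxy ID found in log")
            continue
        got, proto, port = ids[side]
        if got != want:
            findings.append(f"{side} proxy ID mismatch: peer offered {got}, this side expects {want}")
        if proto != 0 or port != 0:
            findings.append(f"{side} proxy ID carries protocol {proto}/port {port}; "
                            "the peer's crypto ACL is not a plain 'permit ip' entry")
    return findings


def parse_isakmp_policies(config_text):
    """Group 'isakmp policy N attr value' lines by priority number N."""
    policies = defaultdict(dict)
    for m in POLICY_RE.finditer(config_text):
        policies[int(m["prio"])][m["attr"]] = m["val"]
    return dict(policies)


def audit_isakmp_policies(config_text):
    """Report MD5 hashes, AES paired with DH group 2, and a strong policy ordered behind a weaker one."""
    notes = []
    policies = parse_isakmp_policies(config_text)
    for prio, attrs in sorted(policies.items()):
        if attrs.get("hash") == "md5":
            notes.append(f"policy {prio}: hash md5; prefer sha")
        if attrs.get("encryption", "").startswith("aes") and attrs.get("group") == "2":
            notes.append(f"policy {prio}: {attrs['encryption']} with DH group 2; use group 5")
    if policies:
        # The PIX offers policies in ascending priority number, so the strongest should have the lowest number.
        strongest = max(policies, key=lambda p: ENC_RANK.get(policies[p].get("encryption", ""), -1))
        if strongest != min(policies):
            notes.append(f"policy {min(policies)} is tried before policy {strongest}; renumber so the "
                         f"{policies[strongest]['encryption']} policy comes first")
    return notes


if __name__ == "__main__":
    # Case 1: this side's network pair matches what the PIX offered; only the QM failure itself is reported.
    print(diagnose_quick_mode(CONCENTRATOR_LOG, "10.10.141.0/24", "10.12.0.0/16"))
    # Case 2 (hypothetical): this side expects a /24 for the remote network, the mask Walter asked about.
    print(diagnose_quick_mode(CONCENTRATOR_LOG, "10.10.141.0/24", "10.12.0.0/24"))
    for note in audit_isakmp_policies(PIX_CONFIG):
        print(note)
```

If case 1 reports only the QM failure and nothing about the proxy IDs, the network pair is not the problem and the next things to compare are the transform set (here esp-aes-256 with esp-sha-hmac on both ends) and the crypto ACL the dynamic map entry falls back to; that is what the `debug crypto isakmp 2` and `debug crypto ipsec 2` output on the PIX will show.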

  3. Adam KOSA

    Adam KOSA Guest

    Hi Walter,

    On May 30, 2006 18:04 (-0000) Walter Roberson wrote:

    :Meanwhile, on the PIX, push up the debug level. If my fingers
    :still remember the commands:
    :

    Thanks for the reply; it helped!

    Regards
    Adam
     
    Adam KOSA, Jun 7, 2006
    #3