pix 525 & bdcom 2621 ipsec error!

Discussion in 'Cisco' started by pansin, May 14, 2005.

  1. pansin

    pansin Guest

    Please help me.

    =====================================================================
    bdcom 2621 router config information:
    Current configuration:
    !
    !version 1.3.2E
    service timestamps log date
    service timestamps debug date
    no service password-encryption
    !
    hostname kaifaqu2
    !
    enable password 0 ciscobdcom 2621 level 15
    !
    crypto isakmp key ciscobdcom 2621 10.10.20.138 255.255.255.224
    !
    crypto isakmp policy 1
    hash md5
    lifetime 28800
    !
    crypto ipsec transform-set 01
    transform-type esp-des esp-sha-hmac
    !
    crypto map 1 1 ipsec-isakmp
    set peer 10.10.20.138
    set pfs group1
    set transform-set 01
    match address 101
    !
    interface FastEthernet0/0
    ip address 192.168.55.1 255.255.255.0
    ip address 192.168.56.1 255.255.255.0 secondary
    no ip directed-broadcast
    ip nat inside
    !
    interface FastEthernet0/1
    ip address 10.10.140.163 255.255.255.240
    no ip directed-broadcast
    crypto map 1
    ip nat outside
    !
    interface Serial0/2
    no ip address
    no ip directed-broadcast
    !
    interface Serial0/3
    no ip address
    no ip directed-broadcast
    !
    interface Async0/0
    no ip address
    no ip directed-broadcast
    !
    ip route default 10.10.140.161
    !
    ip access-list standard nat
    permit 192.168.55.0 255.255.255.0
    permit 192.168.56.0 255.255.255.0
    !
    ip access-list extended 101
    permit ip 192.168.55.0 255.255.255.0 192.168.4.0 255.255.255.0
    permit ip 192.168.55.0 255.255.255.0 192.168.3.0 255.255.255.0
    permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
    permit ip 192.168.55.0 255.255.255.0 192.168.1.0 255.255.255.0
    !
    ip nat translation max-entries 300
    ip nat inside source list nat interface FastEthernet0/1
    !
    -----------------------------------------------------------------------------------
    isakmp information
    Protection suite of priority 1
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Message Digest 5
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 28800 seconds
    Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds
    ==================================================================================

    cisco pix 525 information
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
    access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.55.0 255.255.255.0
    access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.55.0 255.255.255.0
    access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.55.0 255.255.255.0
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.56.0 255.255.255.0
    access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.56.0 255.255.255.0
    access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.56.0 255.255.255.0
    access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.56.0 255.255.255.0
    access-list vpn permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
    access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.55.0 255.255.255.0
    access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.55.0 255.255.255.0
    access-list vpn permit ip 192.168.4.0 255.255.255.0 192.168.55.0 255.255.255.0
    access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.56.0 255.255.255.0
    access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.56.0 255.255.255.0
    access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.56.0 255.255.255.0
    access-list vpn permit ip 192.168.4.0 255.255.255.0 192.168.56.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 10.10.20.138 255.255.255.224
    ip address inside 192.168.255.254 255.255.255.0
    ip address DMZ 192.168.254.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address DMZ
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (DMZ) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (DMZ,outside) 10.10.20.134 192.168.254.4 netmask 255.255.255.255 0 0
    static (DMZ,outside) 10.10.20.130 192.168.254.2 netmask 255.255.255.255 0 0
    conduit permit icmp any any
    conduit permit ip host 10.10.20.134 any
    conduit permit ip host 10.10.20.130 any
    route outside 0.0.0.0 0.0.0.0 10.10.20.129 1
    route inside 192.168.0.0 255.255.255.0 192.168.255.1 1
    route inside 192.168.1.0 255.255.255.0 192.168.255.1 1
    route inside 192.168.2.0 255.255.255.0 192.168.255.1 1
    route inside 192.168.3.0 255.255.255.0 192.168.255.1 1
    route inside 192.168.4.0 255.255.255.0 192.168.255.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set 01 esp-des esp-sha-hmac
    crypto map 1 1 ipsec-isakmp
    crypto map 1 1 match address 100
    crypto map 1 1 set pfs
    crypto map 1 1 set peer 10.10.140.162
    crypto map 1 1 set transform-set 01
    crypto map 1 2 ipsec-isakmp
    crypto map 1 2 match address 101
    crypto map 1 2 set pfs
    crypto map 1 2 set peer 10.10.140.163
    crypto map 1 2 set transform-set 01
    crypto map 1 interface outside
    isakmp enable outside
    isakmp key ******** address 10.10.140.162 netmask 255.255.255.240
    isakmp key ******** address 10.10.140.163 netmask 255.255.255.240
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 28800
    telnet 192.168.0.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.3.0 255.255.255.0 inside
    telnet 192.168.4.0 255.255.255.0 inside
    telnet 192.168.255.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:f01f0894bddb743031b7c041072c685d
    : end
    ------------------------------------------------------------------------------------
    isakmp information
    Protection suite of priority 1
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Message Digest 5
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 28800 seconds, no volume limit
    Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit
    cisco pix 525 debug information
    Protection suite of priority 1
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Message Digest 5
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 28800 seconds, no volume limit
    Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit
    ==============================================================================================
    pix 525 debug information

    pixfirewall#
    ISAKMP (0): beginning Main Mode exchange
    crypto_isakmp_process_block:src:10.10.140.163, dest:10.10.20.138
    spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 1
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 28800
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:10.10.140.163, dest:10.10.20.138
    spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 500
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    ISAKMP (0): retransmitting phase 1 (0)...
    ISAKMP (0): retransmitting phase 1 (1)...
    crypto_isakmp_process_block:src:10.10.140.163, dest:10.10.20.138
    spt:500 dpt:500
    ISAKMP: error, msg not encrypted
    ISAKMP (0): deleting SA: src 10.10.20.138, dst 10.10.140.163
    ISADB: reaper checking SA 0x3845ce4, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 10.10.140.163/500 not found - peers:0
    ======================================================================================

    bdcom 2621 show ipsec command information:
    Transform set 01: { esp-des esp-sha-hmac }
    will negotiate ={ Tunnel }
    Interface: FastEthernet0/1
    Crypto map name:1 , local addr. 10.10.140.163

    local ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
    local crypto endpt.: 10.10.140.163, remote crypto endpt.: 10.10.20.138

    ------------------------------------------------------------------------------------
    cisco pix 525 show information

    Transform set 01: { esp-des esp-sha-hmac }
    will negotiate = { Tunnel, },


    local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
    current_peer: 10.10.140.163:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 18, #recv errors 0

    local crypto endpt.: 10.10.20.138, remote crypto endpt.: 10.10.140.163
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:


    outbound ah sas:


    outbound pcp sas:




    --

    http://pansin.mblogger.cn
    http://pansin.spymac.net
    http://pansin.blogone.net
     
    pansin, May 14, 2005
    #1

  2. In article <>,
    pansin <> wrote:
    :crypto ipsec transform-set 01
    : transform-type esp-des esp-sha-hmac

    des + sha is not supported on any current PIX software release.
    If you are using des, you need to use md5 instead of sha.

    [This limitation does not apply to any of the other encryptions.]
    --
    Would you buy a used bit from this man??
     
    Walter Roberson, May 14, 2005
    #2

  3. pansin

    pansin Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<d653j7$gem$>...
    > In article <>,
    > pansin <> wrote:
    > :crypto ipsec transform-set 01
    > : transform-type esp-des esp-sha-hmac
    >
    > des + sha is not supported on any current PIX software release.
    > If you are using des, you need to use md5 instead of sha.
    >
    > [This limitation does not apply to any of the other encryptions.]



    Thank you.
    I have now fixed that error; I use 2 PIX 525s, but the debug info still shows an error:

    ISAKMP (0): beginning Main Mode exchange
    crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500
    dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 1
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 28800
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500
    dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): received xauth v6 vendor id

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): remote peer supports dead peer detection

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 500
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500
    dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): beginning Quick Mode exchange, M-ID of
    1334059226:4f8420daIPSEC(key_engine): got a queue event...
    IPSEC(spi_response): getting spi 0x3ef3d0ab(1056166059) for SA
    from 10.10.20.138 to 10.10.140.163 for prot 3

    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Peer ip:10.10.20.138/500 Ref cnt incremented to:2 Total
    VPN Peers:1
    crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500
    dpt:500
    ISAKMP (0): processing NOTIFY payload 14 protocol 0
    spi 0, message ID = 3528213790IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 10.10.20.138

    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0x310bfcc, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:10.10.20.138/500 Ref cnt decremented to:1 Total
    VPN Peers:1IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 10.10.20.138

    ISADB: reaper checking SA 0x311343c, conn_id = 0
    crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500
    dpt:500
    ISAKMP: sa not found for ike msg

    ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x4f8420da
    crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500
    dpt:500
    ISAKMP: illegal udp len
    IPSEC(key_engine): request timer fired: count = 2,
    (identity) local= 10.10.140.163, remote= 10.10.20.138,
    local_proxy= 192.168.56.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

    ISAKMP (0): beginning Quick Mode exchange, M-ID of
    -1828690246:930066baIPSEC(key_engine): got a queue event...
    IPSEC(spi_response): getting spi 0xf6c17598(4139873688) for SA
    from 10.10.20.138 to 10.10.140.163 for prot 3

    ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0x4f8420da
    crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500
    dpt:500
    ISAKMP (0): processing NOTIFY payload 14 protocol 0
    spi 0, message ID = 1736598443IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 10.10.20.138

    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500
    dpt:500
    ISAKMP: illegal udp len

    crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500
    dpt:500
     
    pansin, May 16, 2005
    #3
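A check the posted configs invite, added here as an example and not code from either poster: the crypto ACLs on two IPsec peers must be exact mirror images (every src/dst pair on one side appears as dst/src on the other), because phase 2 proposes those pairs as proxy identities and a peer with no matching entry answers with NOTIFY 14 (NO-PROPOSAL-CHOSEN in RFC 2408), which is what the Quick Mode debug above shows for the 192.168.56.0/24 to 192.168.1.0/24 pair. The script below parses the BDCOM access-list 101 and the PIX access-list 101 from the first post (re-typed as constructed input) and lists the entries with no mirror on the other side; netmask and wildcard mask forms are both accepted.

```python
import re
from ipaddress import IPv4Network

# Crypto ACLs from the first post (BDCOM access-list 101 and PIX access-list 101),
# re-typed here as constructed sample input.
BDCOM_ACL_101 = """
permit ip 192.168.55.0 255.255.255.0 192.168.4.0 255.255.255.0
permit ip 192.168.55.0 255.255.255.0 192.168.3.0 255.255.255.0
permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
permit ip 192.168.55.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
PIX_ACL_101 = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.56.0 255.255.255.0
"""

# 'permit ip <src> <mask> <dst> <mask>'; any leading 'access-list 101' is ignored.
PERMIT_RE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_crypto_acl(text):
    """Set of (src, dst) IPv4Network pairs the crypto ACL will propose as proxy IDs.
    ipaddress accepts PIX netmasks (255.255.255.0) and IOS wildcards (0.0.0.255)."""
    pairs = set()
    for line in text.splitlines():
        m = PERMIT_RE.search(line)
        if m:
            pairs.add((IPv4Network((m.group(1), m.group(2))),
                       IPv4Network((m.group(3), m.group(4)))))
    return pairs

def unmirrored(local, remote):
    """Entries on each side lacking a reversed (dst, src) twin on the other.
    Returns (local_only, remote_only) as sorted lists of 'src -> dst' strings;
    both empty means the two peers' proxy identities are fully symmetric."""
    local_only = {(s, d) for (s, d) in local if (d, s) not in remote}
    remote_only = {(s, d) for (s, d) in remote if (d, s) not in local}
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    return sorted(map(fmt, local_only)), sorted(map(fmt, remote_only))

def check_thread_acls():
    """Mirror check for the two ACLs posted in the thread."""
    return unmirrored(parse_crypto_acl(BDCOM_ACL_101), parse_crypto_acl(PIX_ACL_101))

if __name__ == "__main__":
    bdcom_only, pix_only = check_thread_acls()
    print("BDCOM entries with no mirror on the PIX:", bdcom_only or "none")
    print("PIX entries with no mirror on the BDCOM:", pix_only or "none")
```

Every BDCOM entry has a twin on the PIX, but the four PIX entries for 192.168.56.0/24 have none, so the PIX will propose proxy identities its peer cannot match; whichever box replaced the BDCOM router, its crypto ACL needs the same check against the PIX.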
