PIX VPN

Discussion in 'Cisco' started by terrydoc@o2.ie, Jun 1, 2010.

  1. Guest

    Having trouble establishing PIX VPN with Juniper firewall; I am
    configuring the PIX - traffic from 1.1.1.1 should establish the VPN...

    Juniper Proposals are ESP 3DES HMAC SHA1 (IKE) –
    Juniper: (192.168.1.254 inside; outside 1.1.1.1)
    IKE - Phase 1 proposal

    exchange: main mode
    dh group: group 2
    encryption: 3des
    authentication: sha1
    lifetime: 28800

    IPSEC - Phase 2 proposal
    protocol: esp
    encryption: 3des
    authentication: sha1
    lifetime: 28800
    ____________________________

    Cisco PIX (192.168.100.254 inside; outside 2.2.2.2)

    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

    ip address outside 2.2.2.2 255.255.255.192
    ip address inside 192.168.100.254 255.255.255.0

    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 2.2.2.3 1

    sysopt connection permit-ipsec
    crypto ipsec transform-set mytrans esp-aes-192 esp-sha-hmac
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 102
    crypto map mymap 10 set pfs group2
    crypto map mymap 10 set peer 1.1.1.1
    crypto map mymap 10 set transform-set mytrans
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 28800
    ____________________________________

    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    ISAKMP (0): deleting SA: src 1.1.1.1, dst 2.2.2.2
    return status is IKMP_ERR_NO_RETRANS
    ISADB: reaper checking SA 0x1182924, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:1.1.1.1/500 Ref cnt decremented to:0 Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:1.1.1.1/500 Total VPN peers:0
    IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 1.1.1.1

    crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
    OAK_AG exchange
    ISAKMP (0): processing SA payload. message ID = 0
    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 28800
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): remote peer supports dead peer detection
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): received xauth v6 vendor id
    ISAKMP (0): ID payload
    next-payload : 10
    type : 1
    protocol : 17
    port : 0
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
    OAK_AG exchange
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:1.1.1.1/500 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:1.1.1.1/500 Ref cnt incremented to:1 Total VPN Peers:1
    crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 566405065

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 28800
    ISAKMP: encaps is 1
    ISAKMP: authenticator is HMAC-SHA
    IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    ___________________________

    PIXFW# show crypto ipsec sa
    ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x21c2a7c9
    ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x21c2a7c9

    interface: outside
    Crypto map tag: mymap, local addr. 2.2.2.2

    local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    current_peer: 1.1.1.1:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:
    inbound ah sas:

    ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x21c2a7c9
    ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x21c2a7c9
    ISAKMP (0): retransmitting phase 2 (6/0)... mess_id 0x21c2a7c9
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:

    local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    current_peer: 1.1.1.1:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
    ___________________________________
     
    Jun 1, 2010
    #1

  2. Guest

    On 1 June, 11:40, "" <> wrote:
    > [snip]

    I made a change - (I saw "ISAKMP (0:0): vendor ID is NAT-T" in
    original debug)
    isakmp nat-traversal 20

    it appears to have made a difference as now I have

    PIXFW(config)# show crypto ipsec sa


    interface: outside
    Crypto map tag: mymap, local addr. 2.2.2.2

    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
    current_peer: 1.1.1.1:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    ISAKMP (0): retransmitting phase 2 (5/1)... mess_id 0x2a16ee5f
    #send errors 0, #recv errors 0

    local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:

    local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    current_peer: 1.1.1.1:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:


    PIXFW(config)#
    ISAKMP (0): retransmitting phase 2 (6/1)... mess_id 0x2a16ee5f
    PIXFW(config)#
    PIXFW(config)# show crypto isakmp sa
    Total : 1
    Embryonic : 0
    dst src state pending created
    2.2.2.2 1.1.1.1 QM_IDLE 0 0
     
    Jun 1, 2010
    #2

  3. oysterblade

    Looks like your transform sets do not match: on the Juniper side you have set 3des-hmac-sha1, and on the PIX side you have esp-aes192 esp-sha-hmac. Try changing your policy to reflect this.
     
    oysterblade, Jun 8, 2010
    #3
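The mismatch oysterblade points to can be read straight off the debug output: Phase 1 completes ("atts are acceptable", "SA has been authenticated"), and it is the Phase 2 proposal ESP_3DES / HMAC-SHA that the PIX rejects because its only transform set is esp-aes-192 esp-sha-hmac. As an added example (not code from the original thread), the following Python script parses the relevant isakmp policy and crypto ipsec transform-set lines of a PIX config together with the Phase 1 and Phase 2 attribute lines from debug crypto isakmp, and reports where the peer's offer and the local configuration disagree. It also flags that the crypto map carries set pfs group2 while the peer's proposal shows no group attribute, which is the next thing to check once the transform set is fixed. The config and debug samples inside it are constructed from the posts above; the algorithm-name tables beyond 3DES, SHA and pre-share are assumptions, and a single Phase 2 proposal is assumed.

```python
"""Cross-check a PIX crypto config against the peer's IKE proposals as printed by
debug crypto isakmp, and explain a resulting "SA not acceptable!" (added example)."""
import re

# Algorithm names as the PIX debug prints them, mapped to the keywords the config
# uses (isakmp policy for Phase 1, crypto ipsec transform-set for Phase 2).
# Entries other than 3DES / SHA / pre-share are assumed, not taken from the thread.
PHASE1_NAMES = {"3DES-CBC": "3des", "DES-CBC": "des", "AES-CBC": "aes",
                "SHA": "sha", "MD5": "md5", "pre-share": "pre-share"}
PHASE2_NAMES = {"ESP_3DES": "esp-3des", "ESP_DES": "esp-des", "ESP_AES": "esp-aes",
                "HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}
# Phase 1 attribute lines in the debug, keyed by the isakmp policy attribute.
PHASE1_PATTERNS = {
    "encryption": r"ISAKMP:\s+encryption (\S+)",
    "hash": r"ISAKMP:\s+hash (\S+)",
    "group": r"ISAKMP:\s+(?:default )?group (\d+)",
    "authentication": r"ISAKMP:\s+auth (\S+)",
    "lifetime": r"ISAKMP:\s+life duration \(basic\) of (\d+)",
}


def parse_pix_config(config):
    """Collect isakmp policy attributes, transform sets and the crypto map PFS setting."""
    cfg = {"isakmp": {}, "transform_sets": {}, "pfs": None}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"isakmp policy \d+ (\S+) (\S+)$", line):
            cfg["isakmp"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = set(m.group(2).split())
        elif m := re.match(r"crypto map \S+ \d+ set pfs (\S+)$", line):
            cfg["pfs"] = m.group(1)
    return cfg


def parse_debug(debug):
    """Extract the peer's Phase 1 attributes and its Phase 2 proposal (one proposal assumed)."""
    phase1 = {}
    phase2 = {"transforms": set(), "has_group": False}
    for line in debug.splitlines():
        for attr, pattern in PHASE1_PATTERNS.items():
            if m := re.search(pattern, line):
                phase1[attr] = m.group(1)
        if m := re.search(r"ISAKMP:\s+transform \d+, (\S+)", line):
            phase2["transforms"].add(m.group(1))        # e.g. ESP_3DES
        if m := re.search(r"authenticator is (HMAC-(?:SHA|MD5))", line):
            phase2["transforms"].add(m.group(1))        # e.g. HMAC-SHA
        if re.search(r"ISAKMP:\s+group description", line):
            phase2["has_group"] = True                  # peer is offering PFS
    return phase1, phase2


def find_mismatches(cfg, phase1, phase2):
    """Describe every point where the peer's offer and the local config disagree."""
    problems = []
    for attr, peer_value in phase1.items():
        local = cfg["isakmp"].get(attr)
        if local != PHASE1_NAMES.get(peer_value, peer_value):
            problems.append(f"phase1 {attr}: peer offers {peer_value}, local policy has {local}")
    offered = {PHASE2_NAMES.get(t, t) for t in phase2["transforms"]}
    if offered and offered not in cfg["transform_sets"].values():
        local_sets = "; ".join(f"{name} = {' '.join(sorted(s))}"
                               for name, s in cfg["transform_sets"].items())
        problems.append(f"phase2 transform: peer offers {' '.join(sorted(offered))}, "
                        f"local transform sets are {local_sets}")
    # With 'set pfs' on the responder's crypto map, Cisco expects the initiator
    # to offer that group; the peer's Phase 2 attributes above carry none.
    if cfg["pfs"] and not phase2["has_group"]:
        problems.append(f"phase2 pfs: crypto map requires {cfg['pfs']}, "
                        "peer proposal carries no group attribute")
    return problems


def check(config, debug):
    phase1, phase2 = parse_debug(debug)
    return find_mismatches(parse_pix_config(config), phase1, phase2)


# Constructed from the thread: the posted PIX config, the same config with the
# transform set corrected, and the peer's proposals as the debug printed them.
POSTED_CONFIG = """\
crypto ipsec transform-set mytrans esp-aes-192 esp-sha-hmac
crypto map mymap 10 set pfs group2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
"""
FIXED_CONFIG = POSTED_CONFIG.replace("esp-aes-192", "esp-3des")
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life duration (basic) of 28800
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-SHA
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
"""

if __name__ == "__main__":
    for label, config in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label} config:")
        for problem in check(config, DEBUG) or ["no mismatch found"]:
            print("   ", problem)
```

Run against the posted config it reports the Phase 2 transform mismatch and the PFS question; against the corrected transform set only the PFS line remains. The lifetime comparison only works because the posted isakmp policy sets lifetime explicitly; a policy that omits it falls back to the platform default, which the script does not model.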
