PIX525 - Setup ipsec tunnel to two Nortel FW sharing the same subnet

Discussion in 'Cisco' started by iwhite, Nov 14, 2005.

  1. iwhite

    iwhite Guest

    Hi guys,

    I'm trying to set up IPsec tunnels to two Nortel boxes (Contivity 600)
    sharing the same subnet from a Cisco PIX-525E running 6.3(3).

    PIX 525 LAN : 192.168.104.0/24
    Nortel boxes LAN: 192.168.105.0/24

    Indeed, I want to ensure that if one Nortel box fails, the other keeps
    its link to my PIX up and allows users in the Nortel subnet to reach the
    one behind the PIX.

    The Nortel boxes are configured with failover and VRRP. This ensures that if
    any interface goes down, the other box takes over.

    The problem is that only one tunnel comes up correctly; the other fails
    in IPsec negotiation phase 2 because the PIX rejects it.

    Does anybody see what could explain this behaviour?
    Do you think that sharing the same subnet across 2 different IPsec
    tunnels isn't possible?

    thank you
    Frédéric


    -------------------------
    #sh isakmp sa
    Total : 2
    Embryonic : 0
    dst src state pending created
    212.147.x.x 212.147.x.x QM_IDLE 0 1
    212.147.x.x 212.147.x.x QM_IDLE 0 0

    -> the second one is not mounted properly.
    --------------------------
    PIX conf :

    access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
    access-list 110 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0
    access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
    access-list 120 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0

    crypto ipsec transform-set set2 esp-des esp-sha-hmac
    crypto map C1 5 ipsec-isakmp
    crypto map C1 5 match address 110
    crypto map C1 5 set peer 212.147.x.x
    crypto map C1 5 set transform-set set2
    crypto map C1 10 ipsec-isakmp
    crypto map C1 10 match address 120
    crypto map C1 10 set peer 212.147.x.x
    crypto map C1 10 set transform-set set2
    crypto map C1 interface outside

    ----------------------------------
    Debug crypto isakmp

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_DES
    ISAKMP: attributes in transform:
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 28800
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts are acceptable.
    ISAKMP: IPSec policy invalidated proposal
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 3
    return status is IKMP_ERR_NO_RETRANS
    iwhite, Nov 14, 2005
    #1

  2. In article <>,
    iwhite <> wrote:
    >I'm trying to setup ipsec tunnels to two Nortel boxes (Contivity 600)
    >sharing the same subnet from a CISCO PIX-525E running under 6.3(3).


    >crypto ipsec transform-set set2 esp-des esp-sha-hmac


    Try MD5 instead of SHA. 6.3 doesn't allow SHA with single-DES
    (I don't know why not.)
    --
    Is there any thing whereof it may be said, See, this is new? It hath
    been already of old time, which was before us. -- Ecclesiastes
    Walter Roberson, Nov 14, 2005
    #2

  3. iwhite

    iwhite Guest

    Hi Walter,

    I tried with MD5 and the result is no better.
    For information if I change the subnet of my secondary Nortel FW to a
    different one (i.e: 192.168.106.0/24) then both ipsec tunnels are up
    and running!

    I don't know why, but it seems that the PIX doesn't like having the
    same subnet shared between 2 different remote FWs through IPsec tunnels.

    Do you or somebody else have other ideas ?

    cheers
    Frédéric
    iwhite, Nov 15, 2005
    #3
  4. In article <>,
    iwhite <> wrote:
    >I'm trying to setup ipsec tunnels to two Nortel boxes (Contivity 600)
    >sharing the same subnet from a CISCO PIX-525E running under 6.3(3).


    >PIX 525 LAN : 192.168.104.0/24
    >Nortel boxes LAN: 192.168.105.0/24


    >Indeed I want to ensure that if one Nortel box failed the other keep
    >its link to my pix up and allow users in the Nortel subnet to reach the
    >one behind the PIX.


    >Nortel boxes are configured with failover and vrrp. this ensure that if
    >any interface falls, the other box take the hand.


    >PIX conf :


    >access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
    >access-list 110 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0
    >access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
    >access-list 120 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0


    >crypto ipsec transform-set set2 esp-des esp-sha-hmac
    >crypto map C1 5 ipsec-isakmp
    >crypto map C1 5 match address 110
    >crypto map C1 5 set peer 212.147.x.x
    >crypto map C1 5 set transform-set set2


    You do not need to put the forward and backward flow into the same
    match-address ACL. Just the forward flow:

    access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0

    and leave out the second line.

    >crypto map C1 10 ipsec-isakmp
    >crypto map C1 10 match address 120
    >crypto map C1 10 set peer 212.147.x.x
    >crypto map C1 10 set transform-set set2
    >crypto map C1 interface outside


    PIX always scans for matches from the highest priority (lowest number)
    to lowest. It stops when it finds a match. As your two address lists
    are identical, it is always going to match on the C1 5, and never going
    to get as far as C1 10. Even if the peer for C1 5 dies, the PIX will
    not get as far as C1 10. PIX 6.x also has no mechanism for load sharing.

    I'm not clear from your posting whether the two Nortel peers are at the same
    (virtual) IP address. If so, then that is sure to cause problems, as
    the PIX makes its decisions based upon IP address -- problems, that is,
    if you want both to be active at the same time.

    If you do NOT want both Nortel to be active at the same time, then only
    one of the two should be in contact with the PIX at a time and the PIX
    should be configured as

    access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
    crypto map C1 5 ipsec-isakmp
    crypto map C1 5 match address 110
    crypto map C1 5 set peer 212.147.x.x
    crypto map C1 5 set transform-set set2

    where 212.147.x.x is their (VRRP) shared IP address. In this situation
    the PIX should not be configured with any information about the second
    Nortel, because the failover to the second Nortel is supposed to
    be transparent in such a situation.


    If you DO want both Nortel to be active at the same time, and both
    carrying part of the load, then configure something like

    access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.128
    access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.128 255.255.255.128

    (that is, use the two lists to partition the destination traffic somehow), then

    crypto map C1 5 ipsec-isakmp
    crypto map C1 5 match address 110
    crypto map C1 5 set peer 212.147.x.1
    crypto map C1 5 set transform-set set2
    crypto map C1 10 ipsec-isakmp
    crypto map C1 10 match address 120
    crypto map C1 10 set peer 212.147.x.2
    crypto map C1 10 set transform-set set2

    presuming that the surviving Nortel can take on both 212.147.x.1 and 212.147.x.2


    If the Nortels cannot take on two IPs, then a more typical config would be,

    access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0
    crypto map C1 5 ipsec-isakmp
    crypto map C1 5 match address 110
    crypto map C1 5 set peer 212.147.x.1 212.147.x.2
    crypto map C1 5 set transform-set set2

    The PIX would try 212.147.x.1 first, and if it timed out connecting
    to 212.147.x.1 at any point, it would move on to 212.147.x.2 -- and
    it would stick with 212.147.x.2 as long as that still responded
    before moving back to try 212.147.x.1. That is, if you have multiple
    peers listed, the PIX does -not- make any attempt to contact the
    other peers on the list to determine whether they have come up yet
    and if so then to resume going to them instead of the active peer:
    it just sticks with whatever peer is active as long as it keeps talking.
    [However, if the other peer comes alive and contacts the PIX, there are
    some circumstances under which it can sort of "interrupt" and gain
    the conversation back again. The documentation on this aspect is
    confusing.]


    You might even be able to combine these last two configurations into
    something like,

    access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.128
    access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.128 255.255.255.128
    crypto map C1 5 ipsec-isakmp
    crypto map C1 5 match address 110
    crypto map C1 5 set peer 212.147.x.1 212.147.x.2
    crypto map C1 5 set transform-set set2
    crypto map C1 10 ipsec-isakmp
    crypto map C1 10 match address 120
    crypto map C1 10 set peer 212.147.x.2 212.147.x.1
    crypto map C1 10 set transform-set set2

    This would be appropriate for circumstances in which you want to split
    the traffic while both Nortel are alive, and the Nortel do NOT take on
    both IPs during failover but -do- somehow assume the ability to take
    on both subnets, and that the Nortels also know how to shift back
    to only handling one of the subnets when they come out of failover.

    [I have no information as to what the Nortels are able to handle.]
    --
    If you lie to the compiler, it will get its revenge. -- Henry Spencer
    Walter Roberson, Nov 15, 2005
    #4
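As an added illustration of the crypto-map behaviour Walter describes (the PIX scans entries from the lowest sequence number up, stops at the first ACL that matches, and with a multi-peer `set peer` list sticks with whichever peer is active until it times out), the following Python script is not code from the thread or from Cisco; it models the posted configuration beside the partitioned variant from the reply. The ACL and crypto-map lines are the ones quoted in the thread; the peer addresses 203.0.113.1 and 203.0.113.2 are constructed placeholders standing in for 212.147.x.1 and 212.147.x.2, and the matching logic is a simplified model, not PIX source.

```python
"""Model of PIX 6.x crypto-map entry selection, as described in the reply above."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class CryptoMapEntry:
    seq: int      # crypto map sequence number (5, 10, ...)
    acl_id: str   # the "match address" ACL
    peers: list   # ordered "set peer" list


def parse_acl_line(line):
    """Parse 'access-list <id> [line N] permit ip SRC MASK DST MASK' into (id, AclEntry)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    i = tok.index("permit")
    if tok[i + 1] != "ip":
        raise ValueError("only 'permit ip' entries are modelled")
    # ipaddress accepts dotted netmasks, so the PIX syntax maps straight onto it
    src = ipaddress.IPv4Network("%s/%s" % (tok[i + 2], tok[i + 3]))
    dst = ipaddress.IPv4Network("%s/%s" % (tok[i + 4], tok[i + 5]))
    return tok[1], AclEntry(src, dst)


def build_acls(lines):
    """Group parsed entries by ACL id, preserving line order."""
    acls = {}
    for line in lines:
        acl_id, entry = parse_acl_line(line)
        acls.setdefault(acl_id, []).append(entry)
    return acls


def select_entry(crypto_map, acls, src_ip, dst_ip):
    """Lowest sequence number first; the first ACL that matches wins and the scan stops."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if any(s in a.src and d in a.dst for a in acls.get(entry.acl_id, [])):
            return entry
    return None


class PeerList:
    """Sticky peer selection: advance only on a timeout, never probe earlier peers."""

    def __init__(self, peers):
        self.peers = list(peers)
        self.index = 0

    @property
    def active(self):
        return self.peers[self.index]

    def timed_out(self):
        # The active peer stopped answering: move to the next one (wrapping round).
        self.index = (self.index + 1) % len(self.peers)
        return self.active


# Constructed sample 1: the posted configuration, two identical match lists.
ORIGINAL_ACLS = build_acls([
    "access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0",
    "access-list 110 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0",
    "access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.0",
    "access-list 120 line 2 permit ip 192.168.105.0 255.255.255.0 192.168.104.0 255.255.255.0",
])
# Constructed sample 2: the partitioned variant, each list covering half of 192.168.105.0/24.
SPLIT_ACLS = build_acls([
    "access-list 110 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.0 255.255.255.128",
    "access-list 120 line 1 permit ip 192.168.104.0 255.255.255.0 192.168.105.128 255.255.255.128",
])
# Placeholder peer addresses (documentation range) standing in for 212.147.x.1 / 212.147.x.2.
PEER_A, PEER_B = "203.0.113.1", "203.0.113.2"
CRYPTO_MAP = [
    CryptoMapEntry(5, "110", [PEER_A, PEER_B]),
    CryptoMapEntry(10, "120", [PEER_B, PEER_A]),
]


def entries_used(acls, flows):
    """Sorted set of sequence numbers selected for a list of (src, dst) flows."""
    chosen = (select_entry(CRYPTO_MAP, acls, s, d) for s, d in flows)
    return sorted({e.seq for e in chosen if e})


if __name__ == "__main__":
    flows = [("192.168.104.10", "192.168.105.10"), ("192.168.104.10", "192.168.105.200")]
    print("identical ACLs ->", entries_used(ORIGINAL_ACLS, flows))  # C1 10 is never reached
    print("partitioned ACLs ->", entries_used(SPLIT_ACLS, flows))   # both entries carry traffic
    peers = PeerList(CRYPTO_MAP[0].peers)
    peers.timed_out()
    print("after one timeout the entry stays on", peers.active)
```

With the identical lists every flow to 192.168.105.0/24 lands on sequence 5, which is the behaviour behind the second SA never completing; with the /25 split, destinations in the upper half reach sequence 10. The `PeerList` class only captures the documented "stick with the active peer" rule, not the interrupt case Walter flags as confusing.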
