VPN from 3640 to Watchguard Firebox X Edge Problems

Discussion in 'Cisco' started by jlamanna@gmail.com, Aug 14, 2008.


    Hi,
    I'm having problems establishing a VPN tunnel between a 3640 and a Firebox X Edge.
    It seems to die during Phase 1 even though the X Edge is set up for 3DES & SHA hashing.

    The Cisco local LAN is 192.168.100.0/24 and the X Edge is 192.168.1.0/24.

    Any help would be much appreciated.

    -- James

    Here's the log from the Cisco when it tries to ping 192.168.1.1:

    Aug 14 13:16:56.206: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
        local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac ,
        lifedur= 3600s and 4608000kb,
        spi= 0x9F449A63(2672073315), conn_id= 0, keysize= 0, flags= 0x400D
    Aug 14 13:16:56.206: ISAKMP: received ke message (1/1)
    Aug 14 13:16:56.210: ISAKMP: local port 500, remote port 500
    Aug 14 13:16:56.210: ISAKMP (0:1): beginning Main Mode exchange
    Aug 14 13:16:56.210: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_NO_STATE
    Aug 14 13:16:56.210: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=112
    Aug 14 13:16:56.634: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=92
    Aug 14 13:16:56.638: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_NO_STATE
    Aug 14 13:16:56.638: ISAKMP (0:1): processing SA payload. message ID = 0
    Aug 14 13:16:56.638: ISAKMP (0:1): found peer pre-shared key matching [fir.ebo.x.ip]
    Aug 14 13:16:56.638: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
    Aug 14 13:16:56.638: ISAKMP: encryption 3DES-CBC
    Aug 14 13:16:56.638: ISAKMP: hash SHA
    Aug 14 13:16:56.638: ISAKMP: auth pre-share
    Aug 14 13:16:56.638: ISAKMP: life type in seconds
    Aug 14 13:16:56.638: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    Aug 14 13:16:56.638: ISAKMP: default group 2
    Aug 14 13:16:56.638: ISAKMP (0:1): atts are acceptable. Next payload is 0
    Aug 14 13:16:56.774: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Aug 14 13:16:56.778: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_SA_SETUP
    Aug 14 13:16:56.778: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=232
    Aug 14 13:17:06.634: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=92
    Aug 14 13:17:06.634: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_SA_SETUP
    Aug 14 13:17:06.638: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
    Aug 14 13:17:06.638: ISAKMP (0:1): retransmitting due to retransmit phase 1
    Aug 14 13:17:06.638: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
    Aug 14 13:17:07.138: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
    Aug 14 13:17:07.138: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    Aug 14 13:17:07.138: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
    Aug 14 13:17:07.138: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_SA_SETUP
    Aug 14 13:17:07.138: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=232
    Aug 14 13:17:07.646: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
    Aug 14 13:17:07.650: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_SA_SETUP
    Aug 14 13:17:07.650: ISAKMP (0:1): processing KE payload. message ID = 0
    Aug 14 13:17:07.822: ISAKMP (0:1): processing NONCE payload. message ID = 0
    Aug 14 13:17:07.822: ISAKMP (0:1): found peer pre-shared key matching [fir.ebo.x.ip]
    Aug 14 13:17:07.826: ISAKMP (0:1): SKEYID state generated
    Aug 14 13:17:07.826: ISAKMP (1): ID payload
      next-payload : 8
      type : 1
      protocol : 17
      port : 500
      length : 8
    Aug 14 13:17:07.826: ISAKMP (1): Total payload length: 12
    Aug 14 13:17:07.830: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:07.830: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
    Aug 14 13:17:16.858: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
    Aug 14 13:17:16.858: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:16.858: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
    Aug 14 13:17:16.858: ISAKMP (0:1): retransmitting due to retransmit phase 1
    Aug 14 13:17:16.858: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Aug 14 13:17:17.358: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Aug 14 13:17:17.358: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    Aug 14 13:17:17.358: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Aug 14 13:17:17.358: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:17.358: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
    Aug 14 13:17:26.207: IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
        local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
    Aug 14 13:17:26.207: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
        local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac ,
        lifedur= 3600s and 4608000kb,
        spi= 0x241E3B9C(605961116), conn_id= 0, keysize= 0, flags= 0x400D
    Aug 14 13:17:26.207: ISAKMP: received ke message (1/1)
    Aug 14 13:17:26.207: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it.
    Aug 14 13:17:27.359: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Aug 14 13:17:27.359: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    Aug 14 13:17:27.359: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Aug 14 13:17:27.359: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:27.359: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
    Aug 14 13:17:27.383: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
    Aug 14 13:17:27.387: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:27.387: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
    Aug 14 13:17:27.387: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 28)
    Aug 14 13:17:32.255: UDP: rcvd src=67.19.103.173(123), dst=[cis.co.ip.xxx](123), length=56
    Aug 14 13:17:37.387: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Aug 14 13:17:37.387: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    Aug 14 13:17:37.387: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Aug 14 13:17:37.387: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:37.387: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
    Aug 14 13:17:37.387: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
    Aug 14 13:17:37.391: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:37.391: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
    Aug 14 13:17:37.391: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 4)
    Aug 14 13:17:47.391: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Aug 14 13:17:47.391: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    Aug 14 13:17:47.391: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Aug 14 13:17:47.391: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:47.391: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
    Aug 14 13:17:47.407: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
    Aug 14 13:17:47.407: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:47.407: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
    Aug 14 13:17:47.407: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 16)
    Aug 14 13:17:56.208: IPSEC(key_engine): request timer fired: count = 2,
      (identity) local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
        local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
    Aug 14 13:17:56.208: ISAKMP: received ke message (3/1)
    Aug 14 13:17:56.208: ISAKMP (0:1): ignoring request to send delete notify (sa not authenticated) src [cis.co.ip.xxx] dst [fir.ebo.x.ip]
    Aug 14 13:17:57.408: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Aug 14 13:17:57.408: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    Aug 14 13:17:57.408: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Aug 14 13:17:57.408: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:57.408: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
    Aug 14 13:17:57.416: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
    Aug 14 13:17:57.420: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
    Aug 14 13:17:57.420: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
    Aug 14 13:17:57.420: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 12)
    Aug 14 13:18:07.420: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Aug 14 13:18:07.420: ISAKMP (0:1): peer does not do paranoid keepalives.

    Aug 14 13:18:07.420: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (I) MM_KEY_EXCH (peer [fir.ebo.x.ip]) input queue 0
    Aug 14 13:18:07.420: ISAKMP (0:1): deleting node 506435737 error TRUE reason "death by retransmission P1"
    Aug 14 13:18:07.420: ISAKMP (0:1): deleting node 147192259 error TRUE reason "death by retransmission P1"

    And the Cisco config:

    !
    ! Last configuration change at 11:32:12 PDT Thu Aug 14 2008
    ! NVRAM config last updated at 11:32:13 PDT Thu Aug 14 2008
    !
    version 12.2
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    boot system flash:c3640-ik9o3s-mz.122-46a.bin
    logging buffered 32768 debugging
    !
    clock timezone PST -8
    clock summer-time PDT recurring
    ip subnet-zero
    ip cef
    !
    !
    ip dhcp excluded-address 192.168.100.2 192.168.100.30
    !
    ip dhcp pool LAN
     import all
     network 192.168.100.0 255.255.255.0
     default-router 192.168.100.1
     dns-server 4.2.2.2
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key zzzzzzzzz address zzz.zzz.zzz.zzz
    !
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map VPN-Map-1 10 ipsec-isakmp
     set peer zzz.zzz.zzz.zzz
     set transform-set 3DES-SHA
     set pfs group2
     match address 101
    !
    call rsvp-sync
    !
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0/0
     no ip address
     shutdown
     half-duplex
    !
    interface Ethernet0/1
     no ip address
     shutdown
     half-duplex
    !
    interface Ethernet1/0
     ip address xxx.xxx.xxx.xxx 255.255.255.224
     ip nat outside
     full-duplex
     crypto map VPN-Map-1
    !
    interface Ethernet1/1
     ip address 192.168.100.1 255.255.255.0
     ip nat inside
     half-duplex
    !
    ip nat pool branch xxx.xxx.xxx.xxy xxx.xxx.xxx.xxy netmask 255.255.255.224
    ip nat inside source list acl_nat pool branch overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
    no ip http server
    !
    !
    ip access-list extended acl_nat
     deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.100.0 0.0.0.255 any
    access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
    route-map nonat permit 10
     match ip address 130
    !
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    ntp clock-period 17180080
    ntp server 67.19.103.173
    end
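As an added example that is not part of the original post, here is a small Python triage script for initiator-side `debug crypto isakmp` output like the log above: it re-joins lines that a mail or forum client wrapped, counts Phase 1 retransmits and duplicate replies from the peer, and reads off the Main Mode state in which the SA died. The sample log is a constructed excerpt modelled on the thread's lines with the poster's placeholders kept, and the state-to-cause hints are general IKEv1 Main Mode troubleshooting knowledge, not something the thread itself states.

```python
import re
from collections import Counter
# Constructed excerpt modelled on the thread's debug output; placeholders kept as posted.
SAMPLE_LOG = """\
Aug 14 13:17:16.858: ISAKMP (0:1): phase 1 packet is a duplicate of a
previous packet.
Aug 14 13:17:16.858: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:17:27.359: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:18:07.420: ISAKMP (0:1): deleting SA reason "death by
retransmission P1" state (I) MM_KEY_EXCH (peer [fir.ebo.x.ip]) input queue 0
"""
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: ")
RETX = re.compile(r"retransmitting phase 1 (MM_\w+)\.\.\.")  # the '...' form is logged once per retransmit
DEATH = re.compile(r'deleting SA reason "([^"]+)" state \(I\) (MM_\w+)')
# Initiator state in which Main Mode stalled -> what the peer evidently did not accept.
HINTS = {
    "MM_NO_STATE": "no reply to MM1: check UDP/500 reachability and the peer's gateway address",
    "MM_SA_SETUP": "no answer to MM3 (KE/nonce): DH group mismatch or fragmentation of the larger packet",
    "MM_KEY_EXCH": "peer never processed MM5 (encrypted ID/hash): pre-shared key or identity mismatch",
}

def join_wrapped(text):
    # Re-join debug lines that a mail or forum client wrapped mid-line.
    lines = []
    for raw in text.splitlines():
        if TIMESTAMP.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines

def triage_phase1(text):
    # Summarise where Main Mode stalled in an initiator-side 'debug crypto isakmp' capture.
    retx, dups, death = Counter(), 0, None
    for line in join_wrapped(text):
        r, d = RETX.search(line), DEATH.search(line)
        if r:
            retx[r.group(1)] += 1
        elif "packet is a duplicate" in line:
            dups += 1
        elif d:
            death = (d.group(1), d.group(2))
    stalled = death[1] if death else (retx.most_common(1)[0][0] if retx else None)
    return {
        "retransmits": dict(retx),
        "duplicates_from_peer": dups,
        "death_reason": death[0] if death else None,
        "stalled_state": stalled,
        "hint": HINTS.get(stalled, "no Phase 1 stall detected"),
    }
```

Run against the thread's full log the script reports a stall in MM_KEY_EXCH with the peer repeating its MM_SA_SETUP reply, which is the pattern the hint table maps to a pre-shared key or identity mismatch to verify on both gateways.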