RE: [fw-wiz] Problem getting vpn to work between netscreen 208 and cisco 1721

From: David Klein (dklein@netscreen.com)
Date: 11/27/02


From: David Klein <dklein@netscreen.com>
To: "'esger@bumblebeast.com'" <esger@bumblebeast.com>, firewall-wizards@honor.icsalabs.com
Date: Wed Nov 27 17:45:02 2002

You have the following in your Netscreen config:
        set vpn "IA-vpn" monitor
Turn that off.

When that is on, an ICMP echo request is occasionally sent through the
tunnel to see if it is active. But by default it is sourced from the
Netscreen tunnel end-point (20.1.1.2) and destined to the cisco tunnel
endpoint (192.168.80.10). These IP addresses are outside of the negotiated
P2 proxy id of (10.1.1.0/24 and 192.0.0.0/24).

Some VPN boxes will accept encapsulated packets outside of the P2 proxy id
range if they are the tunnel end-points themselves. Cisco is not one of
them. So turn off the VPN monitor feature on the Netscreen.

If you really do want to use VPN monitor on a Netscreen with a Cisco, you
need to upgrade the Netscreen to 4.0.1r1 and reset the VPN monitor's source
and destination with the following:
 set vpn IA-vpn monitor source-int eth1 destination-ip 10.1.1.10

Dave Klein
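
As an added illustration (not part of Dave's reply or of either vendor's software), a short Python check that parses the 1721's RECVD_PKT_INV_IDENTITY record from the original post and applies the Phase 2 proxy-ID test to the decrypted packet's addresses; the sample log text is constructed from the quoted lines, and the "fixed" probe addresses (192.0.0.2 on eth1, 10.1.1.10) are taken from the configs and the suggested monitor command.

```python
import ipaddress
import re

# Constructed sample: the RECVD_PKT_INV_IDENTITY record quoted in the original
# post, re-joined onto the lines the 1721 itself emits.
SAMPLE_LOG = """\
02:23:38: %CRYPTO-4-RECVD_PKT_INV_IDENTITY: identity doesn't match negotiated identity
(ip) dest_addr= 192.168.80.10, src_addr= 20.1.1.2, prot= 1
(ident) local=192.168.80.10, remote=20.1.1.2
local proxy=10.1.1.10/255.255.255.255/0/0, remote_proxy=192.0.0.0/255.255.255.0/0/0
"""

IP_RE = re.compile(r"dest_addr=\s*([\d.]+), src_addr=\s*([\d.]+), prot=\s*(\d+)")
PROXY_RE = re.compile(
    r"local proxy=([\d.]+)/([\d.]+)/\d+/\d+,\s*remote_proxy=([\d.]+)/([\d.]+)/\d+/\d+"
)


def parse_inv_identity(log):
    """Pull (src, dst, proto, local_proxy, remote_proxy) out of one IOS record."""
    ip_m, px_m = IP_RE.search(log), PROXY_RE.search(log)
    if not (ip_m and px_m):
        raise ValueError("not a RECVD_PKT_INV_IDENTITY record")
    dst, src, proto = ip_m.group(1), ip_m.group(2), int(ip_m.group(3))
    # IOS prints each proxy ID as addr/mask/proto/port; the mask may be a host mask.
    local_proxy = ipaddress.ip_network(f"{px_m.group(1)}/{px_m.group(2)}", strict=False)
    remote_proxy = ipaddress.ip_network(f"{px_m.group(3)}/{px_m.group(4)}", strict=False)
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, local_proxy, remote_proxy


def identity_check(src, dst, local_proxy, remote_proxy):
    """The Phase 2 selector test an inbound decrypted packet must pass on the
    receiving peer: source inside the remote proxy ID, destination inside the
    local proxy ID. Anything else is dropped, as the 1721 log shows."""
    return (ipaddress.ip_address(src) in remote_proxy
            and ipaddress.ip_address(dst) in local_proxy)


def explain(log):
    """Report which half of the selector the logged packet violated."""
    src, dst, _proto, lp, rp = parse_inv_identity(log)
    return {"src_ok": src in rp, "dst_ok": dst in lp,
            "passes": identity_check(src, dst, lp, rp)}


if __name__ == "__main__":
    _, _, _, lp, rp = parse_inv_identity(SAMPLE_LOG)
    print("monitor probe as sent:", explain(SAMPLE_LOG))        # both halves fail
    print("probe from eth1 to 10.1.1.10:",
          identity_check("192.0.0.2", "10.1.1.10", lp, rp))     # True
```

The first result reproduces the drop: the VPN monitor probe is sourced from the tunnel endpoint and aimed at the other endpoint, so neither address sits inside the negotiated proxy IDs; re-sourcing it from the Trust interface toward a host in the remote subnet makes it a packet the Cisco will accept.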

> -----Original Message-----
> From: Esger Abbink [mailto:esger@vesc.nl]
> Sent: Wednesday, November 27, 2002 9:17 AM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] Problem getting vpn to work between netscreen 208 and cisco 1721
>
>
> Hello,
>
> I'm having quite a bit of trouble getting these two devices to 'vpn' well
> together and I'm currently grasping for straws, hence the post to this list.
>
> The situation is as follows:
>
> internal net is 192.0.0.0/24 protected by ns208
> external net is 10.1.1.0/24 protected by 1721
>
> transit networks are 20.1.1.0/24 (ethernet) and 192.168.80.0/24 (ISDN). The
> isdn dialup is done by another cisco router.
>
> the VPN is supposed to run between the ns208 and the 1721.
>
> With some digging through documentation I've configured both devices and when
> initiated by traffic they negotiate a vpn link.
>
> The problem is that when a packet is actually received on the cisco it
> discards it with the following error message:
>
> 02:23:38: %CRYPTO-4-RECVD_PKT_INV_IDENTITY: identity doesn't match negotiated identity
> (ip) dest_addr= 192.168.80.10, src_addr= 20.1.1.2, prot= 1
> (ident) local=192.168.80.10, remote=20.1.1.2
> local proxy=10.1.1.10/255.255.255.255/0/0, remote_proxy=192.0.0.0/255.255.255.0/0/0
> 02:23:38: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
> 02:23:49: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
> 02:24:00: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
> 02:24:10: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
>
> the netscreen displays no errors and thinks the vpn is up although it does
> change that opinion after a while to 'down'.
>
> the netscreen has OS release 4.0.0r1, the cisco has 12.2(8)T5.
>
> At the moment I'm quite stuck with this. I've been in touch with both support
> desks and although they are working on it (for several days already) they
> both think their respective configs are fine and don't understand why it's not
> working. :(
>
> I've included the config of both devices below.
>
> If there's anyone who could offer some assistance or better yet has a similar
> set-up in operation and is willing to provide working configs that would be
> very much appreciated!
>
> thanks in advance,
>
> Esger
>
>
>
> cisco config:
>
> Current configuration : 1625 bytes
> !
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname 1721B
> !
> enable secret 5 $1$nNH6$E4BctAYoaohhGO1A3jzi40
> enable password XXXXXXXX
> !
> username 1721A password 0 XXXXXXXXX
> mmi polling-interval 60
> no mmi auto-configure
> no mmi pvc
> mmi snmp-timeout 180
> ip subnet-zero
> !
> !
> !
> ip audit notify log
> isdn switch-type basic-net3
> !
> crypto isakmp policy 25
> encr 3des
> authentication pre-share
> lifetime 28800
> crypto isakmp key XXXXXX address 20.1.1.2
> !
> crypto ipsec security-association lifetime seconds 28800
> !
> crypto ipsec transform-set paalA esp-3des esp-sha-hmac
> !
> crypto map tunnelmap 10 ipsec-isakmp
> set peer 20.1.1.2
> set transform-set paalA
> set pfs group1
>
> match address 101
> !
> !
> !
> !
> interface BRI0
> no ip address
> encapsulation ppp
> no ip mroute-cache
> dialer pool-member 1
> isdn switch-type basic-net3
> isdn spid1 25
> isdn spid2 26
> isdn answer1 25
> isdn answer2 26
> no cdp enable
> ppp authentication chap
> !
> interface FastEthernet0
> ip address 10.1.1.10 255.255.255.0
> no ip mroute-cache
> speed auto
> half-duplex
> !
> interface Dialer1
> ip address 192.168.80.10 255.255.255.0
> encapsulation ppp
> authentication chap
> dialer pool 1
> dialer idle-timeout 3600
> no cdp enable
> crypto map tunnelmap
> !
> ip classless
> ip route 20.1.1.0 255.255.255.0 192.168.80.1
> no ip http server
> ip pim bidir-enable
> !
> !
> access-list 1 permit any
> access-list 2 permit any
> access-list 3 permit any
> access-list 101 permit ip 10.1.1.0 0.0.0.255 192.0.0.0 0.0.0.255
> dialer-list 1 protocol ip permit
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> password makkie1
> login
> !
> no scheduler allocate
> end
>
>
> netscreen config:
>
> set auth-server "Local" id 0
> set auth-server "Local" server-name "Local"
> set auth-server "DefL2TPAuthServer" id 1
> set auth-server "DefL2TPAuthServer" account-type l2tp
> set auth default auth server "Local"
> set clock "timezone" 1
> set admin format dos
> set admin name "netscreen"
> set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
> set admin auth timeout 10
> set admin auth server "Local"
> unset vrouter trust-vr sharable
> unset vrouter "trust-vr" auto-route-export
> set zone id 1000 "3rdparty"
> set zone id 1001 "IA_palen"
> set zone "Trust" vrouter "trust-vr"
> set zone "Trust" tcp-rst
> set zone "Untrust" vrouter "untrust-vr"
> set zone "Untrust" block
> unset zone "Untrust" tcp-rst
> set zone "DMZ" vrouter "untrust-vr"
> set zone "DMZ" tcp-rst
> set zone "MGT" block
> set zone "MGT" tcp-rst
> set zone "3rdparty" vrouter "trust-vr"
> set zone "3rdparty" block
> set zone "3rdparty" tcp-rst
> set zone "IA_palen" vrouter "trust-vr"
> set zone "IA_palen" block
> set zone "IA_palen" tcp-rst
> set zone Untrust screen tear-drop
> set zone Untrust screen syn-flood
> set zone Untrust screen ping-death
> set zone Untrust screen ip-filter-src
> set zone Untrust screen land
> set zone V1-Untrust screen tear-drop
> set zone V1-Untrust screen syn-flood
> set zone V1-Untrust screen ping-death
> set zone V1-Untrust screen ip-filter-src
> set zone V1-Untrust screen land
> set interface "ethernet1" zone "Trust"
> set interface "ethernet2" zone "3rdparty"
> set interface "ethernet3" zone "Untrust"
> set interface "ethernet5" zone "Trust"
> set interface vlan1 ip 192.0.0.2/24
> set interface ethernet1 ip 192.0.0.2/24
> set interface ethernet1 route
> set interface ethernet2 ip 20.1.1.2/24
> set interface ethernet2 route
> unset interface ethernet3 ip manageable
> unset interface vlan1 bypass-others-ipsec
> unset interface vlan1 bypass-non-ip
> set interface ethernet3 manage-ip 192.168.1.1
> set interface ethernet2 manage ping
> set address Trust "192.0.0.0/24" 192.0.0.0 255.255.255.0
> set address Trust "192.0.0.12" 192.0.0.12 255.255.255.255
> set address 3rdparty "10.1.1.0/24" 10.1.1.0 255.255.255.0
> set address 3rdparty "1721" 192.168.80.10 255.255.255.255
> set firewall log-self
> set snmp name "ns208"
> set ike p1-proposal "pre-g1-3des-sha" Preshare Group1 esp 3DES SHA-1 second 28800
> set ike p2-proposal "g1-esp-3des-sha" Group1 ESP 3DES SHA-1 second 28800
> set ike gateway "1721B" ip 192.168.80.10 Main outgoing-interface "ethernet2" preshare "secret" proposal "pre-g1-3des-sha"
> unset ike policy-checking
> set ike respond-bad-spi 1
> set vpn "IA-vpn" id 6 gateway "1721B" replay tunnel idletime 0 proposal "g1-esp-3des-sha"
> set vpn "IA-vpn" monitor
> set ike id-mode subnet
> set xauth lifetime 480
> set xauth default auth server Local
> set policy id 0 name "vpn-test" from "Trust" to "3rdparty" "192.0.0.0/24" "10.1.1.0/24" "ANY" Tunnel vpn "IA-vpn" id 9 pair-policy 1 no-session-backup
> set policy id 1 name "vpn-test" from "3rdparty" to "Trust" "10.1.1.0/24" "192.0.0.0/24" "ANY" Tunnel vpn "IA-vpn" id 9 pair-policy 0 no-session-backup
> unset global-pro policy-manager primary outgoing-interface
> unset global-pro policy-manager secondary outgoing-interface
> set nsrp track-ip ip
> set pki authority default scep mode "auto"
> set pki x509 default cert-path partial
> set vrouter "untrust-vr"
> exit
> set vrouter "trust-vr"
> set add-default-route vrouter untrust-vr
> set route 192.168.80.0/24 interface ethernet2 gateway 20.1.1.20
> set route 10.1.1.0/24 interface ethernet2
> exit