[fw-wiz] PIX-Firewal1 VPN
From: Zulu (zulu_at_thepub.co.za)
Date: 05/29/03
To: firewall-wizards@honor.icsalabs.com Date: Thu, 29 May 2003 10:16:59 +0200
Hi All,
Sorry 'bout the HTML mail. (long story)
I am trying to set up a VPN from my PIX 6.22 to a Firewall1 NG FP2.
The NG box will always initiate the vpn.
Here is what I get when I debug ipsec & isakmp:
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
VPN Peer: ISAKMP: Added new peer: ip:NG-FWL_ADDRESS Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:NG-FWL_ADDRESS Ref cnt incremented to:1
Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP: Created a peer node for NG-FWL_ADDRESS
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to NG-FWL_ADDRESS. ID = 4174316855 (0xf8cf0537)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
My config looks like this:
(There is a Cisco VPN client thingy set up already, AND IT WORKS)
isakmp enable outside
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set set-2 esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set strong
crypto map partner-map client configuration address initiate
crypto map partner-map interface outside
access-list ipsec permit ip host HOST-A 172.23.1.0 255.255.255.0
access-list ipsec permit ip host HOST_B 172.23.1.0 255.255.255.0
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
ip local pool dealer 172.23.1.1-172.23.1.254
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp client configuration address-pool local dealer outside
crypto map partner-map 20 ipsec-isakmp dynamic cisco
vpngroup vpngroup address-pool dealer
vpngroup vpngroup split-tunnel ipsec
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
(But now I need to set up a site-to-site to a FW1)
access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(natted)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host MY_HOST(no-nat)
access-list SHELL-VPN permit ip host HIS_HOST(natted) host MY_HOST(natted)
access-list SHELL-VPN permit ip host HIS_HOST(natted) host MY_HOST(no-nat)
(As you can see, I've opened it up for all possibilities)
access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(natted)
access-list NO-NAT deny ip host MY_HOST(no-nat) any
nat (inside) 0 access-list NO-NAT
static (inside,outside) MY_HOST(natted) MY_HOST(no-nat) netmask 255.255.255.255 0 0
access-group My-outside-acl in interface outside
access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(natted) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(no-nat) eq ftp
access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(no-nat) eq ftp
(As you can see, I've opened it up for all possibilities)
crypto map partner-map 10 ipsec-isakmp
crypto map partner-map 10 match address SHELL-VPN
crypto map partner-map 10 set pfs group2
crypto map partner-map 10 set peer HIS_FIREWALL_address
crypto map partner-map 10 set transform-set set-2 strong
crypto map partner-map 10 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key ******** address 196.36.178.114 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1440
What am I overlooking?? Are there compatibility issues with PIX and NG IPSEC??
Thanks!!
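Editor's note, added to this archived post and not part of the original message: the debug output above shows phase 1 completing ("SA has been authenticated") and then the PIX entering Quick Mode with "Need config/address" and "initiating peer config to NG-FWL_ADDRESS", after which every phase 2 packet is logged as a duplicate and the PIX keeps retransmitting. That is the signature of the PIX treating the peer as a remote-access client and trying to push mode-config to it: the wildcard `isakmp key ******** address 0.0.0.0 netmask 0.0.0.0` covers the FW-1 address, and `crypto map partner-map client configuration address initiate` is set on the same map. The script below is a triage helper written for this note, not Cisco's or the poster's code. It counts the ISAKMP state-machine events in the debug text and checks which `isakmp key` entries cover the site-to-site peer and whether they carry the PIX 6.x `no-config-mode` keyword. The debug and config excerpts in the block are constructed to match the shapes quoted in the post; the peer address 192.0.2.10 is a documentation placeholder, not the poster's real peer.

```python
"""Triage a PIX 6.x 'debug crypto isakmp' capture for a site-to-site tunnel
that authenticates in phase 1 but never installs phase 2 SAs.

Added example; the sample lines below are constructed to mirror the message
shapes in the post, not copied from a live device.
"""
import ipaddress
import re
from collections import Counter

# Constructed debug excerpt (same message shapes as the post).
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to NG-FWL_ADDRESS. ID = 4174316855 (0xf8cf0537)
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
"""

# Constructed config excerpt; 192.0.2.10 is a placeholder peer, not a real host.
SAMPLE_CONFIG = """\
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
crypto map partner-map client configuration address initiate
crypto map partner-map 10 ipsec-isakmp
crypto map partner-map 10 set peer 192.0.2.10
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
"""

# 'isakmp key <string> address <addr> [netmask <mask>] [flags...]'
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)(?: netmask (\S+))?(.*)$")


def analyze_debug(text):
    """Count the ISAKMP events that matter for a stalled phase 2."""
    counts = Counter()
    for line in text.splitlines():
        if "SA has been authenticated" in line:
            counts["phase1_authenticated"] += 1
        elif "Need config/address" in line or "initiating peer config" in line:
            counts["mode_config_attempts"] += 1      # PIX pushing mode-config
        elif "phase 2 packet is a duplicate" in line:
            counts["phase2_duplicates"] += 1
        elif "retransmitting phase 2" in line:
            counts["phase2_retransmits"] += 1
        elif "IPSEC(initialize_sas)" in line:
            counts["phase2_sas_installed"] += 1      # only seen on success
    return dict(counts)


def keys_covering_peer(config, peer):
    """Return (line, has_no_config_mode) for every 'isakmp key' entry whose
    address/netmask pair covers the peer; a missing netmask means a host key."""
    peer_ip = ipaddress.ip_address(peer)
    hits = []
    for raw in config.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if not m:
            continue
        addr, mask, flags = m.group(1), m.group(2) or "255.255.255.255", m.group(3)
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if peer_ip in net:
            hits.append((line, "no-config-mode" in flags))
    return hits


def diagnose(debug_text, config_text, peer):
    """Combine debug counts with the config and return finding codes."""
    s = analyze_debug(debug_text)
    findings = []
    if (s.get("phase1_authenticated", 0) > 0 and s.get("phase2_sas_installed", 0) == 0
            and s.get("phase2_retransmits", 0) > 0):
        findings.append("PHASE2_STALLED")
    pushes_config = any("client configuration address initiate" in l
                        for l in config_text.splitlines())
    if s.get("mode_config_attempts", 0) and pushes_config:
        # Every key covering the site-to-site peer without no-config-mode lets
        # the PIX try mode-config against a gateway that will never answer it.
        for line, exempt in keys_covering_peer(config_text, peer):
            if not exempt:
                findings.append(f"MODE_CONFIG_TO_SITE_PEER: {line}")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_DEBUG, SAMPLE_CONFIG, "192.0.2.10"):
        print(f)
```

Run against the constructed excerpts it reports PHASE2_STALLED and flags both the wildcard key and the host key for the peer; once the site-to-site key carries `no-xauth no-config-mode` (the documented PIX 6.x keywords for exempting a gateway peer from XAUTH and mode-config when a wildcard client key is also present), only the PHASE2_STALLED observation remains, which is what you would expect to clear once the peer stops receiving a config request it cannot answer.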