[fw-wiz] PIX-Firewal1 VPN

From: Zulu (zulu_at_thepub.co.za)
Date: 05/29/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 29 May 2003 10:16:59 +0200


    Hi All,

    Sorry 'bout the HTML mail. (long story)

    I am trying to set up a VPN from my PIX 6.22 to a Firewall-1 NG FP2.
    The NG box will always initiate the VPN.

    Here is what I get when I debug ipsec & isakmp:

    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    VPN Peer: ISAKMP: Added new peer: ip:NG-FWL_ADDRESS Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:NG-FWL_ADDRESS Ref cnt incremented to:1 Total VPN Peers:1
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): ID payload
            next-payload : 8
            type : 1
            protocol : 17
            port : 500
            length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
    ISAKMP (0): sending NOTIFY message 24576 protocol 1
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP: Created a peer node for NG-FWL_ADDRESS
    OAK_QM exchange
    ISAKMP (0:0): Need config/address
    ISAKMP (0:0): initiating peer config to NG-FWL_ADDRESS. ID = 4174316855 (0xf8cf0537)
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    ISAKMP (0): retransmitting phase 2...
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    ISAKMP (0): retransmitting phase 2...
    crypto_isakmp_process_block: src NG-FWL_ADDRESS, dest PIX-FWL_ADDRESS
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase 2...

    My Config looks like this:

    (There is a Cisco VPN client thingy set up already! AND IT WORKS)

    isakmp enable outside
    sysopt connection permit-ipsec

    crypto ipsec transform-set strong esp-des esp-sha-hmac
    crypto ipsec transform-set set-2 esp-des esp-md5-hmac
    crypto dynamic-map cisco 4 set transform-set strong
    crypto map partner-map client configuration address initiate
    crypto map partner-map interface outside

    access-list ipsec permit ip host HOST-A 172.23.1.0 255.255.255.0
    access-list ipsec permit ip host HOST_B 172.23.1.0 255.255.255.0

    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

    ip local pool dealer 172.23.1.1-172.23.1.254
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
    isakmp client configuration address-pool local dealer outside

    crypto map partner-map 20 ipsec-isakmp dynamic cisco

    vpngroup vpngroup address-pool dealer
    vpngroup vpngroup split-tunnel ipsec
    vpngroup vpngroup idle-time 1800
    vpngroup vpngroup password ********

    (But now I need to set up a site-to-site VPN to a FW-1)

    access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(no-nat)
    access-list SHELL-VPN permit ip host MY_HOST(natted) host HIS_HOST(natted)
    access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
    access-list SHELL-VPN permit ip host MY_HOST(no-nat) host HIS_HOST(natted)

    access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host MY_HOST(natted)
    access-list SHELL-VPN permit ip host HIS_HOST(no-nat) host MY_HOST(no-nat)
    access-list SHELL-VPN permit ip host HIS_HOST(natted) host MY_HOST(natted)
    access-list SHELL-VPN permit ip host HIS_HOST(natted) host MY_HOST(no-nat)

    (As you can see, I've opened it up for all possibilities)

    access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(no-nat)
    access-list NO-NAT permit ip host MY_HOST(no-nat) host HIS_HOST(natted)
    access-list NO-NAT deny ip host MY_HOST(no-nat) any
    nat (inside) 0 access-list NO-NAT

    static (inside,outside) MY_HOST(natted) MY_HOST(no-nat) netmask 255.255.255.255 0 0

    access-group My-outside-acl in interface outside

    access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(natted) eq ftp
    access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(natted) eq ftp
    access-list My-outside-acl permit tcp host HIS_HOST(no-nat) host MY_HOST(no-nat) eq ftp
    access-list My-outside-acl permit tcp host HIS_HOST(natted) host MY_HOST(no-nat) eq ftp

    (As you can see, I've opened it up for all possibilities)

    crypto map partner-map 10 ipsec-isakmp
    crypto map partner-map 10 match address SHELL-VPN
    crypto map partner-map 10 set pfs group2
    crypto map partner-map 10 set peer HIS_FIREWALL_address
    crypto map partner-map 10 set transform-set set-2 strong
    crypto map partner-map 10 set security-association lifetime seconds 3600 kilobytes 4608000

    isakmp key ******** address 196.36.178.114 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 1440

    What am I overlooking?? Are there compatibility issues between PIX and NG
    IPsec??

    Thanks!!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
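Editor's note, with an added example that is not part of the original post and not Cisco or Check Point code. The debug output above is worth reading as a state machine: phase 1 completes ("SA has been authenticated", RESPONDER_LIFETIME sent), then on the first quick-mode packet the PIX logs "Need config/address" and "initiating peer config", i.e. it starts IKE mode-config toward the Check Point gateway as if it were a VPN client, and from then on every quick-mode packet from the peer is logged as a duplicate and phase 2 is retransmitted until it gives up. The script below parses a constructed excerpt of that debug output (peer address kept as the post's placeholder) and of the posted config, and flags the two PIX 6.x settings that make a static peer receive mode-config: an `isakmp key` entry without the `no-config-mode` keyword (the wildcard `0.0.0.0` key matches every peer), and `client configuration address initiate` applied to the same crypto map that carries the static `set peer` entry. The `no-xauth` and `no-config-mode` keywords of the PIX 6.x `isakmp key` command are real; whether they alone fix this particular tunnel is an assumption this script does not test. Addresses and placeholders are the post's own.

```python
import re

# Constructed sample: an excerpt of the PIX 6.x "debug crypto isakmp" output
# quoted in the post above, with the peer address left as the post's placeholder.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to NG-FWL_ADDRESS. ID = 4174316855 (0xf8cf0537)
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
ISAKMP (0): retransmitting phase 2...
"""

# Constructed sample: the lines of the posted PIX config that matter here.
SAMPLE_CONFIG = """\
crypto map partner-map client configuration address initiate
crypto map partner-map 10 ipsec-isakmp
crypto map partner-map 10 set peer 196.36.178.114
crypto map partner-map 20 ipsec-isakmp dynamic cisco
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 196.36.178.114 netmask 255.255.255.255
"""


def parse_isakmp_debug(text):
    """Summarise one IKE negotiation from PIX 6.x 'debug crypto isakmp' output."""
    s = {"policy": None, "attrs": {}, "lifetime_seconds": None,
         "phase1_authenticated": False, "peer_config_initiated": False,
         "phase2_duplicates": 0, "phase2_retransmits": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"against priority (\d+) policy", line)
        if m:
            s["policy"] = int(m.group(1))
        m = re.match(r"ISAKMP: (encryption|hash|auth|default group) (\S+)", line)
        if m:
            s["attrs"][m.group(1)] = m.group(2)
        m = re.search(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+ ?)+)", line)
        if m:
            # The peer's lifetime attribute is printed as big-endian bytes:
            # "0x0 0x1 0x51 0x80" is 0x00015180 = 86400 seconds.
            octets = bytes(int(b, 16) for b in m.group(1).split())
            s["lifetime_seconds"] = int.from_bytes(octets, "big")
        if "SA has been authenticated" in line:
            s["phase1_authenticated"] = True
        if "initiating peer config" in line:
            s["peer_config_initiated"] = True
        if "phase 2 packet is a duplicate" in line:
            s["phase2_duplicates"] += 1
        if "retransmitting phase 2" in line:
            s["phase2_retransmits"] += 1
    return s


def triage(s):
    """Turn the parsed summary into plain-language findings, in negotiation order."""
    f = []
    if s["phase1_authenticated"]:
        attrs = ", ".join("%s=%s" % kv for kv in sorted(s["attrs"].items()))
        f.append("phase 1 completed: peer proposal matched policy %s (%s), peer lifetime %s s"
                 % (s["policy"], attrs, s["lifetime_seconds"]))
    else:
        f.append("phase 1 never authenticated: check pre-shared key, ISAKMP policy and identity type")
    if s["peer_config_initiated"]:
        f.append("mode-config started: the PIX is pushing client configuration at this peer, "
                 "i.e. treating a site-to-site gateway as a remote-access client")
    if s["phase2_duplicates"] or s["phase2_retransmits"]:
        f.append("phase 2 stalled: %d duplicate quick-mode packets, %d retransmits, no IPsec SA built"
                 % (s["phase2_duplicates"], s["phase2_retransmits"]))
    return f


def check_config(text):
    """Flag PIX 6.x settings under which a static peer is offered mode-config."""
    lines = [l.strip() for l in text.splitlines()]
    findings = []
    # Any 'isakmp key' entry without no-config-mode leaves mode-config enabled for
    # the peers it matches; the 0.0.0.0 wildcard entry matches every peer.
    for l in lines:
        m = re.match(r"isakmp key \S+ address (\S+)", l)
        if m and "no-config-mode" not in l:
            kind = "wildcard" if m.group(1) == "0.0.0.0" else "static"
            findings.append("%s isakmp key for %s lacks no-config-mode (and no-xauth): %s"
                            % (kind, m.group(1), l))
    # 'client configuration address initiate' is set on the whole crypto map,
    # so every static 'set peer' entry on that map is affected as well.
    initiating = {m.group(1) for m in
                  (re.match(r"crypto map (\S+) client configuration address initiate", l)
                   for l in lines) if m}
    for l in lines:
        m = re.match(r"crypto map (\S+) \d+ set peer (\S+)", l)
        if m and m.group(1) in initiating:
            findings.append("static peer %s sits on crypto map %s, which initiates client config"
                            % (m.group(2), m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_isakmp_debug(SAMPLE_DEBUG)) + check_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a full `debug crypto isakmp` capture by replacing `SAMPLE_DEBUG`; the lifetime decoder is the part most people get wrong by hand, since the PIX prints the peer's attribute as raw bytes rather than as a number.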