RE: [fw-wiz] Netscreen-pix515 IPsec interop

lordchariot_at_earthlink.net
Date: 09/02/03

    To: <sudheermt07@yahoo.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 2 Sep 2003 10:36:10 -0400
    
    

    Sudheer,

    A very useful site for interoperability is:
    http://www.vpnc.org/InteropProfiles/

    They have a list of VPN devices set up in a common manner to connect to
    each other. Netscreen is listed, but PIX is not. However, the profile
    for IOS may be useful.
    Good Luck,
    Erik

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Sudheer
    MT
    Sent: Monday, September 01, 2003 11:46 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Netscreen-pix515 IPsec interop

    Hi,

    We are using a Netscreen firewall, which is configured
    for site-to-site VPN (both ends Netscreen firewall).
    We need to replace the Netscreen here.

    We have a Cisco 515 with IOS 6.2.

    We are facing a problem with Phase 2 negotiation.

    Here are the details of the VPN as configured in Netscreen.

    P1 Proposal (pre-g2-3des-sha)
    Main mode,
    Method preshare,
    DH Group 2
    Encrypt/Auth: 3DES/SHA
    Lifetime 28800

    P2 Proposal (g2-esp-3des-sha)

    Replay : Enable replay protection
    PFS : DH Group 2
    Encap : ESP
    Encrypt/Auth:3DES/SHA
    Lifetime 3600

    Here is the PIX config for the above.
    !
    crypto ipsec transform-set mytranset esp-3des esp-sha-hmac
    sysopt ipsec pl-compatible
    sysopt connection permit-ipsec
    no sysopt route dnat
    !
    access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq 2401
    access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq www
    access-list myvpn permit icmp 192.168.70.0 255.255.255.224 host 172.16.254.2
    !
    isakmp key **** address 194.78.66.32 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 2 authentication pre-share
    isakmp policy 2 encryption 3des
    isakmp policy 2 hash sha
    isakmp policy 2 group 2
    isakmp policy 2 lifetime 3600
    isakmp enable outside
    !
    crypto map vpn-nk 20 ipsec-isakmp
    crypto map vpn-nk 20 match address myvpn
    crypto map vpn-nk 20 set pfs group2
    crypto map vpn-nk 20 set peer 194.78.66.32
    crypto map vpn-nk 20 set transform-set mytranset
    crypto map vpn-nk interface outside

    =============================
    Here is log:
    NETKRAFT515(config)# show ipsec sa
    VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32
    Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt
    incremented to:1 Total VPN Peers:1
    ISAKMP (0): beginning Main Mode exchange

    crypto_isakmp_process_block: src 194.78.66.32, dest
    203.197.172.62
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against
    priority 1 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 2800
    ISAKMP (0): atts are not acceptable. Next payload is 0
    ISAKMP (0): Checking ISAKMP transform 1 against
    priority 2 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 2800
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): SA is doing pre-shared key authentication
    using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 194.78.66.32, dest
    203.197.172.62
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0): ID payload
            next-payload : 8
            type : 1
            protocol : 17
            port : 500
            length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 194.78.66.32, dest
    203.197.172.62
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    ISAKMP (0): beginning Quick Mode exchange, M-ID of
    -645140618:d98bef76IPSEC(key_engine): got a queue
    event...
    IPSEC(spi_response): getting spi
    0xdc107272(3692065394) for SA
            from 194.78.66.32 to 203.197.172.62 for prot 3
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): retransmitting phase
    2...IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= 203.197.172.62, remote=
    194.78.66.32,
        local_proxy= 192.168.70.0/255.255.255.224/6/0
    (type=4),
        remote_proxy= 172.16.254.2/255.255.255.255/6/2401
    (type=1)
    ISAKMP (0): beginning Quick Mode exchange, M-ID of
    1524565892:5adf0784IPSEC(key_engine): got a queue
    event...
    IPSEC(spi_response): getting spi
    0xfc1bf72c(4229691180) for SA
            from 194.78.66.32 to 203.197.172.62 for prot 3
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase
    2...IPSEC(key_engine): request timer fired: count = 2,
      (identity) local= 203.197.172.62, remote=
    194.78.66.32,
        local_proxy= 192.168.70.0/255.255.255.224/6/0
    (type=4),
        remote_proxy= 172.16.254.2/255.255.255.255/6/2401
    (type=1)
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): deleting SA: src 203.197.172.62, dst
    194.78.66.32
    ISADB: reaper checking SA 0x812c2790, conn_id = 0
    DELETE IT!
    VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt
    decremented to:0 Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:194.78.66.32 Total
    VPN peers:0
    VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32
    Total VPN Peers:1

    Sudheer

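To make the PIX debug output quoted above easier to read when triaging a stalled tunnel, here is an added example (not code from the thread or from Cisco) that walks the `ISAKMP`/`IPSEC` lines and reports which Phase 1 policy matched, whether the SA authenticated, the Phase 2 proxy identities offered, and whether Quick Mode retried and then tore the SA down. The sample log is a constructed, re-joined condensation of the lines in the post; the function name `summarize_isakmp` and the summary keys are my own.

```python
import re

# Constructed sample: the post's debug lines re-joined where the mail wrapped them.
SAMPLE_LOG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -645140618:d98bef76
    local_proxy= 192.168.70.0/255.255.255.224/6/0 (type=4),
    remote_proxy= 172.16.254.2/255.255.255.255/6/2401 (type=1)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src 203.197.172.62, dst 194.78.66.32
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+) \(type=(\d+)\)")


def summarize_isakmp(log):
    """Walk PIX isakmp debug output line by line and report how far the tunnel got."""
    s = {"phase1_policy": None, "phase1_authenticated": False,
         "proxies": {}, "phase2_retransmits": 0, "sa_deleted": False}
    candidate = None
    for line in log.splitlines():
        m = CHECK_RE.search(line)
        if m:
            candidate = int(m.group(1))          # policy currently being compared
        elif "atts are acceptable" in line and candidate is not None:
            s["phase1_policy"] = candidate       # policy the peer's offer matched
        elif "SA has been authenticated" in line:
            s["phase1_authenticated"] = True
        elif "retransmitting phase 2" in line:
            s["phase2_retransmits"] += 1
        elif "deleting SA" in line:
            s["sa_deleted"] = True
        p = PROXY_RE.search(line)
        if p:
            side, addr, mask, proto, port, _ = p.groups()
            s["proxies"][side] = {"net": f"{addr}/{mask}", "proto": int(proto), "port": int(port)}
    # Phase 2 counts as failed when Quick Mode was retried and the SA was then torn down.
    s["phase2_failed"] = s["phase2_retransmits"] > 0 and s["sa_deleted"]
    # Proxy IDs carrying a protocol or port must match the peer's policy exactly,
    # so they are the first thing to compare with the far end when Phase 2 stalls.
    s["narrow_proxy"] = any(p["proto"] or p["port"] for p in s["proxies"].values())
    return s


if __name__ == "__main__":
    for key, value in summarize_isakmp(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```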
