FW: [fw-wiz] Netscreen-pix515 IPsec interop

From: David Klein (dklein_at_netscreen.com)
Date: 09/02/03

    To: "'mtsudheer75@yahoo.com'" <mtsudheer75@yahoo.com>
    Date: Tue, 2 Sep 2003 07:43:10 -0700
    
    

    Sudheer,

    I suspect your IKE phase 2 proxy ID's are not matching.

    On the Cisco you are seeing:
    ISAKMP (0): retransmitting phase
    2...IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= 203.197.172.62, remote=
    194.78.66.32,
        local_proxy= 192.168.70.0/255.255.255.224/6/0
    (type=4),
        remote_proxy= 172.16.254.2/255.255.255.255/6/2401
    (type=1)

    If you were to look at the Netscreen event log (or debug IKE output) you'll
    probably see phase 2 mismatch errors.

    You need to make sure the access policies/rules match up between the Cisco
    and the Netscreen. You included the access lists from the Cisco but you did
    not include the policy statements from the netscreen. In a nutshell, if
    using a policy-based VPN on the Netscreen then the policy statements need to
    match with the above proxy id's. If using a route-based VPN on the
    Netscreen then you can just set these proxy ID's in the ("set vpn ..." CLI
    or AutoKey IKE WebUI) VPN settings.

    Dave Klein
    NetScreen

    -----Original Message-----
    From: Sudheer MT [mailto:mtsudheer75@yahoo.com]
    Sent: Monday, September 01, 2003 10:46 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Netscreen-pix515 IPsec interop

    Hi,

    We are using Netscreen firewall, which is configured
    for site to site VPN. (Both ends Netscreen firewall)
    We need to replace netscreen, here.

    We have cisco 515 with IOS 6.2

    We are facing problem with Phase 2 nego.

    Here is detail of VPN, as configured in Netscreen.

    P1 proposal,(pre-g2-3des-sha)
    Main mode,
    Method preshare,
    DH Group 2
    Encrypt/Auth: 3DES/SHA
    Lifetime 28800

    P2 Proposal, (g2-esp-3des-sha)

    Replay : Enable replay protection
    PFS : DH Group 2
    Encap : ESP
    Encrypt/Auth:3DES/SHA
    Lifetime 3600

    Here is Pix config for above.
    !
    crypto ipsec transform-set mytranset esp-3des
    esp-sha-hmac
    sysopt ipsec pl-compatible
    sysopt connection permit-ipsec
    no sysopt route dnat
    !
    access-list myvpn permit tcp 192.168.70.0
    255.255.255.224 host 172.16.254.2 eq 2401
    access-list myvpn permit tcp 192.168.70.0
    255.255.255.224 host 172.16.254.2 eq www
    access-list myvpn permit icmp 192.168.70.0
    255.255.255.224 host 172.16.254.2
    !
    isakmp key **** address 194.78.66.32 netmask
    255.255.255.255
    isakmp identity address
    isakmp policy 2 authentication pre-share
    isakmp policy 2 encryption 3des
    isakmp policy 2 hash sha
    isakmp policy 2 group 2
    isakmp policy 2 lifetime 3600
    isakmp enable outside
    !
    crypto map vpn-nk 20 ipsec-isakmp
    crypto map vpn-nk 20 match address myvpn
    crypto map vpn-nk 20 set pfs group2
    crypto map vpn-nk 20 set peer 194.78.66.32
    crypto map vpn-nk 20 set transform-set mytranset
    crypto map vpn-nk interface outside

    =============================
    Here is log:
    NETKRAFT515(config)# show ipsec sa
    VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32
    Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt
    incremented to:1 Total VPN Peers:1
    ISAKMP (0): beginning Main Mode exchange

    crypto_isakmp_process_block: src 194.78.66.32, dest
    203.197.172.62
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against
    priority 1 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 2800
    ISAKMP (0): atts are not acceptable. Next payload is 0
    ISAKMP (0): Checking ISAKMP transform 1 against
    priority 2 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 2800
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): SA is doing pre-shared key authentication
    using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 194.78.66.32, dest
    203.197.172.62
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0): ID payload
            next-payload : 8
            type : 1
            protocol : 17
            port : 500
            length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 194.78.66.32, dest
    203.197.172.62
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    ISAKMP (0): beginning Quick Mode exchange, M-ID of
    -645140618:d98bef76IPSEC(key_engine): got a queue
    event...
    IPSEC(spi_response): getting spi
    0xdc107272(3692065394) for SA
            from 194.78.66.32 to 203.197.172.62 for prot 3
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): retransmitting phase
    2...IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= 203.197.172.62, remote=
    194.78.66.32,
        local_proxy= 192.168.70.0/255.255.255.224/6/0
    (type=4),
        remote_proxy= 172.16.254.2/255.255.255.255/6/2401
    (type=1)
    ISAKMP (0): beginning Quick Mode exchange, M-ID of
    1524565892:5adf0784IPSEC(key_engine): got a queue
    event...
    IPSEC(spi_response): getting spi
    0xfc1bf72c(4229691180) for SA
            from 194.78.66.32 to 203.197.172.62 for prot 3
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase
    2...IPSEC(key_engine): request timer fired: count = 2,
      (identity) local= 203.197.172.62, remote=
    194.78.66.32,
        local_proxy= 192.168.70.0/255.255.255.224/6/0
    (type=4),
        remote_proxy= 172.16.254.2/255.255.255.255/6/2401
    (type=1)
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): retransmitting phase 2...
    ISAKMP (0): deleting SA: src 203.197.172.62, dst
    194.78.66.32
    ISADB: reaper checking SA 0x812c2790, conn_id = 0
    DELETE IT!
    VPN Peer: ISAKMP: Peer ip:194.78.66.32 Ref cnt
    decremented to:0 Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:194.78.66.32 Total
    VPN peers:0
    VPN Peer: ISAKMP: Added new peer: ip:194.78.66.32
    Total VPN Peers:1

    Sudheer

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
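An added example (not from the thread) that makes Dave's point mechanical: it renders the PIX crypto-ACL entries from Sudheer's config as the local_proxy/remote_proxy pairs that appear in the debug output and checks whether a set of NetScreen policy selectors mirrors them exactly, which is what Quick Mode requires. The NetScreen selectors, the PROTO/SERVICE tables and the dict layout are my own assumptions.

```python
# Protocol numbers and service names as PIX 6.x debug output prints them
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
SERVICE = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

def parse_pix_acl(line):
    """Parse 'access-list NAME permit PROTO SRC DST' (SRC/DST: 'host A' or
    'A MASK', optionally followed by 'eq PORT'; port 0 means any port)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError(f"not a permit ACE: {line}")
    i = 4
    def addr():
        nonlocal i
        if tok[i] == "host":
            net, mask, i = tok[i + 1], "255.255.255.255", i + 2
        else:
            net, mask, i = tok[i], tok[i + 1], i + 2
        port = 0
        if i < len(tok) and tok[i] == "eq":
            port, i = SERVICE.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        return net, mask, port
    return {"proto": PROTO[tok[3]], "local": addr(), "remote": addr()}

def proxy_id(sel):
    """Selector as the 'net/mask/proto/port' pair the PIX logs as local_proxy / remote_proxy."""
    fmt = lambda a: f"{a[0]}/{a[1]}/{sel['proto']}/{a[2]}"
    return fmt(sel["local"]), fmt(sel["remote"])

def mirror(sel):
    """The selector the other end must hold: local and remote swapped."""
    return {"proto": sel["proto"], "local": sel["remote"], "remote": sel["local"]}

def unmatched(pix_acl, ns_policies):
    """Proxy-ID pairs the PIX proposes that no NetScreen policy mirrors
    exactly; each one is a Quick Mode proposal the responder will reject."""
    sels = [parse_pix_acl(line) for line in pix_acl]
    return [proxy_id(s) for s in sels
            if not any(proxy_id(mirror(s)) == proxy_id(p) for p in ns_policies)]

# The three crypto ACL entries from the posted PIX config
PIX_ACL = [
    "access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq 2401",
    "access-list myvpn permit tcp 192.168.70.0 255.255.255.224 host 172.16.254.2 eq www",
    "access-list myvpn permit icmp 192.168.70.0 255.255.255.224 host 172.16.254.2",
]
# Constructed NetScreen selectors (not from the post): a loose subnet-to-subnet
# ANY policy, which matches none of the ACL entries, and the exact mirrors
NS_LOOSE = [{"proto": 0, "local": ("172.16.254.0", "255.255.255.0", 0),
             "remote": ("192.168.70.0", "255.255.255.224", 0)}]
NS_MIRRORED = [mirror(parse_pix_acl(line)) for line in PIX_ACL]
```

The first ACL entry renders as exactly the pair in the log (`192.168.70.0/255.255.255.224/6/0` and `172.16.254.2/255.255.255.255/6/2401`), and NS_MIRRORED is the set of selectors the NetScreen policies (or the route-based VPN's proxy IDs) must carry.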

