Re: Pix 501 & Netgear FVS318 VPN Problem... Please help!!!!

From: Ted Mittelstaedt (tedm_at_toybox.placo.com)
Date: 08/30/03


Date: Sat, 30 Aug 2003 09:21:06 -0700

Hi Jamie,

  The NetGear FVS318 is a cheap POS VPN router that is in the same class as
the cheap POS Linksys VPN router BEFSX41. Neither of these is going to work
on a LAN2LAN connection to a PIX. You want to be using a better quality VPN
router like the NetGear FVL328 or the Linksys BEFVP41. (I've had no problems
with the BEFVP41 myself, by the way)

Ted

"Jamie Watson" <jamie.watson@nospam.ramsdens.co.uk> wrote in message
news:biqea1$ku1$1$8302bc10@news.demon.co.uk...
I am trying to set a connection between a PIX 501 Firewall and a Netgear
FVS318. The PIX has a public IP address, the Netgear has a 192 address; the
Netgear has this because we only have one IP address from our ISP, I use the
DMZ feature to point all the incoming traffic to the 'internet' port on the
Firewall. Basically I am not having much joy, it seems to be creating the
tunnel but then not letting any data pass across. All configs and debugs
are on the post, I have highlighted a couple of areas where I think it
could be going wrong.

I have then set it up as follows;
The Netgear FVS318

1. Click on VPN Settings
2. Click on the first available radio button and click edit.
3. Enter your vpn settings.

Connection name - Anything you choose
Local IPSec Identifier - IP or FQDN of the FVS318
Remote IPSec Identifier - IP or FQDN of the remote gateway

Click on the LAN radio button

Remote LAN IP - The network range you wish to vpn to.
Remote LAN Subnet Mask - The Subnet of the network range you wish to vpn to.

Remote WAN IP or FQDN - The ip or FQDN of your pix

Security Association - Main Mode

Perfect Forward Security - Enabled

The PIX as (this is not all the config but the majority);
access-list 104 permit ip 10.10.0.0 255.255.0.0 192.168.16.0 255.255.255.0
mtu outside 1500
mtu inside 1500
ip local pool clientpool 192.168.1.1-192.168.1.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
aaa-server partnerauth (inside) host huddersfield01 letscomm timeout 5
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set clientsvpnset esp-des esp-md5-hmac
crypto ipsec transform-set holmfirthvpnset esp-des esp-md5-hmac
crypto ipsec transform-set slaithwaitevpnset esp-des esp-md5-hmac
crypto ipsec transform-set oldhamvpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set clientsvpnset
crypto map VPN 1 ipsec-isakmp
crypto map VPN 1 match address 102
crypto map VPN 1 set peer holmfirthpix
crypto map VPN 1 set transform-set holmfirthvpnset
crypto map VPN 2 ipsec-isakmp
crypto map VPN 2 match address 103
crypto map VPN 2 set peer slaithwaitepix
crypto map VPN 2 set transform-set slaithwaitevpnset
crypto map VPN 3 ipsec-isakmp
crypto map VPN 3 match address 104
crypto map VPN 3 set peer oldhamngear
crypto map VPN 3 set transform-set oldhamvpnset
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN client authentication partnerauth
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address slaithwaitepix netmask 255.255.255.255
isakmp key ******** address holmfirthpix netmask 255.255.255.255
isakmp key ******** address oldhamngear netmask 255.255.255.255 no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup clientsvpn address-pool clientpool
vpngroup clientsvpn dns-server huddersfield01 huddersfield02
vpngroup clientsvpn default-domain ramsdens.co.uk
vpngroup clientsvpn split-tunnel 101
vpngroup clientsvpn idle-time 1800
vpngroup clientsvpn password ********

This is the output of the Netgear syslog;
Aug 30 15:28:35 192.168.16.9 FVS318 IPsec[358]:Receive Packet address:0x1807194 from 62.49.xxx.xxx
Aug 30 15:28:35 192.168.16.9 FVS318 IPsec[359]:main_inI1_outR1()
Aug 30 15:28:35 192.168.16.9 FVS318 IKE[360]:Peer Initialized IKE Main Mode
Aug 30 15:28:35 192.168.16.9 FVS318 IKE[361]:[Huddersfield] RX << MM_I1 : 62.49.xxx.xxx
Aug 30 15:28:35 192.168.16.9 FVS318 IPsec[362]:New State index:0, sno:10
Aug 30 15:28:35 192.168.16.9 FVS318 IPsec[363]:responding to Main Mode
Aug 30 15:28:35 192.168.16.9 FVS318 IPsec[364]:Oakley Transform 1 accepted
Aug 30 15:28:35 192.168.16.9 FVS318 IKE[365]:OAKLEY_PRESHARED_KEY/OAKLEY_DES_CBC/MODP768
Aug 30 15:28:35 192.168.16.9 FVS318 IKE[366]:[Huddersfield] TX >> MM_R1 : 62.49.xxx.xxx
Aug 30 15:28:35 192.168.16.9 FVS318 IPsec[367]:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #10
Aug 30 15:28:35 192.168.16.9 FVS318 IPsec[368]:Receive Packet address:0x1807194 from 62.49.xxx.xxx
Aug 30 15:28:35 192.168.16.9 FVS318 IPsec[369]:main_inI2_outR2()
Aug 30 15:28:35 192.168.16.9 FVS318 IKE[370]:[Huddersfield] RX << MM_I2 : 62.49.xxx.xxx
Aug 30 15:28:37 192.168.16.9 FVS318 IKE[371]:[Huddersfield] TX >> MM_R2 : 62.49.xxx.xxx
Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[372]:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #10
Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[373]:Receive Packet address:0x1807194 from 62.49.xxx.xxx
Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[374]:main_inI3_outR3()
Aug 30 15:28:37 192.168.16.9 FVS318 IKE[375]:[Huddersfield] RX << MM_I3 : 62.49.xxx.xxx
Aug 30 15:28:37 192.168.16.9 FVS318 IKE-DEBUG[376]:NETGEAR-decode-net-id
Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[377]:Decoded Peer's ID is ID_IPV4_ADDR:62.49.xxx.xxx and 62.49.xxx.xxx in st
Aug 30 15:28:37 192.168.16.9 FVS318 IKE-DEBUG[378]:Ignore check ID
Aug 30 15:28:37 192.168.16.9 FVS318 IKE-DEBUG[379]:check_main_authenticator(md, TRUE)
Aug 30 15:28:37 192.168.16.9 FVS318 IKE[380]:[Huddersfield] TX >> MM_R3 : 62.49.xxx.xxx
Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[381]:inserting event EVENT_SA_EXPIRE, timeout in 1180 seconds for #10
Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[382]:STATE_MAIN_R3: sent MR3, ISAKMP SA established
Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[383]:Receive Packet address:0x1807194 from 62.49.xxx.xxx
Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[384]:loglog[3] *#hahaha.... exchange type of ISAKMP Message has an unknown value: 6
Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[385]:Receive Packet address:0x1807194 from 62.49.xxx.xxx
Aug 30 15:28:37 192.168.16.9 FVS318 IKE[386]:[Huddersfield] RX << XCHG_INFO : 62.49.xxx.xxx
Aug 30 15:28:52 192.168.16.9 FVS318 IPsec[387]:Receive Packet address:0x1807194 from 62.49.xxx.xxx
Aug 30 15:28:52 192.168.16.9 FVS318 IPsec[388]:loglog[3] *#hahaha.... exchange type of ISAKMP Message has an unknown value: 6
Aug 30 15:29:07 192.168.16.9 FVS318 IPsec[389]:Receive Packet address:0x1807194 from 62.49.xxx.xxx
Aug 30 15:29:07 192.168.16.9 FVS318 IPsec[390]:loglog[3] *#hahaha.... exchange type of ISAKMP Message has an unknown value: 6
Aug 30 15:29:22 192.168.16.9 FVS318 IPsec[391]:Receive Packet address:0x1807194 from 62.49.xxx.xxx
Aug 30 15:29:22 192.168.16.9 FVS318 IPsec[392]:loglog[3] *#hahaha.... exchange type of ISAKMP Message has an unknown value: 6
Aug 30 15:29:37 192.168.16.9 FVS318 IPsec[393]:Receive Packet address:0x1807194 from 62.49.xxx.xxx
Aug 30 15:29:37 192.168.16.9 FVS318 IPsec[394]:loglog[3] *#hahaha.... exchange type of ISAKMP Message has an unknown value:

This is the output from the PIX debug;
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:oldhamngear, dest:62.49.57.114 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:oldhamngear, dest:62.49.57.114 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP: Created a peer struct for oldhamngear, peer port 62465
ISAKMP (0): ID payload
        next-payload : 8
        type : 1
        protocol : 17
        port : 500
        length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:oldhamngear, dest:62.49.57.114 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to oldhamngear. ID = 1807661022 (0x6bbeb7de)
modecfg: sa: 9254fc, new mess id= 6bbeb7de

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:oldhamngear/500 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:oldhamngear/500 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP (0): retransmitting Config Mode Request...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 62.49.57.114, remote= oldhamngear,
    local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 192.168.16.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting Config Mode Request...
ISADB: reaper checking SA 0x927714, conn_id = 0
ISADB: reaper checking SA 0x9254fc, conn_id = 0
ISADB: reaper checking SA 0x91e1d4, conn_id = 0
ISAKMP (0): retransmitting Config Mode Request...IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 62.49.57.114, remote= oldhamngear,
    local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 192.168.16.0/255.255.255.0/0/0 (type=4)

crypto_isakmp_process_block:src:oldhamngear, dest:62.49.57.114 spt:500 dpt:500
OAK_QM exchange
ISAKMP (0:0): Need XAUTH
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:oldhamngear, dest:62.49.57.114 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): deleting SA: src 62.49.57.114, dst oldhamngear
ISADB: reaper checking SA 0x927714, conn_id = 0
ISADB: reaper checking SA 0x9254fc, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:oldhamngear/500 Ref cnt decremented to:0 Total VPN Peers:3
VPN Peer: ISAKMP: Deleted peer: ip:oldhamngear/500 Total VPN peers:2
ISADB: reaper checking SA 0x927714, conn_id = 0
ISADB: reaper checking SA 0x91e1d4, conn_id = 0
crypto_isakmp_process_block:src:oldhamngear, dest:62.49.57.114 spt:500 dpt:500
ISAKMP: sa not found for ike msg

Any help would be greatly appreciated. Spent the whole of Saturday on this
already!!!!

Thanks
Jamie
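The two log excerpts in the quoted post line up with each other: the PIX debug shows Phase 1 completing ("SA has been authenticated") and the PIX then deciding "Need XAUTH" and retransmitting a Config Mode Request, while the FVS318 logs an ISAKMP SA established followed by repeated messages whose exchange type it does not know, value 6. Exchange type 6 is the ISAKMP Transaction exchange used by Mode Config and XAUTH, so the responder is being asked for a username and password it has no way to answer. The checker below is an added example written for this editorial pass, not code from the thread or from either vendor. It parses the three artifacts the way a defender would when triaging a tunnel that authenticates but never carries data, and it lints the PIX config excerpt for static crypto-map peers that lack the `no-xauth` / `no-config-mode` keywords on their `isakmp key` line while the same map carries `client authentication` (PIX 6.x syntax; the quoted config already uses `no-config-mode`). The sample lines are constructed from the excerpts posted in the thread; the peer name `oldhamngear` and the address `62.49.57.114` are the thread's own values.

```python
"""Correlate an FVS318 syslog, a PIX ISAKMP debug and a PIX config excerpt
to explain a tunnel that authenticates in Phase 1 but never passes data.

Added example, not code from the original thread. The SAMPLE_* data below
is constructed from the excerpts posted there.
"""
import re
from collections import Counter

# ISAKMP exchange types (RFC 2408 section 3.1). Type 6 is the Transaction
# exchange from the ISAKMP Configuration Method draft, used by Mode Config
# and XAUTH; a gateway that never implemented it logs it as "unknown".
ISAKMP_EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    6: "Transaction (ISAKMP Config Mode / XAUTH)",
}

_UNKNOWN_XCHG = re.compile(r"exchange type of ISAKMP Message has an unknown value: (\d+)")
_PEER_LINE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")
_CLIENT_AUTH = re.compile(r"^crypto map (\S+) client authentication")
_ISAKMP_KEY = re.compile(r"^isakmp key \S+ address (\S+)(.*)$")


def analyze_fvs318_syslog(lines):
    """Summarize what the responder (FVS318) side saw."""
    unknown = Counter()
    established = False
    for line in lines:
        if "ISAKMP SA established" in line:
            established = True
        m = _UNKNOWN_XCHG.search(line)
        if m:
            unknown[int(m.group(1))] += 1
    return {
        "isakmp_sa_established": established,
        "unknown_exchange_types": {t: ISAKMP_EXCHANGE_TYPES.get(t, "unassigned") for t in unknown},
        "unknown_exchange_count": sum(unknown.values()),
    }


def analyze_pix_debug(lines):
    """Summarize what the initiator (PIX) side did after Phase 1."""
    text = "\n".join(lines)
    return {
        "phase1_authenticated": "SA has been authenticated" in text,
        "xauth_requested": "Need XAUTH" in text,
        "config_mode_retransmits": text.count("retransmitting Config Mode Request"),
        "sa_deleted": "deleting SA" in text,
    }


def lint_l2l_xauth(config_lines):
    """Return {peer: [missing keywords]} for static crypto-map peers whose map
    also has 'client authentication' (XAUTH) configured (PIX 6.x syntax)."""
    maps_with_client_auth, static_peers, key_opts = set(), {}, {}
    for raw in config_lines:
        line = raw.strip()
        m = _CLIENT_AUTH.match(line)
        if m:
            maps_with_client_auth.add(m.group(1))
            continue
        m = _PEER_LINE.match(line)
        if m:
            static_peers[m.group(3)] = m.group(1)
            continue
        m = _ISAKMP_KEY.match(line)
        if m:
            key_opts[m.group(1)] = m.group(2).split()
    findings = {}
    for peer, map_name in static_peers.items():
        if map_name not in maps_with_client_auth:
            continue
        opts = key_opts.get(peer, [])
        missing = [kw for kw in ("no-xauth", "no-config-mode") if kw not in opts]
        if missing:
            findings[peer] = missing
    return findings


def diagnose(fvs_lines, pix_lines, config_lines):
    """Combine the three views; the verdict is True when Phase 1 succeeded,
    the PIX moved on to XAUTH, and the peer rejected the Transaction exchange."""
    fvs = analyze_fvs318_syslog(fvs_lines)
    pix = analyze_pix_debug(pix_lines)
    verdict = fvs["isakmp_sa_established"] and 6 in fvs["unknown_exchange_types"] and pix["xauth_requested"]
    return {"fvs318": fvs, "pix": pix, "config": lint_l2l_xauth(config_lines),
            "pix_sent_xauth_to_peer": verdict}


# Constructed from the thread's excerpts (abridged, hard wraps removed).
SAMPLE_FVS318 = [
    "Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[382]:STATE_MAIN_R3: sent MR3, ISAKMP SA established",
    "Aug 30 15:28:37 192.168.16.9 FVS318 IPsec[384]:loglog[3] *#hahaha.... exchange type of ISAKMP Message has an unknown value: 6",
    "Aug 30 15:28:52 192.168.16.9 FVS318 IPsec[388]:loglog[3] *#hahaha.... exchange type of ISAKMP Message has an unknown value: 6",
]
SAMPLE_PIX_DEBUG = [
    "ISAKMP (0): SA has been authenticated",
    "ISAKMP (0:0): Need XAUTH",
    "ISAKMP (0): retransmitting Config Mode Request...",
    "ISAKMP (0): retransmitting Config Mode Request...",
    "ISAKMP (0): deleting SA: src 62.49.57.114, dst oldhamngear",
]
SAMPLE_PIX_CONFIG = [
    "crypto map VPN 3 ipsec-isakmp",
    "crypto map VPN 3 set peer oldhamngear",
    "crypto map VPN 10 ipsec-isakmp dynamic dynmap",
    "crypto map VPN client authentication partnerauth",
    "isakmp key ******** address oldhamngear netmask 255.255.255.255 no-config-mode",
]

if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_FVS318, SAMPLE_PIX_DEBUG, SAMPLE_PIX_CONFIG).items():
        print(f"{k}: {v}")
```

Run it as-is to see the correlation on the thread's own data; point the three lists at real `show run`, `debug crypto isakmp` and syslog captures to reuse it. The lint is deliberately narrow: it only reports static peers on a map that also does XAUTH, because that is the one combination in which the PIX will start a Transaction exchange toward a LAN-to-LAN gateway.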