Solved

PIX IPSEC VPN Failing - Authentication Signature

Posted on 2003-11-03
Last Modified: 2012-05-04

I have a PIX to PIX VPN (both running v6.3) that sets up a connection when pinged from either side of the VPN, but fails to work, always showing receive errors with "sh crypto ipsec sa".

The output of "debug crypto ipsec" and "debug crypto isakmp" running on the destination PIX produces the following:

IPSEC(cipher_ipsec_request): decap failed for pix-scotland -> pix-outside
IPSEC(sw_ah_decap): authentication signature does not match

Any ideas where to start hunting?


0
Comment
Question by:stefanf001
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670538
Sounds like the pre-shared keys don't match...
0
 

Author Comment

by:stefanf001
ID: 9670735

Unfortunately not. I was just using "cisco1234" for testing - pasted straight from notepad into HyperTerminal.

Daft thought... One of the PIXs is inside a managed office, where the outside of the firewall is in a Private Address space (10.20.x.x)
There is a further firewall between this PIX and the Internet, with the other PIX set to connect to the Public Address (static) of the firewall.

Pings from one PIX to the other always show the correct Public Address; am I correct in assuming IPSEC also follows this, so the pre-shared key is associated with the correct peer?

Many thanks in advance



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670810
So, you have
PIX1 ---Internet ---PIX2--private 10.20.x.x--PIX3
PIX2 maps a public IP to PIX3 private outside address..
You are attempting VPN between PIX1 and PIX3?
Does PIX2 provide access for ISAKMP and ESP, forwarded to PIX3 from PIX1 public address?
 
Yes, the key is always associated with a peer - using public addresses on each end.
The issue here may be in PIX2 if you don't control it...
0
 

Author Comment

by:stefanf001
ID: 9670965
That is correct, although I'm not sure whether PIX2 is a PIX ... Have passed your question on to our ISP and will post when I know. Cheers!





0
 

Author Comment

by:stefanf001
ID: 9671710
I found out that PIX2 is just a straight NAT device (not sure what though) and the ISP reckons it is not possible to use IPSEC over NAT.

What about NAT-T, or are there any other options?

Current relevant PIX1 config is the following (PIX3 is similar):

access-list cd9_vpn permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list cd9_vpn

isakmp enable outside
isakmp key cisco1234 address pix-wandsworth netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 hash md5
isakmp policy 9 encrypt des

crypto ipsec transform-set xtra-ts esp-3des esp-sha-hmac
crypto map xtra-map 1 ipsec-isakmp
crypto map xtra-map 1 match address cd9_vpn
crypto map xtra-map 1 set peer pix-wandsworth
crypto map xtra-map 1 set transform-set xtra-ts
crypto map xtra-map interface outside

sysopt connection permit-ipsec
0
 
LVL 9

Accepted Solution

by:drev001
drev001 earned 500 total points
ID: 9673106
In this setup, I'd configure the NAT device to forward ALL incoming traffic to the PIX's Outside interface. Do you have any control over the NAT device?
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 9674077
Agree with drev001.
Whatever this "nat device" is, it needs to have a 1-1 static nat for all traffic, no filters, no port redirection, from a public IP to the PIX3 outside interface.
Nat-Transparency is crucial to the NAT device only if using PAT..
0
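A toy model of the point behind drev001's and lrmoore's answers: an integrity check that covers the outer IP header (AH) cannot survive the NAT device in front of PIX3, whereas ESP's ICV (what esp-sha-hmac computes) ignores the outer header and survives a 1:1 static NAT. This is an added example, not code from the thread; the key, addresses and packet layouts are constructed and simplified, and it does not implement real IPsec.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real SA derives the authentication key from IKE.
AUTH_KEY = b"constructed-demo-key"
ESP, AH = 50, 51  # IP protocol numbers

def ip_header(src, dst, proto):
    """Minimal IPv4 header (no options). Checksum left zero; it is a
    mutable field and excluded from AH coverage anyway."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0, addr(src), addr(dst))

def icv(data):
    """HMAC-SHA1-96, the ICV that esp-sha-hmac / ah-sha-hmac compute."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]

def esp_build(spi, seq, payload):
    """ESP's ICV covers SPI, sequence number and payload only; the outer
    IP header is not covered, so a 1:1 address rewrite leaves it valid."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(body)

def esp_verify(ip_hdr, pkt):
    # ip_hdr is deliberately unused: ESP ignores the outer header.
    return hmac.compare_digest(icv(pkt[:-12]), pkt[-12:])

def ah_covered(ip_hdr):
    """AH zeroes the mutable IP fields (TOS, flags/fragment, TTL, checksum)
    but still authenticates the source and destination addresses."""
    return ip_hdr[0:1] + b"\0" + ip_hdr[2:6] + b"\0\0\0" + ip_hdr[9:10] + b"\0\0" + ip_hdr[12:20]

def ah_build(ip_hdr, spi, seq, payload):
    hdr = struct.pack("!II", spi, seq)
    return hdr + icv(ah_covered(ip_hdr) + hdr + payload) + payload

def ah_verify(ip_hdr, pkt):
    hdr, tag, payload = pkt[:8], pkt[8:20], pkt[20:]
    return hmac.compare_digest(icv(ah_covered(ip_hdr) + hdr + payload), tag)

def nat_rewrite_src(ip_hdr, public_src):
    """What a 1:1 static NAT in front of PIX3 does to outbound packets."""
    return ip_hdr[:12] + bytes(int(o) for o in public_src.split(".")) + ip_hdr[16:]

def survives_nat(proto):
    """Build a packet from PIX3's private outside address (constructed), NAT it,
    and verify it the way the remote peer would."""
    priv, peer, pub = "10.20.1.2", "198.51.100.5", "203.0.113.10"
    hdr, payload = ip_header(priv, peer, proto), b"constructed encrypted payload"
    if proto == ESP:
        return esp_verify(nat_rewrite_src(hdr, pub), esp_build(0x1001, 1, payload))
    return ah_verify(nat_rewrite_src(hdr, pub), ah_build(hdr, 0x1002, 1, payload))
```

survives_nat(ESP) returns True and survives_nat(AH) returns False; PAT is a separate problem, since ESP carries no port for the translator to track, which is what NAT-T's UDP encapsulation addresses.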
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9675563
It's a question whether the obstacle here is NAT, or just the ISP not being willing to open some ports on his routers for traffic (I've encountered that before).

I can't remember that I've ever experienced any problem with PIX VPN via NAT in a situation like the one described (and we're talking 6.3 here) .....
0
