Solved

PIX IPSEC VPN Failing - Authentication Signature

Posted on 2003-11-03
10
1,235 Views
Last Modified: 2012-05-04

I have a PIX to PIX VPN (both running v6.3) that sets up a connection when pinged from either side of the VPN, but fails to work, always showing receive errors with "sh crypto ipsec sa".

The output of "debug crypto ipsec" and "debug crypto isakmp" running on the destination PIX produces the following

IPSEC(cipher_ipsec_request): decap failed for pix-scotland -> pix-outside
IPSEC(sw_ah_decap): authentication signature does not match

Any ideas where to start hunting?


0
Comment
Question by:stefanf001
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670538
Sounds like the pre-shared keys don't match...
0
 

Author Comment

by:stefanf001
ID: 9670735

Unfortunately not. I was just using "cisco1234" for testing - pasted straight from notepad into HyperTerminal.

Daft thought... One of the PIXs is inside a managed office, where the outside of the firewall is in a Private Address space (10.20.x.x)
There is a further firewall between this PIX and the Internet, with the other PIX set to connect to the Public Address (static) of the firewall.

Pings from one PIX to the other always show the correct Public Address, am I correct in assuming IPSEC also follows this - so the pre-shared key is associated with the correct peer?

Many thanks in advance



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670810
So, you have
PIX1 ---Internet ---PIX2--private 10.20.x.x--PIX3
   PIX2 maps a public IP to PIX3 private outside address..
   You are attempting VPN between PIX1 and PIX3?
  Does PIX2 provide access for ISAKMP and ESP, forwarded to PIX3 from PIX1 public address?
 
Yes, the key is always associated with a peer - using public addresses on each end.
The issue here may be in PIX2 if you don't control it...
0
 

Author Comment

by:stefanf001
ID: 9670965
That is correct, although I'm not sure whether PIX2 is a PIX ... Have passed your question on to our ISP and will post when I know. Cheers!





0

 

Author Comment

by:stefanf001
ID: 9671710
I found out the PIX2 is just a straight NAT device (not sure what though) and the ISP reckons it is not possible to use IPSEC over NAT.

What about NAT-T, or are there any other options?

Current relevant PIX1 config is the following (PIX3 is similar)

access-list cd9_vpn permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list cd9_vpn

isakmp enable outside
isakmp key cisco1234 address pix-wandsworth netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 hash md5
isakmp policy 9 encrypt des

crypto ipsec transform-set xtra-ts esp-3des esp-sha-hmac
crypto map xtra-map 1 ipsec-isakmp
crypto map xtra-map 1 match address cd9_vpn
crypto map xtra-map 1 set peer pix-wandsworth
crypto map xtra-map 1 set transform-set xtra-ts
crypto map xtra-map interface outside

sysopt connection permit-ipsec
0
 
LVL 9

Accepted Solution

by:
drev001 earned 125 total points
ID: 9673106
In this setup, I'd configure the NAT device to forward ALL incoming traffic to the PIX's Outside interface. Do you have any control over the NAT device?
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 9674077
Agree with drev001.
Whatever this "nat device" is, it needs to have a 1-1 static nat for all traffic, no filters, no port redirection, from a public IP to the PIX3 outside interface.
Nat-Transparency is crucial to the NAT device only if using PAT..
0
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9675563
It's a question whether the obstacle here is NAT, or just the ISP not being willing to open some ports on his routers for traffic (I've encountered that before).

I can't remember ever experiencing any problem with PIX VPN via NAT in a situation such as the one described (and we're talking 6.3 here) .....
0
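Background to the "IPSEC over NAT" question in this thread, as an added example that is not part of any poster's reply and is not PIX code: a simplified Python model of which bytes the AH and ESP integrity checks cover, and what an address rewrite by a NAT device does to each. The key, SPI, payload and the addresses 10.20.0.2, 203.0.113.10 and 198.51.100.20 are constructed, and the AH header is reduced to SPI and sequence number.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-sa-auth-key"   # constructed; stands in for the SA's auth key
IPV4 = "!BBHHHBBH4s4s"             # 20-byte IPv4 header without options

def ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; the checksum is left at 0 in this model."""
    return struct.pack(IPV4, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def immutable_view(hdr):
    """AH zeroes the mutable fields (TOS, flags/offset, TTL, checksum) before
    computing the ICV; source and destination addresses stay in."""
    v, _tos, ln, ident, _frag, _ttl, proto, _csum, s, d = struct.unpack(IPV4, hdr)
    return struct.pack(IPV4, v, 0, ln, ident, 0, 0, proto, 0, s, d)

def ah_icv(hdr, spi_seq, payload):
    # AH: the ICV covers the outer IP header as well as the payload.
    data = immutable_view(hdr) + spi_seq + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96

def esp_icv(spi_seq, ciphertext):
    # ESP: the ICV covers only the ESP header and ciphertext, not the IP header.
    return hmac.new(KEY, spi_seq + ciphertext, hashlib.sha1).digest()[:12]

def forward(hdr, new_src):
    """What the packet looks like after one hop: TTL decremented, source
    address rewritten to new_src (same address means plain routing, no NAT)."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:12] + socket.inet_aton(new_src) + hdr[16:]

def survives(mode, sent_src, seen_src, dst):
    """True if the receiver's integrity check still matches after forwarding."""
    spi_seq = struct.pack("!II", 0x1000, 1)
    body = b"constructed payload"
    proto = 51 if mode == "ah" else 50
    sent = ip_header(sent_src, dst, proto, len(spi_seq) + 12 + len(body))
    received = forward(sent, seen_src)
    if mode == "ah":
        return hmac.compare_digest(ah_icv(sent, spi_seq, body),
                                   ah_icv(received, spi_seq, body))
    return hmac.compare_digest(esp_icv(spi_seq, body), esp_icv(spi_seq, body))

if __name__ == "__main__":
    for mode in ("ah", "esp"):
        print(mode, "routed:", survives(mode, "10.20.0.2", "10.20.0.2", "198.51.100.20"),
              "NATed:", survives(mode, "10.20.0.2", "203.0.113.10", "198.51.100.20"))
```

In this model only AH fails after the address rewrite, which is why an ESP-only transform set can pass a 1-1 static NAT. Port translation is a separate problem, since ESP carries no ports, and that is what NAT-T's UDP encapsulation addresses.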
