Solved

PIX IPSEC VPN Failing - Authentication Signature

Posted on 2003-11-03
Last Modified: 2012-05-04

I have a PIX to PIX VPN (both running v6.3) that sets up a connection when pinged from either side of the VPN, but fails to work, always showing receive errors with "sh crypto ipsec sa".

The output of "debug crypto ipsec" and "debug crypto isakmp" running on the destination PIX produces the following

IPSEC(cipher_ipsec_request): decap failed for pix-scotland -> pix-outside
IPSEC(sw_ah_decap): authentication signature does not match

Any ideas where to start hunting?


Question by:stefanf001
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670538
Sounds like the pre-shared keys don't match...
0
 

Author Comment

by:stefanf001
ID: 9670735

Unfortunately not. I was just using "cisco1234" for testing - pasted straight from notepad into HyperTerminal.

Daft thought... One of the PIXs is inside a managed office, where the outside of the firewall is in a Private Address space (10.20.x.x)
There is a further firewall between this PIX and the Internet, with the other PIX set to connect to the Public Address (static) of the firewall.

Pings from one PIX to the other always show the correct Public Address, am I correct in assuming IPSEC also follows this - so the pre-shared key is associated with the correct peer?

Many thanks in advance



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670810
So, you have
PIX1 ---Internet ---PIX2--private 10.20.x.x--PIX3
   PIX2 maps a public IP to PIX3 private outside address..
   You are attempting VPN between PIX1 and PIX3?
  Does PIX2 provide access for ISAKMP and ESP, forwarded to PIX3 from PIX1 public address?
 
Yes, the key is always associated with a peer - using public addresses on each end.
The issue here may be in PIX2 if you don't control it...
0
 

Author Comment

by:stefanf001
ID: 9670965
That is correct, although I'm not sure whether PIX2 is a PIX ... Have passed your question on to our ISP and will post when I know. Cheers!





0
 

Author Comment

by:stefanf001
ID: 9671710
I found out the PIX2 is just a straight NAT device (not sure what though) and the ISP reckons it is not possible to use IPSEC over NAT.

What about NAT-T, or are there any other options?

Current relevant PIX1 config is the following (PIX3 is similar)

access-list cd9_vpn permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list cd9_vpn

isakmp enable outside
isakmp key cisco1234 address pix-wandsworth netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 hash md5
isakmp policy 9 encrypt des

crypto ipsec transform-set xtra-ts esp-3des esp-sha-hmac
crypto map xtra-map 1 ipsec-isakmp
crypto map xtra-map 1 match address cd9_vpn
crypto map xtra-map 1 set peer pix-wandsworth
crypto map xtra-map 1 set transform-set xtra-ts
crypto map xtra-map interface outside

sysopt connection permit-ipsec
0
 
LVL 9

Accepted Solution

by:drev001
drev001 earned 125 total points
ID: 9673106
In this setup, I'd configure the NAT device to forward ALL incoming traffic to the PIX's Outside interface. Do you have any control over the NAT device?
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 9674077
Agree with drev001.
Whatever this "nat device" is, it needs to have a 1-1 static nat for all traffic, no filters, no port redirection, from a public IP to the PIX3 outside interface.
Nat-Transparency is crucial to the NAT device only if using PAT..
0
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9675563
It's a question whether the obstacle here is NAT, or just the ISP not being willing to open some ports on his routers for traffic (I've encountered that before).

I can't remember I've ever experienced any problem with PIX VPN via NAT in a situation as the one described (and we're talking 6.3 here) .....
0
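
Background for the "IPSEC over NAT" discussion above, as an added example that is not part of the thread and does not diagnose the poster's setup: AH's integrity check covers the outer IP addresses, so any address rewrite invalidates it, while ESP's check covers only the ESP packet and survives a 1-to-1 static NAT. The model is simplified (no encryption or IP checksum), and the key, SPIs, and addresses are constructed for the demo.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-integrity-key"  # constructed; not a value from the thread

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96

def ipv4_header(src, dst, proto, body_len, ttl=64):
    # 20-byte IPv4 header; checksum left at 0 because AH treats it as mutable anyway
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_input(pkt):
    # AH authenticates the outer header with mutable fields (TOS, flags/offset,
    # TTL, checksum) zeroed, the AH header with its ICV zeroed, and the payload.
    hdr = bytearray(pkt[:20])
    hdr[1] = 0; hdr[6:8] = b"\0\0"; hdr[8] = 0; hdr[10:12] = b"\0\0"
    return bytes(hdr) + pkt[20:32] + b"\0" * 12 + pkt[44:]

def build_ah(src, dst, payload):
    ah = struct.pack("!BBHII", 4, 4, 0, 0x1000, 1)  # next hdr, len, rsvd, SPI, seq
    pkt = ipv4_header(src, dst, 51, 24 + len(payload)) + ah + b"\0" * 12 + payload
    return pkt[:32] + icv(ah_input(pkt)) + pkt[44:]

def verify_ah(pkt):
    return hmac.compare_digest(pkt[32:44], icv(ah_input(pkt)))

def build_esp(src, dst, ciphertext):
    esp = struct.pack("!II", 0x2000, 1) + ciphertext  # SPI, seq, opaque ciphertext
    return ipv4_header(src, dst, 50, len(esp) + 12) + esp + icv(esp)

def verify_esp(pkt):
    # ESP authenticates only its own header and ciphertext, not the outer IP header
    return hmac.compare_digest(pkt[-12:], icv(pkt[20:-12]))

def static_nat(pkt, public_src):
    # 1-to-1 NAT: rewrite only the outer source address (bytes 12..15)
    return pkt[:12] + socket.inet_aton(public_src) + pkt[16:]

def decrement_ttl(pkt):
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

def run_demo(private="10.20.0.2", public="203.0.113.10", peer="198.51.100.1"):
    ah, esp = build_ah(private, peer, b"inner"), build_esp(private, peer, b"inner")
    return {"ah_routed": verify_ah(decrement_ttl(ah)),
            "ah_after_nat": verify_ah(static_nat(ah, public)),
            "esp_after_nat": verify_esp(static_nat(esp, public))}

if __name__ == "__main__":
    print(run_demo())
```

A plain routed hop (TTL decrement) leaves the AH check intact; only the address rewrite breaks it.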


Question has a verified solution.
