Solved

PIX IPSEC VPN Failing - Authentication Signature

Posted on 2003-11-03
10
1,239 Views
Last Modified: 2012-05-04

I have a PIX to PIX VPN (both running v6.3) that sets up a connection when pinged from either side of the VPN, but fails to work, always showing receive errors with "sh crypto ipsec sa".

The output of "debug crypto ipsec" and "debug crypto isakmp" running on the destination PIX produces the following:

IPSEC(cipher_ipsec_request): decap failed for pix-scotland -> pix-outside
IPSEC(sw_ah_decap): authentication signature does not match

Any ideas where to start hunting?


Question by:stefanf001
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670538
Sounds like the pre-shared keys don't match...
0
 

Author Comment

by:stefanf001
ID: 9670735

Unfortunately not. I was just using "cisco1234" for testing - pasted straight from Notepad into HyperTerminal.

Daft thought... One of the PIXs is inside a managed office, where the outside of the firewall is in a Private Address space (10.20.x.x)
There is a further firewall between this PIX and the Internet, with the other PIX set to connect to the Public Address (static) of the firewall.

Pings from one PIX to the other always show the correct Public Address, am I correct in assuming IPSEC also follows this - so the pre-shared key is associated with the correct peer?

Many thanks in advance



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670810
So, you have
PIX1 ---Internet ---PIX2--private 10.20.x.x--PIX3
   PIX2 maps a public IP to PIX3 private outside address..
   You are attempting VPN between PIX1 and PIX3?
  Does PIX2 provide access for ISAKMP and ESP, forwarded to PIX3 from PIX1 public address?
 
Yes, the key is always associated with a peer - using public addresses on each end.
The issue here may be in PIX2 if you don't control it...
0

Author Comment

by:stefanf001
ID: 9670965
That is correct, although I'm not sure whether PIX2 is a PIX ... Have passed your question on to our ISP and will post when I know. Cheers!





0
 

Author Comment

by:stefanf001
ID: 9671710
I found out the PIX2 is just a straight NAT device (not sure what though) and the ISP reckons it is not possible to use IPSEC over NAT.

What about NAT-T, or are there any other options?

Current relevant PIX1 config is the following (PIX3 is similar):

access-list cd9_vpn permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list cd9_vpn

isakmp enable outside
isakmp key cisco1234 address pix-wandsworth netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 hash md5
isakmp policy 9 encrypt des

crypto ipsec transform-set xtra-ts esp-3des esp-sha-hmac
crypto map xtra-map 1 ipsec-isakmp
crypto map xtra-map 1 match address cd9_vpn
crypto map xtra-map 1 set peer pix-wandsworth
crypto map xtra-map 1 set transform-set xtra-ts
crypto map xtra-map interface outside

sysopt connection permit-ipsec
0
 
LVL 9

Accepted Solution

by:drev001 (earned 125 total points)
ID: 9673106
In this setup, I'd configure the NAT device to forward ALL incoming traffic to the PIX's Outside interface. Do you have any control over the NAT device?
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 9674077
Agree with drev001.
Whatever this "nat device" is, it needs to have a 1-1 static nat for all traffic, no filters, no port redirection, from a public IP to the PIX3 outside interface.
Nat-Transparency is crucial to the NAT device only if using PAT..
0
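To make the point in the two answers above concrete (why a NAT device that rewrites addresses breaks an AH-style "authentication signature", why ESP survives a pure 1-to-1 address rewrite, and why PAT specifically needs NAT-T), here is a small Python model of the integrity-check coverage rules from RFC 2402 (AH), RFC 2406 (ESP) and RFC 3948 (UDP encapsulation). This is an added example written for this thread; it is not code from any of the posters or from Cisco, and the addresses, SPI, key and payload in it are constructed placeholders, not values from the configs above.

```python
"""Toy model of why an IPsec integrity check fails behind NAT.

Added example for this thread, not code from the original posts or from Cisco.
Addresses, SPI, key and payload below are constructed for the demonstration.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-integrity-key"   # constructed; real SA keys are derived by IKE
PIX3_OUTSIDE = "10.20.1.2"     # constructed: PIX3 outside interface, private space behind the NAT device
NAT_PUBLIC = "198.51.100.10"   # constructed: public address the NAT device maps to PIX3
PIX1_OUTSIDE = "203.0.113.5"   # constructed: remote peer's public address
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
SPI, SEQ = 0x1234ABCD, 7
PAYLOAD = b"constructed inner packet bytes"


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero (not needed for the model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def nat_rewrite_src(ip_hdr, new_src):
    """What a static 1-to-1 NAT does on the way out: replace the source address only."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]


def ah_icv(key, ip_hdr, ah_fields, payload):
    """AH (RFC 2402) authenticates the IP header with only the mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum).  Source and destination addresses
    are covered, so any NAT rewrite of them invalidates the signature."""
    immutable = bytearray(ip_hdr)
    immutable[1] = 0                    # TOS
    immutable[6:8] = b"\x00\x00"        # flags / fragment offset
    immutable[8] = 0                    # TTL
    immutable[10:12] = b"\x00\x00"      # header checksum
    return hmac.new(key, bytes(immutable) + ah_fields + payload, hashlib.sha1).digest()[:12]


def esp_icv(key, esp_body):
    """ESP (RFC 2406) authenticates SPI, sequence number and the encrypted payload only;
    the outer IP header is not an input, so a pure address rewrite leaves it valid."""
    return hmac.new(key, esp_body, hashlib.sha1).digest()[:12]


def receive_esp(ip_hdr, esp_body, icv):
    """Receiver-side ESP check: ip_hdr is deliberately ignored, as the RFC specifies."""
    return hmac.compare_digest(icv, esp_icv(KEY, esp_body))


def ah_through_nat():
    """Build an AH packet on PIX3, pass it through the NAT device, verify it as PIX1 would."""
    ah_fields = struct.pack("!BBHII", 4, 4, 0, SPI, SEQ)   # next hdr, len, reserved, SPI, seq
    hdr = ipv4_header(PIX3_OUTSIDE, PIX1_OUTSIDE, PROTO_AH, 20 + 24 + len(PAYLOAD))
    icv = ah_icv(KEY, hdr, ah_fields, PAYLOAD)
    hdr_after_nat = nat_rewrite_src(hdr, NAT_PUBLIC)
    return hmac.compare_digest(icv, ah_icv(KEY, hdr_after_nat, ah_fields, PAYLOAD))


def esp_through_nat():
    """Same trip with ESP + HMAC: the check never looks at the rewritten outer header."""
    esp_body = struct.pack("!II", SPI, SEQ) + PAYLOAD   # payload stands in for ciphertext
    icv = esp_icv(KEY, esp_body)
    hdr = ipv4_header(PIX3_OUTSIDE, PIX1_OUTSIDE, PROTO_ESP, 20 + len(esp_body) + 12)
    return receive_esp(nat_rewrite_src(hdr, NAT_PUBLIC), esp_body, icv)


def transport_ports(ip_hdr, payload):
    """Return (src_port, dst_port) if the protocol has ports a PAT device could translate.
    ESP and AH have none, which is why PAT (unlike 1-to-1 NAT) cannot multiplex them."""
    if ip_hdr[9] in (6, 17):           # TCP or UDP
        return struct.unpack("!HH", payload[:4])
    return None


def natt_encapsulate(esp_body, icv):
    """NAT-T (RFC 3948): wrap the ESP packet in UDP on port 4500 so a PAT device sees ports."""
    udp_payload = esp_body + icv
    return struct.pack("!HHHH", 4500, 4500, 8 + len(udp_payload), 0) + udp_payload


def esp_ports_with_and_without_natt():
    """Ports a PAT device can work with for raw ESP versus NAT-T-encapsulated ESP."""
    esp_body = struct.pack("!II", SPI, SEQ) + PAYLOAD
    icv = esp_icv(KEY, esp_body)
    raw_hdr = ipv4_header(PIX3_OUTSIDE, PIX1_OUTSIDE, PROTO_ESP, 20 + len(esp_body) + 12)
    natt = natt_encapsulate(esp_body, icv)
    natt_hdr = ipv4_header(PIX3_OUTSIDE, PIX1_OUTSIDE, PROTO_UDP, 20 + len(natt))
    return transport_ports(raw_hdr, esp_body + icv), transport_ports(natt_hdr, natt)


if __name__ == "__main__":
    print("AH signature valid after NAT:  ", ah_through_nat())
    print("ESP signature valid after NAT: ", esp_through_nat())
    print("ports (raw ESP, NAT-T):        ", esp_ports_with_and_without_natt())
```

The model only covers the integrity check, not encryption or the IKE exchange, but it shows the two separate obstacles in this thread: an address-covering signature (AH) cannot survive any NAT at all, while ESP with HMAC tolerates a static 1-to-1 mapping that passes protocol 50 and UDP 500 untouched, and only fails under PAT because it has no port numbers for the translator to track. NAT-T restores those ports by encapsulating ESP in UDP 4500, which is the case lrmoore's last line is describing.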
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9675563
It's a question whether the obstacle here is NAT, or just the ISP not being willing to open some ports on his routers for traffic (I've encountered that before).

I can't remember ever having experienced any problem with PIX VPN via NAT in a situation such as the one described (and we're talking 6.3 here) .....
0
