[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

PIX IPSEC VPN Failing - Authentication Signature

Posted on 2003-11-03
10
Medium Priority
?
1,241 Views
Last Modified: 2012-05-04

I have a PIX to PIX VPN (both running v6.3) that sets up a connection when pinged from either side of the VPN, but fails to work, always showing recieve errors with "sh crypto ipsec sa".

The output of "debug crypto ipsec" and "debug crypto isakmp" running on the destination PIX produces the following

IPSEC(cipher_ipsec_request): decap failed for pix-scotland -> pix-outside
IPSEC(sw_ah_decap): authentication signature does not match

Any ideas where to start hunting?


0
Comment
Question by:stefanf001
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670538
Sounds like the pre-shared keys don't match...
0
 

Author Comment

by:stefanf001
ID: 9670735

Unfourtantely not. I was just using "cisco1234" for testing - pasted straight from notepad into HyperTerminal.

Daft thought... One of the PIXs is inside a managed office, where the outside of the firewall is in a Private Address space (10.20.x.x)
There is a further firewall between this PIX and the Internet, with the other PIX set to connect to the Public Address (static) of the firewall.

Pings from one PIX to the other always show the correct Public Address, am I correct in assume IPSEC also follows this - so the pre-shared key is associated with the correct peer?

Many thanks in advance



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9670810
So, you have
PIX1 ---Internet ---PIX2--private 10.20.x.x--PIX3
   PIX2 maps a public IP to PIX3 private outside address..
   You are attempting VPN between PIX1 and PIX3?
  Does PIX2 provide access for ISAKMP and ESP, forwarded to PIX3 from PIX1 public address?
 
Yes, the key is always associated with a peer - using public addresses on each end.
The issue here may be in PIX2 if you don't control it...
0
Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

 

Author Comment

by:stefanf001
ID: 9670965
That is correct, although I'm not sure whether PIX2 is a PIX ... Have passed you question on to our ISP and will post when I know. Cheers!





0
 

Author Comment

by:stefanf001
ID: 9671710
I found out the PIX2 is just a straight NAT device (not sure what though) and the ISP reckons it is not possible to use IPSEC over NAT.

What about NAT-T, or are there any other options?

Current relevant PIX1 config is the following (PIX3 is similar)

access-list cd9_vpn permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list cd9_vpn

isakmp enable outside
isakmp key cisco1234 address pix-wandsworth netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 hash md5
isakmp policy 9 encrypt des

crypto ipsec transform-set xtra-ts esp-3des esp-sha-hmac
crypto map xtra-map 1 ipsec-isakmp
crypto map xtra-map 1 match address cd9_vpn
crypto map xtra-map 1 set peer pix-wandsworth
crypto map xtra-map 1 set transform-set xtra-ts
crypto map xtra-map interface outside

sysopt connection permit-ipsec
0
 
LVL 9

Accepted Solution

by:
drev001 earned 500 total points
ID: 9673106
In this setup, I'd configure the NAT device to forward ALL incoming traffic to the PIX's Outside interface. Do you have any control over the NAT device?
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 9674077
Agree with drev001.
Whatever this "nat device" is, it needs to have a 1-1 static nat for all traffic, no filters, no port redirection, from a public IP to the PIX3 outside interface.
Nat-Transparency is crucial to the NAT device only if using PAT..
0
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9675563
It's a question whether the obstacle here is NAT, or just the ISP not being willing to open some ports on his routers for traffic (I've encountered that before).

I can't remember I've ever experienced any problem with PIX VPN via NAT in a situation as the one described (and we're talking 6.3 here) .....
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question