Solved

PIX515E to 1710 router VPN tunnel

Posted on 2004-04-30
Last Modified: 2013-11-16
I'm trying to create a PIX 515E to 1710 router VPN tunnel. I've included the configs for both devices and a schematic (hope that comes through). I get the following error when trying to bring up the VPN:
PEER_REAPER_TIMERIPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created

Any help would be greatly appreciated!



version 12.3
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key (deleted) address 2.2.2.2
!
!
crypto ipsec transform-set high esp-3des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set high
 match address 120
!
interface Ethernet0
 ip address 3.3.3.3 255.255.255.252
 ip nat outside
 no ip route-cache
 half-duplex
 no cdp enable
 crypto map nolan
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
ip nat pool branch 3.3.3.3 3.3.3.3 netmask 255.255.255.252
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source route-map nonat pool branch overload
ip classless
ip route 0.0.0.0 0.0.0.0 3.3.3.254 permanent
ip route 10.1.2.0 255.255.255.0 10.1.1.2 permanent
ip route 10.1.3.0 255.255.255.0 10.1.1.2 permanent
ip route 10.9.0.0 255.255.254.0 3.3.3.254 permanent
no ip http server
no ip http secure-server
!
!
access-list 100 deny   tcp 10.1.3.0 0.0.0.255 eq www any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.1.3.0 0.0.0.255 any
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
access-list 120 permit ip host 10.1.1.10 10.9.0.0 0.0.1.255
access-list 130 deny   ip host 10.1.1.10 10.9.0.0 0.0.1.255
access-list 130 permit ip host 10.1.1.10 any
!
route-map nonat permit 10
 match ip address 130
!




 _____________________
|                     |
|  10.9.0.0/23 network|
|__________e__________|
           |
           |
   --------e--------
   | 10.9.0.1/23   |
   |               |
   | x.x.x.x       |
   --------e--------
           |
           |
   --------e----------
   | 192.168.1.0/24  |
   |                 |
   | 2.2.2.2 PIX515E |
   --------e----------
           |
           |
        Internet
           \
            \
             \e---------------------
              | 3.3.3.3 Cisco 1710 |
              |                    |
              |      10.1.1.1      |
              ----------e-----------
                        |
          eeeeeeeeeeeeee-ethernet-eeeeeeeeeeeeee
               |                        |
               |                   -----e--------
               |                   |            |
               |                   | 10.1.1.10  |
               |                   |   host     |
               |                   --------------
          -----e-----------
          |  10.1.1.2     |
          |               |
          |  x.x.x.x      |
          -s-----------s---
          /             \
         /               \
  -----------------   -----------------
  |               |   |               |
  |  10.1.2.0/24  |   |  10.1.3.0/24  |
  |   network     |   |   network     |
  -----------------   -----------------

PIX Version 6.2(2)

access-list nonat permit ip 10.9.0.0 255.255.254.0 host 10.1.1.10
access-list buckeye permit ip 10.9.0.0 255.255.254.0 host 10.1.1.10

global (outside) 1 2.2.2.2 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 2.2.2.254 1
route outside 10.1.1.10 255.255.255.255 2.2.2.254 1
route inside 10.9.0.0 255.255.254.0 192.168.1.254 1

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set udi esp-3des esp-md5-hmac

crypto map focus 11 ipsec-isakmp
crypto map focus 11 match address buckeye
crypto map focus 11 set peer 3.3.3.3
crypto map focus 11 set transform-set udi

isakmp enable outside

isakmp key (deleted) address 3.3.3.3 netmask 255.255.255.255

isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
Question by: lambert1176

Expert Comment by: Tim Holman

Change this:

access-list 130 deny   ip host 10.1.1.10 10.9.0.0 0.0.1.255

to this:

access-list 130 accept   ip host 10.1.1.10 10.9.0.0 0.0.1.255

I know you want to deny NAT, but what you're doing is using an ACL that permits these addresses, and then telling your router that you don't want them to be NATted...  ;)


Author Comment by: lambert1176

" access-list 130 accept   ip host 10.1.1.10 10.9.0.0 0.0.1.255 "

This didn't work.

The config I used came from cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Expert Comment by: Tim Holman

Oops... sorry. It's deny on a router, and permit on a PIX.... config is correct!!
Which box gives you these errors??

Do you have this line on the PIX?

crypto map focus interface outside

On the PIX, can you run:

debug cry isakmp
debug cry ipsec
term mon

then initiate 2-way traffic, e.g. ICMP from an inside host on one network to an inside host on the other (i.e. NOT from the PIX itself!) and see what comes up.

To turn off:

term no mon
no debug all



Author Comment by: lambert1176

Okay, I changed access-list 130 back. Here is the crypto debug:

crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
gen_cookie:
gen_cookie:
isadb_create_sa:
crypto_isakmp_init_phase1_fields: initiator
VPN Peer: ISAKMP: Added new peer: ip:3.3.3.3 Total VPN Peers:4
VPN Peer: ISAKMP: Peer ip:3.3.3.3 Ref cnt incremented to:1 Total VPN Peers4
is_auth_policy_configured: auth 4
gen_cookie:
ipsec_db_add_sa_req:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
is_auth_policy_configured: auth 4
construct_header: message_id 0x0
construct_isakmp_sa: auth 1
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x1
init_set_oakley_atts:
init_set_oakley_atts:
init_set_oakley_atts:
begin phase one
sa->state 0x0
ISAKMP (0): beginning Main Mode exchange
throw: mess_id 0x0
send_response:
isakmp_send: ip 3.3.3.3, port 500
 
ISAKMP msg received
crypto_isakmp_process_block: src 3.3.3.3, dest 2.2.2.2
gen_cookie:
fill_sa_key:isadb_search returned sa = 0x815a7208
 
validate_payload: len 84
valid_payload:
valid_sa:
valid_transform:
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0
 
check_isakmp_proposal:
is_auth_policy_configured: auth 1
is_auth_policy_configured: auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
process_sa: DONE - status 0x0
delete_sa_offers:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_ke:
need_cert_from_peer:
construct_nonce:
construct_unity_vendor_id:
construct_dpd_vendor_id:
construct_vendor_id:
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 3.3.3.3, port 500
 
ISAKMP msg received
crypto_isakmp_process_block: src 3.3.3.3, dest 2.2.2.2
gen_cookie:
fill_sa_key:isadb_search returned sa = 0x815a7208
 
validate_payload: len 224
valid_payload:
valid_payload:
valid_payload:
valid_payload:
valid_payload:
valid_payload:
OAK_MM exchange
oakley_process_mm:
OAK_MM_SA_SETUP
process_isakmp_packet:
process_ke:
ISAKMP (0): processing KE payload. message ID = 0
 
process_isakmp_packet: OAK_MM
process_nonce:
ISAKMP (0): processing NONCE payload. message ID = 0
 
process_isakmp_packet: OAK_MM
pix_create_skeys:
skey_pre_shar:
process_vendor_id:
ISAKMP (0): processing vendor id payload
 
not cisco peer
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): remote peer supports dead peer detection
 
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
 
cisco peer
ISAKMP (0): speaking to another IOS box!
 
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): received xauth v6 vendor id
 
process_isakmp_packet: OAK_MM
construct_header: message_id 0x0
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
construct_hash:
compute_hash:
return status is IKMP_NO_ERROR
throw: mess_id 0x0
isakmp_ce_encrypt_payload: offset 28, length 60
pix_des_encrypt: data 0x8159da38, len 40
des_encdec:
send_response:
isakmp_send: ip 3.3.3.3, port 500
 
ISAKMP msg received
crypto_isakmp_process_block: src 3.3.3.3, dest 2.2.2.2
gen_cookie:
fill_sa_key:isadb_search returned sa = 0x815a7208
 
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x809e5054, len 40
des_encdec:
validate_payload: len 68
valid_payload:
valid_payload:
OAK_MM exchange
oakley_process_mm:
OAK_MM_KEY_EXCH
process_isakmp_packet:
ISAKMP (0): processing ID payload. message ID = 0
process_isakmp_packet: OAK_MM
process_hash:
ISAKMP (0): processing HASH payload. message ID = 0
compute_hash:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA has been authenticated
 
gen_cookie:
gen_cookie:
oakley_begin_qm:
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1458228609:a915327f
compute_quick_mode_iv:
crypto_isakmp_spi_starve:IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x5ed1b0a2(1590800546) for SA
        from    3.3.3.3 to   2.2.2.2 for prot 3
 
crypto_ke_process_block:
return status is IKMP_NO_ERROR
throw: mess_id 0x0
POST_P1_TIMER
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
compute_quick_mode_iv:
construct_header: message_id 0x417f1e8d
ipsec_db_get_ipsec_sa_list:
construct_blank_hash:
construct_notify:
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): sending INITIAL_CONTACT notify
construct_qm_hash:
ipsec_db_get_ipsec_sa_list:
throw: mess_id 0x417f1e8d
ipsec_db_get_ipsec_sa_list:
isakmp_ce_encrypt_payload: offset 28, length 76
pix_des_encrypt: data 0x8159c408, len 56
des_encdec:
send_response:
isakmp_send: ip 3.3.3.3, port 500
throw: no state, delete ipsec sa list
ipsec_db_delete_ipsec_sa_list:
ipsec_db_delete_sa_list_entry:
KE_TIMER
starve:
ipsec_db_get_ipsec_sa_list:
oakley_const_qm:
ipsec_db_get_ipsec_sa_list:
construct_header: message_id 0xa915327f
ipsec_db_get_ipsec_sa_list:
construct_blank_hash:
construct_ipsec_sa:
ipsec_db_get_ipsec_sa_list:
set_ipsec_proposals:
set_proposal: protocol 0x3, proposal_num 1, extra_info 0x0
construct_ipsec_nonce:
ipsec_db_get_ipsec_sa_list:
construct_proxy_id:
ipsec_db_get_ipsec_sa_list:
construct_proxy_id:
ipsec_db_get_ipsec_sa_list:
construct_qm_hash:
ipsec_db_get_ipsec_sa_list:
throw: mess_id 0xa915327f
ipsec_db_get_ipsec_sa_list:
isakmp_ce_encrypt_payload: offset 28, length 160
pix_des_encrypt: data 0x8159f068, len 136
des_encdec:
send_response:
isakmp_send: ip 3.3.3.3, port 500
 
ISAKMP msg received
crypto_isakmp_process_block: src 3.3.3.3, dest 2.2.2.2
gen_cookie:
fill_sa_key:isadb_search returned sa = 0x815a7208
 
ipsec_db_get_ipsec_sa_list:
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x809ed094, len 168
des_encdec:
validate_payload: len 196
valid_payload:
valid_payload:
valid_sa:
valid_transform:
valid_payload:
valid_payload:
valid_payload:
valid_payload:
OAK_QM exchange
oakley_process_quick_mode:
ipsec_db_get_ipsec_sa_list:
verify_qm_hash:
ipsec_db_get_ipsec_sa_list:
OAK_QM_IDLE
process_isakmp_packet:
process_sa: mess_id 0xa915327f
ISAKMP (0): processing SA payload. message ID = 2836738687
 
check_ipsec_proposal:
ISAKMP : Checking IPSec proposal 1
 
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
check_prop: acceptable = 1
snoop_id_payloads:IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 3.3.3.3, src= 2.2.2.2,
    dest_proxy= 10.1.1.10/255.255.255.255/0/0 (type=1),
    src_proxy= 10.9.0.0/255.255.254.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
 
ipsec_db_get_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:check_ah_esp_atts: src 2.2.2.2, dst 3.3.3.3
 
process_sa: DONE - status 0x0
delete_sa_offers:
process_nonce:
ISAKMP (0): processing NONCE payload. message ID = 2836738687
 
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): processing ID payload. message ID = 2836738687
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): processing ID payload. message ID = 2836738687
ipsec_db_get_ipsec_sa_list:
process_notify:
ISAKMP (0): processing NOTIFY payload 24576 protocol 3
        spi 1329121729, message ID = 2836738687
ISAKMP (0): processing responder lifetime
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): responder lifetime of 3600s
oakley_final_qm:
ipsec_db_get_ipsec_sa_list:
construct_header: message_id 0xa915327f
ipsec_db_get_ipsec_sa_list:
prepare_ipsec_sas:
ipsec_db_get_ipsec_sa_list:
GEN_IPSEC_SA::
CREATE IPSEC KEY:
CREATE IPSEC KEY:
stuff_ipsec_sa_in_ke:
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): Creating IPSec SAs
        inbound SA from    3.3.3.3 to   2.2.2.2 (proxy       10.1.1.)
        has spi 1590800546 and conn_id 9 and flags 4
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from   2.2.2.2 to    3.3.3.3 (proxy        10.9.)
        has spi 1329121729 and conn_id 10 and flags 4
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 2.2.2.2, src= 3.3.3.3,
    dest_proxy= 10.9.0.0/255.255.254.0/0/0 (type=4),
    src_proxy= 10.1.1.10/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x5ed1b0a2(1590800546), conn_id= 9, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 2.2.2.2, dest= 3.3.3.3,
    src_proxy= 10.9.0.0/255.255.254.0/0/0 (type=4),
    dest_proxy= 10.1.1.10/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x4f38c9c1(1329121729), conn_id= 10, keysize= 0, flags= 0x4
 
VPN Peer: IPSEC: Peer ip:3.3.3.3 Ref cnt incremented to:2 Total VPN Peers:4
VPN Peer: IPSEC: Peer ip:3.3.3.3 Ref cnt incremented to:3 Total VPN Peers:4
THE END!
return status is IKMP_NO_ERROR
throw: mess_id 0xa915327f
ipsec_db_get_ipsec_sa_list:
isakmp_ce_encrypt_payload: offset 28, length 48
pix_des_encrypt: data 0x8159f068, len 24
des_encdec:
send_response:
isakmp_send: ip 3.3.3.3, port 500
throw: no state, delete ipsec sa list
ipsec_db_get_ipsec_sa_list:
PEER_REAPER_TIMER

Expert Comment by: Tim Holman

Can I see the full PIX config?
Either mail it to me tim_holman@hotmail.com or post up here with stuff you don't want seen xxxx'd out.

Author Comment by: lambert1176

I figured the problem out. The 'ip nat inside source list 100' was conflicting with 'ip nat inside source route-map nonat pool branch'.

So I removed:

ip nat inside source list 100 interface Ethernet0 overload
&
access-list 100

then added the rules from access-list 100 to access-list 130.


BEFORE:

ip nat pool branch 3.3.3.3 3.3.3.3 netmask 255.255.255.252
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source route-map nonat pool branch overload
ip classless
ip route 0.0.0.0 0.0.0.0 3.3.3.254 permanent
ip route 10.1.2.0 255.255.255.0 10.1.1.2 permanent
ip route 10.1.3.0 255.255.255.0 10.1.1.2 permanent
ip route 10.9.0.0 255.255.254.0 3.3.3.254 permanent
no ip http server
no ip http secure-server
!
!
access-list 100 deny   tcp 10.1.3.0 0.0.0.255 eq www any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.1.3.0 0.0.0.255 any
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
access-list 120 permit ip host 10.1.1.10 10.9.0.0 0.0.1.255
access-list 130 deny   ip host 10.1.1.10 10.9.0.0 0.0.1.255
access-list 130 permit ip host 10.1.1.10 any
!
route-map nonat permit 10
 match ip address 130


AFTER:

ip nat pool branch 3.3.3.3 3.3.3.3 netmask 255.255.255.252
ip nat inside source route-map nonat pool branch overload
ip classless
ip route 0.0.0.0 0.0.0.0 3.3.3.254 permanent
ip route 10.1.2.0 255.255.255.0 10.1.1.2 permanent
ip route 10.1.3.0 255.255.255.0 10.1.1.2 permanent
ip route 10.9.0.0 255.255.254.0 3.3.3.254 permanent
no ip http server
no ip http secure-server
!
!
access-list 120 permit ip host 10.1.1.10 10.9.0.0 0.0.1.255
access-list 130 deny ip host 10.1.1.10 10.9.0.0 0.0.1.255
access-list 130 deny tcp 10.1.3.0 0.0.0.255 eq www any
access-list 130 permit ip 10.1.1.0 0.0.0.255 any
access-list 130 permit ip 10.1.3.0 0.0.0.255 any
access-list 130 permit ip 10.1.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130

I just don't know how to close this topic?
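The ACL interplay behind the fix above, as an added example that is not from the thread or from Cisco: a small Python model of IOS wildcard-mask ACL matching run over the posted ACLs 100, 120 and 130. It assumes NAT rules are consulted in list order, that a permitting NAT ACL translates the source to the Ethernet0 address 3.3.3.3, and that 10.9.0.5 is a constructed sample destination on the far network.

```python
import ipaddress

def _spec(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _matches(addr, spec):  # IOS wildcard match: set wildcard bits are "don't care"
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq PORT] DST' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _spec(rest)
        if rest and rest[0] == "eq":   # source-port qualifier ('eq www'): parsed but
            rest = rest[2:]            # not evaluated, the flows tested here are not TCP
        dst, _ = _spec(rest)
        aces.append((action, proto, src, dst))
    return aces

def acl_verdict(aces, src, dst, proto="ip"):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, p, s, d in aces:
        if p in ("ip", proto) and _matches(src, s) and _matches(dst, d):
            return action
    return "deny"
# The router ACLs exactly as posted in the thread, BEFORE and AFTER the fix
ACL100 = parse_acl("""access-list 100 deny tcp 10.1.3.0 0.0.0.255 eq www any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.1.3.0 0.0.0.255 any
access-list 100 permit ip 10.1.2.0 0.0.0.255 any""")
ACL120 = parse_acl("access-list 120 permit ip host 10.1.1.10 10.9.0.0 0.0.1.255")
ACL130_BEFORE = parse_acl("""access-list 130 deny ip host 10.1.1.10 10.9.0.0 0.0.1.255
access-list 130 permit ip host 10.1.1.10 any""")
ACL130_AFTER = parse_acl("""access-list 130 deny ip host 10.1.1.10 10.9.0.0 0.0.1.255
access-list 130 deny tcp 10.1.3.0 0.0.0.255 eq www any
access-list 130 permit ip 10.1.1.0 0.0.0.255 any
access-list 130 permit ip 10.1.3.0 0.0.0.255 any
access-list 130 permit ip 10.1.2.0 0.0.0.255 any""")
OUTSIDE_IP = "3.3.3.3"   # Ethernet0 address, also NAT pool 'branch'
def nat_source(src, dst, nat_acls):
    """Post-NAT source address. Assumption: NAT rules are tried in list order and the
    first one whose ACL permits the flow translates it; a deny only skips that rule."""
    for acl in nat_acls:
        if acl_verdict(acl, src, dst) == "permit":
            return OUTSIDE_IP
    return src

def crypto_outcome(nat_acls, src="10.1.1.10", dst="10.9.0.5"):
    """Return (post-NAT source, whether crypto ACL 120 still matches the packet)."""
    nsrc = nat_source(src, dst, nat_acls)
    return nsrc, acl_verdict(ACL120, nsrc, dst) == "permit"
```

In this model the BEFORE config hands the VPN-bound packet to list 100, which permits it, so it leaves with source 3.3.3.3 and no longer matches crypto ACL 120; after the fix the deny entry at the top of 130 exempts that flow while ordinary Internet traffic from 10.1.1.10 is still translated.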

Accepted Solution by: modulo (Community Support Moderator)

PAQed with points refunded (400)