Solved

PIX to Checkpoint VPN not completing phase 2 IKE

Posted on 2004-10-12
12
11,091 Views
Last Modified: 2011-08-18
I can't get a a LAN-LAN VPN tom complete phase 2 IKE.

My side PIX 515E 6.1(2). Their side CheckPoint FW-1 NG FP3 firewall.

xxx.xxx.xxx.xxx = their public IP
yyy.yyy.yyy.yyy = my public IP

I've opened up isakmp on my outside from their network:
access-list 100 permit udp host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy eq isakmp
access-list 100 permit esp host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy

We've made sure the pre-shared key is correct on both ends.

There is a policy on their end that matches my highest priority policy:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400  

I try to ping them and it looks like is completes phase 1 but phase 2 keeps re-trying. I don't see any obvious error in the PIX debug.

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
 
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
 
ISAKMP (0): processing NONCE payload. message ID = 0
 
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
 
ISAKMP: Created a peer node for xxx.xxx.xxx.xxx
ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to xxx.xxx.xxx.xxx. ID = xxxxxxxxxx (zzzzzzzzzz
)modecfg: sa: qqqqqqqq, new mess id= pppppppp
 
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: cou
nt = 1,
  (identity) local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,
    local_proxy= 172.21.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.25.9.0/255.255.255.0/0/0 (type=4)
 
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: cou
nt = 2,
  (identity) local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,
    local_proxy= 172.21.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.25.9.0/255.255.255.0/0/0 (type=4)
 
ISAKMP (0): retransmitting phase 2...



0
Comment
Question by:devehf
  • 5
  • 4
  • 3
12 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
Comment Utility
Reference document:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

Do you have any potential routing issues? Does the host on the PIX side point to the PIX as the default gateway, and does the hosts on the CP side point to the CP as the default gateway?

If you upgrade your PIX OS version, you can use no-xauth, no config-mode (as you would for pix-pix vpn)

isakmp key ******** address 172.18.124.157 netmask 255.255.255.255 no-xauth no-config-mode
0
 

Author Comment

by:devehf
Comment Utility
Yes I am familiar with that cisco doc and followed it to set up my config.

I think we should be routing OK. I can ping the outside interface of their CheckPoint. We have been able to connect  to their checkpoint via the SecuRemote client.

The host on the PIX side definitely points to the PIX as the default gateway. Everything goes through it. I can't imagine their side not being correct.

I don't have a Cisco support contract so I can't upgrade my OS AFAIK.

What does no-xauth mean?
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Xauth is extended authentication, meaning once the tunnel is established, there is another exchange for username/password (like if you are using Radius authentication for clients). You do not want this in a LAN-LAN tunnel.

I see this in the exchange, so disabling it might help you:
>ISAKMP (0:0): Need XAUTH
0
 

Author Comment

by:devehf
Comment Utility
I re-entered the isakmp key config line with no-xauth and no-config-mode
 
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
 
What does this mean, "IKMP_NO_ERR_NO_TRANS"?

The following is my debug. Still doesn't create the tunnel. (see "show isa sa" below).

VPN Peer: ISAKMP: Added new peer: ip:xxx.xxx.xxx.xxx Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:xxx.xxx.xxx.xxx Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
 
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
 
ISAKMP (0): processing NONCE payload. message ID = 0
 
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
 
ISAKMP: Created a peer node for xxx.xxx.xxx.xxx
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1061470206:c0bb4002IPSEC(key
_engine): got a queue event...
IPSEC(spi_response): getting spi 0x37500c7d(927992957) for SA
        from     xxx.xxx.xxx.xxx to    yyy.yyy.yyy.yyy for prot 3
 
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
ISAKMP (0): processing NOTIFY payload 18 protocol 3
        spi 927992957, message ID = 1176345705
ISAKMP (0): deleting spi 2097958967 message ID = 3233497090
return status is IKMP_NO_ERR_NO_TRANS
Delta-PIX(config)# IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,
    local_proxy= 172.21.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.25.9.0/255.255.255.0/0/0 (type=4)
 
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1116989248:bd6c18c0IPSEC(key
_engine): got a queue event...
IPSEC(spi_response): getting spi 0x7caba5c7(2091623879) for SA
        from     xxx.xxx.xxx.xxx to    yyy.yyy.yyy.yyy for prot 3
 
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
ISAKMP (0): processing NOTIFY payload 18 protocol 3
        spi 2091623879, message ID = 1969206303
ISAKMP (0): deleting spi 3349523324 message ID = 3177978048
return status is IKMP_NO_ERR_NO_TRANS
 
ISAKMP (0): beginning Quick Mode exchange, M-ID of 589268053:231f8455IPSEC(key_e
ngine): got a queue event...
IPSEC(spi_response): getting spi 0x1a1477ee(437549038) for SA
        from     xxx.xxx.xxx.xxx to    yyy.yyy.yyy.yyy for prot 3
 
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
ISAKMP (0): processing NOTIFY payload 18 protocol 3
        spi 437549038, message ID = 2273129329
ISAKMP (0): deleting spi 4000781338 message ID = 589268053
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,
    local_proxy= 172.21.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.25.9.0/255.255.255.0/0/0 (type=4)
 
ISAKMP (0): beginning Quick Mode exchange, M-ID of -264694791:f03913f9IPSEC(key_
engine): got a queue event...
IPSEC(spi_response): getting spi 0xf891318a(4170264970) for SA
        from     xxx.xxx.xxx.xxx to    yyy.yyy.yyy.yyy for prot 3
 
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
ISAKMP (0): processing NOTIFY payload 18 protocol 3
        spi 4170264970, message ID = 3260674997
ISAKMP (0): deleting spi 2318504440 message ID = 4030272505
return status is IKMP_NO_ERR_NO_TRANS      
 
Delta-PIX(config)# show isa sa
Total     : 3
Embryonic : 0
        dst            src         state     pending    created
     xxx.xxx.xxx.xxx    yyy.yyy.yyy.yyy    QM_IDLE        0           0

0
 
LVL 23

Expert Comment

by:Tim Holman
Comment Utility
>What does this mean, "IKMP_NO_ERR_NO_TRANS"?

Nothing wrong with the tunnel, but nobody's transmitting anything down it.  VPNs need BOTH ends to be transmitting something before they are successfully established.
What do the NG error logs have to say ?  Is a tunnel established, or not ?
I suspect routing / NAT may be playing you up....
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Embryonic : 0
        dst            src         state     pending    created
     xxx.xxx.xxx.xxx    yyy.yyy.yyy.yyy    QM_IDLE        0           0 <=== Tunnel is UP and waiting for traffic

It does appear to be a routing issue at this point....
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
0
 

Author Comment

by:devehf
Comment Utility
There may be a routing issue as well, but I still don't think the VPN tunnel is set up correctly. At one point there were 3 sa's for the same peer. One for the network and 2 more for separete hosts on my network that I was test pinging from. Is that normal? I cleared isa sa and now there is only 1 sa for the whole network.


   local  ident (addr/mask/prot/port): (172.21.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.25.9.0/255.255.255.0/0/0)
   current_peer: XXX.XXX.XXX.XXX
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 47, #recv errors 0

     local crypto endpt.: YYY.YYY.YYY.YYY, remote crypto endpt.: XXX.XXX.XXX.XXX
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (172.21.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.25.9.11/255.255.255.255/0/0)
   current_peer: XXX.XXX.XXX.XXX
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: YYY.YYY.YYY.YYY, remote crypto endpt.: XXX.XXX.XXX.XXX
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 54b3a48e

     inbound esp sas:
      spi: 0x235a1ef9(593108729)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 11, crypto map: vpnclient
        sa timing: remaining key lifetime (k/sec): (4607999/22477)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x54b3a48e(1421059214)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 12, crypto map: vpnclient
        sa timing: remaining key lifetime (k/sec): (4608000/22477)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (172.21.1.128/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.25.9.11/255.255.255.255/0/0)
   current_peer: XXX.XXX.XXX.XXX
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: YYY.YYY.YYY.YYY, remote crypto endpt.: XXX.XXX.XXX.XXX
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 54b3a48d

     inbound esp sas:
      spi: 0x2b3e3f4c(725499724)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 9, crypto map: vpnclient
        sa timing: remaining key lifetime (k/sec): (4608000/23495)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x54b3a48d(1421059213)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 10, crypto map: vpnclient
        sa timing: remaining key lifetime (k/sec): (4608000/23504)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:


Why would there be 4 sa's when I show isa?

show isa sa
Total     : 3
Embryonic : 0
        dst                  src                 state     pending    created
     XXX.XXX.XXX.XXX    YYY.YYY.YYY.YYY    QM_IDLE        0           4


To test I am pinging 172.25.9.X from 172.21.1.X. I don't see how this wouldn't be routing correctly. My outside of the PIX is connected right to the Internet.

on my inside access list I have:
access-list 101 permit icmp any any

on my crypto map match access list I have:
access-list ddmi permit ip 172.21.1.0 255.255.255.0 172.25.9.0 255.255.255.0

I'm not NAting that traffic:
access-list 104 permit ip 172.21.1.0 255.255.255.0 172.25.9.0 255.255.255.0
nat (inside) 0 access-list 104


And the Crypto map is linked to the peer and the ACL
Crypto Map "vpnclient" 30 ipsec-isakmp
        Peer = XXX.XXX.XXX.XXX
        access-list ddmi permit ip 172.21.1.0 255.255.255.0 172.25.9.0 255.255.2
55.0 (hitcnt=73)
        Current peer: XXX.XXX.XXX.XXX
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ vpnclient, }
0
 

Author Comment

by:devehf
Comment Utility
When they ping from their side they get good IKE and encrypts to my LAN.  They do not get ping replies.
0
 
LVL 23

Expert Comment

by:Tim Holman
Comment Utility
One way encrypts is DEFINITELY a routing problem.  By routing, I mean internal routing and not routing between the 2 external peers, as they can evidently see each other...
Routing may also get upset with NAT.  Double check Check Point's address translation rules aren't interfering - there's usually a global hide rule in there somewhere, but we don't want that to be invoked.
0
 

Author Comment

by:devehf
Comment Utility
Actually the problem was on the CheckPoint side. They didn't have "allow key exchange on subnets" checked in the policy for this VPN connection. So we weren't completing phase 2 of the VPN setup.
0
 
LVL 23

Expert Comment

by:Tim Holman
Comment Utility
Cool.... don't forget to close this one out.
The 'allow key exchange for subnets' is pretty much common knowledge, and is referenced everywhere, including the link that lrmoore posted up, and you did say you'd read it !  :0)
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Need to connect two offices together... 9 116
AT&T aircard VPN disconnects"WiFi works fine" 35 69
VPN doubts 4 21
Windows 10 VPN? 6 40
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now