Solved

Cisco PIX 515e VPN to non-cisco peer

Posted on 2004-10-13
15
4,874 Views
Last Modified: 2013-11-16
Hey guys & girls,

I'm having a problem with getting a vpn tunnel setup between our cisco pix and a hosting company's GNATBOX 500.

All the settings, as I can see are setup the same. It seems to do phase 1 ok then starts phase 2 but just can't finish it.

Here is my conf + the latest debug info.

Many thanks,

HT

-----------

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password encrypted
passwd encrypted
hostname pix
domain-name thefirm.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.0.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list VPNBRIM_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list NO_NAT permit ip any 10.0.0.128 255.255.255.192
access-list NO_NAT permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list NO_NAT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 88.88.88.88 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address DMZ 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPSEC 10.0.0.150-10.0.0.160
ip local pool IPSECB 10.0.0.161-10.0.0.162
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 88.88.88.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.0.0.51 XXXXX timeout 5
http server enable
http 10.0.0.67 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 200.20.20.20
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 200.20.20.20 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp keepalive 30
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnusers address-pool IPSEC
vpngroup vpnusers dns-server 10.0.0.51 10.0.0.52
vpngroup vpnusers default-domain omnifone.com
vpngroup vpnusers split-tunnel 101
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password ********
vpngroup VPNBRIM address-pool IPSECB
vpngroup VPNBRIM dns-server 10.0.0.51 10.0.0.52
vpngroup VPNBRIM default-domain omnifone.com
vpngroup VPNBRIM split-tunnel VPNBRIM_splitTunnelAcl
vpngroup VPNBRIM idle-time 36000
vpngroup VPNBRIM password ********
ssh timeout 5
console timeout 0
pix#

-------------------

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:5
00
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0

validate_payload: len 80
valid_payload:
valid_sa:
valid_transform:
isadb_create_sa:
crypto_isakmp_init_phase1_fields: responder
is_auth_policy_configured: auth 4
gen_cookie:
gen_cookie:
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0

check_isakmp_proposal:
is_auth_policy_configured: auth 1
is_auth_policy_configured: auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      auth pre-share
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_parameters: dhset 0x10de40c, phase 0
DH_ALG_PHASE1
process_sa: DONE - status 0x0
delete_sa_offers:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_isakmp_sa: auth 7
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x7
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 200.20.20.20, port 500

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

validate_payload: len 200
valid_payload:
valid_payload:
valid_payload:
OAK_MM exchange
oakley_process_mm:
OAK_MM_SA_SETUP
process_isakmp_packet:
process_ke:
ISAKMP (0): processing KE payload. message ID = 0

crypto_generate_DH_parameters: dhset 0x10de40c, phase 1
DH_ALG_PHASE2
process_isakmp_packet: OAK_MM
process_nonce:
ISAKMP (0): processing NONCE payload. message ID = 0

process_isakmp_packet: OAK_MM
pix_create_skeys:
skey_pre_shar:
process_vendor_id:
ISAKMP (0): processing vendor id payload

not cisco peer
process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
construct_header: message_id 0x0
construct_ke:
need_cert_from_peer:
construct_nonce:
construct_xauthv6_vendor_id:
construct_dpd_vendor_id:
construct_unity_vendor_id:
construct_vendor_id:
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 200.20.20.20, port 500

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7844a8, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
PEER_REAPER_TIMER

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x834108, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
SESSION_IDLE_TIMER
PEER_REAPER_TIMER

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x853c88, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7f3488, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
PEER_REAPER_TIMER

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:5
00
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x8cdf88, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
QM_TIMER
ISAKMP (0): deleting SA: src 200.20.20.20, dst 88.88.88.88
REAPER_TIMER
ISADB: reaper checking SA 0x10dcaa4, conn_id = 0
ISADB: reaper checking SA 0x10de154, conn_id = 0  DELETE IT!

crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for 200.20.20.20/500 not found - peers:2

ISADB: reaper checking SA 0x10dcaa4, conn_id = 0
ISADB: reaper checking SA 0x10deafc, conn_id = 0
SESSION_IDLE_TIMER
PEER_REAPER_TIMER

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:5
00
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0

ISAKMP: sa not found for ike msg






0
Comment
Question by:Hightower_8
  • 8
  • 4
  • 3
15 Comments
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Have you tried no-config-mode..

isakmp key ******** address 200.20.20.20 netmask 255.255.255.255 no-xauth no-config-mode
                                                                                                                        ^^^^^
0
 

Author Comment

by:Hightower_8
Comment Utility
Hi Irmoore,

I added the no-config-mode but it still does the same.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
You also have a non-existant acl applied to the interface
   >access-group outside_access_in in interface outside

This breaks the sysopt...

Make sure that commands reference defined access-lists.

Since you don't have any inbound access lists defined, how about just removing the acl from the interface?

    no access-group outside_access_in in interface outside
0
 

Author Comment

by:Hightower_8
Comment Utility
Sorry bud there a few access-list for "outside_access_in" - I seem to have taken them out by mistake before posting up the config.
0
 
LVL 23

Expert Comment

by:Tim Holman
Comment Utility
> ISAKMP: reserved not zero on payload 5!
> ISAKMP: malformed payload
> PEER_REAPER_TIMER

ISAKMP is failing to negotiate between the peers, and the unused ISAKMP session is being reaped (ie removed from the table).
So you're not even getting to phase 2 (IPSEC).

I would turn off this:

isakmp nat-traversal 20

..seeming neither end is behind NAT.

This should be a simple issue to sort out.  All ISAKMP needs is a matching ISAKMP policy at both ends - 3DES, SHA, Group 2, lifetime, pre-shared key.  Once at this stage there should be a tunnel up, so that IPSEC can negotiate.  This we will deal with later... !

I've not seen a Gnatbox before - but is there a place to put these parameters in, or are there some other fields in there, or advanced tabs that contain ISAKMP / IKE parameters that could be upsetting this ?
0
 

Author Comment

by:Hightower_8
Comment Utility
Hi Tim,

Yeah the Gnatbox has a matching policy -3DES-MD5- DH group 2 - life time is the same 3600 and the pre-shared key is the same.

The Gnatbox isn't behind NAT but is running NAT for it's inside network, the PIX is not behind NAT but running NAT for the inside as well.

Removing the "isakmp nat-traversal  20" will that affect my client to PIX vpn users in any way?
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 150 total points
Comment Utility
>Removing the "isakmp nat-traversal  20" will that affect my client to PIX vpn users in any way?

This will affect anyone that is inside the PIX using IPSEC VPN client trying to VPN out to an external VPN server..
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:Hightower_8
Comment Utility
Hi Tim, Irmoore,

I have taken out the "isakmp nat-traversal  20" line and then run the debug again. The debug is still the same.
0
 
LVL 23

Expert Comment

by:Tim Holman
Comment Utility
> life time is the same 3600

Make sure this is seconds, and not minutes.  Some firewalls I've seen express this as minutes, which spoils the fun somewhat.

What do the Gnatbox logs say ?  They may hold some useful information.
0
 

Author Comment

by:Hightower_8
Comment Utility
Hi Tim,

I can confirm that the "3600" is in seconds. This Gnatbox is over at our hosting company and I'm told the dubug is very thin on the ground and doesn't show any attempts from the PIX to connect.

It's a tough one to troubleshoot as I really need to get over there and see for myself what it is doing.

 
0
 
LVL 23

Expert Comment

by:Tim Holman
Comment Utility
In that case, are there any firewalls in between you and the hosting company that could be blocking the tunnel ?
If the Gnatbox isn't even seeing a connect request then something pretty basic is wrong here.  
0
 

Author Comment

by:Hightower_8
Comment Utility
Hi Tim,

Network connectivity between the two firewalls is ok as we currently access boxes behind the Gnat box. We just can't get the tunnel to work. After explaining this to my manager it looks like we might scrap the Gnatbox as we didn't pay for it and get a PIX in there instead.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 350 total points
Comment Utility
I think you should try to rekey, but use a manual key that is AT LEAST 24 characters in length at both ends.

This is generally what 'ISAKMP: reserved not zero on payload 5!' means, plus some Gnatbox articles on the web all suggest that manual keys should be at least 24 chars in length.  I'm not sure if this is just for security reasons, or for making sure the thing works in the first place ??

0
 

Author Comment

by:Hightower_8
Comment Utility
Well it's worth a go I guess.
0
 

Author Comment

by:Hightower_8
Comment Utility


Hi Tim & Irmoore,

100% sorry for the delay on this, I thought I had closed it down. Must have dreamt it.....too much work on my mind I guess!

Anyway the firm decided to ditch the gant box as it was free and get another Pix 515e.

I guess I can do something worth while with these points for you guys??

Thanks,

HT
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now