Cisco PIX 515e VPN to non-cisco peer

Hey guys & girls,

I'm having a problem getting a VPN tunnel set up between our Cisco PIX and a hosting company's GNATBOX 500.

All the settings, as far as I can see, are set up the same. It seems to do phase 1 OK, then starts phase 2 but just can't finish it.

Here is my conf + the latest debug info.

Many thanks,

HT

-----------

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password encrypted
passwd encrypted
hostname pix
domain-name thefirm.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.0.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list VPNBRIM_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list NO_NAT permit ip any 10.0.0.128 255.255.255.192
access-list NO_NAT permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list NO_NAT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 88.88.88.88 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address DMZ 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPSEC 10.0.0.150-10.0.0.160
ip local pool IPSECB 10.0.0.161-10.0.0.162
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 88.88.88.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.0.0.51 XXXXX timeout 5
http server enable
http 10.0.0.67 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 200.20.20.20
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 200.20.20.20 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp keepalive 30
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnusers address-pool IPSEC
vpngroup vpnusers dns-server 10.0.0.51 10.0.0.52
vpngroup vpnusers default-domain omnifone.com
vpngroup vpnusers split-tunnel 101
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password ********
vpngroup VPNBRIM address-pool IPSECB
vpngroup VPNBRIM dns-server 10.0.0.51 10.0.0.52
vpngroup VPNBRIM default-domain omnifone.com
vpngroup VPNBRIM split-tunnel VPNBRIM_splitTunnelAcl
vpngroup VPNBRIM idle-time 36000
vpngroup VPNBRIM password ********
ssh timeout 5
console timeout 0
pix#

-------------------

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0

validate_payload: len 80
valid_payload:
valid_sa:
valid_transform:
isadb_create_sa:
crypto_isakmp_init_phase1_fields: responder
is_auth_policy_configured: auth 4
gen_cookie:
gen_cookie:
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0

check_isakmp_proposal:
is_auth_policy_configured: auth 1
is_auth_policy_configured: auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      auth pre-share
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_parameters: dhset 0x10de40c, phase 0
DH_ALG_PHASE1
process_sa: DONE - status 0x0
delete_sa_offers:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_isakmp_sa: auth 7
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x7
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 200.20.20.20, port 500

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

validate_payload: len 200
valid_payload:
valid_payload:
valid_payload:
OAK_MM exchange
oakley_process_mm:
OAK_MM_SA_SETUP
process_isakmp_packet:
process_ke:
ISAKMP (0): processing KE payload. message ID = 0

crypto_generate_DH_parameters: dhset 0x10de40c, phase 1
DH_ALG_PHASE2
process_isakmp_packet: OAK_MM
process_nonce:
ISAKMP (0): processing NONCE payload. message ID = 0

process_isakmp_packet: OAK_MM
pix_create_skeys:
skey_pre_shar:
process_vendor_id:
ISAKMP (0): processing vendor id payload

not cisco peer
process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
construct_header: message_id 0x0
construct_ke:
need_cert_from_peer:
construct_nonce:
construct_xauthv6_vendor_id:
construct_dpd_vendor_id:
construct_unity_vendor_id:
construct_vendor_id:
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 200.20.20.20, port 500

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7844a8, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
PEER_REAPER_TIMER

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x834108, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
SESSION_IDLE_TIMER
PEER_REAPER_TIMER

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x853c88, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7f3488, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
PEER_REAPER_TIMER

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x8cdf88, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
QM_TIMER
ISAKMP (0): deleting SA: src 200.20.20.20, dst 88.88.88.88
REAPER_TIMER
ISADB: reaper checking SA 0x10dcaa4, conn_id = 0
ISADB: reaper checking SA 0x10de154, conn_id = 0  DELETE IT!

crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for 200.20.20.20/500 not found - peers:2

ISADB: reaper checking SA 0x10dcaa4, conn_id = 0
ISADB: reaper checking SA 0x10deafc, conn_id = 0
SESSION_IDLE_TIMER
PEER_REAPER_TIMER

ISAKMP msg received
crypto_isakmp_process_block:src:200.20.20.20, dest:88.88.88.88 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0

ISAKMP: sa not found for ike msg

Hightower_8Asked:
Tim Holman Commented:
I think you should try to rekey, but use a manual key that is AT LEAST 24 characters in length at both ends.

This is generally what 'ISAKMP: reserved not zero on payload 5!' means, plus some Gnatbox articles on the web all suggest that manual keys should be at least 24 chars in length. I'm not sure if this is just for security reasons, or for making sure the thing works in the first place?

0
 
lrmoore Commented:
Have you tried no-config-mode..

isakmp key ******** address 200.20.20.20 netmask 255.255.255.255 no-xauth no-config-mode
                                                                          ^^^^^^^^^^^^^^
0
 
Hightower_8 Author Commented:
Hi lrmoore,

I added the no-config-mode but it still does the same.
0
 
lrmoore Commented:
You also have a non-existent ACL applied to the interface:
   >access-group outside_access_in in interface outside

This breaks the sysopt...

Make sure that commands reference defined access-lists.

Since you don't have any inbound access lists defined, how about just removing the acl from the interface?

    no access-group outside_access_in in interface outside
0
 
Hightower_8 Author Commented:
Sorry bud, there are a few access-lists for "outside_access_in" - I seem to have taken them out by mistake before posting up the config.
0
 
Tim Holman Commented:
> ISAKMP: reserved not zero on payload 5!
> ISAKMP: malformed payload
> PEER_REAPER_TIMER

ISAKMP is failing to negotiate between the peers, and the unused ISAKMP session is being reaped (i.e. removed from the table).
So you're not even getting to phase 2 (IPsec).

I would turn off this:

isakmp nat-traversal 20

...seeing as neither end is behind NAT.

This should be a simple issue to sort out.  All ISAKMP needs is a matching ISAKMP policy at both ends - 3DES, SHA, Group 2, lifetime, pre-shared key.  Once at this stage there should be a tunnel up, so that IPSEC can negotiate.  This we will deal with later... !

I've not seen a Gnatbox before - but is there a place to put these parameters in, or are there some other fields in there, or advanced tabs that contain ISAKMP / IKE parameters that could be upsetting this ?
0
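The three debug lines Tim quotes map directly onto the ISAKMP wire format: every payload starts with a generic header of Next Payload (1 byte), RESERVED (1 byte, which must be zero) and Payload Length (2 bytes), and payload type 5 in RFC 2408 numbering is the Identification payload that Main Mode message 5 carries together with the HASH payload. The example below is added here and is not code from this thread or from Cisco: it walks the payload chain of a decrypted ISAKMP message the way a responder does and reports the type of the first payload whose RESERVED byte is set; the sample message is constructed inline (cookies, hash bytes and the 200.20.20.20 identity are dummies).

```python
import struct

ISAKMP_HDR_LEN = 28   # fixed ISAKMP header (RFC 2408 section 3.1)
ID_PAYLOAD = 5        # Identification payload type (RFC 2408 numbering)
HASH_PAYLOAD = 8      # Hash payload type

def walk_payloads(pkt):
    """Return [(payload_type, reserved_byte, payload_length), ...] for every
    generic payload header chained from the ISAKMP header. Raises ValueError on
    a truncated chain, as a responder must before trusting any field."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_payload = pkt[16]                          # header's Next Payload field
    total_len = struct.unpack("!I", pkt[24:28])[0]  # header's Length field
    if total_len > len(pkt):
        raise ValueError("header claims %d bytes, only %d present" % (total_len, len(pkt)))
    off, payloads = ISAKMP_HDR_LEN, []
    while next_payload != 0:                        # 0 = no more payloads
        if off + 4 > total_len:
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > total_len:
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((next_payload, reserved, plen))
        next_payload, off = nxt, off + plen
    return payloads   # bytes after the last payload (cipher padding) are ignored

def first_malformed(pkt):
    """Type of the first payload whose RESERVED byte is non-zero, else None.
    This is the check behind 'ISAKMP: reserved not zero on payload N!'."""
    for ptype, reserved, _ in walk_payloads(pkt):
        if reserved != 0:
            return ptype
    return None

def build_mm5(reserved_on_id=0):
    """Constructed plaintext of a Main Mode message 5 (ID_I + HASH_I), i.e. what
    the responder sees after decryption. Cookies, hash and address are dummies."""
    id_body = struct.pack("!BBH4s", 1, 17, 500, bytes([200, 20, 20, 20]))  # ID_IPV4_ADDR, UDP, port 500
    id_pl = struct.pack("!BBH", HASH_PAYLOAD, reserved_on_id, 4 + len(id_body)) + id_body
    hash_pl = struct.pack("!BBH", 0, 0, 4 + 16) + b"\x11" * 16            # 16-byte MD5 HASH_I, last payload
    body = id_pl + hash_pl
    hdr = struct.pack("!8s8sBBBBII", b"\xaa" * 8, b"\xbb" * 8,
                      ID_PAYLOAD, 0x10, 2, 0x01, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body   # next payload = ID, IKEv1, exchange 2 = Main Mode, E flag set

if __name__ == "__main__":
    print(first_malformed(build_mm5()), first_malformed(build_mm5(reserved_on_id=0x80)))
```

A peer that fills the RESERVED byte of its ID payload (or pads the decrypted message so that the chain no longer lines up) produces exactly the responder-side rejection seen in the debug, which is why a transform mismatch never appears in this trace.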
 
Hightower_8 Author Commented:
Hi Tim,

Yeah, the Gnatbox has a matching policy: 3DES, MD5, DH group 2; the lifetime is the same (3600) and the pre-shared key is the same.

The Gnatbox isn't behind NAT but is running NAT for its inside network; the PIX is not behind NAT but is running NAT for the inside as well.

Will removing the "isakmp nat-traversal 20" line affect my client-to-PIX VPN users in any way?
0
 
lrmoore Commented:
>Will removing the "isakmp nat-traversal 20" line affect my client-to-PIX VPN users in any way?

This will affect anyone that is inside the PIX using IPSEC VPN client trying to VPN out to an external VPN server..
0
 
Hightower_8 Author Commented:
Hi Tim, lrmoore,

I have taken out the "isakmp nat-traversal 20" line and then run the debug again. The debug is still the same.
0
 
Tim Holman Commented:
> life time is the same 3600

Make sure this is seconds, and not minutes.  Some firewalls I've seen express this as minutes, which spoils the fun somewhat.

What do the Gnatbox logs say ?  They may hold some useful information.
0
 
Hightower_8 Author Commented:
Hi Tim,

I can confirm that the "3600" is in seconds. This Gnatbox is over at our hosting company and I'm told the debug is very thin on the ground and doesn't show any attempts from the PIX to connect.

It's a tough one to troubleshoot as I really need to get over there and see for myself what it is doing.

 
0
 
Tim Holman Commented:
In that case, are there any firewalls in between you and the hosting company that could be blocking the tunnel?
If the Gnatbox isn't even seeing a connect request then something pretty basic is wrong here.
0
 
Hightower_8 Author Commented:
Hi Tim,

Network connectivity between the two firewalls is OK, as we currently access boxes behind the Gnatbox. We just can't get the tunnel to work. After explaining this to my manager, it looks like we might scrap the Gnatbox, as we didn't pay for it, and get a PIX in there instead.
0
 
Hightower_8 Author Commented:
Well it's worth a go I guess.
0
 
Hightower_8 Author Commented:
Hi Tim & lrmoore,

100% sorry for the delay on this, I thought I had closed it down. Must have dreamt it... too much work on my mind I guess!

Anyway, the firm decided to ditch the Gnatbox, as it was free, and get another PIX 515e.

I guess I can do something worthwhile with these points for you guys?

Thanks,

HT
0