PIX Site-to-Site VPN with NetGear and remote access VPN

Posted on 2004-10-13
Last Modified: 2013-11-16
Hi Guys, please help....

I have a PIX 506E at the main location. This PIX was configured for remote access VPN and works flawlessly. The VPN configuration is:

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list acme_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
ip local pool acme-vpn 10.0.0.150-10.0.0.160
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup acme address-pool acme-vpn
vpngroup acme dns-server 10.0.0.2
vpngroup acme wins-server 10.0.0.2
vpngroup acme default-domain acme.local
vpngroup acme split-tunnel acme_splitTunnelAcl
vpngroup acme idle-time 1800
vpngroup acme password ********

I now have to add a Site-to-Site VPN for a remote location that has a NetGear FVS318 VPN router (no MD5 support, SHA supported). I added the following configuration to the Cisco PIX, but that caused my remote access VPN to stop working... what am I doing wrong?

access-list PROTECT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address PROTECT
crypto map REMOTE 10 set pfs group2
crypto map REMOTE 10 set peer 1.1.1.1
crypto map REMOTE 10 set transform-set strong
crypto map REMOTE interface outside
isakmp key ****** address 1.1.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp identity address

Thanks


Expert Comment

by:Tim Holman
ID: 12306526
isakmp policies are tried in order, so try 'isakmp policy 30' instead of 'isakmp policy 10' as otherwise your remote clients will try and use this.

btw - SHA is more secure than MD5.   Use it where you can.

Author Comment

by:netman70
ID: 12323498
Does not work...my remote workstations with Cisco VPN clients will not work

Expert Comment

by:Tim Holman
ID: 12337614
So, to confirm - your site to site tunnel is working fine, but at the expense of remote clients ?
Could you setup these debugs:

debug crypto ipsec
debug crypto isakmp
term mon

..then try a client connect, and post up the debug output ?


Author Comment

by:netman70
ID: 12337803
Hi Tim

The site to site VPN tunnel is working great. It's just my remote access VPN that will not work now (it was working prior to configuring the site to site VPN). When connecting using the Cisco VPN client (Ver 4.0.3C), the client stops at 'securing communications channel'. HELP

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): peer address <remote vpn client external address> not found

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): peer address <remote vpn client external address> not found
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt
:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload

:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt
:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt
:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt
:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 4242435063
ISAMKP (0): received DPD_R_U_THERE from peer 216.43.206.133
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt
:500
ISAKMP (0): processing DELETE payload. message ID = 2517506463, spi size = 4IPSE
C(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP


Expert Comment

by:Tim Holman
ID: 12338173
This tells me the client is trying for AES during phase 1, but you're only configured for DES.

Put in another transform set -

crypto ipsec transform-set aes esp-aes esp-sha-hmac

and point to that instead -

crypto map REMOTE 10 set transform-set aes


Author Comment

by:netman70
ID: 12338424
Isn't 'crypto map REMOTE 10 set transform-set aes' for the remote access VPN (which is working fine)? The remote access VPN works when I remove all settings for the site to site VPN. Why would a separate transform set disrupt access using the remote access VPN?

Expert Comment

by:Tim Holman
ID: 12341078
Agreed, but this is what the debugs are telling me !
You could try running a debug with the site-to-site VPN removed, to see what a successful connection comes up with ?

Do things work any better if you configure the VPN client to use IKE over TCP ?

Cisco config examples are here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Without seeing your whole config, there's not much else I can do.

Author Comment

by:netman70
ID: 12347842
Got it to work with one transform set (rather than two) and using SHA.

Tim, thanks for a great link.

Expert Comment

by:Tim Holman
ID: 12348132
>Got it to work with one transform set (rather than two) and using SHA.

That's not much different from what you already had, surely ?

>crypto ipsec transform-set strong esp-3des esp-sha-hmac

I'm a bit confused as to how this was fixed ?  (doesn't take much...)  :)


Author Comment

by:netman70
ID: 12370159
Tim, sorry about being late in getting back. Not really sure why my previous configuration did not work, but like I said I used just one transform set and BOOM! I was good to go. The working script is pasted below, but if you could help me out with something else: when I set up SSH and connect to it remotely using the SSH Secure Shell client, I get the following error

SSH1 returned exit status -1

(SSH1 Protocol error: can't select cipher type)
*************************************************************************************

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iQzkCEz7Vz7Y6moI encrypted
passwd iQzkCEz7Vz7Y6moI encrypted
hostname ACME-PIX506
domain-name acme.local
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host x.x.x.x eq smtp
access-list outside_access_in permit tcp any host x.x.x.x eq pop3
access-list outside_access_in permit tcp any host x.x.x.x eq 3389
access-list acme_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list 110 permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
pager lines 24
logging timestamp
logging trap warnings
logging device-id ipaddress inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside 10.0.0.4 255.255.255.0
ip verify reverse-path interface outside
ip audit name Default-Info info action alarm
ip audit name Default attack action alarm drop reset
pdm location 10.0.0.1 255.255.255.255 inside
pdm location 10.0.0.2 255.255.255.255 inside
pdm history enable
arp timeout 60
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.1 pop3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.153.251.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 110
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup acme address-pool acme-vpn
vpngroup acme dns-server 10.0.0.2
vpngroup acme wins-server 10.0.0.2
vpngroup acme default-domain acmei.local
vpngroup acme split-tunnel acme_splitTunnelAcl
vpngroup acme idle-time 1800
vpngroup acme password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:1d82dc702194e2c4bda78f9fb7c9814e
: end
[OK]
ACME-PIX506#

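The difference between the configuration that broke the VPN clients and the working one above is where the site-to-site entry lives: the first attempt created a second crypto map, REMOTE, and bound it to the outside interface, while the working config puts the static peer in sequence 10 of outside_map next to the dynamic entry at 65535. A PIX interface carries exactly one crypto map set, so `crypto map REMOTE interface outside` replaced outside_map, and with it the dynamic entry the Cisco VPN clients need. The following Python script is an added example for this thread, not code from the thread or from any Cisco tool; it parses the crypto-map and isakmp-policy lines of two constructed snippets (the question's combined config and the crypto section of the working config), flags a crypto map that displaces another on the same interface, a bound map with no dynamic entry, a dynamic entry that is not the highest sequence number, and an unbound map, and lists the ISAKMP policies in the order the PIX evaluates them (lowest priority number first), which is the ordering Tim's first comment refers to.

```python
import re
from collections import defaultdict

# Constructed sample: the remote-access config from the question with the
# site-to-site lines appended, i.e. the combination that broke the VPN clients.
BROKEN_CONFIG = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp policy 20 authentication pre-share
isakmp policy 20 hash md5
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address PROTECT
crypto map REMOTE 10 set peer 1.1.1.1
crypto map REMOTE 10 set transform-set strong
crypto map REMOTE interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 hash sha
"""

# Constructed sample: the crypto section of the working config posted later,
# where both peers live in one crypto map set bound to the outside interface.
WORKING_CONFIG = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 110
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 hash sha
isakmp policy 20 authentication pre-share
isakmp policy 20 hash md5
"""

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
IKE_POLICY = re.compile(r"^isakmp policy (\d+) (\S+) (.+)$")


def analyze(config):
    """Parse crypto-map lines; return interface bindings, findings and IKE policy order."""
    entries = defaultdict(dict)   # map name -> {seq: dynamic-map name or None}
    bindings = {}                 # interface -> map name; on the PIX the last one wins
    policies = defaultdict(dict)  # priority -> {attribute: value}
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_ENTRY.match(line):
            name, seq, dyn = m.groups()
            entries[name][int(seq)] = dyn
        elif m := MAP_BIND.match(line):
            name, iface = m.groups()
            old = bindings.get(iface)
            if old and old != name:
                findings.append(
                    f"interface {iface}: crypto map '{name}' replaces '{old}'; "
                    "an interface holds one crypto map set, so every entry "
                    f"of '{old}' stops being applied")
            bindings[iface] = name
        elif m := IKE_POLICY.match(line):
            prio, attr, value = m.groups()
            policies[int(prio)][attr] = value
    for iface, name in bindings.items():
        dyn_seqs = [s for s, d in entries[name].items() if d]
        if not dyn_seqs:
            findings.append(
                f"interface {iface}: active crypto map '{name}' has no dynamic "
                "entry, so remote-access clients cannot negotiate IPsec here")
        elif max(dyn_seqs) < max(entries[name]):
            findings.append(
                f"crypto map '{name}': the dynamic entry should carry the highest "
                "sequence number so static peers are matched first")
    for name in entries:
        if name not in bindings.values():
            findings.append(f"crypto map '{name}' is defined but bound to no interface")
    # ISAKMP policies are evaluated in ascending priority number (lowest first).
    order = [(p, policies[p]) for p in sorted(policies)]
    return {"bindings": bindings, "findings": findings, "isakmp_order": order}


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("working", WORKING_CONFIG)):
        result = analyze(cfg)
        print(f"== {label}: bindings {result['bindings']}")
        for f in result["findings"]:
            print("  finding:", f)
        for prio, attrs in result["isakmp_order"]:
            print(f"  isakmp policy {prio}: {attrs}")
```

Run against the broken snippet it reports three findings (REMOTE displacing outside_map on the outside interface, REMOTE having no dynamic entry, and outside_map being left unbound); against the working snippet it reports none, and shows policy 10 (SHA, for the NetGear peer) evaluated ahead of policy 20 (MD5, for the VPN clients).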

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 12380097
>enable password iQzkCEz7Vz7Y6moI encrypted
>passwd iQzkCEz7Vz7Y6moI encrypted

Change your passwords.  They can be reverse engineered from these hashes.

To get SSH to work, did you generate a key pair ?
If not, use these commands:

ca generate rsa key 1024

show ca mypubkey rsa

ca save all

The PIX 6.2 ref for the SSH command follows:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104255_4container_ccmigration_09186a00801e8934.html#wp1026535
