Solved

PIX Site-to-Site VPN with NetGear and remote access VPN

Posted on 2004-10-13
11
5,330 Views
Last Modified: 2013-11-16
Hi Guys, please help....

I have a PIX 506E at the main location. This PIX was configured for remote access VPN and works flawlessly. The configuration (VPN) is..

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list acme_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
ip local pool acme-vpn 10.0.0.150-10.0.0.160
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup acme address-pool acme-vpn
vpngroup acme dns-server 10.0.0.2
vpngroup acme wins-server 10.0.0.2
vpngroup acme default-domain acme.local
vpngroup acme split-tunnel acme_splitTunnelAcl
vpngroup acme idle-time 1800
vpngroup acme password ********

I now have to add a Site-to-Site VPN for a remote location that has a NetGear FVS318 VPN router (no MD5 support, SHA supported). I added the following configuration to the Cisco PIX, but that caused my remote access VPN to stop working... what am I doing wrong?

access-list PROTECT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address PROTECT
crypto map REMOTE 10 set pfs group2
crypto map REMOTE 10 set peer 1.1.1.1
crypto map REMOTE 10 set transform-set strong
crypto map REMOTE interface outside
isakmp key ****** address 1.1.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp identity address

Thanks


0
Question by:netman70
11 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12306526
isakmp policies are tried in order, so try 'isakmp policy 30' instead of 'isakmp policy 10' as otherwise your remote clients will try and use this.

btw - SHA is more secure than MD5.   Use it where you can.
0
 

Author Comment

by:netman70
ID: 12323498
Does not work...my remote workstations with Cisco VPN clients will not work
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12337614
So, to confirm - your site-to-site tunnel is working fine, but at the expense of remote clients?
Could you set up these debugs:

debug crypto ipsec
debug crypto isakmp
term mon

..then try a client connect, and post up the debug output?

0
 

Author Comment

by:netman70
ID: 12337803
Hi Tim

The site-to-site VPN tunnel is working great. It's just my remote access VPN that will not work now (it was working prior to configuring the site-to-site VPN). When connecting using the Cisco VPN client (Ver 4.0.3C), the client stops at 'securing communications channel'. HELP

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address <remote vpn client external address> not found

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address <remote vpn client external address> not found
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload

:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 4242435063
ISAMKP (0): received DPD_R_U_THERE from peer 216.43.206.133
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2517506463, spi size = 4IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12338173
This tells me the client is trying for AES during phase 1, but you're only configured for DES.

Put in another transform set -

crypto ipsec transform-set aes esp-aes esp-sha-hmac

and point to that instead -

crypto map REMOTE 10 set transform-set aes

0
 

Author Comment

by:netman70
ID: 12338424
Isn't 'crypto map REMOTE 10 set transform-set aes' for the remote access VPN (which is working fine)? The remote access VPN works when I remove all settings for the site-to-site VPN. Why would a separate transform set disrupt access using the remote access VPN?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12341078
Agreed, but this is what the debugs are telling me !
You could try running a debug with the site-to-site VPN removed, to see what a successful connection comes up with ?

Do things work any better if you configure the VPN client to use IKE over TCP ?

Cisco config examples are here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Without seeing your whole config, there's not much else I can do.
0
 

Author Comment

by:netman70
ID: 12347842
Got it to work with one transform set (rather than two) and using SHA.

Tim. thanks for a great link
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12348132
>Got it to work with one transform set (rather than two) and using SHA.

That's not much different from what you already had, surely ?

>crypto ipsec transform-set strong esp-3des esp-sha-hmac

I'm a bit confused as to how this was fixed ?  (doesn't take much...)  :)

0
 

Author Comment

by:netman70
ID: 12370159
Tim, sorry about being late in getting back. Not really sure why my previous configuration did not work, but like I said I used just one transform set and BOOM! I was good to go. The working script is pasted below... but if you could help me out with something else: when I set up SSH and connect to it remotely using SSH Secure Shell client, I get the following error

SSH1 returned exit status -1

(SSH1 Protocol error: can't select cipher type)
*************************************************************************************

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iQzkCEz7Vz7Y6moI encrypted
passwd iQzkCEz7Vz7Y6moI encrypted
hostname ACME-PIX506
domain-name acme.local
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host x.x.x.x eq smtp
access-list outside_access_in permit tcp any host x.x.x.x eq pop3
access-list outside_access_in permit tcp any host x.x.x.x eq 3389
access-list acme_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list 110 permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
pager lines 24
logging timestamp
logging trap warnings
logging device-id ipaddress inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside 10.0.0.4 255.255.255.0
ip verify reverse-path interface outside
ip audit name Default-Info info action alarm
ip audit name Default attack action alarm drop reset
pdm location 10.0.0.1 255.255.255.255 inside
pdm location 10.0.0.2 255.255.255.255 inside
pdm history enable
arp timeout 60
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.1 pop3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.153.251.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 110
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup acme address-pool acme-vpn
vpngroup acme dns-server 10.0.0.2
vpngroup acme wins-server 10.0.0.2
vpngroup acme default-domain acmei.local
vpngroup acme split-tunnel acme_splitTunnelAcl
vpngroup acme idle-time 1800
vpngroup acme password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:1d82dc702194e2c4bda78f9fb7c9814e
: end
[OK]
ACME-PIX506#

0
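Added illustration (not part of the thread and not Cisco code): a small Python model of the two ordering rules that the question's second snippet and the working config above turn on. It models (1) the responder walking isakmp policies by priority, as Tim's first comment describes, and (2) the fact that a PIX interface carries exactly one crypto map set, so 'crypto map REMOTE interface outside' replaces the earlier 'crypto map outside_map interface outside' binding and the dynamic entry remote-access clients depend on is no longer reachable, which is what the 'peer address ... not found' debug line reports; the working config avoids this by placing the static entry in outside_map as sequence 10 next to the dynamic entry at 65535. The client address, policy lists and proposal sets are constructed sample data; the peer 1.1.1.1 is the one from the question.

```python
"""Toy model of PIX 6.x IKE phase 1 policy selection and phase 2 crypto map lookup.

Added illustration only, not Cisco code. Names and addresses are constructed
sample data except the NetGear peer 1.1.1.1, taken from the question.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash_alg: str
    group: int
    auth: str = "pre-share"

    def matches(self, proposal: dict) -> bool:
        return (self.encryption == proposal["encryption"]
                and self.hash_alg == proposal["hash"]
                and self.group == proposal["group"]
                and self.auth == proposal["auth"])


def select_phase1_policy(policies: List[IsakmpPolicy],
                         proposals: List[dict]) -> Optional[Tuple[IsakmpPolicy, dict]]:
    """Responder behaviour: policies are tried lowest priority number first;
    the first policy that matches any proposal the initiator offered wins."""
    for pol in sorted(policies, key=lambda p: p.priority):
        for prop in proposals:
            if pol.matches(prop):
                return pol, prop
    return None


@dataclass
class CryptoMapEntry:
    seq: int
    peer: Optional[str]           # None models a dynamic entry (any peer)
    transform_sets: List[str]     # transform attributes this entry accepts


@dataclass
class Pix:
    crypto_maps: Dict[str, List[CryptoMapEntry]] = field(default_factory=dict)
    bound: Dict[str, str] = field(default_factory=dict)   # interface -> map name

    def add_entry(self, map_name: str, entry: CryptoMapEntry) -> None:
        self.crypto_maps.setdefault(map_name, []).append(entry)

    def bind(self, map_name: str, interface: str) -> None:
        # 'crypto map <name> interface <if>': one map set per interface,
        # so a second name silently replaces whatever was bound before.
        self.bound[interface] = map_name

    def validate_proposal(self, interface: str, peer_ip: str,
                          proposals: List[str]) -> str:
        """Phase 2: find the lowest-seq entry that applies to this peer, then
        check whether any offered transform is one the entry accepts."""
        map_name = self.bound.get(interface)
        if map_name is None:
            return "no crypto map on interface"
        for e in sorted(self.crypto_maps.get(map_name, []), key=lambda e: e.seq):
            if e.peer is not None and e.peer != peer_ip:
                continue                      # static entry for another peer
            if any(p in e.transform_sets for p in proposals):
                return "ok"
            return "atts not acceptable"
        return "peer address not found"       # no static or dynamic entry applied


CLIENT_IP = "203.0.113.7"     # constructed remote-access client address
NETGEAR_IP = "1.1.1.1"        # site-to-site peer from the question


def sample_policies() -> List[IsakmpPolicy]:
    # policy 10 (SHA) added for the NetGear, policy 20 (MD5) for the clients
    return [IsakmpPolicy(20, "3des", "md5", 2), IsakmpPolicy(10, "3des", "sha", 2)]


def client_phase1_proposals() -> List[dict]:
    # constructed: a VPN client offers several transforms, responder picks one
    return [
        {"encryption": "aes", "hash": "md5", "group": 2, "auth": "pre-share"},
        {"encryption": "3des", "hash": "md5", "group": 2, "auth": "pre-share"},
        {"encryption": "3des", "hash": "sha", "group": 2, "auth": "pre-share"},
    ]


def as_posted_in_question() -> str:
    """outside_map (dynamic entry) is bound, then REMOTE is bound on top of it."""
    pix = Pix()
    pix.add_entry("outside_map", CryptoMapEntry(65535, None, ["esp-3des esp-md5-hmac"]))
    pix.bind("outside_map", "outside")
    pix.add_entry("REMOTE", CryptoMapEntry(10, NETGEAR_IP, ["esp-3des esp-sha-hmac"]))
    pix.bind("REMOTE", "outside")   # outside_map is no longer on the interface
    return pix.validate_proposal("outside", CLIENT_IP, ["esp-3des esp-md5-hmac"])


def as_in_working_config() -> str:
    """One map, static entry at seq 10 and dynamic entry at seq 65535."""
    pix = Pix()
    pix.add_entry("outside_map", CryptoMapEntry(10, NETGEAR_IP, ["esp-3des esp-sha-hmac"]))
    pix.add_entry("outside_map", CryptoMapEntry(65535, None, ["esp-3des esp-sha-hmac"]))
    pix.bind("outside_map", "outside")
    return pix.validate_proposal("outside", CLIENT_IP,
                                 ["esp-3des esp-md5-hmac", "esp-3des esp-sha-hmac"])


if __name__ == "__main__":
    chosen = select_phase1_policy(sample_policies(), client_phase1_proposals())
    print("phase 1 policy chosen:", chosen[0].priority if chosen else None)
    print("question config:", as_posted_in_question())
    print("working config: ", as_in_working_config())
```

The phase 1 part shows why Tim's ordering remark matters for which policy wins rather than whether negotiation succeeds: a client offering both 3DES/MD5 and 3DES/SHA ends up on policy 10 (SHA) because it is tried first. The phase 2 part reproduces the failure mode in the posted debug: with only REMOTE bound to the interface there is no dynamic entry for the client's address, so the lookup returns the same 'peer address not found' condition the debug reported.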
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 12380097
>enable password iQzkCEz7Vz7Y6moI encrypted
>passwd iQzkCEz7Vz7Y6moI encrypted

Change your passwords.  They can be reverse engineered from these hashes.

To get SSH to work, did you generate a key pair?
If not, use these commands:

ca generate rsa key 1024

show ca mypubkey rsa

ca save all

The PIX 6.2 ref for the SSH command follows:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104255_4container_ccmigration_09186a00801e8934.html#wp1026535

0
