Solved

PIX Site-to-Site VPN with NetGear and remote access VPN

Posted on 2004-10-13
Last Modified: 2013-11-16
Hi Guys, please help....

I have a PIX 506E at the main location. This PIX was configured for remote access VPN and works flawlessly. The configuration (VPN) is..

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list acme_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
ip local pool acme-vpn 10.0.0.150-10.0.0.160
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup acme address-pool acme-vpn
vpngroup acme dns-server 10.0.0.2
vpngroup acme wins-server 10.0.0.2
vpngroup acme default-domain acme.local
vpngroup acme split-tunnel acme_splitTunnelAcl
vpngroup acme idle-time 1800
vpngroup acme password ********

I now have to add a Site-to-Site VPN for a remote location that has a NetGear FVS318 VPN router (no MD5 support, SHA supported). I added the following configuration to the Cisco PIX, but that caused my remote access VPN to stop working... what am I doing wrong?

access-list PROTECT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address PROTECT
crypto map REMOTE 10 set pfs group2
crypto map REMOTE 10 set peer 1.1.1.1
crypto map REMOTE 10 set transform-set strong
crypto map REMOTE interface outside
isakmp key ****** address 1.1.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
Crypto isakmp identity address

Thanks


Question by:netman70

11 Comments

Expert Comment
by:Tim Holman
ID: 12306526
isakmp policies are tried in order, so try 'isakmp policy 30' instead of 'isakmp policy 10' as otherwise your remote clients will try and use this.

btw - SHA is more secure than MD5.   Use it where you can.

Author Comment
by:netman70
ID: 12323498
Does not work...my remote workstations with Cisco VPN clients will not work

Expert Comment
by:Tim Holman
ID: 12337614
So, to confirm - your site to site tunnel is working fine, but at the expense of remote clients ?
Could you set up these debugs:

debug crypto ipsec
debug crypto isakmp
term mon

..then try a client connect, and post up the debug output ?


Author Comment
by:netman70
ID: 12337803
Hi Tim

The site to site VPN tunnel is working great. It's just my remote access VPN that will not work now (it was working prior to configuring the site to site VPN). When connecting using the Cisco VPN client (Ver 4.0.3C), the client stops at 'securing communications channel'. HELP

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address <remote vpn client external address> not found

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address <remote vpn client external address> not found
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload

:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 4242435063
ISAMKP (0): received DPD_R_U_THERE from peer 216.43.206.133
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<remote vpn client external address>, dest:x.x.x.x spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2517506463, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
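A reader of the debug above wants two things separated: whether the PIX turned the client's proposals down because no configured transform set offers the proposed ESP_AES with HMAC-MD5 or HMAC-SHA, or whether, as the IPSEC(validate_proposal) lines literally say, no crypto map entry matched the peer address at all, in which case the transforms were never compared. The Python below is an added example, not part of this thread or of any Cisco tool. It parses a constructed copy of the debug (terminal line wrapping undone, and the documentation address 203.0.113.10 standing in for the client's external address) into the offered proposals, reads transform-set lines in the style of the configs in this thread, and reports one line per proposal. The keyword mapping covers the esp-des, esp-3des, esp-aes, esp-aes-192, esp-aes-256, esp-md5-hmac and esp-sha-hmac keywords of PIX 6.3; other keywords are simply ignored.

```python
import re

# Constructed sample: the two proposal blocks from the debug output above, with the
# terminal's line wrapping undone and a documentation address in place of the
# client's external address.
SAMPLE_DEBUG = """\
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
IPSEC(validate_proposal): peer address 203.0.113.10 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
IPSEC(validate_proposal): peer address 203.0.113.10 not found
"""

# Constructed sample: the transform sets in the style of the configs in this thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-sha-hmac
"""

# PIX transform-set keyword -> (name as printed in the ISAKMP debug, AES key length or None)
ENCRYPTION = {"esp-des": ("ESP_DES", None), "esp-3des": ("ESP_3DES", None),
              "esp-aes": ("ESP_AES", 128), "esp-aes-192": ("ESP_AES", 192),
              "esp-aes-256": ("ESP_AES", 256)}
AUTH = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}


def parse_transform_sets(config):
    """Map transform-set name -> {'enc', 'keylen', 'auth'} from 'crypto ipsec transform-set' lines."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+) (.+)$", line)
        if not m:
            continue
        ts = {"enc": None, "keylen": None, "auth": None}
        for kw in m.group(2).split():
            if kw in ENCRYPTION:
                ts["enc"], ts["keylen"] = ENCRYPTION[kw]
            elif kw in AUTH:
                ts["auth"] = AUTH[kw]
        sets[m.group(1)] = ts
    return sets


def parse_proposals(debug):
    """Collect each 'ISAKMP: transform' block into {'enc', 'keylen', 'auth', 'peer_found'}."""
    proposals, cur = [], None
    for line in debug.splitlines():
        if m := re.match(r"ISAKMP: transform \d+, (\S+)", line):
            cur = {"enc": m.group(1), "keylen": None, "auth": None, "peer_found": True}
            proposals.append(cur)
        elif cur is None:
            continue
        elif m := re.search(r"authenticator is (\S+)", line):
            cur["auth"] = m.group(1)
        elif m := re.search(r"key length is (\d+)", line):
            cur["keylen"] = int(m.group(1))
        elif re.search(r"peer address \S+ not found", line):
            # validate_proposal gave up before comparing transforms: no crypto map
            # entry (static or dynamic) on the interface matched this peer
            cur["peer_found"] = False
    return proposals


def diagnose(debug, config):
    """One line per offered proposal saying why it did or did not fit the config."""
    sets = parse_transform_sets(config)
    report = []
    for i, p in enumerate(parse_proposals(debug), 1):
        label = f"proposal {i} ({p['enc']}/{p['auth']})"
        fitting = [name for name, s in sets.items()
                   if s["enc"] == p["enc"] and s["auth"] == p["auth"]
                   and (s["keylen"] is None or s["keylen"] == p["keylen"])]
        if not p["peer_found"]:
            report.append(f"{label}: no crypto map entry matched the peer, transforms never compared")
        elif fitting:
            report.append(f"{label}: accepted by transform-set {fitting[0]}")
        else:
            report.append(f"{label}: no configured transform-set offers this combination")
    return report


if __name__ == "__main__":
    for line in diagnose(SAMPLE_DEBUG, SAMPLE_CONFIG):
        print(line)
```

Run against the sample, both proposals come back as "no crypto map entry matched the peer", which points at the crypto map bound to the outside interface rather than at the transform sets; removing the "not found" lines from the sample and adding an esp-aes esp-sha-hmac set shows the other two outcomes.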


Expert Comment
by:Tim Holman
ID: 12338173
This tells me the client is trying for AES during phase 1, but you're only configured for DES.

Put in another transform set -

crypto ipsec transform-set aes esp-aes esp-sha-hmac

and point to that instead -

crypto map REMOTE 10 set transform-set aes


Author Comment
by:netman70
ID: 12338424
Isn't 'crypto map REMOTE 10 set transform-set aes' for the remote access VPN (which is working fine)? The remote access VPN works when I remove all settings for the site to site VPN. Why would a separate transform set disrupt access using the remote access VPN?

Expert Comment
by:Tim Holman
ID: 12341078
Agreed, but this is what the debugs are telling me !
You could try running a debug with the site-to-site VPN removed, to see what a successful connection comes up with ?

Do things work any better if you configure the VPN client to use IKE over TCP ?

Cisco config examples are here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Without seeing your whole config, there's not much else I can do.

Author Comment
by:netman70
ID: 12347842
Got it to work with one transform set (rather than two) and using SHA.

Tim, thanks for a great link.

Expert Comment
by:Tim Holman
ID: 12348132
>Got it to work with one transform set (rather than two) and using SHA.

That's not much different from what you already had, surely ?

>crypto ipsec transform-set strong esp-3des esp-sha-hmac

I'm a bit confused as to how this was fixed ?  (doesn't take much...)  :)


Author Comment
by:netman70
ID: 12370159
Tim, sorry about being late in getting back. Not really sure why my previous configuration did not work, but like I said I used just one transform set and BOOM! I was good to go. The working script is pasted below... but if you could help me out with something else: when I set up SSH and connect to it remotely using the SSH Secure Shell client, I get the following error

SSH1 returned exit status -1

(SSH1 Protocol error: can't select cipher type)
*************************************************************************************

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iQzkCEz7Vz7Y6moI encrypted
passwd iQzkCEz7Vz7Y6moI encrypted
hostname ACME-PIX506
domain-name acme.local
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host x.x.x.x eq smtp
access-list outside_access_in permit tcp any host x.x.x.x eq pop3
access-list outside_access_in permit tcp any host x.x.x.x eq 3389
access-list acme_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list 110 permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
pager lines 24
logging timestamp
logging trap warnings
logging device-id ipaddress inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside 10.0.0.4 255.255.255.0
ip verify reverse-path interface outside
ip audit name Default-Info info action alarm
ip audit name Default attack action alarm drop reset
pdm location 10.0.0.1 255.255.255.255 inside
pdm location 10.0.0.2 255.255.255.255 inside
pdm history enable
arp timeout 60
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.1 pop3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.153.251.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 110
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup acme address-pool acme-vpn
vpngroup acme dns-server 10.0.0.2
vpngroup acme wins-server 10.0.0.2
vpngroup acme default-domain acmei.local
vpngroup acme split-tunnel acme_splitTunnelAcl
vpngroup acme idle-time 1800
vpngroup acme password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:1d82dc702194e2c4bda78f9fb7c9814e
: end
[OK]
ACME-PIX506#
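The working config above differs from the question's second fragment in one structural way: the site-to-site entry (sequence 10) and the dynamic entry for remote clients (sequence 65535) live in the single crypto map outside_map, which is the only map applied to the outside interface. A PIX interface carries only one crypto map set, and a later "crypto map NAME interface outside" replaces the earlier binding, so applying a second map named REMOTE left the remote-access dynamic entry unbound. The Python linter below is an added example, not from this thread or from Cisco, that checks a config fragment for exactly that: more than one crypto map applied to an interface, an applied map with no dynamic entry, and entries that reference an undefined transform set. BROKEN_CONFIG is constructed from the crypto lines of the two fragments in the question, in the order they were entered, and WORKING_CONFIG from the crypto lines of the config above.

```python
import re
from collections import defaultdict

# Constructed input: the crypto-related lines of the two fragments quoted in the
# question, in the order they were entered on the PIX.
BROKEN_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address PROTECT
crypto map REMOTE 10 set peer 1.1.1.1
crypto map REMOTE 10 set transform-set strong
crypto map REMOTE interface outside
"""

# Constructed input: the crypto lines of the working config posted in this thread.
WORKING_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 110
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""


def parse(config):
    """Pull transform sets, dynamic maps, crypto map entries and interface bindings out of the text."""
    transform_sets = set()
    dyn_maps = defaultdict(dict)   # dynamic-map name -> {seq: transform-set name}
    maps = defaultdict(dict)       # crypto map name -> {seq: {"dynamic": name or None, "transform": name}}
    bindings = defaultdict(list)   # interface -> crypto map names, in the order applied
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (\S+)$", line):
            dyn_maps[m.group(1)][int(m.group(2))] = m.group(3)
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bindings[m.group(2)].append(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", line):
            maps[m.group(1)].setdefault(int(m.group(2)), {})["dynamic"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (\S+)$", line):
            maps[m.group(1)].setdefault(int(m.group(2)), {})["transform"] = m.group(3)
    return transform_sets, dyn_maps, maps, bindings


def lint(config):
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    transform_sets, dyn_maps, maps, bindings = parse(config)
    findings = []
    for iface, names in bindings.items():
        if len(names) > 1:
            findings.append(f"{iface}: {len(names)} crypto maps applied ({', '.join(names)}); "
                            f"only the last one, {names[-1]}, is in effect")
        active = maps.get(names[-1], {})
        if not any(entry.get("dynamic") for entry in active.values()):
            findings.append(f"{iface}: active crypto map {names[-1]} has no dynamic entry, "
                            f"so remote-access clients with unknown peer addresses cannot match")
    for name, entries in maps.items():
        for seq, entry in entries.items():
            ts = entry.get("transform")
            if ts and ts not in transform_sets:
                findings.append(f"crypto map {name} {seq} references undefined transform-set {ts}")
            dyn = entry.get("dynamic")
            for dseq, dts in dyn_maps.get(dyn, {}).items():
                if dts not in transform_sets:
                    findings.append(f"dynamic-map {dyn} {dseq} references undefined transform-set {dts}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as entered in the question", BROKEN_CONFIG), ("working config", WORKING_CONFIG)):
        findings = lint(cfg)
        print(f"{label}: {'no findings' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

On BROKEN_CONFIG the linter reports that two maps were applied to outside with only REMOTE in effect, and that REMOTE has no dynamic entry; on WORKING_CONFIG it reports nothing. It does not try to judge the isakmp policy order raised earlier in the thread, since the config alone does not say which policy the remote clients are meant to negotiate.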


Accepted Solution
by:Tim Holman earned 500 total points
ID: 12380097
>enable password iQzkCEz7Vz7Y6moI encrypted
>passwd iQzkCEz7Vz7Y6moI encrypted

Change your passwords.  They can be reverse engineered from these hashes.

To get SSH to work, did you generate a key pair ?
If not, use these commands:

ca generate rsa key 1024

show ca mypubkey rsa

ca save all

The PIX 6.2 ref for the SSH command follows:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104255_4container_ccmigration_09186a00801e8934.html#wp1026535
