Solved

VPN Ipsec from pix to fortinet

Posted on 2004-11-23
Last Modified: 2013-11-16
I need a VPN connection from my firewall (Cisco PIX 520, 6.3.4) to a remote firewall (Fortinet), which is not configured by me.

config of my pix:
============
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
...
crypto map VPN 31 ipsec-isakmp
crypto map VPN 31 match address *******
crypto map VPN 31 set peer **********
crypto map VPN 31 set transform-set myset
...

crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address *******at netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

=============
Phase 1 is OK:

*****  ******    QM_IDLE         0           0

=========
debug crypto ipsec 1
debug crypto isakmp 1
:


ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0xb70830f8
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x39785152
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0xb70830f8
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x39785152
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0xb70830f8

Thanks for Help !

Question by:aax2ee
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12659586
Do you have a nat zero acl?
Do you have something that looks like this in your PIX:
   access-list nat_0 permit ip <local lan> <mask> <remote lan> <mask>
   nat (inside) 0 access-list nat_0

 
LVL 13

Expert Comment

by:td_miles
ID: 12659618
Could you post the full output of the crypto debug? (Change IP addresses of course; the easiest way to do this is just a find/replace in a text editor. Don't just ***, as we won't be able to match them up.)

I'm assuming you have checked with the person configuring the other end and have all the same settings. I have found it useful, even if you don't have control of the device, to get the person to send you a copy of the config (or screenshots if it is a GUI device) that shows the VPN settings they have configured. This will allow you to check it, just to make sure it looks correct, even though they say it is correct (just don't accuse them of having it wrong; be subtle ;)
 
LVL 13

Expert Comment

by:td_miles
ID: 12659639
morning lrmoore :)
 

Author Comment

by:aax2ee
ID: 12663986
===============
@lrmoore,

yes there's a nonat-acl.

access-list nonat line 5 permit ip UNI-NET 255.255.255.0 host its1.xxxxxxx.at (hitcnt=44)
nat (inside) 0 access-list nonat

===============
@td_miles

full debug:

pix# deb cry ips
pix# deb cry isa
pix#
pix#
pix#
pix#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:fw.wegraz.at, dest:81.223.127.194 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:fw.wegraz.at, dest:81.223.127.194 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:fw.wegraz.at, dest:81.223.127.194 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 3017347:2e0a83IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x88cd393a(2295150906) for SA
        from    fw.wegraz.at to  81.223.127.194 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:fw.wegraz.at/500 Total VPN Peers:11
VPN Peer: ISAKMP: Peer ip:fw.wegraz.at/500 Ref cnt incremented to:1 Total VPN Peers:11
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x2e0a83IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 81.223.127.194, remote= fw.wegraz.at,
    local_proxy= UNI-NET/255.255.255.0/0/0 (type=4),
    remote_proxy= its1.wegraz.at/255.255.255.255/0/0 (type=1)

ISAKMP (0): beginning Quick Mode exchange, M-ID of -699346336:d650d260IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x93c3a4aa(2479072426) for SA
        from    fw.wegraz.at to  81.223.127.194 for prot 3

ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x2e0a83
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xd650d260
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x2e0a83
pix#
pix# un all
pix#

===============

pix# sh isa sa
Total     : 11
Embryonic : 0
        dst               src        state     pending     created
  fw.haginger.at   81.223.127.194    QM_IDLE         0           3
   fw.l-real.com   81.223.127.194    QM_IDLE         0           3
fw.tbr-engineering.at   81.223.127.194    QM_IDLE         0           3
    fw.pirsch.at   81.223.127.194    QM_IDLE         0           3
    fw.lesser.at   81.223.127.194    QM_IDLE         0           3
fw.kosjek-lesser.at   81.223.127.194    QM_IDLE         0           3
  fw.trausner.at   81.223.127.194    QM_IDLE         0           3
  fw.roschker.at   81.223.127.194    QM_IDLE         0           3
   fw.ra-popp.at   81.223.127.194    QM_IDLE         0           3
       fw.sbg.at   81.223.127.194    QM_IDLE         0           3
    fw.wegraz.at   81.223.127.194    QM_IDLE         0           0
pix#

(see last entry => fw.wegraz.at)

===================================


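The debug output and the "sh isa sa" table above already contain the diagnosis (Phase 1 authenticated and QM_IDLE, but quick mode retransmitting and zero IPsec SAs created for fw.wegraz.at). The following Python script is an added example, not part of the thread, that automates that triage over PIX 6.3 debug text: it counts "retransmitting phase 2" lines per message ID, pulls out the proxy IDs, reads the per-peer state from the "sh isa sa" table, and classifies whether the tunnel is stuck in Phase 1 or Phase 2. The sample strings are constructed excerpts of the output posted above; hostnames and addresses are the ones in the thread.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the PIX 6.3 "debug crypto isakmp" output
# posted in the thread, trimmed to the lines the triage below looks at.
SAMPLE_DEBUG = """\
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 3017347:2e0a83IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x88cd393a(2295150906) for SA
        from    fw.wegraz.at to  81.223.127.194 for prot 3
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x2e0a83IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 81.223.127.194, remote= fw.wegraz.at,
    local_proxy= UNI-NET/255.255.255.0/0/0 (type=4),
    remote_proxy= its1.wegraz.at/255.255.255.255/0/0 (type=1)
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x2e0a83
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xd650d260
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x2e0a83
"""

# Constructed sample: two rows from the "sh isa sa" table in the thread.
SAMPLE_ISA_SA = """\
        dst               src        state     pending     created
    fw.pirsch.at   81.223.127.194    QM_IDLE         0           3
    fw.wegraz.at   81.223.127.194    QM_IDLE         0           0
"""

# "retransmitting phase 2 (N/M)... mess_id 0x...."; the hex id is followed
# directly by interleaved IPSEC output in some lines, so stop at the first
# non-hex character.
RETRANSMIT_RE = re.compile(r"retransmitting phase 2 \((\d+)/\d+\)\.\.\. mess_id (0x[0-9a-f]+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+) \(type=\d+\)")


def parse_debug(text):
    """Pull the Phase 1 result, quick-mode retransmits and proxy IDs out of the debug text."""
    retransmits = Counter(mid for _count, mid in RETRANSMIT_RE.findall(text))
    return {
        "phase1_authenticated": "SA has been authenticated" in text,
        "retransmits_by_msgid": dict(retransmits),
        "proxies": dict(PROXY_RE.findall(text)),
    }


def parse_isa_sa(text):
    """Turn the 'sh isa sa' table into {dst_peer: {state, pending, created}}."""
    peers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] != "state":  # skip the header row
            dst, _src, state, pending, created = parts
            peers[dst] = {"state": state, "pending": int(pending), "created": int(created)}
    return peers


def diagnose(debug_text, isa_sa_text, peer):
    """Classify where the tunnel to `peer` is stuck: Phase 1 missing, or Phase 2 never completing."""
    dbg = parse_debug(debug_text)
    sa = parse_isa_sa(isa_sa_text).get(peer)
    verdict = {
        "peer": peer,
        "retransmits": sum(dbg["retransmits_by_msgid"].values()),
        "message_ids": len(dbg["retransmits_by_msgid"]),
        "proxies": dbg["proxies"],
    }
    if sa is None:
        verdict["phase1"], verdict["phase2"] = "missing", "not_attempted"
        return verdict
    verdict["phase1"] = "ok" if sa["state"] == "QM_IDLE" else sa["state"].lower()
    if sa["created"] > 0:
        verdict["phase2"] = "ok"            # IPsec SAs exist for this peer
    elif verdict["retransmits"]:
        verdict["phase2"] = "failing"       # quick mode proposals are retried and never answered
    else:
        verdict["phase2"] = "not_attempted"
    return verdict


if __name__ == "__main__":
    v = diagnose(SAMPLE_DEBUG, SAMPLE_ISA_SA, "fw.wegraz.at")
    print(v)
    if v["phase1"] == "ok" and v["phase2"] == "failing":
        print("Phase 1 is up but Phase 2 never completes: compare PFS/DH group, "
              "transform set and proxy IDs with the peer's Phase 2 settings")
```

A Phase 2 that retransmits while Phase 1 sits in QM_IDLE means the peer silently rejects the quick-mode proposal, which on a mixed-vendor tunnel is almost always a PFS, transform-set or proxy-ID (selector) mismatch rather than a key or Phase 1 problem.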
 

Author Comment

by:aax2ee
ID: 12664024
my config:

name 192.168.20.251 its2.wegraz.at
name 81.223.57.162 fw.wegraz.at

access-list inside permit ip UNI-NET 255.255.255.0 host its1.wegraz.at
access-list nonat permit ip UNI-NET 255.255.255.0 host its1.wegraz.at
access-list WEGRAZ permit ip UNI-NET 255.255.255.0 host its1.wegraz.at
nat (inside) 0 access-list nonat


sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map VPN 31 ipsec-isakmp
crypto map VPN 31 match address WEGRAZ
crypto map VPN 31 set peer fw.wegraz.at
crypto map VPN 31 set transform-set myset
crypto map VPN interface outside
isakmp enable outside

isakmp key ******** address fw.wegraz.at netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


 

Author Comment

by:aax2ee
ID: 12664078
Fortinet screenshot:

http://www.aaitx.com/fortinet.jpg

 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12665780
The Fortinet has "Enable PFS" checked; you do not have it enabled.
Try adding:
   crypto map VPN 31 set pfs group2


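The accepted fix is a one-line Phase 2 parameter mismatch. As an added example (not code from the thread or from Cisco/Fortinet), the following Python script parses the PIX crypto map posted above, derives the ESP cipher/hash from the referenced transform set, and compares PFS, cipher and hash against the peer's Phase 2 settings, emitting the exact PIX line to add or remove. The Fortinet settings dictionary is an assumption: PFS on with DH group 2 is what the accepted answer reads from the screenshot, and the cipher/hash values are constructed to match the PIX transform set.

```python
import re

# Constructed sample: the crypto map lines posted in the thread, before the fix.
PIX_CONFIG_BEFORE = """\
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map VPN 31 ipsec-isakmp
crypto map VPN 31 match address WEGRAZ
crypto map VPN 31 set peer fw.wegraz.at
crypto map VPN 31 set transform-set myset
crypto map VPN interface outside
"""

# The same map with the accepted answer's line added.
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE + "crypto map VPN 31 set pfs group2\n"

# Assumed peer Phase 2 settings (see lead-in): PFS on with DH group 2 per the
# accepted answer; cipher and hash are constructed sample values.
FORTINET_PHASE2 = {"pfs": True, "dh_group": 2, "encryption": "3des", "authentication": "sha"}

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_pix(config):
    """Collect transform sets and per-sequence crypto map entries from PIX config text."""
    transform_sets, maps = {}, {}
    for line in config.splitlines():
        m = TS_RE.match(line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            continue
        m = MAP_RE.match(line)
        if not m:
            continue                      # e.g. "crypto map VPN interface outside"
        name, seq, words = m.group(1), int(m.group(2)), m.group(3).split()
        entry = maps.setdefault((name, seq), {"pfs": None})
        if words[:2] == ["match", "address"]:
            entry["acl"] = words[2]
        elif words[:2] == ["set", "peer"]:
            entry["peer"] = words[2]
        elif words[:2] == ["set", "transform-set"]:
            entry["transform_set"] = words[2]
        elif words[:2] == ["set", "pfs"]:
            # "set pfs" with no group named defaults to group1 on the PIX
            entry["pfs"] = words[2] if len(words) > 2 else "group1"
    return transform_sets, maps


def transform_to_phase2(transforms):
    """Map transform-set tokens to (cipher, hash): esp-3des esp-sha-hmac -> ('3des', 'sha')."""
    enc = auth = None
    for t in transforms:
        if t.startswith("esp-") and t.endswith("-hmac"):
            auth = t[4:-5]
        elif t.startswith("esp-"):
            enc = t[4:]
    return enc, auth


def check_phase2(config, peer, peer_settings):
    """Return a remediation message per Phase 2 mismatch with `peer`; an empty list means consistent."""
    transform_sets, maps = parse_pix(config)
    for (name, seq), entry in maps.items():
        if entry.get("peer") == peer:
            break
    else:
        return ["no crypto map entry sets peer %s" % peer]
    problems = []
    enc, auth = transform_to_phase2(transform_sets.get(entry.get("transform_set"), []))
    if enc != peer_settings["encryption"]:
        problems.append("ESP cipher mismatch: PIX %s, peer %s" % (enc, peer_settings["encryption"]))
    if auth != peer_settings["authentication"]:
        problems.append("ESP hash mismatch: PIX %s, peer %s" % (auth, peer_settings["authentication"]))
    if peer_settings["pfs"]:
        want = "group%d" % peer_settings["dh_group"]
        if entry["pfs"] != want:
            problems.append("PFS mismatch: peer requires %s, PIX has %s; add: crypto map %s %d set pfs %s"
                            % (want, entry["pfs"] or "none", name, seq, want))
    elif entry["pfs"]:
        problems.append("PFS mismatch: PIX proposes %s but peer has PFS disabled; remove: no crypto map %s %d set pfs"
                        % (entry["pfs"], name, seq))
    return problems


if __name__ == "__main__":
    for label, cfg in (("before", PIX_CONFIG_BEFORE), ("after", PIX_CONFIG_AFTER)):
        print(label, check_phase2(cfg, "fw.wegraz.at", FORTINET_PHASE2) or ["consistent"])
```

The same check is worth running in the other direction too: a PIX that proposes PFS to a peer with PFS disabled fails Phase 2 just as silently, which is why the script reports both cases.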
 

Author Comment

by:aax2ee
ID: 12666658
@lrmoore

this is the solution!

I have added PFS and the tunnel works!

Thanks, the points are yours.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12667012
Good news!
Thanks!