Solved

VPN between Cisco Pix 515E and Firebox XTM515

Posted on 2016-07-29
Last Modified: 2016-11-06
We are trying to set up a VPN between these two devices.  These are the Firebox settings:

[Screenshots: Firebox Gateway General Settings; Firebox Gateway Phase 1 Settings; Firebox Tunnel 1; Firebox Gateway Phase 1 Transform; Firebox Tunnel Phase 2]
On the Pix side, we have (only showing the relevant sections, can post whole config if requested):
name xxx.xxx.xxx.xxx Apex
name 192.168.2.0 apex-net-1

access-list apex-vpn-1 permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0
sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map 5 ipsec-isakmp
crypto map outside-map 5 match address edenhouse-vpn-2
crypto map outside-map 5 set peer EdenHouse3
crypto map outside-map 5 set transform-set ESP-3DES-SHA
crypto map outside-map 10 ipsec-isakmp
crypto map outside-map 10 match address edenhouse-vpn-1
crypto map outside-map 10 set peer EdenHouse2
crypto map outside-map 10 set transform-set ESP-3DES-SHA
crypto map outside-map 15 ipsec-isakmp
crypto map outside-map 15 match address apex-vpn-1
crypto map outside-map 15 set peer Apex
crypto map outside-map 15 set transform-set ESP-DES-SHA
crypto map outside-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address SAP2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address EdenHouse2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address EdenHouse3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address Apex netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400

The ISAKMP SA is created, but the tunnel does not come up.  Debug crypto ipsec / isakmp sa shows:
crypto_isakmp_process_block: src Apex, dest [IP address removed]
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 23
ISAKMP (0): Total payload length: 27
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Apex, dest [IP address removed]
ISAKMP: reserved not zero on payload 5!

What settings must we alter to make the tunnel connect?  Thanks in advance for any assistance.
Question by: David Haycox

16 Comments

Expert Comment by: John Hurst
I do not use this particular VPN (I use Juniper).

1. Edit Gateway says DH Group 1 whereas Phase 1 Transform says DH Group 2. Use Group 2 and make it consistent everywhere.

2. Make sure Phase 2 is the same as Phase 1.

3. Try NAT Traversal ON (as you have it) and then OFF.

4. Your gateway addresses should likely be subnets, not a single IP address (so you can see all devices).

Expert Comment by: John Hurst
Also (obvious VPN check): The subnets on each end cannot be the same.  That is, you cannot have 192.168.25.x on each end.

Author Comment by: David Haycox
Hi John,

1. It does actually match, I just took the screen shot while it was set incorrectly, sorry.  They're both on group 2.

2. Why does phase 1 need to have the same settings as phase 2?  I'm sure I've had VPNs working in the past with DES for phase 1 and 3DES for phase 2.  In any case my initial settings were both on 3DES, I only changed them when it didn't work like that (same problem).

3. Will try this, but isn't that just to do with traffic passing over the tunnel, rather than the tunnel being connected in the first place?

4. I don't follow, why would a gateway be a subnet?  It's a device with a single IP, surely?

And yes, the subnets are different at both ends.

Expert Comment by: John Hurst
I keep basic Phase 1 and 2 settings the same to make things simple.

So use 3DES both phases, NO PFS, DH Group 2 on Phase 1 and SHA1 both phases.

Re: Subnet:  Your gateway and routers are IPs and your device is another IP. So you need to allow for more than one IP, and I use a subnet internally. Again, keep it simple.

Author Comment by: David Haycox
Thanks, I'll give that a try.

Does anyone have any specific tips on the Cisco debug errors below?

crypto_isakmp_process_block: src Apex, dest [IP address removed]
ISAKMP: reserved not zero on payload 5!

Expert Comment by: SIM50
Can you post the full debug?
Please also post sh cry isakmp sa and sh cry ipsec sa.

Author Comment by: David Haycox
Sure, here you go.  Ignore the "Edenhouse" stuff, that's for a different VPN.  Have just replaced the Internet IP addresses below.  Here's the SH CRY ISAKMP SA:

Total     : 17
Embryonic : 0
        dst             src          state       pending    created
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]       EdenHouse3    QM_IDLE         0          21

And here's the SH CRY IPSEC SA:
interface: outside
    Crypto map tag: outside-map, local addr. [WAN IP ADDRESS]

   local  ident (addr/mask/prot/port): (net-151/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.247.67.0/255.255.255.0/0/0)
   current_peer: EdenHouse2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [WAN IP ADDRESS], remote crypto endpt.: EdenHouse2
     path mtu 1440, ipsec overhead 0, media mtu 1440
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (net-151/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.246.67.0/255.255.255.0/0/0)
   current_peer: EdenHouse2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [WAN IP ADDRESS], remote crypto endpt.: EdenHouse2
     path mtu 1440, ipsec overhead 0, media mtu 1440
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (net-151/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.247.68.0/255.255.255.0/0/0)
   current_peer: EdenHouse3
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4109, #pkts encrypt: 4109, #pkts digest 4109
    #pkts decaps: 4118, #pkts decrypt: 4118, #pkts verify 4118
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [WAN IP ADDRESS], remote crypto endpt.: EdenHouse3
     path mtu 1440, ipsec overhead 56, media mtu 1440
     current outbound spi: 8c49f37

     inbound esp sas:
      spi: 0x3f461cfd(1061559549)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: outside-map
        sa timing: remaining key lifetime (k/sec): (4608000/3486)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x8c49f37(147103543)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: outside-map
        sa timing: remaining key lifetime (k/sec): (4608000/3486)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (net-151/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.246.68.0/255.255.255.0/0/0)
   current_peer: EdenHouse3
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 59, #pkts encrypt: 59, #pkts digest 59
    #pkts decaps: 70, #pkts decrypt: 70, #pkts verify 70
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [WAN IP ADDRESS], remote crypto endpt.: EdenHouse3
     path mtu 1440, ipsec overhead 56, media mtu 1440
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

So it looks as if there is a successful ISAKMP SA but nothing relating to the IPSEC SA on the VPN we're talking about here - I think.

Expert Comment by: SIM50
According to Cisco documentation, that debug error means ISAKMP keys don't match.
Link: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#zero

Author Comment by: David Haycox
Yes indeed, first thing I checked... but they do match.  I'm assuming we're talking about the pre-shared keys here.  Even tried it temporarily with "test" as the key (in case it didn't like some of the non-alphanumeric characters), no change.

Expert Comment by: Pete Long
Keys should be OK; all your phase 1 states are at QM_IDLE (ISAKMP Quick Mode established and waiting for traffic).

I'm confused which is the matching cryptomap in the phase two output.

Post

show run cry ipse sa peer xxx.xxx.xxx.xxx

Where peer xxx.xxx.xxx.xxx is the problematic tunnel?

I'm guessing your broken tunnel is the Apex one? If not then your transform set is incorrect.

Pete

Author Comment by: David Haycox
The cryptomap for this tunnel is (or should be):
crypto map outside-map 15 ipsec-isakmp
crypto map outside-map 15 match address apex-vpn-1
crypto map outside-map 15 set peer Apex
crypto map outside-map 15 set transform-set ESP-DES-SHA

Yes, the Apex tunnel is the broken one.  I've added a name for the local WAN IP for ease.  Sorry, I made a mistake with the SH CRY ISAKMP SA output; it's actually the local WAN IP, not the remote one (which is Apex):
Total     : 14
Embryonic : 0
        dst             src          state       pending    created
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN       EdenHouse3    QM_IDLE         0           2

If I run "show run cry ipse sa peer xxx.xxx.xxx.xxx" it outputs the entire config.

show cry ipse sa peer xxx.xxx.xxx.xxx

gives
Pix# show cry ipsec sa peer Local-WAN
ERROR: unknown subcommand <peer>

So I'm not sure what I'm doing wrong...

Expert Comment by: Pete Long
Apologies - I just keep hammering in the commands till it works - I'm rusty on version 6.

If you do a 'show cry ipsec'

then remove all the edenhouse junk

I just need to see the phase 2 output of that one tunnel, and above you posted the output for all the other tunnels, and not this one.

P

Author Comment by: David Haycox
No trouble, I know what you mean!

"show cry ipsec" gives me:
Pix# show cry ipsec
ERROR: incomplete command
usage: [no] crypto ipsec { transform-set | security-association} ...
Type help or '?' for a list of available commands.

But if I do "show cry ipsec sa" missing out the other VPN stuff, I get nothing at all, i.e. there is no SA listed for that peer.

Accepted Solution by: David Haycox (earned 0 total points)
Here's how I made it work, plus of course amending the settings at the WatchGuard end.  I think the "security-association lifetime" line was the critical one.

name xxx.xxx.xxx.xxx Apex
name 192.168.2.0 apex-net-1
name xxx.xxx.xxx.xxx Local-WAN

access-list inside_outbound_nat0_acl permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0
access-list apex-vpn-1 permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0

crypto map apex-map 1 ipsec-isakmp
crypto map apex-map 1 match address apex-vpn-1
crypto map apex-map 1 set peer Apex
crypto map apex-map 1 set transform-set ESP-3DES-SHA
crypto map apex-map 1 set security-association lifetime seconds 28800 kilobytes 128000
crypto map apex-map interface outside

isakmp key ********** address Apex netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800

Author Comment by: David Haycox
Correction: the line
crypto map apex-map interface outside
broke the existing VPNs, as you can only have one crypto map per interface.  Here's the correct config:
name xxx.xxx.xxx.xxx Apex
name 192.168.2.0 apex-net-1
name xxx.xxx.xxx.xxx Local-WAN

access-list inside_outbound_nat0_acl permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0
access-list apex-vpn-1 permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0

crypto map outside-map 20 ipsec-isakmp
crypto map outside-map 20 match address apex-vpn-1
crypto map outside-map 20 set peer Apex
crypto map outside-map 20 set transform-set ESP-3DES-SHA
crypto map outside-map 20 set security-association lifetime seconds 28800 kilobytes 128000

isakmp key ********** address Apex netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800

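Both configuration mistakes the thread works through (binding a second crypto map to the interface, which displaces the one already there so its entries are never consulted, and a map entry whose phase 2 parameters did not line up with the peer) can be caught by reading the config before it is pushed. The Python below is an added example and not code from the thread or from Cisco; it parses a constructed PIX 6.x excerpt (peer and ACL names are placeholders), reports crypto map entries that can never take effect, and looks up which isakmp policy, if any, equals a peer's phase 1 proposal.

```python
"""Added example, not from the thread: sanity-check a PIX 6.x crypto config for
the problems this thread ran into. Names and addresses are placeholders."""
import re

# Constructed excerpt: 'apex-map' is never bound to the interface; 'outside-map 15' has no transform set.
CONFIG = """\
crypto map apex-map 1 ipsec-isakmp
crypto map apex-map 1 match address apex-vpn-1
crypto map apex-map 1 set peer Apex
crypto map apex-map 1 set transform-set ESP-3DES-SHA
crypto map outside-map 15 ipsec-isakmp
crypto map outside-map 15 match address apex-vpn-1
crypto map outside-map 15 set peer Apex
crypto map outside-map interface outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
"""

def parse(config):
    """Return (crypto map entries by (name, seq), interface -> map name, isakmp policies)."""
    maps, bound, policies = {}, {}, {}
    for line in config.splitlines():
        if m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m.group(2)] = m.group(1)
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            maps.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
        elif m := re.match(r"isakmp policy (\d+) (\w+) (\S+)", line):
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return maps, bound, policies

def audit(config):
    """List map entries that can never protect traffic: unbound maps and incomplete entries."""
    maps, bound, _ = parse(config)
    findings = []
    for (name, seq), entry in sorted(maps.items()):
        if name not in bound.values():  # only the map bound to an interface is consulted
            findings.append(f"{name} {seq}: crypto map not bound to any interface")
        for field in ("match address", "set peer", "set transform-set"):
            if field not in entry:
                findings.append(f"{name} {seq}: missing '{field}'")
    return findings

def phase1_match(config, proposal):
    """Lowest-numbered isakmp policy whose attributes equal the peer's phase 1 proposal, or None."""
    policies = parse(config)[2]
    for num in sorted(policies):
        if all(policies[num].get(k) == v for k, v in proposal.items()):
            return num
    return None
```

Run audit(CONFIG) against a real config export to see which peers have a map entry that will never be used; the phase 1 lookup only compares the attributes you pass, so lifetime (which IKEv1 peers negotiate rather than require equal) can be left out of the proposal.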
 
Author Closing Comment by: David Haycox
Solved problem myself.