Solved

VPN between Cisco Pix 515E and Firebox XTM515

Posted on 2016-07-29
Last Modified: 2016-11-06
We are trying to set up a VPN between these two devices.  These are the Firebox settings:

[Screenshots: Firebox Gateway General Settings; Firebox Gateway Phase1 Settings; Firebox Tunnel 1; Firebox Gateway Phase1 Transform; Firebox tunnel phase2]
On the Pix side, we have (only showing the relevant sections, can post whole config if requested):
name xxx.xxx.xxx.xxx Apex
name 192.168.2.0 apex-net-1

access-list apex-vpn-1 permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0
sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map 5 ipsec-isakmp
crypto map outside-map 5 match address edenhouse-vpn-2
crypto map outside-map 5 set peer EdenHouse3
crypto map outside-map 5 set transform-set ESP-3DES-SHA
crypto map outside-map 10 ipsec-isakmp
crypto map outside-map 10 match address edenhouse-vpn-1
crypto map outside-map 10 set peer EdenHouse2
crypto map outside-map 10 set transform-set ESP-3DES-SHA
crypto map outside-map 15 ipsec-isakmp
crypto map outside-map 15 match address apex-vpn-1
crypto map outside-map 15 set peer Apex
crypto map outside-map 15 set transform-set ESP-DES-SHA
crypto map outside-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address SAP2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address EdenHouse2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address EdenHouse3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address Apex netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400

The ISAKMP SA is created, but the tunnel is not.  Debug crypto ipsec / isakmp sa shows:
crypto_isakmp_process_block: src Apex, dest [IP address removed]
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 23
ISAKMP (0): Total payload length: 27
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Apex, dest [IP address removed]
ISAKMP: reserved not zero on payload 5!

What settings must we alter to make the tunnel connect?  Thanks in advance for any assistance.
Question by: David Haycox

16 Comments
Expert Comment by: John Hurst (ID: 41734601)
I do not use this particular VPN (I use Juniper)

1. Edit Gateway says DH Group 1 whereas Phase 1 Transform says DH Group 2. Use Group 2 and make it consistent everywhere.

2. Make sure Phase 2 is the same as Phase 1.

3. Try NAT Traversal ON (as you have it) and then OFF.

4. Your gateway addresses should likely be subnets, not a single IP address (so you can see all devices).
Expert Comment by: John Hurst (ID: 41734622)
Also (obvious VPN check): The subnets on each end cannot be the same.  That is, you cannot have 192.168.25.x on each end.
Author Comment by: David Haycox (ID: 41734638)
Hi John,

1. It does actually match, I just took the screen shot while it was set incorrectly, sorry.  They're both on group 2.

2. Why does phase 1 need to have the same settings as phase 2?  I'm sure I've had VPNs working in the past with DES for phase 1 and 3DES for phase 2.  In any case my initial settings were both on 3DES, I only changed them when it didn't work like that (same problem).

3. Will try this, but isn't that just to do with traffic passing over the tunnel, rather than the tunnel being connected in the first place?

4. I don't follow, why would a gateway be a subnet?  It's a device with a single IP, surely?

And yes, the subnets are different at both ends.
Expert Comment by: John Hurst (ID: 41734649)
I keep basic Phase 1 and 2 settings the same to make things simple.

So use 3DES both phases, NO PFS, DH Group 2 on Phase 1 and SHA1 both phases.

Re: Subnet: Your gateway and routers are IPs and your device is another IP. So you need to allow for more than one IP and I use a subnet internally. Again, keep it simple.
Author Comment by: David Haycox (ID: 41734651)
Thanks, I'll give that a try.

Does anyone have any specific tips on the Cisco debug errors below?

crypto_isakmp_process_block: src Apex, dest [IP address removed]
ISAKMP: reserved not zero on payload 5!

Expert Comment by: SIM50 (ID: 41734827)
Can you post full debug?
Please post sh cry isakmp sa and sh cry ipsec sa
Author Comment by: David Haycox (ID: 41737087)
Sure, here you go.  Ignore the "Edenhouse" stuff, that's for a different VPN.  Have just replaced the Internet IP addresses below.  Here's the SH CRY ISAKMP SA:

Total     : 17
Embryonic : 0
        dst             src          state       pending    created
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]             Apex    QM_IDLE         0           0
   [REMOTE IP]       EdenHouse3    QM_IDLE         0          21


And here's the SH CRY IPSEC SA:
interface: outside
    Crypto map tag: outside-map, local addr. [WAN IP ADDRESS]

   local  ident (addr/mask/prot/port): (net-151/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.247.67.0/255.255.255.0/0/0)
   current_peer: EdenHouse2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [WAN IP ADDRESS], remote crypto endpt.: EdenHouse2
     path mtu 1440, ipsec overhead 0, media mtu 1440
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (net-151/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.246.67.0/255.255.255.0/0/0)
   current_peer: EdenHouse2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [WAN IP ADDRESS], remote crypto endpt.: EdenHouse2
     path mtu 1440, ipsec overhead 0, media mtu 1440
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (net-151/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.247.68.0/255.255.255.0/0/0)
   current_peer: EdenHouse3
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4109, #pkts encrypt: 4109, #pkts digest 4109
    #pkts decaps: 4118, #pkts decrypt: 4118, #pkts verify 4118
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [WAN IP ADDRESS], remote crypto endpt.: EdenHouse3
     path mtu 1440, ipsec overhead 56, media mtu 1440
     current outbound spi: 8c49f37

     inbound esp sas:
      spi: 0x3f461cfd(1061559549)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: outside-map
        sa timing: remaining key lifetime (k/sec): (4608000/3486)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x8c49f37(147103543)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: outside-map
        sa timing: remaining key lifetime (k/sec): (4608000/3486)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (net-151/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.246.68.0/255.255.255.0/0/0)
   current_peer: EdenHouse3
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 59, #pkts encrypt: 59, #pkts digest 59
    #pkts decaps: 70, #pkts decrypt: 70, #pkts verify 70
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [WAN IP ADDRESS], remote crypto endpt.: EdenHouse3
     path mtu 1440, ipsec overhead 56, media mtu 1440
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


So it looks as if there is a successful ISAKMP SA but nothing relating to the IPSEC SA on the VPN we're talking about here - I think.
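The pattern in the output above (the peer's phase 1 entries all at QM_IDLE, but no IPsec SA at all for its proxy IDs) is what a small script can pull out of a long "show cry ipsec sa" dump. The following is an added example, not part of the thread: it parses both show commands in the format the thread shows and reports, per peer and proxy-ID pair, which phase is missing. The two captures inside it are constructed with documentation addresses (198.51.100.1 as the local WAN, 203.0.113.10 and 203.0.113.20 as peers), not the poster's, and the "stale phase 1 SA" note generalises the author's observation of many QM_IDLE rows with created 0.

```python
"""Summarise PIX 'show crypto isakmp sa' / 'show crypto ipsec sa' output per
peer and say which phase is missing. Added example, not from the thread; both
captures below are constructed in the thread's format with documentation
addresses in place of the poster's."""
import re
from collections import defaultdict

ISAKMP_SA = """
Total     : 3
Embryonic : 0
        dst             src          state       pending    created
   198.51.100.1    203.0.113.10    QM_IDLE         0           0
   198.51.100.1    203.0.113.10    QM_IDLE         0           0
   198.51.100.1    203.0.113.20    QM_IDLE         0           2
"""

IPSEC_SA = """
   local  ident (addr/mask/prot/port): (10.151.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.254.0/0/0)
   current_peer: 203.0.113.10
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     current outbound spi: 0
     inbound esp sas:
     outbound esp sas:

   local  ident (addr/mask/prot/port): (10.151.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.247.68.0/255.255.255.0/0/0)
   current_peer: 203.0.113.20
    #pkts encaps: 4109, #pkts encrypt: 4109, #pkts digest 4109
    #pkts decaps: 4118, #pkts decrypt: 4118, #pkts verify 4118
     current outbound spi: 8c49f37
     inbound esp sas:
      spi: 0x3f461cfd(1061559549)
     inbound ah sas:
     outbound esp sas:
      spi: 0x8c49f37(147103543)
"""

# One phase 1 table row: dst src state pending created
ISAKMP_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s*$")


def parse_isakmp_sa(text):
    """Group phase 1 SAs by the src column (the remote peer, as the thread confirms)."""
    peers = defaultdict(lambda: {"sas": 0, "created": 0, "states": set()})
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m:
            _dst, src, state, _pending, created = m.groups()
            peers[src]["sas"] += 1
            peers[src]["created"] += int(created)
            peers[src]["states"].add(state)
    return dict(peers)


def parse_ipsec_sa(text):
    """One record per local/remote proxy-ID pair, with counters and ESP SPIs."""
    flows, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("local  ident") or s.startswith("local ident"):
            cur = {"remote": None, "peer": None, "encaps": 0, "decaps": 0,
                   "inbound_spi": [], "outbound_spi": []}
            flows.append(cur)
            section = None
        elif cur is None:
            continue
        elif s.startswith("remote ident"):
            cur["remote"] = s.split(":", 1)[1].strip()
        elif s.startswith("current_peer:"):
            cur["peer"] = s.split(":", 1)[1].strip()
        elif s.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"encaps:\s*(\d+)", s).group(1))
        elif s.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"decaps:\s*(\d+)", s).group(1))
        elif s.endswith("esp sas:"):
            section = "inbound_spi" if s.startswith("inbound") else "outbound_spi"
        elif s.endswith("sas:"):            # ah / pcp sections: ignore their SPIs
            section = None
        elif s.startswith("spi:") and section:
            cur[section].append(s.split()[1].split("(")[0])
    return flows


def diagnose(isakmp, flows):
    """Map (peer, remote proxy ID) to a verdict on which phase is missing."""
    report = {}
    for f in flows:
        p1 = isakmp.get(f["peer"])
        if f["inbound_spi"] and f["outbound_spi"]:
            v = "up" if f["encaps"] and f["decaps"] else "SA present but traffic is one-way"
        elif p1 and "QM_IDLE" in p1["states"]:
            v = "phase 1 QM_IDLE but no IPsec SA: check phase 2 proposal, proxy IDs/ACL, lifetimes"
            if p1["sas"] > 1 and p1["created"] == 0:    # the pattern seen in the thread
                v += f" ({p1['sas']} stale phase 1 SAs, none ever created a phase 2 SA)"
        else:
            v = "no phase 1 SA: check ISAKMP policy and pre-shared key"
        report[(f["peer"], f["remote"])] = v
    return report


if __name__ == "__main__":
    for key, verdict in diagnose(parse_isakmp_sa(ISAKMP_SA), parse_ipsec_sa(IPSEC_SA)).items():
        print(key, "->", verdict)
```

Feed it the real output of both commands (with the Edenhouse entries left in; they are simply reported as "up") and the Apex proxy-ID pair comes out as "phase 1 QM_IDLE but no IPsec SA", which narrows the search to the phase 2 proposal, the proxy IDs on both sides, and the SA lifetimes, as the accepted answer later found.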
 
Expert Comment by: SIM50 (ID: 41737383)
According to Cisco documentation, that debug error means ISAKMP keys don't match.
Link: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#zero
Author Comment by: David Haycox (ID: 41737390)
Yes indeed, first thing I checked... but they do match.  I'm assuming we're talking about the pre-shared keys here.  Even tried it temporarily with "test" as the key (in case it didn't like some of the non-alphanumeric characters), no change.
Expert Comment by: Pete Long (ID: 41737417)
Keys should be OK, all your phase 1 states are at QM_IDLE (ISAKMP Quick mode established and waiting for traffic)

I'm confused which is the matching cryptomap on the phase two output

Post

show run cry ipse sa peer xxx.xxx.xxx.xxx

Where peer xxx.xxx.xxx.xxx is the problematic tunnel?

I'm guessing your broken tunnel is the Apex one? If not then your transform set is incorrect.

Pete
Author Comment by: David Haycox (ID: 41737451)
The cryptomap for this tunnel is (or should be):
crypto map outside-map 15 ipsec-isakmp
crypto map outside-map 15 match address apex-vpn-1
crypto map outside-map 15 set peer Apex
crypto map outside-map 15 set transform-set ESP-DES-SHA

Yes, the Apex tunnel is the broken one.  I've added a name for the local WAN IP for ease.  Sorry, I made a mistake with the SH CRY ISAKMP SA output, it's actually the local WAN IP, not the remote one (which is Apex):
Total     : 14
Embryonic : 0
        dst             src          state       pending    created
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN             Apex    QM_IDLE         0           0
       Local-WAN       EdenHouse3    QM_IDLE         0           2

If I run "show run cry ipse sa peer xxx.xxx.xxx.xxx" it outputs the entire config.

show cry ipse sa peer xxx.xxx.xxx.xxx

gives
Pix# show cry ipsec sa peer Local-WAN
ERROR: unknown subcommand <peer>

So I'm not sure what I'm doing wrong...
Expert Comment by: Pete Long (ID: 41737484)
apologies - I just keep hammering in the commands till it works - I'm rusty on version 6

If you do a 'show cry ipsec'

then remove all the edenhouse junk

I just need to see the phase 2 output of that one tunnel, and above you posted the output for all the other tunnels, and not this one.

P
Author Comment by: David Haycox (ID: 41737543)
No trouble, I know what you mean!

"show cry ipsec" gives me:
Pix# show cry ipsec
ERROR: incomplete command
usage: [no] crypto ipsec { transform-set | security-association} ...
Type help or '?' for a list of available commands.


But if I do "show cry ipsec sa" missing out the other VPN stuff, I get nothing at all, i.e. there is no SA listed for that peer.
Accepted Solution by: David Haycox (ID: 41750122)
Here's how I made it work, plus of course amending the settings at the WatchGuard end.  I think the "security-association lifetime" line was the critical one.

name xxx.xxx.xxx.xxx Apex
name 192.168.2.0 apex-net-1
name xxx.xxx.xxx.xxx Local-WAN

access-list inside_outbound_nat0_acl permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0
access-list apex-vpn-1 permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0

crypto map apex-map 1 ipsec-isakmp
crypto map apex-map 1 match address apex-vpn-1
crypto map apex-map 1 set peer Apex
crypto map apex-map 1 set transform-set ESP-3DES-SHA
crypto map apex-map 1 set security-association lifetime seconds 28800 kilobytes 128000
crypto map apex-map interface outside

isakmp key ********** address Apex netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800

Author Comment by: David Haycox (ID: 41752501)
Correction: the line
crypto map apex-map interface outside

broke the existing VPNs, as you can only have one crypto map per interface.  Here's the correct config:
name xxx.xxx.xxx.xxx Apex
name 192.168.2.0 apex-net-1
name xxx.xxx.xxx.xxx Local-WAN

access-list inside_outbound_nat0_acl permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0
access-list apex-vpn-1 permit ip net-151 255.255.0.0 apex-net-1 255.255.254.0

crypto map outside-map 20 ipsec-isakmp
crypto map outside-map 20 match address apex-vpn-1
crypto map outside-map 20 set peer Apex
crypto map outside-map 20 set transform-set ESP-3DES-SHA
crypto map outside-map 20 set security-association lifetime seconds 28800 kilobytes 128000

isakmp key ********** address Apex netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800

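The correction above comes down to two wiring rules: one crypto map name bound to the interface, with each tunnel as its own sequence number under that map, and every entry pointing at an access-list, transform-set and keyed peer that actually exist. As an added example (not from the thread), the Python below lints a PIX 6.x-style crypto configuration for exactly those mistakes. Its SAMPLE_CONFIG is constructed with documentation addresses and hypothetical names (Orphan, ESP-AES-SHA, missing-acl, apex-map); it deliberately binds a second map to the same interface, as the first version of the fix did, and carries a map name that appears in entries but is bound to nowhere, as outside_map (underscore) does beside outside-map (hyphen) in the first posted configuration.

```python
"""Lint a PIX 6.x-style crypto configuration for wiring mistakes that keep a
crypto map entry from ever negotiating phase 2. Added example, not from the
thread; SAMPLE_CONFIG is constructed (documentation addresses, hypothetical
names) to resemble the posted configuration and its correction."""
from collections import defaultdict

SAMPLE_CONFIG = """
name 203.0.113.10 Apex
name 192.168.2.0 apex-net-1
access-list apex-vpn-1 permit ip 10.151.0.0 255.255.0.0 apex-net-1 255.255.254.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map 15 ipsec-isakmp
crypto map outside-map 15 match address apex-vpn-1
crypto map outside-map 15 set peer Apex
crypto map outside-map 15 set transform-set ESP-3DES-SHA
crypto map outside-map 15 set security-association lifetime seconds 28800 kilobytes 128000
crypto map outside-map 20 ipsec-isakmp
crypto map outside-map 20 match address missing-acl
crypto map outside-map 20 set peer Orphan
crypto map outside-map 20 set transform-set ESP-AES-SHA
crypto map outside-map interface outside
crypto map apex-map interface outside
isakmp enable outside
isakmp key ******** address Apex netmask 255.255.255.255 no-xauth no-config-mode
"""


def parse(config):
    """Collect what a crypto map entry can reference, plus the entries and bindings."""
    st = {"acls": set(), "transforms": set(), "keys": set(), "isakmp_ifaces": set(),
          "entries": defaultdict(dict), "iface_maps": defaultdict(list)}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            st["acls"].add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            st["transforms"].add(t[3])
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            st["iface_maps"][t[4]].append(t[2])            # map bound to an interface
        elif t[:2] == ["crypto", "map"] and len(t) > 4:     # static or dynamic entry
            e, rest = st["entries"][(t[2], int(t[3]))], t[4:]
            if rest[:2] == ["match", "address"]:
                e["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                e["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                e["transform"] = rest[2]
            elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
                e["dynamic"] = rest[2]                       # no static peer to check
        elif t[:2] == ["isakmp", "key"]:
            st["keys"].add(t[t.index("address") + 1])       # peer address or 'name'
        elif t[:2] == ["isakmp", "enable"]:
            st["isakmp_ifaces"].add(t[2])
    return st


def lint(st):
    """Return one line per problem; an empty list means the wiring is consistent."""
    out = []
    for iface, maps in st["iface_maps"].items():
        if len(maps) > 1:
            out.append(f"interface {iface}: {len(maps)} crypto maps bound ({', '.join(maps)}); "
                       "only one map can be bound per interface, a second binding displaces the first")
        if iface not in st["isakmp_ifaces"]:
            out.append(f"interface {iface}: crypto map bound but 'isakmp enable {iface}' is missing")
    bound = {m for maps in st["iface_maps"].values() for m in maps}
    wildcard_key = "0.0.0.0" in st["keys"]                  # 'isakmp key X address 0.0.0.0' matches any peer
    for (name, seq), e in sorted(st["entries"].items()):
        tag = f"crypto map {name} {seq}"
        if name not in bound:
            out.append(f"{tag}: map '{name}' is not bound to any interface, so this entry is inert")
        if "dynamic" in e:
            continue
        for field in ("acl", "peer", "transform"):
            if field not in e:
                out.append(f"{tag}: no {field} configured")
        if e.get("acl") and e["acl"] not in st["acls"]:
            out.append(f"{tag}: match address '{e['acl']}' refers to an undefined access-list")
        if e.get("transform") and e["transform"] not in st["transforms"]:
            out.append(f"{tag}: transform-set '{e['transform']}' is not defined")
        if e.get("peer") and e["peer"] not in st["keys"] and not wildcard_key:
            out.append(f"{tag}: no isakmp key for peer {e['peer']}")
    return out


if __name__ == "__main__":
    for finding in lint(parse(SAMPLE_CONFIG)):
        print(finding)
```

Run against a real "show run" the checks are deliberately conservative: the wildcard 0.0.0.0 key in the first posted configuration suppresses the "no isakmp key" finding for every peer, which is also why a wrong per-peer key can hide behind it. The "displaces the first" wording for the double binding is the thread's own finding, not something the script verifies on the device.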
 
Author Closing Comment by: David Haycox (ID: 41875967)
Solved problem myself.