Oh I see. I am using Cisco PIX Security Appliance Software Version 7.0(6). I
think I don't need this command, right?
On Fri, Jun 19, 2009 at 4:26 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Ali,
>
> It's the default in ASA, or at least I believe it ties to the L2L peer
> configuration when you set up ISAKMP keys. With the PIX, pre 7.x code, it's
> used to indicate that the tunnel will be used for IPSEC. Can you post what
> version you're using on the PIX?
>
> -ryan
>
> *From:* Ali El Moussaoui [mailto:mousawi.ali_at_gmail.com]
> *Sent:* Friday, June 19, 2009 9:23 AM
> *To:* Ryan West
> *Cc:* alexeim73_at_gmail.com; ccielab_at_groupstudy.com
> *Subject:* Re: IPsec VPN
>
> Thanks for the nice reply ;). I am not a security expert, so would you please
> explain what this command does:
>
> crypto map OUTSIDE_MAP 20 ipsec-isakmp
>
> I got the following warning when I tried to add it to the config:
>
> WARNING: crypto map entry will be incomplete
>
> Thanks,
>
> Ali
>
> On Fri, Jun 19, 2009 at 4:11 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> Ali,
>
> I know you do not control the ASA side, but it is set up wrong and will
> never match a specific peer because the first statement is a dynamic (ANY)
> peer. As a good practice, I typically put the dyn map at the last entry,
> 65535. Also, if you're running pre 7.x code on the PIX, then you'll need to
> add the following:
>
> crypto map OUTSIDE_MAP 20 ipsec-isakmp
>
> A word of caution about your setup as well. DES can be easily cracked;
> since both of the devices support 3DES in hardware, you should never run
> DES. You also don't appear to be running any hashing algorithm either; here
> is the lowest form of encryption with hashing that I would recommend:
>
> crypto ipsec transform-set vpn esp-3des esp-md5-hmac
>
> If you find you're running a PIX with activation-keys that only support
> DES, then take 2 minutes to get it upgraded (for free):
>
> https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=119
>
> Once all those items are addressed (or before, if you don't care about
> the security), have the remote end initiate interesting traffic and put up a
> deb cry isa 2 and deb cry ipsec 2. That should give you most of the
> information you'll need to troubleshoot the issue further. If it appears
> that Phase 1 is working as expected, you can rule out keys and ISAKMP
> settings. Phase 2 is a different story: if you see hits in your logs about
> port map creation failed, you may not have configured your NAT exempts. A
> quick check for those is to make sure you have a similar entry for your
> interesting traffic in your nat (inside) 0 access-list statement.
>
> -ryan
>
> *From:* Ali El Moussaoui [mailto:mousawi.ali_at_gmail.com]
> *Sent:* Friday, June 19, 2009 3:27 AM
> *To:* alexeim73_at_gmail.com
> *Cc:* Ryan West; ccielab_at_groupstudy.com
> *Subject:* Re: IPsec VPN
>
> Thanks for the comments. I am responsible for the PIX side. I don't know why
> 10 and 5 exist; I will check with the other admin and try to wipe them if
> possible.
>
> Regards,
>
> Ali
>
> On Fri, Jun 19, 2009 at 10:12 AM, Alexei Monastyrnyi <alexeim73_at_gmail.com>
> wrote:
>
> Hi Ali.
>
> A quick observation would be to look out for "crypto map interfacemap 10
> ipsec-isakmp dynamic dynmap" on your ASA unit. Make sure you know what it is
> and its dynamic part is configured correctly. Your VPN tunnel originating
> from PIX might land on that crypto map and consequently fail if that
> crypto map is not for that tunnel/traffic.
>
> You also have "crypto map interfacemap 5" which is either incomplete or you
> haven't posted the whole one. If it is incomplete in your config, you'd
> better wipe it off.
>
> HTH,
> A.
>
> Ali El Moussaoui wrote:
>
> ASA:
> access-list vpnbey extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.248.0
> access-list vpnbey extended permit ip 192.168.3.0 255.255.255.0 192.168.40.0 255.255.248.0
> crypto ipsec transform-set dxbbey esp-des esp-none
> crypto map interfacemap 5 set security-association lifetime seconds 28800
> crypto map interfacemap 5 set security-association lifetime kilobytes 4608000
> crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
> crypto map interfacemap 20 match address vpnbey
> crypto map interfacemap 20 set peer 1.1.1.1
> crypto map interfacemap 20 set transform-set dxbbey
> crypto map interfacemap 20 set security-association lifetime seconds 28800
> crypto map interfacemap 20 set security-association lifetime kilobytes 4608000
> crypto map interfacemap interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
>  authentication pre-share
>  encryption 3des
>  hash sha
>  group 2
>  lifetime 86400
> crypto isakmp policy 20
>  authentication pre-share
>  encryption des
>  hash sha
>  group 5
>  lifetime 86400
>
> PIX:
> Show run | i crypto
> crypto ipsec transform-set DXBBEY esp-des esp-none
> crypto map OUTSIDE_MAP 20 match address VPNDXB
> crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
> crypto map OUTSIDE_MAP 20 set transform-set DXBBEY
> crypto map OUTSIDE_MAP interface OUTSIDEINT
>
> access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.100.0 255.255.255.0
> access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.3.0 255.255.255.0
>
> Note that I changed the peers' IPs ;)
>
> Ali
>
> On Thu, Jun 18, 2009 at 3:10 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> Without seeing the relevant information that Phase 2 must match on
> (interesting traffic and transform sets), it is hard to tell. Please post
> the following:
>
> If you're running post 6.3(5), you can run the ASA commands on the PIX.
>
> ASA:
> Show run crypto
> Show run access-list <insert interesting traffic ACLs>
>
> PIX:
> Show run | i crypto
> Show run | i access-list <insert interesting traffic ACLs>
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Ali El Moussaoui
> Sent: Thursday, June 18, 2009 4:47 AM
> To: ccielab_at_groupstudy.com
> Subject: IPsec VPN
>
> Hello Experts,
>
> I am building an IPsec tunnel between 2 remote sites (ASA and PIX). The
> tunnel is coming up only when the ASA initiates the communication. When the
> PIX initiates the tunnel negotiation the following error shows up:
>
> Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed,
> no match!
> Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x.
> Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
> Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No
> proposal chosen (14)
> Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
>
> Any clue about what could cause the above?
>
> Ali
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Jun 19 2009 - 16:28:01 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART
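The three problems Ryan and Alexei point out in the thread (an incomplete crypto map entry, a dynamic map ordered before the static one, and a DES transform-set with no HMAC) can be checked mechanically. The script below is an added example, not code from the thread; it parses the ASA-side "show run crypto" lines posted above (most lifetime lines dropped) and the finding wording is mine.

```python
import re

# Constructed sample: the ASA-side crypto lines posted in the thread.
ASA_CRYPTO = """\
crypto ipsec transform-set dxbbey esp-des esp-none
crypto map interfacemap 5 set security-association lifetime seconds 28800
crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
crypto map interfacemap 20 match address vpnbey
crypto map interfacemap 20 set peer 1.1.1.1
crypto map interfacemap 20 set transform-set dxbbey
crypto map interfacemap interface outside
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.*)$")
# Transforms the thread warns against: DES is weak, esp-none means no HMAC.
WEAK = {"esp-des": "single DES", "esp-none": "no HMAC integrity check"}


def audit_crypto(config):
    tsets, entries = {}, {}
    for line in config.splitlines():
        if m := TS_RE.match(line):
            tsets[m.group(1)] = m.group(2).split()
        elif m := MAP_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            e = entries.setdefault((name, seq), {})
            for prefix, key in (("ipsec-isakmp dynamic", "dynamic"), ("match address", "acl"),
                                ("set peer", "peer"), ("set transform-set", "tset")):
                if rest.startswith(prefix):
                    e[key] = rest.split()[-1]
    findings = []
    for (name, seq), e in sorted(entries.items()):
        if "dynamic" in e:
            # A dynamic (any-peer) entry evaluated before static ones catches their traffic.
            later = [s for (n, s) in entries if n == name and s > seq
                     and "dynamic" not in entries[(n, s)]]
            if later:
                findings.append(f"{name} {seq}: dynamic map precedes static "
                                f"entries {later}; move it to seq 65535")
            continue
        missing = [k for k in ("acl", "peer", "tset") if k not in e]
        if missing:
            findings.append(f"{name} {seq}: incomplete, missing {', '.join(missing)}")
            continue
        for alg in tsets.get(e["tset"], []):
            if alg in WEAK:
                findings.append(f"{name} {seq}: transform-set {e['tset']} "
                                f"uses {alg} ({WEAK[alg]})")
    return findings
```

Run against the PIX-side lines too; with pre-7.x code a static entry that never declared "ipsec-isakmp" still shows up as incomplete until the map entry is fully populated.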