RE: IPsec VPN

From: Ryan West <rwest_at_zyedge.com>
Date: Fri, 19 Jun 2009 09:39:46 -0400

Okay, that's good. Can you post the output of show ver, in particular this
section:

Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

I'll have to admit, I haven't seen a PIX running post 6.3(5) that doesn't
support 3DES-AES, but there's a first for everything. Just to double check
everything on your side, please post the following:

show run nat
show run access-list <list your nat 0 entries>
show run tunnel-group
show run isakmp

If you want to verify your key:

More system:running-config | b tunnel-group

-ryan

From: Ali El Moussaoui [mailto:mousawi.ali_at_gmail.com]
Sent: Friday, June 19, 2009 9:28 AM
To: Ryan West
Cc: alexeim73_at_gmail.com; ccielab_at_groupstudy.com
Subject: Re: IPsec VPN

Oh, I see. I am using Cisco PIX Security Appliance Software Version 7.0(6). I
think I don't need this command, right?

On Fri, Jun 19, 2009 at 4:26 PM, Ryan West <rwest_at_zyedge.com> wrote:

Ali,

It's the default in ASA, or at least I believe it ties to the L2L peer
configuration when you set up ISAKMP keys. With the PIX, pre 7.x code, it's
used to indicate that the tunnel will be used for IPSEC. Can you post what
version you're using on the PIX?

-ryan

From: Ali El Moussaoui [mailto:mousawi.ali_at_gmail.com]
Sent: Friday, June 19, 2009 9:23 AM
To: Ryan West
Cc: alexeim73_at_gmail.com; ccielab_at_groupstudy.com
Subject: Re: IPsec VPN

Thanks for the nice reply ;). I am not a security expert, so would you please
explain what this command does:

crypto map OUTSIDE_MAP 20 ipsec-isakmp

I got the following warning when I tried to add it to the config:

WARNING: crypto map entry will be incomplete

Thanks,

Ali

On Fri, Jun 19, 2009 at 4:11 PM, Ryan West <rwest_at_zyedge.com> wrote:

Ali,

I know you do not control the ASA side, but it is set up wrong and will never
match a specific peer because the first statement is a dynamic (ANY) peer. As
a good practice, I typically put the dyn map at the last entry, 65535. Also,
if you're running pre 7.x code on the PIX, then you'll need to add the
following:

crypto map OUTSIDE_MAP 20 ipsec-isakmp

A word of caution about your setup as well. DES can be easily cracked; since
both of the devices support 3DES in hardware, you should never run DES. You
also don't appear to be running any hashing algorithm. Here is the lowest
form of encryption with hashing that I would recommend:

crypto ipsec transform-set vpn esp-3des esp-md5-hmac

If you find you're running a PIX with activation-keys that only support DES,
then take 2 minutes to get it upgraded (for free):

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=119

Once all of those items are addressed (or before, if you don't care about the
security), have the remote end initiate interesting traffic and put up a 'deb
cry isa 2' and 'deb cry ipsec 2'. That should give you most of the information
you'll need to troubleshoot the issue further. If it appears that Phase 1 is
working as expected, you can rule out keys and ISAKMP settings. Phase 2 is a
different story: if you see hits in your logs about port map creation failed,
you may not have configured your NAT exempts. A quick check for those is to
make sure you have a similar entry for your interesting traffic in your 'nat
(inside) 0 access-list' statement.

-ryan

From: Ali El Moussaoui [mailto:mousawi.ali_at_gmail.com]
Sent: Friday, June 19, 2009 3:27 AM
To: alexeim73_at_gmail.com
Cc: Ryan West; ccielab_at_groupstudy.com
Subject: Re: IPsec VPN

Thanks for the comments. I am responsible for the PIX side. I don't know why 10
and 5 exist; I will check with the other admin and try to wipe them if
possible.

Regards,

Ali

On Fri, Jun 19, 2009 at 10:12 AM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:

Hi Ali.

A quick observation would be to look out for "crypto map interfacemap 10
ipsec-isakmp dynamic dynmap" on your ASA unit. Make sure you know what it is
and its dynamic part is configured correctly. Your VPN tunnel originating from
PIX might land on that crypto map and consequently fail if that crypto map
is not for that tunnel/traffic.

You also have "crypto map interfacemap 5" which is either incomplete or you
haven't posted the whole one. If it is incomplete in your config, you'd better
wipe it off.

HTH,
A.

Ali El Moussaoui wrote:

ASA:
access-list vpnbey extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.248.0
access-list vpnbey extended permit ip 192.168.3.0 255.255.255.0 192.168.40.0 255.255.248.0
crypto ipsec transform-set dxbbey esp-des esp-none
crypto map interfacemap 5 set security-association lifetime seconds 28800
crypto map interfacemap 5 set security-association lifetime kilobytes 4608000
crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
crypto map interfacemap 20 match address vpnbey
crypto map interfacemap 20 set peer 1.1.1.1
crypto map interfacemap 20 set transform-set dxbbey
crypto map interfacemap 20 set security-association lifetime seconds 28800
crypto map interfacemap 20 set security-association lifetime kilobytes 4608000
crypto map interfacemap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 5
 lifetime 86400
PIX:
Show run | i crypto
crypto ipsec transform-set DXBBEY esp-des esp-none
crypto map OUTSIDE_MAP 20 match address VPNDXB
crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 set transform-set DXBBEY
crypto map OUTSIDE_MAP interface OUTSIDEINT

access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.3.0 255.255.255.0

Note that I changed the peer IPs ;)

Ali
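The crypto map points Ryan and Alexei raise above (a dynamic entry sequenced before the static peer entry, the half-configured entry 5, and a DES transform-set with no HMAC), written up as a small lint run over an excerpt of the ASA config Ali posted. This is an added example, not code from the thread: the parser, function names and finding wording are mine, and only the `crypto map` and `crypto ipsec transform-set` lines are examined.

```python
import re

# Constructed excerpt of the ASA config posted in the thread (1.1.1.1 is the
# poster's placeholder peer); the checks mirror the points raised in the replies.
ASA_CONFIG = """\
crypto ipsec transform-set dxbbey esp-des esp-none
crypto map interfacemap 5 set security-association lifetime seconds 28800
crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
crypto map interfacemap 20 match address vpnbey
crypto map interfacemap 20 set peer 1.1.1.1
crypto map interfacemap 20 set transform-set dxbbey
"""

def parse(config):
    # transform-set name -> algorithm list; (map name, seq) -> entry fields
    tsets, entries = {}, {}
    for line in config.splitlines():
        ts = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        cm = re.match(r"crypto map (\S+) (\d+) (.+)", line)
        if ts:
            tsets[ts.group(1)] = ts.group(2).split()
        elif cm:
            e = entries.setdefault((cm.group(1), int(cm.group(2))), {})
            w = cm.group(3).split()
            if w[:2] == ["ipsec-isakmp", "dynamic"]:
                e["dynamic"] = w[2]
            elif w[:2] in (["match", "address"], ["set", "peer"], ["set", "transform-set"]):
                e[w[1]] = w[2]  # keys: address, peer, transform-set
    return tsets, entries

def lint(config):
    tsets, entries = parse(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        if "dynamic" in e:  # dynamic maps are judged by their position only
            continue
        if not all(k in e for k in ("address", "peer", "transform-set")):
            findings.append(f"{name} {seq}: incomplete entry, wipe it or finish it")
            continue
        dyn = [s for (n, s), x in entries.items() if n == name and "dynamic" in x and s < seq]
        if dyn:
            findings.append(f"{name} {seq}: dynamic entry {min(dyn)} precedes it, put the dynamic map last (65535)")
        algs = tsets.get(e["transform-set"], [])
        if "esp-des" in algs:
            findings.append(f"{name} {seq}: transform-set {e['transform-set']} uses DES, use esp-3des or AES")
        if not any(a.endswith("-hmac") for a in algs):
            findings.append(f"{name} {seq}: transform-set {e['transform-set']} has no HMAC, add esp-md5-hmac or esp-sha-hmac")
    return findings
```

Running `lint(ASA_CONFIG)` reports entry 5 as incomplete and three findings against entry 20; the same checks pass once the dynamic map is moved to 65535 and the transform-set is changed to `esp-3des esp-md5-hmac` as recommended above.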
On Thu, Jun 18, 2009 at 3:10 PM, Ryan West <rwest_at_zyedge.com> wrote:

Without seeing the relevant information that Phase 2 must match on
(interesting traffic and transform sets), it is hard to tell. Please post
the following:

If you're running post 6.3(5), you can run the ASA commands on the PIX.

ASA:
Show run crypto
Show run access-list <insert interesting traffic ACLs>

PIX:
Show run | i crypto
Show run | i access-list <insert interesting traffic ACLs>

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Ali El Moussaoui
Sent: Thursday, June 18, 2009 4:47 AM
To: ccielab_at_groupstudy.com
Subject: IPsec VPN

Hello Experts,

I am building an IPsec tunnel between 2 remote sites (ASA and PIX). The
tunnel is coming up only when the ASA initiates the communication. When the
PIX initiates the tunnel negotiation, the following error shows up:

Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

Any clue about what could cause the above?

Ali

Received on Fri Jun 19 2009 - 09:39:46 ART
