04-02-2015 04:14 PM - edited 03-11-2019 10:43 PM
HI all,
This is the link
http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC
Thanks all.
04-03-2015 07:51 PM
Hi,
Can you provide the "show run" from the PIX?
Also share the output of "show crypto isakmp sa" and "show crypto ipsec sa" when you try to ping the destination network.
Please see this link for more information:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/6211-38.html
Thanks
Pranay
04-04-2015 04:06 AM
But I have this
pixfirewall# Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, processing SA payload
Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, All SA proposals found unacceptable
Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, Error processing payload: Payload ID: 1
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, IKE MM Responder FSM error history (struct &0x29452c8) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, IKE SA MM:e430d1d0 terminating: flags 0x01000002,
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, sending delete/delete with reason message
Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, Removing peer from peer table failed, no match!
Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, Error: Unable to remove PeerTblEntry
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, processing SA payload
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, All SA proposals found unacceptable
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, Error processing payload: Payload ID: 1
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, IKE MM Responder FSM error history (struct &0x29452c8) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, IKE SA MM:afe0d7b0 terminating: flags 0x01000002,
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, sending delete/delete with reason message
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, Removing peer from peer table failed, no match!
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, Error: Unable to remove PeerTblEntry
Thanks.
04-04-2015 04:09 AM
Well there are typos in that link.
For example, the crypto map ACL in that link is
access-list myacl permit ip 172.22.2.0 255.255.255.0 172.22.2.0 255.255.255.0
which clearly doesn't make sense.
Which end are you testing from, and how are you testing, i.e. are you pinging, etc.?
If you want help then please post your configuration as asked, because based on that link it could be wrong if you just did a straight translation to your firewall.
Jon
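The ACE Jon quotes has the same network as source and destination, and a MikroTik/PIX pair also needs the two phase 2 selectors to be exact mirror images of each other (the same check matters later in the thread, once phase 1 is up and only the inside-to-inside ping fails). The following is an added example, not code from the thread or from either linked document: it parses one PIX/ASA crypto-map ACE (PIX ACLs use subnet masks, not IOS wildcard masks) and one MikroTik policy written as `src-address=A/N dst-address=B/M` (that print format is an assumption here), and reports overlapping or non-mirrored selectors. The 192.168.88.0/24 network in the corrected pair is a constructed MikroTik LAN, not one from the thread.

```python
"""Mirror-image check for IPsec phase 2 selectors on a PIX/MikroTik pair.

Added example, not from the thread or the linked documents. Parses one PIX
'access-list NAME permit ip SRC MASK DST MASK' entry and one MikroTik policy
of the form 'src-address=A/N dst-address=B/M' (assumed format) and checks
that each side's selector makes sense and that the two sides mirror each other.
"""
import ipaddress
import re

PIX_ACE_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)"
)
ROS_POLICY_RE = re.compile(
    r"src-address=(?P<src>[\d./]+)\s+dst-address=(?P<dst>[\d./]+)"
)


def parse_pix_ace(line):
    """Return (src_net, dst_net) from a PIX 'permit ip' ACE with subnet masks."""
    m = PIX_ACE_RE.search(line)
    if not m:
        raise ValueError("not a PIX 'permit ip' ACE: %r" % line)
    # ipaddress accepts 'address/netmask' as well as 'address/prefixlen'.
    src = ipaddress.ip_network("%s/%s" % (m["src"], m["smask"]), strict=False)
    dst = ipaddress.ip_network("%s/%s" % (m["dst"], m["dmask"]), strict=False)
    return src, dst


def parse_ros_policy(line):
    """Return (src_net, dst_net) from a 'src-address=... dst-address=...' policy."""
    m = ROS_POLICY_RE.search(line)
    if not m:
        raise ValueError("not a src-address/dst-address policy: %r" % line)
    return (ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False))


def check_proxy_ids(pix_line, ros_line):
    """Return a list of problems; an empty list means the selectors agree."""
    problems = []
    pix_src, pix_dst = parse_pix_ace(pix_line)
    ros_src, ros_dst = parse_ros_policy(ros_line)
    # Each side on its own: a selector from a network to itself (the wiki
    # ACE quoted above) never describes site-to-site traffic.
    for side, (s, d) in (("PIX", (pix_src, pix_dst)),
                         ("MikroTik", (ros_src, ros_dst))):
        if s.overlaps(d):
            problems.append("%s: source %s and destination %s overlap" % (side, s, d))
    # Across sides: the MikroTik policy must be the exact reverse of the PIX
    # ACE, otherwise quick mode fails with a proxy-ID mismatch.
    if (pix_src, pix_dst) != (ros_dst, ros_src):
        problems.append("not mirror images: PIX %s -> %s, MikroTik %s -> %s"
                        % (pix_src, pix_dst, ros_src, ros_dst))
    return problems


# The ACE quoted from the wiki page above, with a MikroTik policy written
# the same (wrong) way.
WIKI_ACE = "access-list myacl permit ip 172.22.2.0 255.255.255.0 172.22.2.0 255.255.255.0"
WIKI_ROS = "src-address=172.22.2.0/24 dst-address=172.22.2.0/24"

# A constructed corrected pair; 192.168.88.0/24 is an assumed MikroTik LAN.
GOOD_ACE = "access-list myacl permit ip 172.22.2.0 255.255.255.0 192.168.88.0 255.255.255.0"
GOOD_ROS = "src-address=192.168.88.0/24 dst-address=172.22.2.0/24"

if __name__ == "__main__":
    for ace, ros in ((WIKI_ACE, WIKI_ROS), (GOOD_ACE, GOOD_ROS)):
        print(ace, "|", ros)
        print("  ->", check_proxy_ids(ace, ros) or "OK")
```

The overlap test uses `overlaps()` rather than equality so that a selector like 172.22.0.0/16 -> 172.22.2.0/24 is flagged as well; the mirror test is strict equality because a PIX acting as responder compares the initiator's proxy IDs against its own crypto ACL reversed.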
04-04-2015 07:11 AM
Hi all,
Here is the sh run for my Pix.
pixfirewall# sh run
: Saved
:
PIX Version 7.2
!
!
!
!
!
!
!
passwd 2KFQnbNIdI.2KYOU encrypted
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
pre-shared-key *
!
!
Cryptochecksum:17b3d21f08f0cb92f7270d12594ec75a
: end
pixfirewall#
04-05-2015 06:18 AM
Hi all,
1 IKE Peer: 1.1.1.1
Type
Rekey
2 IKE Peer: 1.1.1.1
Type
Rekey
3 IKE Peer: 1.1.1.1
Type
Rekey
I changed in both device the
!
!
!
!
!
!
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:7ff1118c7dc9b3dfdba57771486733ff
: end
Thanks.
04-05-2015 07:43 AM
MM5 still suggests the other end is not authenticating the pre-shared key; take a debug of "crypto isakmp sa" on both the router and the PIX and see why it fails.
04-05-2015 08:01 AM
Hello Pranay.
This is the output of the debug.
pixfirewall# Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0x2929a98) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:76089618 terminating: flags 0x01004002,
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing
Apr 05 14:58:59 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=4e03b73e) with payloads
Apr 05 14:58:59 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from peer table failed, no match!
Apr 05 14:58:59 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Error: Unable to remove PeerTblEntry
Apr 05 14:59:06 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, processing SA payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Received Cisco Unity client VID
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Received DPD VID
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, processing IKE SA payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Apr 05 14:59:06 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Apr 05 14:59:07 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 05 14:59:07 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Apr 05 14:59:07 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
Apr 05 14:59:07 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
no deApr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0x292bd58) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:7b8ec6f4 terminating: flags 0x01004002, refcnt 0, tuncnt 0
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Apr 05 14:59:09 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=a5821508) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Apr 05 14:59:09 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from peer table failed, no match!
Apr 05 14:59:09 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Error: Unable to remove PeerTblEntry
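The two debug captures in this thread show two different main-mode failures: on April 4 the PIX rejects the proposal ("All SA proposals found unacceptable", FSM dying in MM_START), and on April 5 the proposal matches and keys are generated, but the FSM history ends in MM_WAIT_MSG5 with EV_TIMEOUT and EV_PROB_AUTH_FAIL after message 4 was resent. The script below is an added example, not code from the thread: it groups PIX/ASA `debug crypto isakmp` lines by peer and classifies them into those two stages. The sample lines are abridged copies of the two captures posted above; the function names and diagnosis strings are mine, and the readings are the usual ones for a PIX/ASA responder (a policy mismatch for the first, and for the second either a pre-shared-key mismatch or a peer that stops answering after message 4).

```python
"""Triage of PIX/ASA 'debug crypto isakmp' output for IKEv1 main mode.

Added example, not from the thread. Sample lines are abridged copies of the
captures posted above; names and diagnosis text are the author's own.
"""
import re

IP_RE = re.compile(r"\bIP = (?P<ip>\d+\.\d+\.\d+\.\d+)")
FSM_RE = re.compile(r"FSM error history .*?<state>, <event>: (?P<hist>.+)$")
POLICY_RE = re.compile(r"acceptable Matches global IKE entry # (?P<n>\d+)")
TG_RE = re.compile(r"Connection landed on tunnel_group (?P<tg>\S+)")


def parse_fsm_history(hist):
    """'MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_TIMEOUT' -> [(state, event), ...].

    The PIX prints the history newest first, so index 0 is the terminal
    MM_DONE/EV_ERROR pair and index 1 is where the exchange actually died.
    """
    pairs = []
    for chunk in hist.split("-->"):
        state, _, event = chunk.partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs


def diagnose(lines):
    """Group debug lines by peer IP and classify why main mode failed."""
    facts = {}
    for line in lines:
        m = IP_RE.search(line)
        if not m:
            continue
        f = facts.setdefault(m["ip"], {"rejected": False, "fsm": [],
                                       "policy": None, "tunnel_group": None})
        if "All SA proposals found unacceptable" in line:
            f["rejected"] = True
        pm = POLICY_RE.search(line)
        if pm:
            f["policy"] = int(pm["n"])  # internal index, not the policy number
        tg = TG_RE.search(line)
        if tg:
            f["tunnel_group"] = tg["tg"]
        fm = FSM_RE.search(line)
        if fm:
            f["fsm"] = parse_fsm_history(fm["hist"])

    result = {}
    for ip, f in facts.items():
        states = [s for s, _ in f["fsm"]]
        events = [e for _, e in f["fsm"]]
        if f["rejected"]:
            stage = "phase1_proposal_rejected"
            hint = ("no 'crypto isakmp policy' matches the peer's proposal; "
                    "compare encryption, hash, DH group, auth method and lifetime")
        elif "MM_WAIT_MSG5" in states and "EV_PROB_AUTH_FAIL" in events:
            stage = "msg5_auth_fail"
            hint = ("phase 1 policy matched (global IKE entry %s) but no valid "
                    "message 5 arrived; check the pre-shared key on both ends "
                    "and that the peer receives message 4" % f["policy"])
        elif len(f["fsm"]) > 1:
            stage = "other"
            hint = "main mode died in %s on %s" % f["fsm"][1]
        else:
            stage = "no_error"
            hint = ""
        result[ip] = {"stage": stage, "matched_policy": f["policy"],
                      "tunnel_group": f["tunnel_group"], "hint": hint}
    return result


# Abridged copies of the two captures posted in the thread.
APR04_LINES = [
    "Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads",
    "Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, processing SA payload",
    "Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, All SA proposals found unacceptable",
    "Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, Error processing payload: Payload ID: 1",
    "Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, IKE MM Responder FSM error history (struct &0x29452c8) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM",
]
APR05_LINES = [
    "Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable",
    "Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3",
    "Apr 05 14:59:07 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1",
    "Apr 05 14:59:07 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...",
    "Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0x292bd58) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG",
]

if __name__ == "__main__":
    for name, lines in (("Apr 04", APR04_LINES), ("Apr 05", APR05_LINES)):
        for ip, r in diagnose(lines).items():
            print("%s peer %s: %s - %s" % (name, ip, r["stage"], r["hint"]))
```

Because the responder never sees message 5 being accepted in the second case, the PIX debug alone cannot tell a wrong pre-shared key from a peer that drops message 4; the MikroTik side's IPsec log (whether it reports sending message 5 at all) is what separates the two, which is why the thread asks for debugs on both ends.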
04-05-2015 08:58 AM
Well, not sure why the other end is not responding to authentication. Is there any firewall in between the router and the firewall? Also, can you share the router's config? I can test it in my lab.
04-05-2015 09:41 AM
They are connected directly.
And this is the document
http://gregsowell.com/wp-content/uploads/2009/12/GregSowell-mikrotik-vpn1.pdf
No firewall or router in the middle.
Thanks.
04-05-2015 02:54 PM
Well, the config on the PIX seems to be okay. I would suggest reconfiguring the pre-shared key (both sides should match) and doing a "clear crypto isakmp" on the PIX, then testing again.
If you have a support contract, you may open a TAC case.
04-05-2015 03:05 PM
Hello Pranay,
I will open a case, but I
Thanks for all your help and support.
04-09-2015 06:25 AM
Hello Pranay,
I finally got phase 1 of the connection to work, but now the issue is I can't ping from inside to inside of the
Thanks.
04-09-2015 07:13 AM
Do you see the IPsec tunnel created?
show crypto ipsec sa
04-09-2015 07:39 AM
IKE Peer: 1.1.1.1
Type
Rekey
The issue is that the ping between the inside addresses is not working.