Pix 515e with Mikrotik

opnineopnine (Level 1)

Hi all,

I'm trying to connect the PIX 515 to a MikroTik via an IPsec VPN, but it is not even doing Phase 1.

This is the link I'm using as a reference.

http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC

Thanks all. 

Accepted solution: Pranay Prasoon's reply below (reconfigure the pre-shared key on both sides and do a "clear crypto isakmp" on the PIX).

Pranay Prasoon (Level 3)

Hi,

Can you provide the "show run" from the PIX?

Also share the output of "show crypto isakmp sa" and "show crypto ipsec sa" when you try to ping the destination network.

 

Please see this link for more information:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/6211-38.html

Thanks,

Pranay

Hello,

The PIX config is the same as the one in the link I posted, and there is no output from the show commands.

But I have this debug:

debug crypto isakmp 127

debug crypto ipsec 127

pixfirewall# Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, processing SA payload
Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, All SA proposals found unacceptable
Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, Error processing payload: Payload ID: 1
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, IKE MM Responder FSM error history (struct &0x29452c8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, IKE SA MM:e430d1d0 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, sending delete/delete with reason message
Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, Removing peer from peer table failed, no match!
Apr 04 11:05:40 [IKEv1]: IP = 1.0.0.2, Error: Unable to remove PeerTblEntry
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, processing SA payload
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, All SA proposals found unacceptable
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, Error processing payload: Payload ID: 1
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, IKE MM Responder FSM error history (struct &0x29452c8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, IKE SA MM:afe0d7b0 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Apr 04 11:05:50 [IKEv1 DEBUG]: IP = 1.0.0.2, sending delete/delete with reason message
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, Removing peer from peer table failed, no match!
Apr 04 11:05:50 [IKEv1]: IP = 1.0.0.2, Error: Unable to remove PeerTblEntry

Thanks.

Well, there are typos in that link.

For example, the crypto map ACL in that link is:

access-list myacl permit ip 172.22.2.0 255.255.255.0 172.22.2.0 255.255.255.0

which clearly doesn't make sense.

Which end are you testing from, and how are you testing, i.e. are you pinging, etc.?

If you want help then please post your configuration as asked, because based on that link it could be wrong if you just did a straight translation to your firewall.

Jon

Hi all,

Here is the sh run for my PIX. What I'm doing is: from a PC on my PIX-side network I try to ping and Telnet a PC on the MikroTik side; I tried the other way around and have the same issue.

pixfirewall# sh run
: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 2.0.0.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.22.2.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list myacl extended permit ip 172.22.2.0 255.255.255.0 172.22.2.0 255.255.255.0
access-list nonat extended permit ip 172.22.2.0 255.255.255.0 172.22.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 2.0.0.3
nat (inside) 0 access-list nonat
nat (inside) 1 172.22.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 2.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mymap 21 match address myacl
crypto map mymap 21 set peer 1.0.0.2
crypto map mymap 21 set transform-set ESP-AES-128-SHA
crypto map mymap 21 set security-association lifetime seconds 1800
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.0.0.2 type ipsec-l2l
tunnel-group 1.0.0.2 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:17b3d21f08f0cb92f7270d12594ec75a
: end
pixfirewall#

Hi all,

Now I have this after some changes:

1   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
2   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
3   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5

I changed the pre-shared key on both devices to be sure they were the same.

hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252
!
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat_outbound remark PAT all out
access-list inside_nat_outbound extended permit ip 192.168.2.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list inside_nat0_outbound
nat (Inside) 1 access-list inside_nat_outbound
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 1.1.1.1
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:7ff1118c7dc9b3dfdba57771486733ff
: end

Thanks.

MM5 still suggests the other end is not authenticating the pre-shared key; take a debug of "crypto isakmp sa" on both the router and the PIX and see why it fails.
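As an added example (not from this thread, from Cisco or from MikroTik), a small Python triage script that reads PIX "debug crypto isakmp" lines like the two captures posted above and names the Phase 1 step at which each peer failed: "All SA proposals found unacceptable" (the first capture, MSG1 rejected) versus "EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5" (the second capture, no valid MSG5 after the responder's MSG4). The sample lines are constructed in the shape of those captures, and the advice strings are my own wording of the diagnosis given in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the two PIX "debug crypto isakmp" captures
# in this thread: one line per failure mode, plus one healthy line.
SAMPLE_LOG = """\
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, processing SA payload
Apr 04 11:05:40 [IKEv1 DEBUG]: IP = 1.0.0.2, All SA proposals found unacceptable
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0x292bd58)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_SND_MSG4, NullEvent
"""
PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")
# Marker text from the PIX debug paired with the verdict a defender draws from it;
# listed from most to least severe so diagnose() can pick the worst one per peer.
RULES = (
    ("EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5", "phase1_auth_failed"),
    ("All SA proposals found unacceptable", "phase1_policy_mismatch"),
    ("Oakley proposal is acceptable", "phase1_policy_ok"),
)
ADVICE = {
    "phase1_auth_failed": "MSG4 sent but no valid MSG5 arrived: PSK or peer identity mismatch; re-enter the PSK on both sides, then clear crypto isakmp.",
    "phase1_policy_mismatch": "MSG1 rejected: no 'crypto isakmp policy' matches the peer's encryption/hash/DH group/auth; compare both Phase 1 proposals.",
    "phase1_policy_ok": "Phase 1 proposal accepted; look at the later main-mode messages.",
}

def classify_line(line):
    """Return (peer_ip, verdict) for a debug line, or None if it carries no marker."""
    m = PEER_RE.search(line)
    if m:
        for marker, verdict in RULES:
            if marker in line:
                return m.group(1), verdict
    return None

def triage(log_text):
    """Map each peer IP to the sorted list of distinct verdicts seen for it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {peer: sorted(v) for peer, v in seen.items()}

def diagnose(log_text):
    """One advice string per peer, chosen from the most severe verdict observed."""
    severity = [verdict for _, verdict in RULES]
    return {peer: ADVICE[next(v for v in severity if v in verdicts)]
            for peer, verdicts in triage(log_text).items()}
```

Paste a full capture into `SAMPLE_LOG` (or read it from a file) and call `diagnose()` to get one verdict per peer; the "Removing peer from peer table failed" and delete-payload lines are cleanup noise and are ignored on purpose.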

Hello Pranay,

This is the output of the debug:

pixfirewall# Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0x2929a98)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:76089618 terminating:  flags 0x01004002, refcnt 0, tuncnt 0
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Apr 05 14:58:59 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Apr 05 14:58:59 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=4e03b73e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Apr 05 14:58:59 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from peer table failed, no match!
Apr 05 14:58:59 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Error: Unable to remove PeerTblEntry
Apr 05 14:59:06 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, processing SA payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Received Cisco Unity client VID
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Received DPD VID
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, processing IKE SA payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 3
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
Apr 05 14:59:06 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Apr 05 14:59:06 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Apr 05 14:59:07 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
Apr 05 14:59:07 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 05 14:59:07 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Apr 05 14:59:07 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
Apr 05 14:59:07 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
no deApr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0x292bd58)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:7b8ec6f4 terminating:  flags 0x01004002, refcnt 0, tuncnt 0
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Apr 05 14:59:09 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Apr 05 14:59:09 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=a5821508) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Apr 05 14:59:09 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from peer table failed, no match!
Apr 05 14:59:09 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Error: Unable to remove PeerTblEntry

Well, I'm not sure why the other end is not responding to authentication. Is there any firewall in between the router and the firewall? Also, can you share the router's config? I can test it in my lab.

They are connected directly.

And this is the document I'm using for the config:

http://gregsowell.com/wp-content/uploads/2009/12/GregSowell-mikrotik-vpn1.pdf

No firewall or router in the middle.

Thanks.

Well, the config on the PIX seems to be okay. I would suggest reconfiguring the pre-shared key (both sides should match), doing a "clear crypto isakmp" on the PIX and testing again.

If you have a support contract, you may open a TAC case.

Hello Pranay,

I will open a case, but I tried with an ASA instead of the PIX and it worked with no issue, but I will have to open a case.

Thanks for all your help and support.

Hello Pranay,

I finally got Phase 1 of the connection working, but now the issue is that I can't ping from inside to inside over the VPN.

Thanks.

Do you see the IPsec tunnel created?

show crypto ipsec sa

The tunnel was created:

IKE Peer: 1.1.1.1
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 

The issue is that the ping between the inside addresses is not working.
