PIX 6.2(2) VPN -> Checkpoint NG Build 52163..

masan

Hi

Having a problem with a VPN setup running a PIX that needs to connect to a FW1.

When sessions are initiated from the PIX side (my side), both the IKE and IPSec tunnels get connected and everything works fine.

IP to and from the FW1 works just fine.

When the session is initiated from the FW1 side, only the IKE part of the tunnel is established, but no IPSec. Looks like the IPSec SA is not created.

I am then not able to initiate a new connection from the PIX network, since the IKE session is already up and running (clear crypto isakmp sa, then it works again).

What could be wrong? Since I have no access to the remote FW1 I can only speculate.

But since I am able to get the connection to run when initiated from the PIX I would presume that both the IKE and IPSec parameters are OK.

Looks like the "handover" between IKE and IPSec is not working from the FW1?

Any suggestions?

Logs are included.

Regards,

Mads Storm Andersen

----- LOGS ----

WORKING FROM PIX to FW1

VPN Peer: ISAKMP: Added new peer: ip:REMOTEIP.X.X.X.X Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:REMOTEIP.X.X.X.X Ref cnt incremented to:1 Total VPN Peers:1

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block: src REMOTEIP.X.X.X.X, dest LOCALOUTSIDEIP.X.X.X.X

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src REMOTEIP.X.X.X.X, dest LOCALOUTSIDEIP.X.X.X.X

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 28

ISAKMP (0): Total payload length: 32

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src REMOTEIP.X.X.X.X, dest LOCALOUTSIDEIP.X.X.X.X

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 1192269937:47109871

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x5e0a250d(1577723149) for SA

from REMOTEIP.X.X.X.X to LOCALOUTSIDEIP.X.X.X.X for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

ISAKMP (0): sending INITIAL_CONTACT notify

crypto_isakmp_process_block: src REMOTEIP.X.X.X.X, dest LOCALOUTSIDEIP.X.X.X.X

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1192269937

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 3600

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-SHA

ISAKMP (0): atts are acceptable.

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= REMOTEIP.X.X.X.X, src= LOCALOUTSIDEIP.X.X.X.X,

dest_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),

src_proxy= LOCALINSIDEIP.X.X.X.X/255.255.255.240/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 1192269937

ISAKMP (0): processing ID payload. message ID = 1192269937

ISAKMP (0): processing ID payload. message ID = 1192269937

ISAKMP (0): processing NOTIFY payload 24576 protocol 3

spi 1577723149, message ID = 1192269937

ISAKMP (0): processing responder lifetime

ISAKMP (0): Creating IPSec SAs

inbound SA from REMOTEIP.X.X.X.X to LOCALOUTSIDEIP.X.X.X.X (proxy 10.120.0.0 to LOCALINSIDEIP.X.X.X.X)

has spi 1577723149 and conn_id 1 and flags 4

lifetime of 3600 seconds

lifetime of 4608000 kilobytes

outbound SA from LOCALOUTSIDEIP.X.X.X.X to REMOTEIP.X.X.X.X (proxy LOCALINSIDEIP.X.X.X.X to 10.120.0.0)

has spi 2119708502 and conn_id 2 and flags 4

lifetime of 3600 seconds

lifetime of 4608000 kilobytes

IPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= LOCALOUTSIDEIP.X.X.X.X, src= REMOTEIP.X.X.X.X,

dest_proxy= LOCALINSIDEIP.X.X.X.X/255.255.255.240/0/0 (type=4),

src_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0x5e0a250d(1577723149), conn_id= 1, keysize= 0, flags= 0x4

IPSEC(initialize_sas): ,

(key eng. msg.) src= LOCALOUTSIDEIP.X.X.X.X, dest= REMOTEIP.X.X.X.X,

src_proxy= LOCALINSIDEIP.X.X.X.X/255.255.255.240/0/0 (type=4),

dest_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0x7e582f56(2119708502), conn_id= 2, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:REMOTEIP.X.X.X.X Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: IPSEC: Peer ip:REMOTEIP.X.X.X.X Ref cnt incremented to:3 Total VPN Peers:1

ERROR: unable to fragment packet pktsize=1500, eff_mtu = 1444

NOT WORKING – FROM FW1 TO PIX.

crypto_isakmp_process_block: src REMOTEIP.X.X.X.X, dest LOCALOUTSIDEIP.X.X.X.X

VPN Peer: ISAKMP: Added new peer: ip:REMOTEIP.X.X.X.X Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:REMOTEIP.X.X.X.X Ref cnt incremented to:1 Total VPN Peers:1

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src REMOTEIP.X.X.X.X, dest LOCALOUTSIDEIP.X.X.X.X

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src REMOTEIP.X.X.X.X, dest LOCALOUTSIDEIP.X.X.X.X

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 28

ISAKMP (0): Total payload length: 32

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

ISAKMP (0): sending INITIAL_CONTACT notify

crypto_isakmp_process_block: src REMOTEIP.X.X.X.X, dest LOCALOUTSIDEIP.X.X.X.X

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 799239733

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP (0): atts are acceptable.

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= LOCALOUTSIDEIP.X.X.X.X, src= REMOTEIP.X.X.X.X,

dest_proxy= LOCALINSIDEIP.X.X.X.X/255.255.255.240/0/0 (type=4),

src_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 799239733

ISAKMP (0): processing ID payload. message ID = 799239733

ISAKMP (0): ID_IPV4_ADDR_SUBNET src 10.120.0.0/255.255.0.0 prot 0 port 0

ISAKMP (0): processing ID payload. message ID = 799239733

ISAKMP (0): ID_IPV4_ADDR_SUBNET dst LOCALINSIDEIP.X.X.X.X/255.255.255.240 prot 0 port 0

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xf7b7bb8b(4156013451) for SA

from REMOTEIP.X.X.X.X to LOCALOUTSIDEIP.X.X.X.X for prot 3

return status is IKMP_NO_ERROR

ISADB: reaper checking SA 0x8155d010, conn_id = 0

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

1 Reply

ggersch

For the isakmp key for the remote fw-1, do you have the 'no-xauth no-config-mode' keywords? It should look something like this:

isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

If you don't have these keywords, your PIX is waiting for the remote FW-1 to authenticate before handing off to the next step.

Greg
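As an added example (not part of the original post or reply), a small Python checker that walks PIX 6.x `debug crypto isakmp` / `debug crypto ipsec` output and reports how far a negotiation got: Phase 1 never authenticated, Phase 2 stalled with retransmits (the symptom in the post: IKE SA up, no IPsec SA), or IPsec SAs created. The two log excerpts embedded below are abridged from the thread's own logs and are constructed sample input only; the hint the checker prints for a stalled Phase 2 is the `no-xauth no-config-mode` check from the reply above, not a diagnosis of its own.

```python
"""Classify PIX 6.x ISAKMP/IPsec debug output by how far the negotiation got.
Added example; the sample logs are abridged from the thread's posted logs."""
import re
from dataclasses import dataclass, field

# Proxy identities the PIX prints for a Quick Mode proposal, in either format.
PROXY_RE = re.compile(r"(?:src|dest)_proxy=\s*([^/\s]+)/([^/\s]+)/")
ID_SUBNET_RE = re.compile(r"ID_IPV4_ADDR_SUBNET (?:src|dst) ([^/\s]+)/([^/\s]+)")


@dataclass
class Negotiation:
    role: str = "responder"          # "initiator" once the PIX begins Main Mode itself
    phase1_authenticated: bool = False
    quick_mode_seen: bool = False
    ipsec_sas_created: bool = False
    phase2_retransmits: int = 0
    proxy_ids: set = field(default_factory=set)   # "net/mask" strings seen in proposals
    warnings: list = field(default_factory=list)  # non-fatal lines worth a look

    def verdict(self) -> str:
        if not self.phase1_authenticated:
            return "phase1_failed"
        if self.ipsec_sas_created:
            return "phase2_ok"
        if self.phase2_retransmits:
            return "phase2_stalled"
        return "phase2_incomplete"


def analyze(log_text: str) -> Negotiation:
    """Walk the debug output line by line and record the negotiation milestones."""
    n = Negotiation()
    for raw in log_text.splitlines():
        line = raw.strip()
        if "beginning Main Mode exchange" in line:
            n.role = "initiator"
        elif "SA has been authenticated" in line:
            n.phase1_authenticated = True
        elif "OAK_QM exchange" in line:
            n.quick_mode_seen = True
        elif "Creating IPSec SAs" in line:
            n.ipsec_sas_created = True
        elif "retransmitting phase 2" in line:
            n.phase2_retransmits += 1
        elif "unable to fragment packet" in line:
            n.warnings.append(line)   # DF-bit/MTU problem on the tunnel path, not a negotiation failure
        for net, mask in PROXY_RE.findall(line) + ID_SUBNET_RE.findall(line):
            n.proxy_ids.add(f"{net}/{mask}")
    return n


def explain(n: Negotiation) -> str:
    """Turn the verdict into the check a practitioner would make next."""
    v = n.verdict()
    if v == "phase1_failed":
        return "Phase 1 never authenticated: compare ISAKMP policy and pre-shared key/ID type."
    if v == "phase2_ok":
        return "IPsec SAs created for " + ", ".join(sorted(n.proxy_ids)) + "; tunnel is up."
    if v == "phase2_stalled":
        # The reply in this thread points at a missing 'no-xauth no-config-mode'
        # on the 'isakmp key' line for exactly this symptom (PIX as responder).
        return (f"Phase 1 authenticated but Phase 2 retransmitted {n.phase2_retransmits}x "
                f"with no IPsec SA (PIX role: {n.role}); check that the isakmp key line "
                "for this peer carries 'no-xauth no-config-mode'.")
    return "Quick Mode did not finish; check the log for the last message exchanged."


# Constructed sample input, abridged from the thread's "WORKING" log.
WORKING_LOG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1192269937
OAK_QM exchange
src_proxy= LOCALINSIDEIP.X.X.X.X/255.255.255.240/0/0 (type=4),
dest_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),
ISAKMP (0): Creating IPSec SAs
ERROR: unable to fragment packet pktsize=1500, eff_mtu = 1444
"""

# Constructed sample input, abridged from the thread's "NOT WORKING" log.
FAILING_LOG = """\
crypto_isakmp_process_block: src REMOTEIP.X.X.X.X, dest LOCALOUTSIDEIP.X.X.X.X
OAK_MM exchange
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 10.120.0.0/255.255.0.0 prot 0 port 0
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst LOCALINSIDEIP.X.X.X.X/255.255.255.240 prot 0 port 0
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

if __name__ == "__main__":
    for name, log in (("PIX -> FW1", WORKING_LOG), ("FW1 -> PIX", FAILING_LOG)):
        result = analyze(log)
        print(f"{name}: {result.verdict()} ({result.role}) - {explain(result)}")
        for w in result.warnings:
            print("  warning:", w)
```

Feed it the full `debug crypto isakmp` capture from the PIX; the verdict distinguishes the post's case (Phase 1 authenticated, three Phase 2 retransmits, no `Creating IPSec SAs`) from a proposal mismatch, which would show up as Phase 1 or Quick Mode never being reached at all. The fragmentation error in the working log is reported separately because it concerns packets inside an established tunnel, not the negotiation.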