11-08-2004 01:38 PM - edited 02-21-2020 01:26 PM
I've looked at a ton of info about this, but I'm new to VPN and still have trouble making a connection. I'll post my config and if anyone sees any problems with it (I'm positive there is) please post a reply. Thanks in advance.
PIX Version 6.3(3)
.........
names
name 192.168.0.4 EAGLE
access-list inside_outbound_nat0_acl permit ip any 172.16.0.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 172.16.0.96 255.255.255.224
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip any 172.16.0.96 255.255.255.254
access-list outside_access_in permit tcp any host x.x.x.x eq www
access-list outside_access_in permit tcp any host x.x.x.x eq smtp
access-list outside_access_in permit tcp any host x.x.x.x eq 5900
access-list outside_access_in permit tcp any host x.x.x.x eq pop3
access-list splittunnel permit ip 192.168.0.0 255.255.255.0 any
access-list vpn_in permit ip host x.x.x.x any >IP address of branch office
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.0 >Pix Wan address
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.0.100-172.16.0.125
pdm location 192.168.0.0 255.255.0.0 inside
pdm location EAGLE 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www EAGLE www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp EAGLE smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.0.190 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 EAGLE pop3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 >Wan Gateway
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn_in
crypto map outside_map 20 set peer x.x.x.x >IP address of branch office
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 >IP of branch office
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xxxx address-pool VPNPOOL
vpngroup xxxx dns-server 192.168.0.3
vpngroup xxxx default-domain xxxx.com
vpngroup xxxx split-tunnel splittunnel
vpngroup xxxx idle-time 1800
vpngroup xxxx password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
: end
On the linksys, I have 3DES and SHA selected. The correct key is in there and all addresses are correct. I want to also mention that separate employees also connect to the VPN from home. It has to have that functionality (which it currently does) but also allow a VPN to VPN connection.
11-08-2004 07:37 PM
Capture the output on the PIX with the following debugs turned on:
debug crypto ipsec
debug crypto isa
Then try initiating the tunnel from the Linksys side. Post this info so we can take a look. There are no obvious issues with your config.
Scott
11-09-2004 08:04 AM
ISAKMP (0): deleting SA: src x.x.x.98, dst x.x.x.101
ISAKMP (0): retransmitting phase 1 (0)...
ISADB: reaper checking SA 0xf36724, conn_id = 0
ISADB: reaper checking SA 0xf3f6ec, conn_id = 0
ISADB: reaper checking SA 0xf3ed94, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for x.x.x.98/500 not found - peers:0
ISADB: reaper checking SA 0xf36724, conn_id = 0
ISADB: reaper checking SA 0xf3f6ec, conn_id = 0
ISADB: reaper checking SA 0xf2eb9c, conn_id = 0
crypto_isakmp_process_block:src:x.x.x.98, dest:x.x.x.101 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.98, dest:x.x.x.101 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): deleting SA: src x.x.x.98, dst x.x.x.101
ISAKMP (0): retransmitting phase 1 (0)...
ISADB: reaper checking SA 0xf36724, conn_id = 0
ISADB: reaper checking SA 0xf3f6ec, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for x.x.x.98/500 not found - peers:0
ISADB: reaper checking SA 0xf36724, conn_id = 0
ISADB: reaper checking SA 0xf3dd2c, conn_id = 0
ISADB: reaper checking SA 0xf400ac, conn_id = 0
ISADB: reaper checking SA 0xf2eb9c, conn_id = 0
ISAKMP (0): retransmitting phase 1 (1)...
11-08-2004 08:00 PM
Is the connection to the Linksys at the branch office a site-to-site (aka lan-to-lan) vpn?
If so, then recode the isakmp key for the linksys as follows:
isakmp key *** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
This is to tell the pix that the remote peer does not get an ip address assignment nor prompted for user authen as the peer is a multi-user gateway instead of a single-access device. The vpn clients that do not connect via the Linksys will still get prompted for user authen and will get an ip address.
Let me know if this helps.
11-09-2004 08:08 AM
It is a site-to-site, but this config did not help.
11-09-2004 08:23 AM
On the Linksys system log, I also get this:
Rx << Notify : NO-PROPOSAL-CHOSEN
2004-11-09 11:20:22 IKE[1] **Check your Encryption, Authentication method and PFS settings !
11-10-2004 05:36 AM
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): deleting SA: src x.x.x.98, dst x.x.x.101
ISAKMP (0): retransmitting phase 1 (0)...
ISADB: reaper checking SA 0xf36724, conn_id = 0
ISADB: reaper checking SA 0xf3f6ec, conn_id = 0 DELETE IT!
Based on these messages from your PIX debugs, it would appear that the UDP port 500 messages are not making it back to the Linksys side. Is there any more detailed logging you can enable on the Linksys router that may clue us in as to where the issue is? Also, do you know of anything between the PIX and the Linksys that would be blocking UDP port 500 packets? Would seem kinda odd that the UDP packets would be allowed into the PIX but not out of the PIX.
Scott
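The diagnosis in the replies above (a transform is accepted against the isakmp policy, yet phase 1 keeps retransmitting and the SA is deleted) can be pulled out of a `debug crypto isakmp` capture mechanically. The following is an added example, not code from the thread or from Cisco; the debug excerpt is constructed to mirror the posted output, with documentation addresses in place of the real ones.

```python
import re

# Constructed excerpt of PIX 6.3 "debug crypto isakmp" output, modelled on the
# lines posted in the thread (addresses are RFC 5737 placeholders, not real).
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): deleting SA: src 192.0.2.98, dst 192.0.2.101
"""

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|auth|default group) (\S+)")

def parse_phase1(debug_text):
    """Return (proposals, retransmits, deleted): one dict per peer transform with
    its attributes and whether the PIX accepted it, plus retransmit/delete counts."""
    proposals, current = [], None
    retransmits = deleted = 0
    for line in debug_text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:  # a new transform from the peer's SA payload starts here
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)), "accepted": None}
            proposals.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        elif "atts are not acceptable" in line and current is not None:
            current["accepted"] = False
        elif "atts are acceptable" in line and current is not None:
            current["accepted"] = True
        elif "retransmitting phase 1" in line:
            retransmits += 1
        elif "deleting SA" in line:
            deleted += 1
    return proposals, retransmits, deleted

def diagnose(debug_text):
    """Classify the phase 1 outcome the way the replies in this thread do."""
    proposals, retransmits, deleted = parse_phase1(debug_text)
    if not any(p["accepted"] for p in proposals):
        return "no matching isakmp policy (peer would log NO-PROPOSAL-CHOSEN)"
    if retransmits and deleted:
        return "proposal accepted but phase 1 replies unanswered (check the UDP/500 path)"
    return "phase 1 proposal accepted"
```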