IPSec LAN-to-LAN from PIX 501(6.3.5) to VPNC 3000 rejects tunnel.
04-04-2007 02:47 PM - edited 02-21-2020 02:57 PM
I will post more data once back in the office but this is the error my VPNC3000 is showing when the IPSec tunnel tries to establish:
I've replaced the PIX 501 outside IP with 10.0.0.1, and the concentrator subnet with 10.1.0.0
18890 04/04/2007 15:09:33.190 SEV=6 IKE/201 RPT=2 10.0.0.2
Group [10.0.0.2]
Duplicate Phase 1 packet detected. Retransmitting last packet.
18892 04/04/2007 15:09:33.190 SEV=6 IKE/0 RPT=820 10.0.0.2
Group [10.0.0.2]
Responder resending last msg
18893 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45723 10.0.0.2
RECEIVED Message (msgid=b57613b7) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 76
18895 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45724 10.0.0.2
Group [10.0.0.2]
processing hash
18896 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45725 10.0.0.2
Group [10.0.0.2]
Processing Notify payload
18897 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=821
Received unexpected event EV_ACTIVATE_NEW_SA in state MM_ACTIVE
18898 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45726 10.0.0.2
RECEIVED Message (msgid=83ab1615) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
total length : 164
18901 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45727 10.0.0.2
Group [10.0.0.2]
processing hash
18902 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45728 10.0.0.2
Group [10.0.0.2]
processing SA payload
18903 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5364 10.0.0.2
Group [10.0.0.2]
processing nonce payload
18904 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5365 10.0.0.2
Group [10.0.0.2]
Processing ID
18905 04/04/2007 15:09:33.310 SEV=5 IKE/35 RPT=133 10.0.0.2
Group [10.0.0.2]
Received remote IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
18908 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5366 10.0.0.2
Group [10.0.0.2]
Processing ID
18909 04/04/2007 15:09:33.310 SEV=5 IKE/34 RPT=233 10.0.0.2
Group [10.0.0.2]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.0.0, Mask 255.255.255.0, Protocol 0, Port 0
18912 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45729
QM IsRekeyed old sa not found by addr
18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
Group [10.0.0.2]
Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
18915 04/04/2007 15:09:33.310 SEV=4 IKEDBG/0 RPT=45730
QM FSM error (P2 struct &0x1e75390, mess id 0x83ab1615)!
18916 04/04/2007 15:09:33.310 SEV=7 IKEDBG/65 RPT=730 10.0.0.2
Group [10.0.0.2]
IKE QM Responder FSM error history (struct &0x1e75390)
<state>, <event>:
QM_DONE, EV_ERROR
QM_BLD_MSG2, EV_NEGO_SA
QM_BLD_MSG2, EV_IS_REKEY
QM_BLD_MSG2, EV_CONFIRM_SA
18921 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45731
sending delete/delete with reason message
18922 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=822 10.0.0.2
Group [10.0.0.2]
Removing peer from correlator table failed, no match!
18923 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45732 10.0.0.2
Group [10.0.0.2]
IKE SA MM:5b0e34cb rcv'd Terminate: state MM_ACTIVE
flags 0x0001c042, refcnt 1, tuncnt 0
18926 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45733 10.0.0.2
Group [10.0.0.2]
IKE SA MM:5b0e34cb terminating:
flags 0x0101c002, refcnt 0, tuncnt 0
18928 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45734
sending delete/delete with reason message
18929 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45735 10.0.0.2
Group [10.0.0.2]
constructing blank hash
18930 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45736
constructing IKE delete payload
18931 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45737 10.0.0.2
Group [10.0.0.2]
constructing qm hash
18932 04/04/2007 15:09:33.320 SEV=8 IKEDBG/0 RPT=45738 10.0.0.2
SENDING Message (msgid=1d5c1587) with payloads :
HDR + HASH (8) + DELETE (12)
total length : 76
18934 04/04/2007 15:09:33.320 SEV=4 AUTH/23 RPT=176 10.0.0.2
User [10.0.0.2], Group [10.0.0.2] disconnected: duration: 0:00:00
04-04-2007 02:53 PM
The error that sticks out to me is:
18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
Group [10.0.0.2]
Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
I do not know if this means policy on the Concentrator or the PIX, but I believe this is the cause. Below is my PIX 501 config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix3
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol h323 1718-1719
names
access-list 102 permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit icmp 192.168.15.0 255.255.255.0 192.168.15.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.240
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 102
crypto map newmap 10 set peer 10.1.0.1
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key myPSK address 10.1.0.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ssh 172.16.0.0 255.255.255.224 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
dhcpd address 192.168.15.10-192.168.15.20 inside
dhcpd dns 172.16.1.27 172.16.1.19
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
04-05-2007 07:46 AM
Looks like the problem is related to Network Lists. I am able to establish an IPSec tunnel, but cannot pass traffic now. :(
04-05-2007 12:34 PM
I've configured the concentrator with the following:
Configuration-> Policy Management-> Traffic Management-> Network Lists
Network List named "matt-corp" containing the following networks
172.16.0.0/0.0.255.255
192.168.30.0/0.0.0.255
Configuration-> System-> Tunneling Protocols-> IPSec-> LAN-to-LAN
LAN-to-LAN connection named "matt" with these settings:
Peers: 68.x.x.243
digital cert: none(use preshared keys)
Preshared Key: cisco123
authentication: ESP/MD5/HMAC-128
Encryption: 3DES-168
IKE Proposal: IKE-3DES-MD5
Filter: none
IPSec NAT-T: Enabled
No bandwidth policy or routing.
Local Network: Network List "matt-corp"
Remote Network: Network List "matt-corp"
I've not made any changes to SAs (Configuration-> Policy Management-> Traffic Management-> Security Associations) or Rules (Configuration-> Policy Management-> Traffic Management-> Rules).
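The "Tunnel rejected: Policy not found for Src/Dst" event means the proxy identities the PIX proposed in Quick Mode did not fall inside the network lists bound to the concentrator's LAN-to-LAN entry. The following script is an added example (not from this thread or from Cisco) that parses the ID-payload lines of the VPN 3000 log excerpt above and checks them against a network list written in the concentrator's wildcard-mask notation; the log excerpt is constructed from the lines quoted in the first post.

```python
import ipaddress
import re

# Constructed excerpt of the VPN 3000 event log quoted in this thread.
LOG = """\
18905 04/04/2007 15:09:33.310 SEV=5 IKE/35 RPT=133 10.0.0.2
Group [10.0.0.2]
Received remote IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
18909 04/04/2007 15:09:33.310 SEV=5 IKE/34 RPT=233 10.0.0.2
Group [10.0.0.2]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.0.0, Mask 255.255.255.0, Protocol 0, Port 0
18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
Group [10.0.0.2]
Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
"""
# ID payload lines carry a subnet mask; Address 0.0.0.0 / Mask 0.0.0.0 is "any host".
PROXY_RE = re.compile(
    r"Received (remote|local) IP Proxy Subnet data in ID Payload:\n"
    r"Address (\S+), Mask (\S+), Protocol \d+, Port \d+")

def proxy_ids(log):
    """Return {'remote': network, 'local': network} from the Quick Mode ID payloads."""
    ids = {}
    for side, addr, mask in PROXY_RE.findall(log):
        ids[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ids

def network_list(entries):
    """Concentrator network lists use wildcard masks (e.g. 0.0.255.255); invert them."""
    nets = []
    for entry in entries:
        addr, wild = entry.split("/")
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def covered(proxy, nets):
    """The proposed proxy identity must lie entirely inside one list entry."""
    return any(proxy.subnet_of(net) for net in nets)

def diagnose(log, local_list, remote_list):
    """'local' is the concentrator side of the L2L entry, 'remote' the PIX side."""
    ids = proxy_ids(log)
    return {"local": covered(ids["local"], network_list(local_list)),
            "remote": covered(ids["remote"], network_list(remote_list))}

if __name__ == "__main__":
    matt_corp = ["172.16.0.0/0.0.255.255", "192.168.30.0/0.0.0.255"]
    print(diagnose(LOG, matt_corp, matt_corp))  # {'local': False, 'remote': False}
```

With the "matt-corp" list on both sides neither identity is covered, which is exactly the rejection the log reports; the remote 0.0.0.0/0 identity can only be matched by a list entry of 0.0.0.0/255.255.255.255.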
