IPSec between CSPM and IDS Sensor

Oct 8th, 2001

I set up IPSEC communication between my CSPM 2.3.2i S8 and my 3.0(1)S8 IDS Sensor! I bootstrapped the Sensor with "ipsectool" commands that were generated by cspm (It is always 2 ipsectool commands! Is that ok? Which one to use?) and the Sensor started communicating using IPSEC. That is ok. But my cspm doesn't use IPSEC :(. I receive an "IRE registry key access error"! When I clear the IPSEC on the Sensor with the "ipsectool delete x.x.x.x" command, the communication works again, although the IPSEC config is still on the cspm.

I can't configure my cspm back, because I can't uncheck the Use IPSec to this Sensor check box and delete the new IPSec Tunnel Group. I can restore only with a cpm file!

Any advice?

Thanks!


bygregory Tue, 10/09/2001 - 12:56

First, the "IRE registry key access error" message is a common message that means CSPM is having trouble communicating with the IRE client. Usually this is caused by not having the IRE client installed. It may also have been caused by changing the location of the registry entries for the IRE client or an incorrect installation of the IRE client (among other things). You must install the client before installing CSPM.

In order to undo an IPSec transport between a sensor node and your host node you need to follow these steps in order, keeping track of the nodes as they are found:


1) Click the sensor's "Control" tab and select "none" under the "Use secure IPSec with template" drop-down box. Press OK.


2) Right click the sensor node, select "Find". Press the "Find" button. This will highlight the manual group, under IPSec Tunnel Groups. Click "Close".


3) Right click this group node, select "Find". Press the "Find" button. This will highlight the System Policy node for your host node and the sensor. Click "Close".


4) Right click this system policy node, select "Find". Press the "Find" button. This will highlight a node under "Security Policy Enforcement" for this policy. Click "Close".


5) Delete the security policy enforcement node.


6) Delete the system policy node.


7) Delete the manual group node.


8) Uncheck the "Use IPSec to this Sensor" checkbox on the sensor node's Properties/Identification tab. Press OK.


9) Update. You will probably see another "IRE registry key access error" in the consistency check window. When you tear down a security association, just like when you set one up, CSPM tries to communicate with the IRE client. Since your IRE client setup is probably incorrect you will get this message. Just press Update again and this message should go away.


These steps will undo CSPM's IPSec association for your sensor.

Russ

teperjesi Thu, 10/11/2001 - 01:30

The Undo process works fine! Thanks! But.. What is this "IRE client"? How could I install it?


bygregory Thu, 10/11/2001 - 05:54

When you installed CSPM it checked to see if the VPN client had been installed on your system. If not, you would have received a message that states:


"AutoStart has detected that Cisco Secure VPN Client is not installed on this host...."


What I erroneously referred to as the IRE client is now called the Cisco Secure VPN Client. In order to set up IPSec associations it must be installed before installing CSPM. Hope this helps.

teperjesi Thu, 10/11/2001 - 08:30

Sorry, but I have reinstalled my CSPM already, and the issue is the same! Any advice? Should I reinstall my operating system?

bygregory Thu, 10/11/2001 - 12:29

Have you tried re-installing the Cisco Secure VPN client? If not I would follow these steps.

1) Uninstall CSPM.

2) Uninstall the Cisco Secure VPN client (if you have already installed it).

3) Download and install the current version of the Cisco Secure VPN client. You can find it on CCO at: http://www.cisco.com/cgi-bin/tablebuild.pl/cspm

4) Re-install CSPM.

As I stated in an earlier response the "IRE registry key access error" message is most often caused by an incorrect installation of the VPN client (I called it the IRE client). If you install the VPN client correctly before installing CSPM it should take care of the problem.

Good luck.

Russ

teperjesi Tue, 10/30/2001 - 05:40

Thanks! Since I installed the Cisco Secure VPN Client, IPSec is working fine, but I receive some warnings when I Save/Update:

[ire] :Action[s] required:Change Bootstrap settings with new PDP-PEP IPSec tunnel settings,then click Approve to publish

[ire] Control channel IPSec policies changed...updating registry.

[ire] IPSec policy for CSPM traffic to device aaaa.bbbb.cccc.dddd changed.


When I approve the commands these messages disappear!

Is this normal?

My CSPM generates 2 ipsectool add commands, something like this:

ipsectool add 193.68.36.59 esp 100 .....

ipsectool add 193.68.36.59 esp 101 .....

My system works only with the second command!

Thanks!


sdukart Thu, 10/11/2001 - 13:13

I have the same setup, but am unable to establish secure communications between CSPM and the Sensor. My question is: How did you set up the authentication? Did you use the default key or create a custom key? When you were configuring the Sensor via sysconfig, what did you put in for "cypher", "authentication" and "SPI"? I also could not deselect the "Use IP Sec" box, so I had to import the original configuration prior to adding the Tunnel Group. Now my Sensor states a warning about ipsec and CSPM does not have "Use IP Sec" checked. Any advice? Anyone?

bygregory Fri, 10/12/2001 - 06:19

To set up an IPSec transform between CSPM and a sensor you must allow CSPM to create the CLI command for the sensor. Do not use sysconfig to set up IPSec on the sensor.


IPSec transforms between CSPM hosts and sensors use manual keys. When you follow the process for setting up IPSec on CSPM, it actually generates a command that can be run on the sensor. The command shows up in the Command panel of the sensor node when update is pressed - look for it in the Command/Messages window. It will begin with this sequence:

#ipsectool add


Use this command by typing the entire line (after the # character) into the CLI of the sensor. This will ensure that the security association is set up on the sensor side with the same keys used to set up the association on the CSPM host side.


You can find information about creating an IPSec transform between the CSPM host and a sensor in the "Configuring Administrative Control Communications" section of the CSPM documentation.


teperjesi Fri, 10/19/2001 - 13:56

As I mentioned earlier, my CSPM always generates 2 "#ipsectool add" lines in the Command/Messages window. Which one should I use on the Sensor?

Thanks
