04-30-2003 06:39 AM - edited 02-21-2020 12:30 PM
Hello,
I'm trying to connect a Watchguard firewall with a Cisco 827 router via IPsec.
I'll call the network behind the firewall Network 1 and the network behind the router Network 2.
After configuring both devices, Network 1 and Network 2 can access each other.
It seems that the IPsec tunnel is OK.
Well, there is another firewall with one Ethernet interface in Network 2 and another Ethernet interface in another network, called Network 3.
Here is the diagram:
Network1--[Firewall]--[Internet]--[Cisco 827]--Network2--[Firewall2]--Network3
My problem is that Network 1 can't access Network 3 and Network 3 can't access Network 1.
Network 2 can access Network 3.
When I debug crypto ipsec, the following error appears for each ping I send from Network 1 to Network 3:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Here is the router configuration:
version 12.2
no service pad
no service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname UOCTECADSL
!
logging queue-limit 100
enable secret xxxxxxx
!
username xxxxxx password xxxxxx
username xxxxx password xxxxxx
aaa new-model
!
!
aaa authentication login uoc local
aaa session-id common
ip subnet-zero
no ip source-route
ip telnet source-interface Ethernet0
no ip domain lookup
!
no ip bootp server
!
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key arcan5us2389 address [Firewall External Address]
!
crypto ipsec security-association lifetime kilobytes 32000
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp_des_sha esp-des esp-sha-hmac
!
crypto map tecsidel_uoc local-address ATM0.1
crypto map tecsidel_uoc 1 ipsec-isakmp
set peer [Firewall External Address]
set transform-set esp_des_sha
match address 101
!
!
!
!
interface Ethernet0
description Conexion UOC
ip address 192.168.128.86 255.255.255.248
no ip proxy-arp
no ip route-cache
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
ip access-group 11 in
no ip route-cache
no ip mroute-cache
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
bundle-enable
dsl operating-mode auto
hold-queue 208 in
!
interface ATM0.1 point-to-point
ip address [Router External Address] 255.255.255.192
ip access-group 11 in
no ip route-cache
no ip mroute-cache
pvc 8/32
encapsulation aal5snap
!
crypto map tecsidel_uoc
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 213.73.32.0 255.255.254.0 192.168.128.81
no ip http server
no ip http secure-server
!
!
access-list 10 permit 172.18.75.254
access-list 10 permit 172.18.136.22
access-list 10 permit 172.18.128.15
access-list 10 permit 192.168.128.78
access-list 10 permit 172.18.66.21
access-list 10 permit 213.73.33.0 0.0.0.255
access-list 10 permit 213.73.32.0 0.0.0.255
access-list 11 permit [Firewall External Address]
access-list 11 deny any
access-list 101 permit ip 192.168.128.80 0.0.0.7 172.18.128.0 0.0.63.255
access-list 101 permit ip 213.73.33.0 0.0.0.255 172.18.128.0 0.0.63.255
no cdp run
!
radius-server authorization permit missing Service-Type
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 10 in
exec-timeout 0 0
login authentication uoc
length 0
!
no scheduler max-task-time
end
Can anybody help me?
Thank you
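IOS logs "decrypted packet failed SA identity check" when a packet that has just been decrypted from an IPsec SA does not fall inside the proxy identities (the crypto ACL) that SA was negotiated for: the decrypted source must sit in the remote side of the ACL entry and the decrypted destination in the local side. The following is an added example, not code from the post, that models that check against access-list 101 exactly as posted. The Network 3 host address it uses is a constructed placeholder, since the post does not give that range.

```python
"""Model of the IOS crypto-ACL proxy-identity check behind the message
'decrypted packet failed SA identity check'.  Added example; the ACL
lines are copied from the posted configuration, the Network 3 address
is a constructed placeholder."""

import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair to an IPv4Network.
    Cisco wildcards are inverse masks (0 bits must match), so 0.0.0.0 is a
    single host and 255.255.255.255 is 'any'.  Done by hand because the
    ipaddress module cannot tell a netmask from a hostmask in those two cases."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & ALL_ONES
    prefixlen = bin(mask).count("1")
    expected = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    if mask != expected:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def _parse_endpoint(tokens, i):
    """Parse one ACL endpoint (any | host A | A WILDCARD) at tokens[i].
    Returns (network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


@dataclass(frozen=True)
class ProxyIdentity:
    local: ipaddress.IPv4Network   # ACL source: hosts this router protects
    remote: ipaddress.IPv4Network  # ACL destination: hosts behind the peer


def parse_crypto_acl(lines, number):
    """Collect 'access-list <number> permit ip SRC DST' lines into proxy identities."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        if tokens[2] != "permit" or tokens[3] != "ip":
            continue  # deny entries and other protocols are not proxy identities here
        local, i = _parse_endpoint(tokens, 4)
        remote, _ = _parse_endpoint(tokens, i)
        entries.append(ProxyIdentity(local, remote))
    return entries


def identity_check(entries, src, dst, inbound=True):
    """Return the index of the first proxy identity the packet falls under, or None.
    Inbound (decrypted) packets must have src inside the remote proxy and dst
    inside the local proxy; outbound packets are matched the other way round."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for idx, pid in enumerate(entries):
        near, far = (pid.remote, pid.local) if inbound else (pid.local, pid.remote)
        if s in near and d in far:
            return idx
    return None


# Crypto ACL exactly as it appears in the posted router configuration.
POSTED_ACL = [
    "access-list 101 permit ip 192.168.128.80 0.0.0.7 172.18.128.0 0.0.63.255",
    "access-list 101 permit ip 213.73.33.0 0.0.0.255 172.18.128.0 0.0.63.255",
]
PROXIES = parse_crypto_acl(POSTED_ACL, 101)

# Constructed placeholder for a host in Network 3; the post gives no range for it.
NETWORK3_HOST = "10.3.0.10"

if __name__ == "__main__":
    for pid in PROXIES:
        print(f"local {pid.local}  <->  remote {pid.remote}")
    # Decrypted ping from Network 1 to the router's Ethernet0 subnet: covered
    print(identity_check(PROXIES, "172.18.128.15", "192.168.128.86"))
    # Decrypted ping from Network 1 to the Network 3 placeholder: not covered
    print(identity_check(PROXIES, "172.18.128.15", NETWORK3_HOST))
```

Any source/destination pair for which `identity_check` returns `None` is dropped by the router after decryption, which is the symptom the post describes; traffic for an additional subnet can only ride the tunnel once both peers' policies (the crypto ACL here, and the mirror-image policy on the firewall) list it as a proxy identity.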
05-05-2003 07:14 AM
Hello.
It seems that IP packets for IKE phase 1 are undergoing NAT traversal, so there is an identity mismatch. Did you try the configuration line:
sysopt connection permit-ipsec
This only works with version 6.3 of the PIX Firewall software.