Ipsec configuration problems

jorge.ramirez
Level 1

Hello,

I'm trying to connect a WatchGuard firewall to a Cisco 827 router via IPsec.

I'll call the network behind the firewall Network 1 and the network behind the router Network 2.

After configuring both devices, network 1 and network 2 can access each other.

It seems that the IPsec tunnel is OK.

Well, there is another firewall with one Ethernet interface in Network 2 and another Ethernet interface in another network called Network 3.

Here is the schema:

Network1--[Firewall]--[Internet]--[Cisco 827]--Network2--[Firewall2]--Network3

My problem is that Network 1 can't access Network 3 and Network 3 can't access Network 1.

Network 2 can access Network 3.

Debugging crypto ipsec, the following error appears for each ping I send from Network 1 to Network 3:

IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Here is the router configuration:

version 12.2
no service pad
no service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname UOCTECADSL
!
logging queue-limit 100
enable secret xxxxxxx
!
username xxxxxx password xxxxxx
username xxxxx password xxxxxx
aaa new-model
!
!
aaa authentication login uoc local
aaa session-id common
ip subnet-zero
no ip source-route
ip telnet source-interface Ethernet0
no ip domain lookup
!
no ip bootp server
!
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key arcan5us2389 address [Firewall External Address]
!
crypto ipsec security-association lifetime kilobytes 32000
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp_des_sha esp-des esp-sha-hmac
!
crypto map tecsidel_uoc local-address ATM0.1
crypto map tecsidel_uoc 1 ipsec-isakmp
 set peer [Firewall External Address]
 set transform-set esp_des_sha
 match address 101
!
!
!
!
interface Ethernet0
 description Conexion UOC
 ip address 192.168.128.86 255.255.255.248
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 ip access-group 11 in
 no ip route-cache
 no ip mroute-cache
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 bundle-enable
 dsl operating-mode auto
 hold-queue 208 in
!
interface ATM0.1 point-to-point
 ip address [Router External Address] 255.255.255.192
 ip access-group 11 in
 no ip route-cache
 no ip mroute-cache
 pvc 8/32
  encapsulation aal5snap
 !
 crypto map tecsidel_uoc
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 213.73.32.0 255.255.254.0 192.168.128.81
no ip http server
no ip http secure-server
!
!
access-list 10 permit 172.18.75.254
access-list 10 permit 172.18.136.22
access-list 10 permit 172.18.128.15
access-list 10 permit 192.168.128.78
access-list 10 permit 172.18.66.21
access-list 10 permit 213.73.33.0 0.0.0.255
access-list 10 permit 213.73.32.0 0.0.0.255
access-list 11 permit [Firewall External Address]
access-list 11 deny any
access-list 101 permit ip 192.168.128.80 0.0.0.7 172.18.128.0 0.0.63.255
access-list 101 permit ip 213.73.33.0 0.0.0.255 172.18.128.0 0.0.63.255
no cdp run
!
radius-server authorization permit missing Service-Type
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 login authentication uoc
 length 0
!
no scheduler max-task-time
end

Can anybody help me?

Thank you
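The IOS message "decrypted packet failed SA identity check" is raised when the inner source and destination of a decrypted packet do not fall inside the proxy identities (the crypto ACL entry) of the SA it arrived on. As an added example that is not part of the original post, the Python below parses the posted access-list 101 and reports which entry, if any, covers a given inner src/dst pair; the thread does not give Network 3's address range, so a constructed placeholder range stands in for it.

```python
import ipaddress
import re

# Crypto ACL 101 exactly as it appears in the posted router configuration.
# Each 'permit' entry is the proxy identity (traffic selector) of an SA.
CRYPTO_ACL_101 = """
access-list 101 permit ip 192.168.128.80 0.0.0.7 172.18.128.0 0.0.63.255
access-list 101 permit ip 213.73.33.0 0.0.0.255 172.18.128.0 0.0.63.255
"""

# Only extended 'ip' entries with explicit address/wildcard pairs are handled
# (the 'host' and 'any' keywords are not, an assumption of this example).
ENTRY_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard -> IPv4Network. A wildcard is an inverted netmask, so it is
    inverted explicitly (0.0.0.0 must mean /32, 255.255.255.255 must mean /0)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)


def parse_crypto_acl(text: str) -> list:
    """Return [(action, src_net, dst_net), ...] for each parsed entry."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # skip comments, blank lines, unsupported syntax
        _, action, s_addr, s_wc, d_addr, d_wc = m.groups()
        entries.append((action, wildcard_to_network(s_addr, s_wc),
                        wildcard_to_network(d_addr, d_wc)))
    return entries


def sa_identity_check(acl_text: str, src: str, dst: str):
    """Return (src_net, dst_net) of the first entry covering inner src->dst, or
    None. Traffic that no 'permit' entry covers is never an SA selector, so if it
    shows up inside an SA the receiving router drops it with the identity error."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, s_net, d_net in parse_crypto_acl(acl_text):
        if src_ip in s_net and dst_ip in d_net:
            return (str(s_net), str(d_net)) if action == "permit" else None
    return None
```

Running a Network 1 host against a Network 2 address (172.18.128.0/18) returns a matching entry, while the same host against any address outside that range, such as a constructed 10.99.0.0/16 standing in for Network 3, returns None, which is the condition the debug message reports.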

1 Reply

a.lysyuk
Level 1

Hello.

It seems that the IP packets for IKE phase 1 are undergoing NAT traversal, so there is an identity mismatch. Did you try the configuration line:

sysopt connection permit-ipsec

This only works with version 6.3 of the PIX Firewall software.