12-30-2002 10:39 AM - edited 02-21-2020 12:15 PM
I'm trying to set up a Linux to PIX VPN using Linux FreeS/WAN. To complicate things, I already have a PIX to PIX VPN set up. When I try to establish the connection from the Linux machine it gets past the ISAKMP stage and moves on to the IPsec stage. I ran a debug of ipsec and I am getting this error:
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2
upported
IPSEC(validate_proposal): transform proposal (prot 3, trans 2, hmac_alg 1
upported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 65.230.113.162, src= 65.230.113.163,
dest_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14
IPSEC(validate_transform_proposal): peer address 65.230.113.163 not found
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 65.230.113.162, src= 65.230.113.163,
dest_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14
IPSEC(validate_transform_proposal): peer address 65.230.113.162 not found
I read something about this happening with VPN 3000 concentrators and having to have the ipsec entries in the correct order, but I'm not sure how it applies to this. Any help would be appreciated.
12-31-2002 01:04 AM
Hi,
Make sure that you do not have overlapping networks as interesting traffic for your IPsec tunnels.
And if possible, can you post your PIX config and also use different naming schemes for the routable IP addresses.
Regards,
Arul
01-02-2003 07:58 AM
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ewW2SgQ8v4FnXnHg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name 192.168.0.1
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp strict 21
names
name 192.168.2.0 TF
name 67.41.40.112 out
name 192.168.5.0 IF
access-list 101 permit ip any 192.168.0.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit ip any 192.168.0.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 102 permit ip 10.5.79.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 110 permit tcp any host 192.168.0.4 eq www
access-list 110 permit ip any any
access-list 109 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 109 permit ip any 192.168.0.0 255.255.255.0
access-list 109 permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging trap debugging
logging history debugging
logging facility 23
logging host inside 192.168.0.85
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 65.230.113.162 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.5 255.255.255.255 inside
pdm location 192.168.0.27 255.255.255.255 inside
pdm location 192.168.0.85 255.255.255.255 inside
pdm location TF 255.255.255.0 inside
pdm location 10.5.79.0 255.255.255.0 inside
pdm location 192.168.0.4 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ident 192.168.0.4 ident netmask 255.255.255.255 0 0
access-group 110 in interface outside
conduit permit icmp any any
conduit permit gre any any
conduit permit udp any any eq 1720
conduit permit udp any any eq 1719
conduit permit tcp any any eq h323
conduit permit tcp any any eq 1719
conduit permit tcp any any eq www
conduit permit tcp any eq 1723 any eq 1723
route outside 0.0.0.0 0.0.0.0 63.230.113.161 1
route inside 10.5.79.0 255.255.255.0 192.168.0.254 1
route inside IF 255.255.255.0 192.168.0.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.85 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set linuxbox esp-des esp-sha-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 65.114.226.162
crypto map transam 1 set transform-set chevelle
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 109
crypto map transam 2 set peer 65.230.113.163
crypto map transam 2 set transform-set linuxbox
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 65.114.226.162 netmask 255.255.255.255
isakmp key ******** address 65.230.113.163 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
telnet 192.168.0.85 255.255.255.255 inside
telnet 192.168.0.5 255.255.255.255 inside
telnet 192.168.0.4 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local PPTP-POOL
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxxx password xxxxxx
vpdn enable outside
terminal width 80
Cryptochecksum:83762071205b29c5f5307c32892296e6
: end
[OK]
---------------------------------------------------------------------------------------------------------
The Linux machine has the inside address scheme of 192.168.9.0 and has the outside address of 65.230.113.163.
Thanks.
01-02-2003 11:17 AM
Hi,
Your match address ACLs 101 and 109 are overlapping. Make sure there are no overlapping networks.
access-list 101 permit ip any 192.168.0.0 255.255.255.0
access-list 109 permit ip any 192.168.0.0 255.255.255.0
And the above access-list lines are also incorrect.
You can follow the URL below for the hub-and-spoke topology of the PIX.
http://www.cisco.com/warp/public/110/pixhubspoke.html
If there is no specific reason for using the keyword "any", use a subnet in the config.
For Example, your access-lists should be something like:
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 109 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 109 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 109 permit ip 10.5.79.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 109 permit ip 10.5.79.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 102 permit ip 10.5.79.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 102 permit ip 10.5.79.0 255.255.255.0 172.16.1.0 255.255.255.0
And on the remote pix, you should have the exact mirror images of the access-lists.
Regards,
Arul
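The two replies above both point at the same root cause: the PIX walks its crypto map in sequence order and takes the first entry whose crypto ACL covers the proxy identities in the incoming proposal, and only then compares the peer. An ACL line with `any` in crypto map entry 1 therefore swallows the Linux peer's 192.168.9.0/24 <-> 192.168.0.0/24 proposal and the PIX reports the Linux address as "not found" against entry 1's peer. The following Python script is an added illustration of that first-match behaviour and of the overlap check Arul recommends; it is not Cisco code, it simplifies the real PIX matching (it tests each ACL line in both directions because proxy IDs arrive from the remote peer's point of view), and it uses the addresses and ACLs posted in this thread, with the corrected map built from Arul's suggested access-lists.

```python
"""Model of PIX crypto-map selection for an inbound IPsec proposal.

Constructed illustration, not PIX code.  Simplifications:
  * a crypto map is an ordered list of (sequence, ACL lines, peer);
  * an ACL line is (src, dst) in "permit ip src dst" order, i.e.
    src = local network, dst = remote network;
  * a proposal matches a line if it covers local->remote or the
    mirrored remote->local direction (proxy IDs are sent by the peer).
"""
from ipaddress import ip_network

ANY = "0.0.0.0/0"          # the PIX keyword "any"


def acl(*lines):
    """Build a crypto ACL from (src, dst) network strings."""
    return [(ip_network(s), ip_network(d)) for s, d in lines]


# Crypto map "transam" exactly as posted in the thread.
ORIGINAL_MAP = [
    (1, acl((ANY, "192.168.0.0/24"),
            ("192.168.0.0/24", "192.168.1.0/24")), "65.114.226.162"),
    (2, acl(("192.168.0.0/24", "192.168.9.0/24"),
            (ANY, "192.168.0.0/24"),
            ("192.168.9.0/24", "192.168.0.0/24")), "65.230.113.163"),
]

# Same map with the access-lists Arul suggests (no "any", no overlap).
CORRECTED_MAP = [
    (1, acl(("192.168.0.0/24", "192.168.1.0/24")), "65.114.226.162"),
    (2, acl(("192.168.0.0/24", "192.168.9.0/24"),
            ("192.168.0.0/24", "172.16.1.0/24"),
            ("10.5.79.0/24", "192.168.9.0/24"),
            ("10.5.79.0/24", "172.16.1.0/24")), "65.230.113.163"),
]


def matching_line(acl_lines, local, remote):
    """Return the first ACL line covering the proposal in either direction."""
    for src, dst in acl_lines:
        if (local.subnet_of(src) and remote.subnet_of(dst)) or \
           (remote.subnet_of(src) and local.subnet_of(dst)):
            return (src, dst)
    return None


def select_entry(crypto_map, peer, local, remote):
    """First-match walk of the crypto map in sequence order.

    Returns (sequence, status) where status is 'ok' when the winning
    entry's peer is the proposing peer, 'peer-mismatch' when another
    entry captured the proxy IDs first (the debug's "peer address not
    found"), or 'no-match' when no entry covers the proposal.
    """
    local, remote = ip_network(local), ip_network(remote)
    for seq, lines, entry_peer in crypto_map:
        if matching_line(lines, local, remote) is not None:
            return seq, "ok" if entry_peer == peer else "peer-mismatch"
    return None, "no-match"


def find_overlaps(crypto_map):
    """List ACL lines in different map entries whose proxy identities
    overlap in either direction; any hit makes the first-match walk
    depend on sequence order instead of on the peer."""
    found = []
    for i, (seq_a, lines_a, _) in enumerate(crypto_map):
        for seq_b, lines_b, _ in crypto_map[i + 1:]:
            for sa, da in lines_a:
                for sb, db in lines_b:
                    same_dir = sa.overlaps(sb) and da.overlaps(db)
                    mirrored = sa.overlaps(db) and da.overlaps(sb)
                    if same_dir or mirrored:
                        found.append((seq_a, f"{sa} -> {da}",
                                      seq_b, f"{sb} -> {db}"))
    return found


if __name__ == "__main__":
    linux = ("65.230.113.163", "192.168.0.0/24", "192.168.9.0/24")
    print("posted config :", select_entry(ORIGINAL_MAP, *linux))
    print("corrected     :", select_entry(CORRECTED_MAP, *linux))
    for hit in find_overlaps(ORIGINAL_MAP):
        print("overlap in posted config:", hit)
    print("overlaps after fix:", len(find_overlaps(CORRECTED_MAP)))
```

Running it shows the posted map sending the Linux peer's proposal to sequence 1 (whose peer is the other PIX) while the existing PIX-to-PIX proposal still matches sequence 1 correctly; with the corrected access-lists the Linux proposal lands on sequence 2 and the overlap list is empty, which is the condition both replies ask for.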