Linux to PIX VPN

chris
Level 1

I'm trying to set up a Linux to PIX VPN using Linux FreeS/WAN. To complicate things, I already have a PIX to PIX VPN set up. When I try to establish the connection from the Linux machine it gets past the ISAKMP stage and moves on to the IPsec stage. I ran a debug of IPsec and I am getting this error:

IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2

upported

IPSEC(validate_proposal): transform proposal (prot 3, trans 2, hmac_alg 1

upported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 65.230.113.162, src= 65.230.113.163,

dest_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4),

src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14

IPSEC(validate_transform_proposal): peer address 65.230.113.163 not found

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 65.230.113.162, src= 65.230.113.163,

dest_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),

src_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14

IPSEC(validate_transform_proposal): peer address 65.230.113.162 not found

I read something about this happening with VPN 3000 concentrators and having to have the ipsec entries in the correct order, but i'm not sure how it applies to this. Any help would be appreciated.

ajagadee
Cisco Employee

Hi,

Make sure that you do not have overlapping networks as interesting traffic for your IPsec tunnels.

And if possible, can you post your PIX config and also use different naming schemes for the routable IP addresses.

Regards,

Arul

PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ewW2SgQ8v4FnXnHg encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

domain-name 192.168.0.1

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol ftp strict 21

names

name 192.168.2.0 TF

name 67.41.40.112 out

name 192.168.5.0 IF

access-list 101 permit ip any 192.168.0.0 255.255.255.0

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 102 permit ip any 192.168.0.0 255.255.255.0

access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 102 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list 102 permit ip 10.5.79.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0

access-list 110 permit tcp any host 192.168.0.4 eq www

access-list 110 permit ip any any

access-list 109 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0

access-list 109 permit ip any 192.168.0.0 255.255.255.0

access-list 109 permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging trap debugging

logging history debugging

logging facility 23

logging host inside 192.168.0.85

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 65.230.113.162 255.255.255.0

ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.5 255.255.255.255 inside

pdm location 192.168.0.27 255.255.255.255 inside

pdm location 192.168.0.85 255.255.255.255 inside

pdm location TF 255.255.255.0 inside

pdm location 10.5.79.0 255.255.255.0 inside

pdm location 192.168.0.4 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 102

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface ident 192.168.0.4 ident netmask 255.255.255.255 0 0

access-group 110 in interface outside

conduit permit icmp any any

conduit permit gre any any

conduit permit udp any any eq 1720

conduit permit udp any any eq 1719

conduit permit tcp any any eq h323

conduit permit tcp any any eq 1719

conduit permit tcp any any eq www

conduit permit tcp any eq 1723 any eq 1723

route outside 0.0.0.0 0.0.0.0 63.230.113.161 1

route inside 10.5.79.0 255.255.255.0 192.168.0.254 1

route inside IF 255.255.255.0 192.168.0.252 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.0.85 255.255.255.255 inside

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

crypto ipsec transform-set linuxbox esp-des esp-sha-hmac

crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 65.114.226.162

crypto map transam 1 set transform-set chevelle

crypto map transam 2 ipsec-isakmp

crypto map transam 2 match address 109

crypto map transam 2 set peer 65.230.113.163

crypto map transam 2 set transform-set linuxbox

crypto map transam interface outside

isakmp enable outside

isakmp key ******** address 65.114.226.162 netmask 255.255.255.255

isakmp key ******** address 65.230.113.163 netmask 255.255.255.255

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption des

isakmp policy 2 hash sha

isakmp policy 2 group 1

isakmp policy 2 lifetime 86400

telnet 192.168.0.85 255.255.255.255 inside

telnet 192.168.0.5 255.255.255.255 inside

telnet 192.168.0.4 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40

vpdn group 1 client configuration address local PPTP-POOL

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username xxxxx password xxxxxx

vpdn enable outside

terminal width 80

Cryptochecksum:83762071205b29c5f5307c32892296e6

: end

[OK]

---------------------------------------------------------------------------------------------------------

The Linux machine has the inside address scheme of 192.168.9.0 and has the outside address of 65.230.113.163.

Thanks.

Hi,

Your match address 101 and 109 are overlapping. Make sure there are no overlapping networks.

access-list 101 permit ip any 192.168.0.0 255.255.255.0

access-list 109 permit ip any 192.168.0.0 255.255.255.0

And the above access-list is also incorrect.

You can follow the URL below for the hub-and-spoke topology of the PIX.

http://www.cisco.com/warp/public/110/pixhubspoke.html

If there is no specific reason for using the keyword "any", use a subnet in the config.

For example, your access-lists should be something like:

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 109 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0

access-list 109 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list 109 permit ip 10.5.79.0 255.255.255.0 192.168.9.0 255.255.255.0

access-list 109 permit ip 10.5.79.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0

access-list 102 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list 102 permit ip 10.5.79.0 255.255.255.0 192.168.9.0 255.255.255.0

access-list 102 permit ip 10.5.79.0 255.255.255.0 172.16.1.0 255.255.255.0

And on the remote PIX, you should have the exact mirror images of the access-lists.

Regards,

Arul
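As an added illustration, not part of the thread, here is a small Python model of why the "any" lines matter: it parses the posted crypto ACLs, picks the first crypto map entry whose ACL covers the proxy identities the Linux box proposes (192.168.0.0/24 to 192.168.9.0/24, from the debug), and lists entry pairs whose interesting traffic overlaps. The first-match selection and the mirrored evaluation of crypto ACLs are simplifying assumptions of this model, not the PIX's actual code path.

```python
import ipaddress
Net = ipaddress.IPv4Network

def _addr(t, i):
    """Consume one PIX address spec ('any' or 'ADDR MASK') at t[i]; return (net, next i)."""
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    return Net(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_acls(config):
    """Map ACL number -> [(src, dst)] from 'access-list N permit ip SRC DST' lines."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            acls.setdefault(t[1], []).append((src, _addr(t, i)[0]))
    return acls

def ace_matches(ace, local, remote):
    """Crypto ACLs apply in both directions, so test the ACE forward and mirrored."""
    s, d = ace
    return (local.subnet_of(s) and remote.subnet_of(d)) or (remote.subnet_of(s) and local.subnet_of(d))

def select_peer(crypto_map, acls, local, remote):
    """Assumed first-match model: the lowest-sequence entry whose ACL covers the proxies wins."""
    for _, acl, peer in sorted(crypto_map):
        if any(ace_matches(a, local, remote) for a in acls.get(acl, [])):
            return peer          # only this entry's 'set peer' would be accepted
    return None

def overlapping_entries(crypto_map, acls):
    """(seq_a, seq_b) pairs whose interesting traffic overlaps in either orientation."""
    def hit(a, b):
        return (a[0].overlaps(b[0]) and a[1].overlaps(b[1])) or (a[0].overlaps(b[1]) and a[1].overlaps(b[0]))
    return [(sa, sb) for i, (sa, acl_a, _) in enumerate(crypto_map)
            for sb, acl_b, _ in crypto_map[i + 1:]
            if any(hit(a, b) for a in acls[acl_a] for b in acls[acl_b])]

# (sequence, crypto ACL, peer) from the posted crypto map; proxy identities from the debug output.
CRYPTO_MAP = [(1, "101", "65.114.226.162"), (2, "109", "65.230.113.163")]
LOCAL, REMOTE = Net("192.168.0.0/24"), Net("192.168.9.0/24")
POSTED = """access-list 101 permit ip any 192.168.0.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 109 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 109 permit ip any 192.168.0.0 255.255.255.0
access-list 109 permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0"""
FIXED = """access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 109 permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0"""
```

With the posted ACLs, `select_peer` lands on entry 1 (the other PIX's peer) because "any" in ACL 101 also covers the Linux subnet, and entries 1 and 2 are reported as overlapping; with the specific subnets Arul suggests, entry 2 with peer 65.230.113.163 is chosen and no overlap remains.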