PIX Watchguard Firebox VPN - Tunnel Initiation Problem?

dlockerby
Level 1

PIX and Watchguard tunnel initiation problem

It seems that our PIX firewall is unable to initiate a tunnel to a remote Watchguard Firebox VPN peer. The Watchguard Firebox can initiate a tunnel to our PIX firewall. Once the tunnel has been initiated via the Watchguard firewall, I can access resources on the remote peer network.

The admin of the Watchguard firewall states that he is not blocking access to the hosts on the peer network.

Is it possible that the Watchguard firewall is not allowing ISAKMP (UDP 500) or ESP (IP 50) being initiated from the PIX firewall?

Is anyone aware of tunnel initiation issues between PIX and Watchguard firewalls?

I can provide debugs if needed.

Thanks in advance for any and all help with this matter.

3 Replies

gfullage
Cisco Employee

Can you send the "debug cry ipsec" and "debug cry isa" output from the PIX when it fails? Are the Phase 1 and 2 lifetimes exactly the same, cause this can cause problems, especially if the Phase 1 times are different. Are the crypto access-lists exactly the opposite of each other on both devices?

Below are two different debugs. The first debug is of the VPN between my PIX firewall and a remote Watchguard firewall that does not work. The second debug is of a VPN between the same PIX firewall and a remote Checkpoint firewall that does work. Thought maybe seeing working and non-working ipsec and isakmp debugs would help.

Thanks.

***************PIX/Watchguard VPN - VPN Not Working***************

VPN Peer: ISAKMP: Added new peer: ip:x.x.x.x Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:x.x.x.x Ref cnt incremented to:1 Total VPN Peers:2
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= z.z.z.z, remote= x.x.x.x,
local_proxy= 10.120.100.0/255.255.252.0/0/0 (type=4),
remote_proxy= 192.1.1.0/255.255.255.0/0/0 (type=4)
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
ISAKMP (0): deleting SA: src z.z.z.z, dst x.x.x.x
ISADB: reaper checking SA 0x8155f7e0, conn_id = 0
ISADB: reaper checking SA 0x815eefb0, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.x.x Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.x Total VPN peers:1
ISADB: reaper checking SA 0x8155f7e0, conn_id = 0
crypto_isakmp_process_block: src x.x.x.x, dest x.x.x.x

***************PIX/Checkpoint VPN - VPN Working***************

VPN Peer: ISAKMP: Added new peer: ip:Y.Y.Y.Y Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:Y.Y.Y.Y Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src Y.Y.Y.Y, dest 192.168.2.254
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Y.Y.Y.Y, dest 192.168.2.254
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1298839477:4d6ab7b5
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xb9e034cf(3118478543) for SA
from Y.Y.Y.Y to X.X.X.X for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1298839477
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= Y.Y.Y.Y, src= X.X.X.X,
dest_proxy= 10.15.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 1298839477
ISAKMP (0): processing ID payload. message ID = 1298839477
ISAKMP (0): processing ID payload. message ID = 1298839477
ISAKMP (0): Creating IPSec SAs
inbound SA from Y.Y.Y.Y to X.X.X.X (proxy 10.15.0.0 to 10.120.0.0)
has spi 3118478543 and conn_id 1 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
outbound SA from X.X.X.X to Y.Y.Y.Y (proxy 10.120.0.0 to 10.15.0.0)
has spi 162298278 and conn_id 2 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,
dest_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 10.15.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0xb9e034cf(3118478543), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= X.X.X.X, dest= Y.Y.Y.Y,
src_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),
dest_proxy= 10.15.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x9ac79a6(162298278), conn_id= 2, keysize= 0, flags= 0x4
VPN Peer: IPSEC: Peer ip:Y.Y.Y.Y Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:Y.Y.Y.Y Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
ISADB: reaper checking SA 0x8155f7e0, conn_id = 0
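An added example, not from the post or from Cisco: a small Python helper that reads PIX "debug crypto isakmp" / "debug crypto ipsec" output and reports the furthest IKE stage reached, so a failing negotiation can be compared with a working one stage by stage. The milestone strings are the ones that appear in the two debugs above; the stage-to-check mapping in diagnose() is the editor's own troubleshooting heuristic, and the sample inputs are constructed excerpts of those debugs with the addresses left as placeholders.

```python
import re

# Milestones in the order PIX 6.x prints them: (label, marker substring).
MILESTONES = [
    ("mm_started",        "beginning Main Mode exchange"),
    ("mm_policy_ok",      "atts are acceptable. Next payload is 0"),
    ("mm_ke_nonce",       "processing NONCE payload. message ID = 0"),
    ("mm_authenticated",  "SA has been authenticated"),
    ("qm_started",        "beginning Quick Mode exchange"),
    ("ipsec_sas_created", "Creating IPSec SAs"),
]
PROXY_RE = re.compile(r"(local|remote|src|dest)_proxy= ([0-9.]+/[0-9.]+)")

def analyze(debug: str) -> dict:
    """Return the furthest milestone reached plus the failure indicators."""
    reached = [label for label, marker in MILESTONES if marker in debug]
    return {
        "last_stage": reached[-1] if reached else None,
        "retransmit": "request timer fired" in debug,  # key-engine request timed out
        "sa_deleted": "deleting SA" in debug,
        "proxies": dict(PROXY_RE.findall(debug)),      # identities offered for phase 2
    }

def diagnose(result: dict) -> str:
    """Map the furthest stage to the next thing worth checking (editor's heuristic)."""
    stage = result["last_stage"]
    if stage == "ipsec_sas_created":
        return "tunnel established"
    if stage == "mm_ke_nonce" and result["sa_deleted"]:
        return ("phase 1 stalled after KE/nonce: verify pre-shared key, "
                "peer ID type, and UDP 500 reachability in this direction")
    if stage in ("mm_authenticated", "qm_started"):
        return "phase 1 ok, phase 2 failed: compare proposals and proxy ACLs"
    return f"negotiation stopped at {stage}"

# Constructed excerpts modelled on the two debugs in the post above.
FAILING = """ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing NONCE payload. message ID = 0
IPSEC(key_engine): request timer fired: count = 1,
local_proxy= 10.120.100.0/255.255.252.0/0/0 (type=4),
ISAKMP (0): deleting SA: src z.z.z.z, dst x.x.x.x
"""
WORKING = """ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1298839477
ISAKMP (0): Creating IPSec SAs
"""
```

Run over the two debugs above, it reports that the Watchguard negotiation was torn down after the KE/nonce exchange, before any "SA has been authenticated" line, while the Checkpoint negotiation ran through to "Creating IPSec SAs".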

Concerning Phase 1 and Phase 2 Settings: The admin of the Watchguard peer states that the VPN settings are an exact mirror of the settings I have on the PIX. I will ask for screenshots of the Watchguard settings to verify that the settings are indeed the same.

Thanks.