07-11-2003 06:27 AM - edited 02-21-2020 12:39 PM
PIX and Watchguard tunnel initiation problem
It seems that our PIX firewall is unable to initiate a tunnel to a remote Watchguard Firebox VPN peer. The Watchguard Firebox can initiate a tunnel to our PIX firewall. Once the tunnel has been initiated via the Watchguard firewall, I can access resources on the remote peer network.
The admin of the Watchguard firewall states that he is not blocking access to the hosts on the peer network.
Is it possible that the Watchguard firewall is not allowing ISAKMP (UDP 500) or ESP (IP 50) to be initiated from the PIX firewall?
Is anyone aware of tunnel initiation issues between PIX and Watchguard firewalls?
I can provide debugs if needed.
Thanks in advance for any and all help with this matter.
07-16-2003 04:08 PM
Can you send the "debug cry ipsec" and "debug cry isa" output from the PIX when it fails? Are the Phase 1 and 2 lifetimes exactly the same, because this can cause problems, especially if the Phase 1 times are different. Are the crypto access-lists exactly the opposite of each other on both devices?
07-17-2003 04:17 AM
Below are two different debugs. The first debug is of the VPN between my PIX firewall and a remote Watchguard firewall that does not work. The second debug is of a VPN between the same PIX firewall and a remote Checkpoint firewall that does work. Thought maybe seeing working and non-working ipsec and isakmp debugs would help.
Thanks.
***************PIX/Watchguard VPN - VPN Not Working***************
VPN Peer: ISAKMP: Added new peer: ip:x.x.x.x Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:x.x.x.x Ref cnt incremented to:1 Total VPN Peers:2
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= z.z.z.z, remote= x.x.x.x,
local_proxy= 10.120.100.0/255.255.252.0/0/0 (type=4),
remote_proxy= 192.1.1.0/255.255.255.0/0/0 (type=4)
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
crypto_isakmp_process_block: src x.x.x.x, dest z.z.z.z
ISAKMP (0): deleting SA: src z.z.z.z, dst x.x.x.x
ISADB: reaper checking SA 0x8155f7e0, conn_id = 0
ISADB: reaper checking SA 0x815eefb0, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.x.x Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.x Total VPN peers:1
ISADB: reaper checking SA 0x8155f7e0, conn_id = 0
crypto_isakmp_process_block: src x.x.x.x, dest x.x.x.x
***************PIX/Checkpoint VPN - VPN Working***************
VPN Peer: ISAKMP: Added new peer: ip:Y.Y.Y.Y Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:Y.Y.Y.Y Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src Y.Y.Y.Y, dest 192.168.2.254
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Y.Y.Y.Y, dest 192.168.2.254
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1298839477:4d6ab7b5
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xb9e034cf(3118478543) for SA
from Y.Y.Y.Y to X.X.X.X for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1298839477
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= Y.Y.Y.Y, src= X.X.X.X,
dest_proxy= 10.15.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 1298839477
ISAKMP (0): processing ID payload. message ID = 1298839477
ISAKMP (0): processing ID payload. message ID = 1298839477
ISAKMP (0): Creating IPSec SAs
inbound SA from Y.Y.Y.Y to X.X.X.X (proxy 10.15.0.0 to 10.120.0.0)
has spi 3118478543 and conn_id 1 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
outbound SA from X.X.X.X to Y.Y.Y.Y (proxy 10.120.0.0 to 10.15.0.0)
has spi 162298278 and conn_id 2 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,
dest_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 10.15.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0xb9e034cf(3118478543), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= X.X.X.X, dest= Y.Y.Y.Y,
src_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),
dest_proxy= 10.15.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x9ac79a6(162298278), conn_id= 2, keysize= 0, flags= 0x4
VPN Peer: IPSEC: Peer ip:Y.Y.Y.Y Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:Y.Y.Y.Y Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
ISADB: reaper checking SA 0x8155f7e0, conn_id = 0
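The two debugs above differ in how far the Main Mode exchange gets: the working one reaches "SA has been authenticated" and then Quick Mode, while the failing one processes the peer's KE and NONCE payloads and then only shows the request timer firing and the SA being deleted. The following is an added example (not from the original thread, and not a Cisco tool) that scans PIX "debug crypto isakmp" / "debug crypto ipsec" output for the stage markers seen above, reports the furthest stage reached, and pulls the proxy identities out of the log so they can be compared against the peer's settings, which is the lifetime and crypto access-list check the earlier reply asks about. The stage-to-message mapping (MM1 to MM6, QM1) and the hints are the standard IKEv1 Main Mode semantics, not something the thread states; the sample inputs are abridged excerpts of the two debugs, reassembled here as constructed test data.

```python
import re
from ipaddress import IPv4Network

# Markers from PIX ISAKMP/IPsec debug output, in the order they appear when the
# PIX initiates a successful negotiation. Mapping to IKEv1 message numbers is
# an assumption based on standard Main Mode semantics, not stated in the thread.
STAGES = [
    ("beginning Main Mode exchange",          "MM1 sent (SA proposal)"),
    ("processing SA payload. message ID = 0", "MM2 received (peer accepted SA)"),
    ("processing KE payload. message ID = 0", "MM4 received (peer KE and nonce)"),
    ("SA has been authenticated",             "MM6 received (Phase 1 complete)"),
    ("beginning Quick Mode exchange",         "QM1 sent (Phase 2 started)"),
    ("Creating IPSec SAs",                    "Phase 2 complete (IPsec SAs installed)"),
]
FAILURE_MARKERS = ["request timer fired", "deleting SA", "DELETE IT!"]

# local_proxy= 10.120.100.0/255.255.252.0/0/0  ->  ('local', '10.120.100.0', '255.255.252.0')
PROXY_RE = re.compile(
    r"(local|remote|src|dest)_proxy=\s*(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")


def last_stage(debug_text):
    """Index into STAGES of the furthest marker present, or -1 if none."""
    reached = -1
    for i, (marker, _) in enumerate(STAGES):
        if marker in debug_text:
            reached = i
    return reached


def analyze(debug_text):
    """Summarise how far the negotiation got and which proxy IDs the PIX used."""
    idx = last_stage(debug_text)
    proxies = {}
    for kind, net, mask in PROXY_RE.findall(debug_text):
        # IPv4Network accepts an (address, netmask) tuple and normalises to CIDR.
        proxies.setdefault(kind, set()).add(str(IPv4Network((net, mask))))
    return {
        "last_stage": STAGES[idx][1] if idx >= 0 else "no ISAKMP activity",
        "phase1_complete": idx >= 3,
        "phase2_complete": idx >= 5,
        "failure_markers": [m for m in FAILURE_MARKERS if m in debug_text],
        "proxies": proxies,
    }


def hint(report):
    """Troubleshooting pointer for the stage where the exchange stopped."""
    if report["phase2_complete"]:
        return "Tunnel negotiated; if traffic still fails, look past IKE (ACLs, routing, NAT)."
    if report["phase1_complete"]:
        return ("Phase 1 done, Phase 2 failed: compare transform sets, Phase 2 lifetimes "
                "and crypto ACLs (proxy IDs must be exact mirror images).")
    stage = report["last_stage"]
    if stage.startswith("MM4"):
        return ("PIX sent MM5 (its ID and hash) but never received MM6: the responder did "
                "not complete authentication. Typical causes: pre-shared key or IKE identity "
                "mismatch on the peer, or MM5/MM6 (UDP 500) dropped between the peers.")
    if stage.startswith("MM2"):
        return "Phase 1 policy accepted but the KE/nonce exchange did not complete."
    if stage.startswith("MM1"):
        return "No reply to MM1: peer unreachable, UDP 500 blocked, or no matching ISAKMP policy."
    return "No ISAKMP activity: check that the crypto map matched interesting traffic."


# Constructed, abridged excerpts of the two debugs posted in the thread.
FAILING_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= z.z.z.z, remote= x.x.x.x,
  local_proxy= 10.120.100.0/255.255.252.0/0/0 (type=4),
  remote_proxy= 192.1.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src z.z.z.z, dst x.x.x.x
ISADB: reaper checking SA 0x815eefb0, conn_id = 0 DELETE IT!
"""

WORKING_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1298839477:4d6ab7b5
  dest_proxy= 10.15.0.0/255.255.0.0/0/0 (type=4),
  src_proxy= 10.120.0.0/255.255.0.0/0/0 (type=4),
ISAKMP (0): Creating IPSec SAs
"""

if __name__ == "__main__":
    for name, text in (("Watchguard", FAILING_DEBUG), ("Checkpoint", WORKING_DEBUG)):
        report = analyze(text)
        print(name, report["last_stage"], report["failure_markers"], report["proxies"])
        print("  ->", hint(report))
```

Run on the failing debug, the furthest marker is the KE/NONCE processing with no "SA has been authenticated" afterwards, and the extracted proxies (10.120.100.0/22 local, 192.1.1.0/24 remote) are what the Watchguard side must hold as its remote and local networks respectively. The hints only narrow the search; a dropped MM6 and a pre-shared-key mismatch look identical from the initiator's debug, so the responder's own log is needed to tell them apart.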
07-17-2003 04:31 AM
Concerning Phase 1 and Phase 2 settings: The admin of the Watchguard peer states that the VPN settings are an exact mirror of the settings I have on the PIX. I will ask for screenshots of the Watchguard settings to verify that the settings are indeed the same.
Thanks.