08-25-2003 10:37 AM - edited 02-21-2020 12:44 PM
Hi all you learned VPN/tunnel junkies,
Here's the scenario I've been losing sleep over lately:
From my main PIX (SE440BX2, 128 MB RAM, CPU Pentium II 350 MHz, running 6.2(2)) in the office, I already have an IPSEC VPN tunnel up and working with a vendor of ours. This weekend I started to add another tunnel to another off-site host using a PIX 501 (running 6.3.2). It seems the ISAKMP part will hook up just fine, but I can't get the phase 2 part of IPSEC to work. Following are configs for both PIX(ies?) with the first octet of any IP address changed to protect the ignorant. Here's a key:
dmz = refers to office, internal dmz address
in = refers to office, internal network address
out = refers to office, internet network address
oldin = refers to office, working vendor VPN inside address
oldout = refers to office, working vendor VPN internet address
newin = refers to new remote site, new VPN inside address
newout = refers to new remote site, new VPN external address
PIX Config for office (non-relevant parts removed):
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
access-list acl_out permit tcp any host out.66.77.150 eq www
access-list acl_out permit tcp any host out.66.77.151 eq https
access-list acl_out permit tcp any host out.66.77.253 eq domain
access-list acl_out permit udp any host out.66.77.253 eq domain
access-list acl_out permit gre any host out.66.77.253
access-list acl_out permit esp any host out.66.77.253
access-list acl_out permit tcp any host out.66.77.253 eq 1723
access-list acl_out deny icmp any any
access-list 101 permit ip in.165.54.0 255.255.255.0 oldin.15.0.0 255.255.0.0
access-list 101 permit ip in.165.54.0 255.255.254.0 newin.168.222.0 255.255.255.0
access-list 101 permit ip in.165.54.0 255.255.255.0 newin.168.222.0 255.255.255.0
access-list 102 permit ip in.165.54.0 255.255.255.0 newin.168.222.0 255.255.255.0
icmp deny any outside
global (outside) 1 out.66.77.150-out.66.77.229
global (outside) 1 out.66.77.251 netmask 255.255.255.128
global (DMZ) 1 dmz.168.111.240-dmz.168.111.250
nat (inside) 0 access-list 101
nat (inside) 1 in.165.0.0 255.255.0.0 0 0
nat (DMZ) 1 dmz.168.111.0 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 out.66.77.254 1
route inside in.165.0.0 255.255.0.0 in.165.55.254 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer oldout.56.8.8
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer newout.112.66.214
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address oldout.56.8.8 netmask 255.255.255.255
isakmp key ******** address newout.112.66.214 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
PIX Config for remote site:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 102 permit ip newin.168.222.0 255.255.255.0 in.165.54.0 255.255.255.0
access-list acl_out permit tcp out.66.77.128 255.255.255.128 host newout.112.66.214 eq ssh
access-list acl_out deny icmp any any
access-list 101 permit ip newin.168.222.0 255.255.255.0 in.165.54.0 255.255.255.0
ip address outside pppoe setroute
ip address inside newin.168.222.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 newin.168.222.0 255.255.255.0 0 0
access-group acl_out in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map toSBD 20 ipsec-isakmp
crypto map toSBD 20 match address 102
crypto map toSBD 20 set peer out.66.77.129
crypto map toSBD 20 set transform-set strong
crypto map toSBD interface outside
isakmp enable outside
isakmp key ******** address out.66.77.129 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
And here's the interesting "debug crypto ipsec" messages from the office PIX:
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x77bca3ae(2008851374) for SA
from newout.112.66.214 to out.66.77.129 for prot 3
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,
dest_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),
src_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address newout.112.66.214 not found
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,
dest_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),
src_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address out.66.77.129 not found
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= out.66.77.129, remote= newout.112.66.214,
local_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),
remote_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4)
And finally the interesting "debug crypto ipsec" messages from the remote PIX:
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,
dest_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),
src_proxy= in.165.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,
dest_proxy= in.165.0.0/255.255.0.0/0/0 (type=4),
src_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,
dest_proxy= oldin.15.0.0/255.255.0.0/0/0 (type=4),
src_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,
dest_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),
src_proxy= oldin.15.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,
dest_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),
src_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
So why is the new remote PIX processing an address list for the old VPN (working) on the new VPN (not-working)?
Also, notice that it's using a 16-bit mask instead of the 24-bit mask SPECIFIED EVERYWHERE ELSE! Any suggestions or comments would be appreciated as I'm nearing the point where I'm ready to quit my job and join a cult.
-(Mr.) Kelly Adams
Yet another software developer roped into learning PIX security...
08-25-2003 07:01 PM
OK, on the existing PIX you have the following:
access-list 101 permit ip in.165.54.0 255.255.255.0 oldin.15.0.0 255.255.0.0
access-list 101 permit ip in.165.54.0 255.255.254.0 newin.168.222.0 255.255.255.0
access-list 101 permit ip in.165.54.0 255.255.255.0 newin.168.222.0 255.255.255.0
access-list 102 permit ip in.165.54.0 255.255.255.0 newin.168.222.0 255.255.255.0
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer oldout.56.8.8
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer newout.112.66.214
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
Crypto maps are read from top down, so crypto map 10 will be read before crypto map 20, therefore access-list 101 will be checked before access-list 102. Note that access-list 102 is the same as one of the lines in ACL 101, therefore ACL 102 and crypto map 20 will NEVER be used, because ACL 101 and crypto map 10 will always match first. This is why you're getting the "proxy identities not supported" error, because the old PIX is trying to build a tunnel to the other old PIX, rather than to the new 501.
You need to make ACL 102 different to ACL 101, and make sure you make both of them more specific to exactly match the traffic that you want to go over each tunnel. Then change the other ends of the tunnel (the 501 and the other PIX) so that their ACLs are the exact opposite of what you've defined on this old PIX.
08-26-2003 12:39 PM
Woohoo! It took a little bit of caffeine to get my head around having three separate ACLs, but it's up and working with the following changes:
Office PIX:
access-list 101 permit ip in.165.0.0 255.255.0.0 oldin.15.0.0 255.255.0.0
access-list 101 permit ip in.165.0.0 255.255.0.0 newin.168.222.0 255.255.255.0
access-list 102 permit ip in.165.0.0 255.255.0.0 newin.168.222.0 255.255.255.0
access-list 103 permit ip in.165.0.0 255.255.0.0 oldin.15.0.0 255.255.0.0
nat (inside) 0 access-list 101
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 103
crypto map newmap 10 set peer oldout.56.8.8
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer newout.112.66.214
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
And on the new remote PIX:
access-list 102 permit ip newin.168.222.0 255.255.255.0 in.165.0.0 255.255.0.0
access-list 101 permit ip newin.168.222.0 255.255.255.0 in.165.0.0 255.255.0.0
No changes were needed on the existing remote IPSEC connection. Thanks for your help Glenn!
-Kelly
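As an added example (not code from the thread or from Cisco), here is a small Python checker for the two things Glenn's answer and Kelly's fix turn on: whether an earlier crypto map entry's ACL already covers a later entry's ACL (so the later entry is never selected and the PIX offers the wrong proxy IDs), and whether the peer's crypto ACL is the exact mirror image of the local one (the responder answers "proxy identities not supported" when it has no crypto map entry whose ACL matches the proposed proxy IDs). The embedded configs are constructed from the ACLs posted above, with the masked first octets filled in with private and documentation addresses (10.165.x for "in", 10.15.0.0 for "oldin", 192.168.222.0 for "newin", 203.0.113.8 and 198.51.100.214 for the two peers); those values are assumptions, not the poster's real addresses.

```python
"""Static checks for PIX 6.x crypto-map ACLs: shadowed entries and peer mirroring."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample configs. The thread masked the first octet of every address,
# so RFC 1918 / documentation ranges are substituted here (hypothetical values).
OFFICE_BEFORE = """\
access-list 101 permit ip 10.165.54.0 255.255.255.0 10.15.0.0 255.255.0.0
access-list 101 permit ip 10.165.54.0 255.255.254.0 192.168.222.0 255.255.255.0
access-list 101 permit ip 10.165.54.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list 102 permit ip 10.165.54.0 255.255.255.0 192.168.222.0 255.255.255.0
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 203.0.113.8
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer 198.51.100.214
"""

OFFICE_AFTER = """\
access-list 102 permit ip 10.165.0.0 255.255.0.0 192.168.222.0 255.255.255.0
access-list 103 permit ip 10.165.0.0 255.255.0.0 10.15.0.0 255.255.0.0
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 103
crypto map newmap 10 set peer 203.0.113.8
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer 198.51.100.214
"""

REMOTE_BEFORE = "access-list 102 permit ip 192.168.222.0 255.255.255.0 10.165.54.0 255.255.255.0\n"
REMOTE_AFTER = "access-list 102 permit ip 192.168.222.0 255.255.255.0 10.165.0.0 255.255.0.0\n"

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.*)$")
MAP_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(match address|set peer)\s+(\S+)$")


def _take_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # PIX 6.x ACLs take a real subnet mask, not a wildcard
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_aces(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = defaultdict(list)
    for line in cfg.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            tokens = m.group(2).split()
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
            acls[m.group(1)].append((src, dst))
    return dict(acls)


def parse_crypto_map(cfg):
    """Return crypto map entries in the order the PIX evaluates them (by sequence)."""
    entries = defaultdict(dict)
    for line in cfg.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            key = (m.group(1), int(m.group(2)))
            field = "acl" if m.group(3) == "match address" else "peer"
            entries[key][field] = m.group(4)
    return [dict(name=n, seq=s, **v) for (n, s), v in sorted(entries.items())]


def _covered(ace, aces):
    """True if a single ACE in `aces` matches everything `ace` matches.

    Deliberately conservative: a later ACE covered only by the union of several
    earlier ACEs is not flagged, so an empty result is not a proof of correctness.
    """
    src, dst = ace
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in aces)


def shadowed_entries(cfg):
    """Find crypto map entries whose traffic is already claimed by an earlier entry.

    Returns [(shadowed_seq, shadowing_seq, fully_shadowed)], in evaluation order.
    """
    acls = parse_aces(cfg)
    entries = parse_crypto_map(cfg)
    findings = []
    for i, later in enumerate(entries):
        later_aces = acls.get(later.get("acl"), [])
        for earlier in entries[:i]:
            earlier_aces = acls.get(earlier.get("acl"), [])
            hits = [a for a in later_aces if _covered(a, earlier_aces)]
            if hits:
                findings.append((later["seq"], earlier["seq"], len(hits) == len(later_aces)))
    return findings


def mirror_mismatch(local_aces, remote_aces):
    """Compare a peer's crypto ACL with the mirror image of the local crypto ACL.

    Returns (missing_on_remote, extra_on_remote), each a set of (src, dst) pairs
    as the remote side would write them.
    """
    expected = {(dst, src) for src, dst in local_aces}
    actual = set(remote_aces)
    return expected - actual, actual - expected


if __name__ == "__main__":
    for label, cfg in (("before", OFFICE_BEFORE), ("after", OFFICE_AFTER)):
        for shadowed, by, fully in shadowed_entries(cfg):
            kind = "fully" if fully else "partly"
            print(f"{label}: crypto map entry {shadowed} is {kind} shadowed by entry {by}")
    local = parse_aces(OFFICE_AFTER)["102"]
    for label, remote in (("before", REMOTE_BEFORE), ("after", REMOTE_AFTER)):
        missing, extra = mirror_mismatch(local, parse_aces(remote)["102"])
        print(f"remote {label}: missing={sorted(map(str, missing))} extra={sorted(map(str, extra))}")
```

Run as-is, it reports that entry 20 in the original office config is fully shadowed by entry 10 (exactly Glenn's point: the PIX never reaches the entry that points at the 501), reports nothing for the fixed config, and shows that the 501's original ACL 102 (a /24 destination) is not the mirror of the fixed office ACL 102 (a /16 destination) until it is changed as Kelly did. Two caveats when using something like this on a real PIX 6.x: the crypto ACLs decide which traffic gets encrypted and to which peer, while the `nat (inside) 0 access-list` ACL only decides what is exempt from NAT, so that ACL should remain the union of all the crypto ACLs (as ACL 101 is in the fix) but must not itself be referenced by a `match address`; and the containment test here is per-ACE, so it can miss an entry shadowed by the combination of several earlier lines.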