
PIX 501 to PIX 515 Easy VPN not working

dlatvala
Level 1

Hello,

I have a PIX 501 at a remote office and a PIX 515 at our central office. I am using the easy VPN feature of the PIX family to establish the VPN. The VPN establishes with no problem and shows an active status.

If I am trying to ping a resource on the internal remote network (10.0.10.0/24), I will get several replies while the IPSEC tunnel is being established. Once the tunnels are established, I get a message in my logs saying "402103: Identity doesn't match negotiated identity (ip) dest_addr=(my local IP from the PIX 515), src_addr=(the remote address I am pinging), prot=udp, (ident) local=(public IP address of 501), remote=(public address of 515), local proxy=(public address of 501)".

It is like the PIX 501 does not think the return packets are part of encryption process.

I am also using a split-tunnel on the PIX 515.

Thanks for any ideas; this has been a problem for over a week now.

Dan

8 Replies

jackko
Level 7

please post the configs

PIX 501 Config:

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any eq domain any
access-list outside_access_in permit icmp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 208.200.XXX.XXX 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.192 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 norandomseq
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 208.200.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient server 209.83.XXX.XXX
vpnclient mode client-mode
vpnclient vpngroup vpnGroup password ********
vpnclient username dan password ********
vpnclient enable
terminal width 80
: end
[OK]

PIX 515 Config:

:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxx encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 80 permit ip 10.0.10.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.20.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.30.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.50.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.25.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.35.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.55.0 255.255.255.0 10.0.11.0 255.255.255.0
pager lines 24
logging timestamp
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside 10.0.10.41
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.83.XXX.XXX 255.255.255.224
ip address inside 10.0.10.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 10.0.11.1-10.0.11.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 209.83.XXX.XXX netmask 255.255.255.224
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.10.40 netmask 255.255.255.255 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.10.42 netmask 255.255.255.255 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.10.49 netmask 255.255.255.255 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.10.45 netmask 255.255.255.255 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.55.240 netmask 255.255.255.255 0 0
conduit permit tcp host 209.83.XXX.XXX eq ftp any
conduit permit tcp host 209.83.XXX.XXX eq ftp-data any
conduit permit icmp any any
conduit permit tcp host 209.83.XXX.XXX eq www any
conduit permit tcp host 209.83.XXX.XXX eq 443 any
conduit permit tcp host 209.83.XXX.XXX eq pop3 any
conduit permit tcp host 209.83.XXX.XXX eq domain any
conduit permit udp host 209.83.XXX.XXX eq domain any
conduit permit gre host 209.83.XXX.XXX any
conduit permit tcp 209.83.XXX.XXX 255.255.255.224 eq smtp any
conduit permit tcp host 209.83.XXX.XXX eq www any
conduit permit tcp host 209.83.XXX.XXX eq 443 any
conduit permit tcp host 209.83.XXX.XXX eq www any
route outside 0.0.0.0 0.0.0.0 209.83.XXX.XXX 1
route inside 10.0.0.0 255.0.0.0 10.0.10.3 1
route outside 10.0.11.0 255.255.255.0 209.83.XXX.XXX 1
route inside 208.155.181.0 255.255.255.0 10.0.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:20:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partner protocol tacacs+
aaa-server partner (inside) host 10.0.10.41 strategic timeout 5
aaa authentication exclude tcp/0 inside 10.0.10.42 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authentication exclude tcp/0 inside 10.0.10.40 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authentication exclude tcp/0 inside 10.0.10.49 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authentication exclude tcp/0 inside 10.0.10.36 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authorization exclude tcp/0 inside 10.0.10.42 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authorization exclude tcp/0 inside 10.0.10.40 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authorization exclude tcp/0 inside 10.0.10.49 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authorization exclude tcp/0 inside 10.0.10.36 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa accounting include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 partner
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set remotes esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set remotes
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client configuration address respond
crypto map partner-map client authentication partner
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local remote outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnGroup address-pool remote
vpngroup vpnGroup dns-server 10.0.10.49 10.0.10.38
vpngroup vpnGroup wins-server 10.0.10.49
vpngroup vpnGroup default-domain mydomain.com
vpngroup vpnGroup split-tunnel 80
vpngroup vpnGroup idle-time 1800
vpngroup vpnGroup password ********
vpngroup dns-server idle-time 1800
telnet 10.0.10.0 255.255.255.0 inside
telnet 10.0.11.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.10.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
pixfirewall#

If I use the VPN Client 3.5 everything works fine; this only happens when I am using the PIX 501 to 515 setup.

Thanks in advance for your help...

What does the debug output look like in the phase 2 IPSec negotiation process?

I would take a hard look at the NAT processes on the PIX, as it seems LAN traffic (on the remote PIX) is being NAT'd as it comes into the INSIDE interface, then sent out the OUTSIDE interface and on through the ipsec tunnel (on to the destination IPSec peer/headend PIX).

This will not work as expected because that traffic (with its headers re-written) is using the credentials on the external interface; the headend PIX balks because it is not part of the current SA (sequence #'s and stuff). The headend PIX may view this as a sequence prediction man-in-the-middle style attempt, thus the following blurb/link.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a008008d275.html#21457

Also since the headend PIX is only 6.1 NAT traversal can't be used.

That's why we use Nat 0 on IPSec traffic, but in the case of ezvpn..............?

Also:

I know from experience that when configuring ezvpn on the IOS routers you cannot configure NAT on the remote ezvpn routers, because all that stuff (split tunnel) gets pushed down in config mode.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094cf8.shtml

It may be a simple matter of removing the NAT statement from the remote PIX (ezvpn) and letting config-mode policy pushdown and split tunneling take care of it.

That would explain why it works fine on the VPN Software Client 3.5, because it is only doing what the headend PIX tells it during Config-mode.

hope this helps,

Don Garnett

Network Support Specialist
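The proxy-identity check behind the 402103 message can be illustrated from the log line itself: the script below, added here and not part of the thread, parses such a line, tests whether the return packet's destination lies inside the local proxy the SA was negotiated for, and reports which entry of the headend's split-tunnel ACL 80 the flow should have matched. The message text and the 10.0.11.1, 10.0.10.41, 208.200.0.2 and 209.83.0.2 addresses are constructed placeholders for the values masked as XXX in the post.

```python
import ipaddress
import re

# Constructed sample of the 402103 message quoted in the thread; the public
# addresses are placeholders, since the post masks them as XXX.
SAMPLE_402103 = (
    "402103: Identity doesn't match negotiated identity (ip) "
    "dest_addr=10.0.11.1, src_addr=10.0.10.41, prot=udp, "
    "(ident) local=208.200.0.2, remote=209.83.0.2, local proxy=208.200.0.2"
)

# First two entries of the headend split-tunnel ACL 80, as (src, dst) seen from the 515.
SPLIT_TUNNEL_ACL = [("10.0.10.0/24", "10.0.11.0/24"), ("10.0.20.0/24", "10.0.11.0/24")]

# "local proxy" is listed before "local" so the alternation cannot stop short.
FIELD_RE = re.compile(r"(dest_addr|src_addr|prot|local proxy|local|remote)=([\w./]+)")


def parse_402103(line):
    """Return the key=value fields of a 402103 identity-mismatch line."""
    fields = dict(FIELD_RE.findall(line))
    if "dest_addr" not in fields or "local proxy" not in fields:
        raise ValueError("not a 402103 identity-mismatch message")
    return fields


def proxy_network(text):
    """A proxy identity is a host or a net/mask; normalise it to a network."""
    if "/" in text:
        addr, mask = text.split("/", 1)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(f"{text}/32")


def explain_mismatch(line, split_tunnel_acl=SPLIT_TUNNEL_ACL):
    """Check the decrypted packet against the SA's negotiated local proxy and
    report which split-tunnel entry the flow should have matched instead."""
    f = parse_402103(line)
    src = ipaddress.ip_address(f["src_addr"])
    dst = ipaddress.ip_address(f["dest_addr"])
    local_proxy = proxy_network(f["local proxy"])
    # The client PIX only accepts decrypted packets whose destination lies
    # inside the local proxy identity it negotiated for this SA.
    expected = [d for s, d in split_tunnel_acl
                if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)]
    return {
        "dst_in_local_proxy": dst in local_proxy,
        "local_proxy": str(local_proxy),
        # True when the SA was negotiated for the outside address rather than
        # the pool address: the symptom of NAT being applied before encryption.
        "proxy_is_outside_ip": f["local proxy"] == f["local"],
        "expected_proxy": expected[0] if expected else None,
    }
```

Run against the sample, the result shows the destination 10.0.11.1 outside a local proxy that equals the 501's outside address, while ACL 80 says the flow belongs to 10.0.11.0/24.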

Removing the NAT didn't work either... I tried using vpnclient mode network-extension-mode, and this didn't work either, but then when I switched the 501 back to vpnclient mode client-mode everything seemed to work smoothly. Thanks for your help on this.

Another thing to check on this is the release notes! I had some problems last week with a similar setup; you will have problems if you don't run the same major version of the OS on both ends (i.e. 6.3). Without this you get all sorts of strange, confusing and inconsistent problems.

I'd suggest upgrading, as the version of 6.1 I tried doesn't support the vpnclient command at all. Also, 6.3 allows split tunneling to work when the vpn tunnel is down, which previous versions didn't (I believe).

Regards

Hi Aforjeh,

Yes, you are right. Once we upgraded the 515 to the same major revision 6.3, all of these problems magically went away.

Thanks for the note!

Dan
