02-15-2004 03:09 PM
Hello,
I have a PIX 501 at a remote office and a PIX 515 at our central office. I am using the easy VPN feature of the PIX family to establish the VPN. The VPN establishes with no problem and shows an active status.
If I am trying to ping a resource on the internal remote network (10.0.10.0/24), I will get several replies while the IPSEC tunnel is being established. Once the tunnels are established, I get a message in my logs saying "402103: Identity doesn't match negotiated identity (ip) dest_addr=(my local IP from the PIX 515), src_addr=(the remote address I am pinging), prot=udp, (ident) local=(public IP address of 501), remote=(public address of 515), local proxy=(public address of 501)".
It is like the PIX 501 does not think the return packets are part of encryption process.
I am also using a split-tunnel on the PIX 515.
Thanks for any ideas; this has been a problem for over a week now.
Dan
02-16-2004 04:13 PM
Please post the configs.
02-16-2004 06:20 PM
PIX 501 Config:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any eq domain any
access-list outside_access_in permit icmp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 208.200.XXX.XXX 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.192 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 norandomseq
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 208.200.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient server 209.83.XXX.XXX
vpnclient mode client-mode
vpnclient vpngroup vpnGroup password ********
vpnclient username dan password ********
vpnclient enable
terminal width 80
: end
[OK]
02-16-2004 06:36 PM
PIX 515 Config:
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxencrypted
passwd xxxxencrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 80 permit ip 10.0.10.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.20.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.30.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.50.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.25.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.35.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 80 permit ip 10.0.55.0 255.255.255.0 10.0.11.0 255.255.255.0
pager lines 24
logging timestamp
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside 10.0.10.41
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.83.XXX.XXX 255.255.255.224
ip address inside 10.0.10.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 10.0.11.1-10.0.11.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 209.83.XXX.XXX netmask 255.255.255.224
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.10.40 netmask 255.255.255.255 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.10.42 netmask 255.255.255.255 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.10.49 netmask 255.255.255.255 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.10.45 netmask 255.255.255.255 0 0
static (inside,outside) 209.83.XXX.XXX 10.0.55.240 netmask 255.255.255.255 0 0
conduit permit tcp host 209.83.XXX.XXX eq ftp any
conduit permit tcp host 209.83.XXX.XXX eq ftp-data any
conduit permit icmp any any
conduit permit tcp host 209.83.XXX.XXX eq www any
conduit permit tcp host 209.83.XXX.XXX eq 443 any
conduit permit tcp host 209.83.XXX.XXX eq pop3 any
conduit permit tcp host 209.83.XXX.XXX eq domain any
conduit permit udp host 209.83.XXX.XXX eq domain any
conduit permit gre host 209.83.XXX.XXX any
conduit permit tcp 209.83.XXX.XXX 255.255.255.224 eq smtp any
conduit permit tcp host 209.83.XXX.XXX eq www any
conduit permit tcp host 209.83.XXX.XXX eq 443 any
conduit permit tcp host 209.83.XXX.XXX eq www any
route outside 0.0.0.0 0.0.0.0 209.83.XXX.XXX 1
route inside 10.0.0.0 255.0.0.0 10.0.10.3 1
route outside 10.0.11.0 255.255.255.0 209.83.XXX.XXX 1
route inside 208.155.181.0 255.255.255.0 10.0.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:20:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partner protocol tacacs+
aaa-server partner (inside) host 10.0.10.41 strategic timeout 5
aaa authentication exclude tcp/0 inside 10.0.10.42 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authentication exclude tcp/0 inside 10.0.10.40 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authentication exclude tcp/0 inside 10.0.10.49 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authentication exclude tcp/0 inside 10.0.10.36 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authorization exclude tcp/0 inside 10.0.10.42 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authorization exclude tcp/0 inside 10.0.10.40 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authorization exclude tcp/0 inside 10.0.10.49 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa authorization exclude tcp/0 inside 10.0.10.36 255.255.255.255 0.0.0.0 0.0.0.0 partner
aaa accounting include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 partner
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set remotes esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set remotes
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client configuration address respond
crypto map partner-map client authentication partner
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local remote outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnGroup address-pool remote
vpngroup vpnGroup dns-server 10.0.10.49 10.0.10.38
vpngroup vpnGroup wins-server 10.0.10.49
vpngroup vpnGroup default-domain mydomain.com
vpngroup vpnGroup split-tunnel 80
vpngroup vpnGroup idle-time 1800
vpngroup vpnGroup password ********
vpngroup dns-server idle-time 1800
telnet 10.0.10.0 255.255.255.0 inside
telnet 10.0.11.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.10.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
pixfirewall#
02-16-2004 06:37 PM
If I use the VPN Client 3.5 everything works fine; this only happens when I am using the PIX 501 to 515 setup.
Thanks in advance for your help...
02-19-2004 03:07 PM
What does the debug output look like in the phase 2 IPSec negotiation process?
I would take a hard look at the NAT processes on the PIX, as it seems LAN traffic (on the remote PIX) is being NAT'd as it comes into the INSIDE interface, then sent out the OUTSIDE interface and on through the IPsec tunnel (on to the destination IPsec peer/headend PIX).
This will not work as expected because that traffic (with its headers re-written) is using the credentials on the external interface; the headend PIX balks because it is not part of the current SA (sequence #'s and stuff). The headend PIX may view this as a sequence-prediction, man-in-the-middle style attempt, thus the following blurb/link.
Also since the headend PIX is only 6.1 NAT traversal can't be used.
That's why we use nat 0 on IPsec traffic, but in the case of ezvpn...?
Also,
I know from experience that when configuring ezvpn on the IOS routers you cannot configure NAT on the remote ezvpn routers, because all that stuff (split tunnel) gets pushed down in config mode.
It may be a simple matter of removing the NAT statement from the remote PIX (ezvpn) and letting config-mode policy pushdown and split tunneling take care of it.
That would explain why it works fine with the VPN Software Client 3.5, because it is only doing what the headend PIX tells it during config mode.
hope this helps,
Don Garnett
Network Support Specialist
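An added illustration of the check behind message 402103, written for this thread and not taken from Cisco or from anyone in the discussion. It assumes the message layout as Dan transcribed it above, substitutes constructed documentation addresses for the masked ones, and models only the address comparison (it ignores the protocol field the message also carries). The point it shows is Don's: once NAT rewrites the inner addresses, the decrypted packet no longer fits the proxy identities negotiated for the SA, so the PIX drops it and logs this message.

```python
import ipaddress
import re

# Pattern for syslog 402103 in the form the original poster quoted it. The exact
# field labels ("local proxy" vs "local_proxy") vary by PIX release, so the
# pattern accepts either spelling; treat the whole layout as an assumption.
MSG_402103 = re.compile(
    r"402103: Identity doesn't match negotiated identity \(ip\) "
    r"dest_addr=(?P<dest>[\d.]+), src_addr=(?P<src>[\d.]+), prot=(?P<prot>\w+), "
    r"\(ident\) local=(?P<local>[\d.]+), remote=(?P<remote>[\d.]+), "
    r"local[ _]proxy=(?P<local_proxy>[\d./]+)"
    r"(?:, remote[ _]proxy=(?P<remote_proxy>[\d./]+))?",
    re.IGNORECASE,
)

# Constructed sample line (documentation addresses, not the poster's real IPs):
# the remote PIX's outside address is 203.0.113.10, the headend is 198.51.100.5,
# and the decrypted packet is a reply from 10.0.10.41 to a NAT'd inside host.
SAMPLE_LINE = (
    "Feb 15 2004 15:09:01 pixfirewall %PIX-4-402103: Identity doesn't match "
    "negotiated identity (ip) dest_addr=192.168.1.20, src_addr=10.0.10.41, "
    "prot=udp, (ident) local=203.0.113.10, remote=198.51.100.5, "
    "local proxy=203.0.113.10/32"
)


def parse_402103(line):
    """Return the message fields as a dict, or None if the line is not a 402103."""
    m = MSG_402103.search(line)
    return m.groupdict() if m else None


def selector(text):
    """An IPsec proxy identity as an ip_network: 'a.b.c.d/n', or a bare host (/32)."""
    return ipaddress.ip_network(text, strict=False)


def identity_matches(packet_src, packet_dst, local_proxy, remote_proxy):
    """Model of the inbound check that produces 402103.

    After decryption the inner packet must fit the selectors negotiated for the
    SA it arrived on: source inside the peer's (remote) proxy identity and
    destination inside our local proxy identity. A packet whose addresses were
    rewritten by NAT, and so never appeared in the negotiation, fails this test.
    """
    return (ipaddress.ip_address(packet_src) in selector(remote_proxy)
            and ipaddress.ip_address(packet_dst) in selector(local_proxy))


def explain(line, assumed_remote_proxy=None):
    """Parse a 402103 line and report which half of the identity check failed.

    The quoted message omits the remote proxy, so the caller may supply the
    selector the SA was negotiated with (an assumption, not parsed from the log).
    """
    fields = parse_402103(line)
    if fields is None:
        return None
    remote_proxy = fields.get("remote_proxy") or assumed_remote_proxy
    dst_ok = ipaddress.ip_address(fields["dest"]) in selector(fields["local_proxy"])
    src_ok = (ipaddress.ip_address(fields["src"]) in selector(remote_proxy)
              if remote_proxy else None)
    return {
        "inner_packet": (fields["src"], fields["dest"], fields["prot"]),
        "sa_peers": (fields["local"], fields["remote"]),
        "dest_in_local_proxy": dst_ok,
        "src_in_remote_proxy": src_ok,
        "matches": bool(dst_ok and src_ok),
    }


if __name__ == "__main__":
    # The headend's side of the tunnel covers 10.0.10.0/24 per access-list 80.
    for key, value in explain(SAMPLE_LINE, assumed_remote_proxy="10.0.10.0/24").items():
        print(f"{key}: {value}")
```

Run against the constructed line, the report shows the source fitting the 10.0.10.0/24 selector but the destination (a 192.168.1.x host that was hidden behind the 501's outside address when the SA was built) falling outside the /32 local proxy, which is exactly the symptom described in the first post.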
02-23-2004 04:37 PM
Removing the NAT didn't work either... I tried using vpnclient mode network-extension-mode, and this didn't work either, but then when I switched the 501 back to vpnclient mode client-mode everything seemed to work smoothly. Thanks for your help on this.
03-15-2004 01:30 AM
Another thing to check on this is the release notes! I had some problems last week with a similar setup; you will have problems if you don't run the same major version of the OS on both ends (i.e. 6.3). Without this you get all sorts of strange, confusing and inconsistent problems.
I'd suggest upgrading, as the version of 6.1 I tried doesn't support the vpnclient command at all. Also, 6.3 allows split tunneling to work when the VPN tunnel is down, which previous versions didn't (I believe).
Regards
03-15-2004 05:49 AM
Hi Aforjeh,
Yes, you are right. Once we upgraded the 515 to the same major revision 6.3, all of these problems magically went away.
Thanks for the note!
Dan