Cisco PIX 501 connecting to a NetWolves FoxBox via VPN 1

llamabeta

MIS
Jun 23, 2003
4
US
I am having some difficulty getting a tunnel to come up between a Pix 501 and a NetWolves FoxBox.

This is the debug report I get:

mc5(config)# ping 10.0.1.254

VPN Peer: ISAKMP: Added new peer: ip:24.242.xxx.xxx Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:24.242.xxx.xxx Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src 24.242.xxx.xxx, dest 65.66.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 6000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR 10.0.1.254 NO response received -- 1260ms

crypto_isakmp_process_block: src 24.242.xxx.xxx, dest 65.66.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 24.242.xxx.xxx, dest 65.66.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1777929188:9606f41cIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x416f10d3(1097797843) for SA
from 24.242.xxx.xxx to 65.66.xxx.xxx for prot 2
IPSEC(spi_response): getting spi 0x7b021c75(2063735925) for SA
from 24.242.xxx.xxx to 65.66.xxx.xxx for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify

retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 65.66.xxx.xxx, remote= 24.242.xxx.xxx,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of -881301200:cb786930IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xaedf0d01(2933853441) for SA
from 24.242.xxx.xxx to 65.66.xxx.xxx for prot 2
IPSEC(spi_response): getting spi 0x2b83b23c(730051132) for SA
from 24.242.xxx.xxx to 65.66.xxx.xxx for prot 3

ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 65.66.xxx.xxx, remote= 24.242.xxx.xxx,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src 65.66.xxx.xxx, dst 24.242.xxx.xxx
ISADB: reaper checking SA 0x80a89df0, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:24.242.xxx.xxx Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:24.242.xxx.xxx Total VPN peers:0


The first phase seems to get through OK, but phase two just times out.

Any ideas? I actually had the tunnel created at one point in time but lost the config on that. =(

Here is my current config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname mc5
domain-name mamas.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonatinside permit ip any 10.0.1.0 255.255.255.0
access-list To-Corp permit ip any 10.0.1.0 255.255.255.0
access-list tocorp permit ip any host 24.242.xxx.xxx
access-list tocorp permit ip 10.0.7.0 255.255.255.0 any
access-list fromcorp permit ip host 24.242.xxx.xxx any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 65.66.xxx.xxx 255.255.255.248
ip address inside 10.0.7.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.1.0 255.255.255.0 outside
pdm location 24.242.xxx.xxx 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group fromcorp in interface outside
access-group tocorp in interface inside
route outside 0.0.0.0 0.0.0.0 65.66.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 128.194.254.9 source outside
http server enable
http 10.0.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set mytransform ah-sha-hmac esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map CorpEncr 11 ipsec-isakmp
crypto map CorpEncr 11 match address To-Corp
crypto map CorpEncr 11 set pfs
crypto map CorpEncr 11 set peer 24.242.xxx.xxx
crypto map CorpEncr 11 set transform-set mytransform
crypto map CorpEncr interface outside
isakmp enable outside
isakmp key ******** address 24.242.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 6000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
terminal width 80


Any help you can offer is appreciated. I'm at the point of pulling hair.

Thank You.
 
Ok, I have made progress. It is creating the IPSec tunnel, getting through the first phase, then stalls out. I will return with the debug information after I try a couple more things. If it helps, the FoxBox is a BSD box modified for firewall duty. I have limited access to it, but I may be able to get some help on that. Anyone ever tried building a tunnel to a BSD box?

Thanks.
 
Hi.

I have no experience with such devices, but here are some tips:

* Can each device ping the other?

* Is there another NAT/Firewall device between the peers (for example ADSL router)?

* Compare all the timeout values. This is a common problem when interconnecting different devices, because each has different default timeouts for IPSec.
Remember that there are several timeouts for ISAKMP (phase 1) and for IPSec (phase 2).


Yizhar Hurwitz
 
Yizhar I appreciate the reply.
Each device can ping the other, and there is nothing in between these devices filtering anything. My remote side just has a simple SpeedStream modem in there, only converting the DSL signal.
The timeouts are dead on, as they should be. I was thinking that myself when I first had the problem.

Here's where the debug stands now.
(65.66.xxx.xxx is where the PIX is directly connected. This debug is from when I try to ping from 24.242.xxx.xxx, pinging to 10.0.7.254.)



crypto_isakmp_process_block: src 24.242.xxx.xxx, dest 65.66.xxx.xxx
VPN Peer: ISAKMP: Added new peer: ip:24.242.xxx.xxx Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:24.242.xxx.xxx Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 6000
ISAKMP: encryption DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 24.242.xxx.xxx, dest 65.66.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 24.242.xxx.xxx, dest 65.66.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src 24.242.xxx.xxx, dest 65.66.xxx.xxx
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 922752777

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x6 0x50 0x0
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 1
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 65.66.xxx.xxx, src= 24.242.xxx.xxx,
dest_proxy= 10.0.7.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 65.66.xxx.xxx, src= 24.242.xxx.xxx,
dest_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.0.7.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS

Reading through all the Cisco docs I can find, the "proxy identities not supported" message is made out to be an access-list type problem, which is good and fine when working with Cisco (PIX OS or Cisco IOS). So I'm curious if this could be an indication of any other type of error.

Thanks again.
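
As an added check (example code written for this edit, not from the thread, Cisco or NetWolves): the phase 2 rejection above comes from the PIX comparing the proxy identities the peer proposes (the `dest_proxy`/`src_proxy` lines) with the entries of the crypto map's match ACL. Cisco's guidance is that the two peers' crypto ACLs be mirror images, and the debug shows that an entry with `any` on the local side did not satisfy the check for a 10.0.7.0/24 proposal. The script below parses the debug lines and the ACL, reports whether each proposal matches an ACL entry exactly or is only covered by a wider one, and prints the mirrored entry that would match. The sample input is constructed from the debug and config posted above, with the masked `xxx` octets replaced by 0 so they parse; all function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the phase 2 lines from the PIX "debug crypto ipsec" output
# above, with the masked "xxx" octets replaced by 0 so the addresses parse.
PIX_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 65.66.0.0, src= 24.242.0.0,
dest_proxy= 10.0.7.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 65.66.0.0, src= 24.242.0.0,
dest_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.0.7.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
IPSEC(validate_transform_proposal): proxy identities not supported
"""

# Constructed sample: the crypto ACL the crypto map matches on, from the posted config.
PIX_ACL = "access-list To-Corp permit ip any 10.0.1.0 255.255.255.0\n"

PROXY_RE = re.compile(r"(dest|src)_proxy= (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
ACL_RE = re.compile(r"access-list (\S+) permit ip (.+)")


def parse_proxies(debug):
    """Yield (local_net, remote_net) for each proposal part in the debug text.

    dest_proxy is the PIX (local) side of the proposal, src_proxy the peer side.
    """
    pending = {}
    for m in PROXY_RE.finditer(debug):
        pending[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        if "dest" in pending and "src" in pending:
            yield pending["dest"], pending["src"]
            pending = {}


def _acl_side(tokens):
    """Consume one PIX ACL address spec (any | host A | A MASK); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text, name):
    """Return (local_net, remote_net) pairs for the named ACL's 'permit ip' lines."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            local, rest = _acl_side(m.group(2).split())
            remote, _ = _acl_side(rest)
            entries.append((local, remote))
    return entries


def check_proxy_ids(debug, acl_text, acl_name):
    """Classify each peer proposal against the crypto ACL and suggest the mirror entry."""
    entries = parse_acl(acl_text, acl_name)
    results = []
    for local, remote in parse_proxies(debug):
        exact = any(local == a and remote == b for a, b in entries)
        covered = any(local.subnet_of(a) and remote.subnet_of(b) for a, b in entries)
        results.append({
            "local": str(local),
            "remote": str(remote),
            "exact_match": exact,
            "covered_only": covered and not exact,   # wider entry only, e.g. 'any'
            "mirror_entry": (f"access-list {acl_name} permit ip "
                             f"{local.network_address} {local.netmask} "
                             f"{remote.network_address} {remote.netmask}"),
        })
    return results


if __name__ == "__main__":
    for r in check_proxy_ids(PIX_DEBUG, PIX_ACL, "To-Corp"):
        if r["exact_match"]:
            verdict = "exact match"
        elif r["covered_only"]:
            verdict = "covered only by a wider entry"
        else:
            verdict = "no match"
        print(f"{r['local']} <-> {r['remote']}: {verdict}; mirror entry: {r['mirror_entry']}")
```

Run against the sample, the first proposal (local 10.0.7.0/24, remote 10.0.1.0/24) is reported as covered only by the `any` entry, and the suggested line is the mirror of what the BSD side proposes; the second, reversed proposal matches nothing at all.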

 
I actually got the tunnel up and operational. Got in contact with someone that worked with racoon (BSD) and PIX before. Here is the guy's entire e-mail. I appreciate your help, Yizhar. A rather tough problem to solve. The "***" at the bottom of the Cisco config tell you what's really needed.

FreeBSD 4.6-RELEASE: external IP=BSD_IP, internal IP=10.0.0.2

PIX 501 running version 6.2(1) of the PIX Firewall OS: external IP=PIX_IP, internal IP=192.168.1.1

--------------------------------------------------------------------------

FreeBSD:

options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

-----

cd /usr/ports/security/racoon
make install clean

-----

more /usr/local/etc/racoon/racoon.conf

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.
#log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp BSD_IP [500];
}

# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}

remote PIX_IP
{
exchange_mode aggressive,main;
doi ipsec_doi;
my_identifier address "BSD_IP";
peers_identifier fqdn;
send_cert off;
send_cr off;
verify_cert off;

nonce_size 16;
lifetime time 24 hour; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim

proposal {
encryption_algorithm des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}

-----

vi /usr/local/etc/racoon/psk.txt

#peer's ip pre-shared secret
192.168.1.1 dontguessme

Since I am configuring "tunnel mode", I used the internal IP of the PIX; if I had been configuring "transport mode", I would have instead used the external IP of the PIX.

It is important to remember to change the default permissions of this file or IKE negotiations will fail:

chmod 600 /usr/local/etc/racoon/psk.txt

-----

vi /etc/rc.local
# test needs spaces inside the brackets; the racoon command is one line
if [ -x /usr/local/sbin/racoon ]; then
    echo -n " racoon"
    /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
fi

/sbin/route add 192.168.1.0/24 10.0.0.2

-----

I'll then add the following lines to "/etc/rc.conf" so the required gif
(generic tunnel interface) will be created and IPSEC will be enabled at
bootup:

gif_interfaces="gif0"
ifconfig_gif0="10.0.0.2 netmask 255.0.0.0 192.168.1.1 netmask 255.255.255.0"
gifconfig_gif0="BSD_IP netmask BSD_MASK PIX_IP netmask PIX_MASK"
ipsec_enable="YES"

-----

more /etc/ipsec.conf

#delete all existing entries from the SAD and SPD databases
flush;
spdflush;

#add the policy to the SPD database
spdadd BSD_IP/cidr PIX_IP/cidr any -P out
ipsec esp/tunnel/BSD_IP-PIX_IP/require;

#the return policy covers traffic arriving from the PIX, so its direction is "in"
spdadd PIX_IP/cidr BSD_IP/cidr any -P in
ipsec esp/tunnel/PIX_IP-BSD_IP/require;

-----

#ipfw rules to allow VPN
add 00201 allow log esp from any to any
add 00202 allow log ah from any to any
add 00203 allow log udp from any 500 to any

-----

sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root racoon 5898 6 udp4 BSD_IP:500 *:*

-----

ifconfig gif0
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
inet 10.0.0.2 --> 192.168.1.1 netmask 0xffffff00

-----

setkey -DP

-------------------------------------------------------------------------

PIX:

sh ver
<snip>
VPN-DES: Enabled
<snip>

If DES is not enabled, refer to the following URL for instructions on
activating the license:


-----

Next, verify the keys:

sh ca mypubkey rsa

If you don't have any keys, enter configuration mode and create them:

conf t
ca generate rsa key 1024
ca save all

Don't forget that save command or you'll lose your keys if the PIX is ever reloaded.

-----

sysopt connection permit-ipsec

crypto ipsec transform-set vpn esp-des esp-sha-hmac
crypto dynamic-map bsd 100 set pfs group2
crypto dynamic-map bsd 100 set peer BSD_IP
crypto dynamic-map bsd 100 set transform-set vpn
crypto dynamic-map bsd 100 set security-association lifetime seconds 3600

crypto map vpnbsd 50 ipsec-isakmp dynamic bsd
crypto map vpnbsd interface outside

isakmp enable outside
no isakmp enable inside
isakmp key dontguessme address BSD_IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp peer ip BSD_IP no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

write mem


*** negotiations will fail if you forget to use the no-xauth and no-config-mode

*** negotiations will fail if you forget to make a dynamic crypto map

*** ensure that your access list allows port 500 and protocol 50

--------------------------------------------------------------------------

Testing:

tail -f /var/log/racoon.log

-----

tcpdump port 500

-----

setkey -D
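
As an added example (written for this edit; not from the e-mail, the racoon project or Cisco): the racoon.conf and PIX lines in the e-mail only work because the two sides agree on every phase 1 parameter (racoon's `remote`/`proposal` block against the PIX `isakmp policy`) and every phase 2 parameter (racoon's `sainfo` against the PIX transform-set, PFS group and SA lifetime). The script parses both configurations, normalises racoon's spellings (`sha1`/`hmac_sha1` to `sha`, `pre_shared_key` to `pre-share`, `24 hour` to 86400 seconds) and reports the parameters that differ. Its sample input is constructed from the e-mail's settings; it assumes that a bare `set pfs` with no group means group1 on this PIX release, handles only ESP transforms (not the AH one in the original post's config), and all function names are the example's own.

```python
import re

# Constructed sample: the phase 1 and phase 2 parts of the e-mail's racoon.conf.
RACOON_CONF = """\
remote PIX_IP
{
        exchange_mode aggressive,main;
        lifetime time 24 hour;      # sec,min,hour
        proposal {
                encryption_algorithm des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}
"""

# Constructed sample: the matching lines of the e-mail's PIX config.
PIX_CONF = """\
crypto ipsec transform-set vpn esp-des esp-sha-hmac
crypto dynamic-map bsd 100 set pfs group2
crypto dynamic-map bsd 100 set transform-set vpn
crypto dynamic-map bsd 100 set security-association lifetime seconds 3600
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
"""

UNIT = {"sec": 1, "min": 60, "hour": 3600}
DH = {"1": "1", "modp768": "1", "2": "2", "modp1024": "2", "5": "5", "modp1536": "5"}
HASH = {"sha1": "sha", "md5": "md5", "hmac_sha1": "sha", "hmac_md5": "md5"}


def _settings(body):
    """Turn 'key value ;' lines of a racoon block into a dict (comments ignored)."""
    return {k: v.strip() for k, v in re.findall(r"^\s*(\w+)\s+([^;#]+);", body, re.M)}


def _seconds(lifetime):
    """racoon writes lifetimes as 'time <n> <sec|min|hour>'; return seconds."""
    _, n, unit = lifetime.split()
    return int(n) * UNIT[unit]


def racoon_phase1(text):
    head = re.search(r"remote\s+\S+\s*\{(.*?)proposal\s*\{", text, re.S).group(1)
    prop = re.search(r"proposal\s*\{([^}]*)\}", text, re.S).group(1)
    h, p = _settings(head), _settings(prop)
    auth = "pre-share" if p["authentication_method"] == "pre_shared_key" else p["authentication_method"]
    return {"encryption": p["encryption_algorithm"], "hash": HASH[p["hash_algorithm"]],
            "auth": auth, "group": DH[p["dh_group"]], "lifetime": _seconds(h["lifetime"])}


def racoon_phase2(text):
    s = _settings(re.search(r"sainfo[^{]*\{([^}]*)\}", text, re.S).group(1))
    return {"encryption": s["encryption_algorithm"], "hash": HASH[s["authentication_algorithm"]],
            "pfs": DH[s["pfs_group"]], "lifetime": _seconds(s["lifetime"])}


def pix_phase1(text, policy="1"):
    vals = dict(re.findall(rf"^isakmp policy {policy} (\w+) (\S+)", text, re.M))
    return {"encryption": vals["encryption"], "hash": vals["hash"], "auth": vals["authentication"],
            "group": vals["group"], "lifetime": int(vals["lifetime"])}


def pix_phase2(text):
    ts = re.search(r"^crypto ipsec transform-set \S+ (.+)$", text, re.M).group(1).split()
    enc = next(t[4:] for t in ts if t.startswith("esp-") and not t.endswith("-hmac"))
    auth = next(t[4:-5] for t in ts if t.startswith("esp-") and t.endswith("-hmac"))
    pfs = re.search(r"set pfs(?: group(\d))?$", text, re.M)
    life = re.search(r"security-association lifetime seconds\s+(\d+)", text)
    # Assumption: a bare "set pfs" defaults to group1 on PIX 6.x.
    pfs_group = None if pfs is None else (pfs.group(1) or "1")
    return {"encryption": enc, "hash": auth, "pfs": pfs_group,
            "lifetime": int(life.group(1)) if life else None}


def compare(a, b):
    """Return the sorted parameter names whose values differ between two sides."""
    return sorted(k for k in a if a[k] != b.get(k))


def check(racoon_text, pix_text, policy="1"):
    return {"phase1_mismatches": compare(racoon_phase1(racoon_text), pix_phase1(pix_text, policy)),
            "phase2_mismatches": compare(racoon_phase2(racoon_text), pix_phase2(pix_text))}


if __name__ == "__main__":
    print(check(RACOON_CONF, PIX_CONF))
    # The original poster's phase 1 lifetime of 6000 and a bare "set pfs" both show up:
    print(check(RACOON_CONF, PIX_CONF.replace("lifetime 86400", "lifetime 6000")))
    print(check(RACOON_CONF, PIX_CONF.replace("set pfs group2", "set pfs")))
```

With the e-mail's values both phases come back clean; substituting the original poster's `isakmp policy ... lifetime 6000` or a bare `set pfs` reports `lifetime` and `pfs` respectively, which is the kind of mismatch Yizhar's timeout tip was pointing at.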
 