Hi,
I was trying to establish a VPN between a PIX and a Check Point. I did the PIX side configuration, and the FW-1 administrator did the FW-1 side. We both used the following article: PIX configuration:
isakmp key ******** address Y.Y.Y.Y netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
I believe the FW-1 settings are identical.
But something is wrong with Phase 2!
Please, look at PIX debug output:
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
VPN Peer: ISAKMP: Added new peer: ip:Y.Y.Y.Y Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:Y.Y.Y.Y Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src Y.Y.Y.Y, dest X.X.X.X
ISAKMP: Created a peer node for Y.Y.Y.Y
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1712034961
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xc3 0x50
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,
.................
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 1712034961
ISAKMP (0): processing ID payload. message ID = 1712034961
ISAKMP (0): ID_IPV4_ADDR_SUBNET src ......./255.255.255.248 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1712034961
ISAKMP (0): ID_IPV4_ADDR dst ................. prot 0 port 0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x2b4e44d0(726549712) for SA
from Y.Y.Y.Y to X.X.X.X for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
I have no idea what is wrong.
Thanks for any help
RR
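The debug output above is easier to read once the 4-byte "life duration (VPI)" values are decoded and the two IKE phases are separated. The following Python script is an added example (not code from the original post or from Cisco) that triages a PIX `debug crypto isakmp` capture: it decodes the VPI lifetimes, records the proxy identities offered in Quick Mode, and counts the "retransmitting phase 2" lines. The input it runs on is a constructed excerpt of the log quoted in the post, with the addresses elided exactly as they were there; the field names in the result dictionary and the verdict strings are this example's own.

```python
import re

# Constructed excerpt of the PIX debug output quoted above (addresses elided as in the post).
SAMPLE_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP (0): processing SA payload. message ID = 1712034961
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xc3 0x50
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
ISAKMP (0): ID_IPV4_ADDR_SUBNET src ......./255.255.255.248 prot 0 port 0
ISAKMP (0): ID_IPV4_ADDR dst ................. prot 0 port 0
IPSEC(spi_response): getting spi 0x2b4e44d0(726549712) for SA
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

LIFE_TYPE_RE = re.compile(r"life type in (seconds|kilobytes)")
VPI_RE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")
PROXY_RE = re.compile(r"(ID_IPV4_ADDR(?:_SUBNET)?) (src|dst) (\S+)")


def decode_vpi(hex_bytes: str) -> int:
    """Decode a lifetime printed as space-separated big-endian hex bytes, e.g. '0x0 0x1 0x51 0x80'."""
    value = 0
    for token in hex_bytes.split():
        value = (value << 8) | int(token, 16)
    return value


def triage(debug_text: str) -> dict:
    """Summarise which IKE stage a PIX isakmp debug capture reached and where it stalled."""
    result = {
        "phase1_authenticated": False,
        "phase1_lifetime_s": None,
        "phase2_proposal_accepted": False,
        "phase2_lifetime_s": None,
        "phase2_lifetime_kb": None,
        "proxy_ids": [],          # (direction, id type, address/mask) offered in Quick Mode
        "spi_allocated": False,
        "phase2_retransmits": 0,
        "verdict": "",
    }
    in_phase2 = False
    pending_life_type = None  # the "life type" line precedes the "life duration" line
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line.startswith("OAK_QM"):
            in_phase2 = True  # Quick Mode (Phase 2) begins here
        if "SA has been authenticated" in line:
            result["phase1_authenticated"] = True
        m = LIFE_TYPE_RE.search(line)
        if m:
            pending_life_type = m.group(1)
            continue
        m = VPI_RE.search(line)
        if m and pending_life_type:
            value = decode_vpi(m.group(1))
            if not in_phase2:
                result["phase1_lifetime_s"] = value
            elif pending_life_type == "seconds":
                result["phase2_lifetime_s"] = value
            else:
                result["phase2_lifetime_kb"] = value
            pending_life_type = None
            continue
        if in_phase2 and "atts are acceptable" in line:
            result["phase2_proposal_accepted"] = True
        m = PROXY_RE.search(line)
        if m:
            result["proxy_ids"].append((m.group(2), m.group(1), m.group(3)))
        if "getting spi" in line:
            result["spi_allocated"] = True
        if "retransmitting phase 2" in line:
            result["phase2_retransmits"] += 1

    if not result["phase1_authenticated"]:
        result["verdict"] = "phase1_failed"
    elif result["phase2_proposal_accepted"] and result["phase2_retransmits"] > 0:
        # The PIX accepted the proposal and replied, but never processed a peer answer.
        result["verdict"] = "phase2_stalled_awaiting_peer"
    elif result["phase2_proposal_accepted"]:
        result["verdict"] = "phase2_proposal_accepted"
    else:
        result["verdict"] = "phase2_not_reached"
    return result


if __name__ == "__main__":
    for key, val in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {val}")
```

Run against the posted log, the decoder shows the Phase 1 lifetime as 86400 s (matching `isakmp policy 30 lifetime 86400`) and the Phase 2 proposal as 3600 s / 50000 KB, with the proxy identities a /29 subnet on the remote side and a single host on the PIX side. The verdict is the useful part: the PIX accepted the Phase 2 proposal and allocated an SPI, then retransmitted its Quick Mode reply repeatedly without processing any further inbound message, so the PIX side of the exchange is not where the negotiation is being rejected; the FW-1 logs for the same timestamps, and its encryption domain versus the proxy identities shown, are the next things to compare.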