
Only the Best -- PIX issue with Site to Site

Status
Not open for further replies.

maynarja

MIS
Jan 24, 2007
41
CA
Cannot connect remote site to PIX. Remote device is pfsense and it is using a dynamic IP and initiates the connection.

PIX has a static IP.

Debug

SENDING PACKET to XXX.XXX.XXX.XXX
ISAKMP Header
Initiator COOKIE: d9 24 1c 9b 7c df f7 55
Responder COOKIE: a7 84 d6 76 d7 38 03 b1
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 108
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 56
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 44
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00


IKE Recv RAW packet dump
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1 | .$..|..U...v.8..
04 10 02 00 00 00 00 00 00 00 00 b4 0a 00 00 84 | ................
80 e8 95 6e 06 c1 4b 38 f0 30 74 11 63 73 af 24 | ...n..K8.0t.cs.$
42 4a 21 fe 6d 0b 50 44 6e 42 b5 d3 3b 8a f8 62 | BJ!.m.PDnB..;..b
c1 e3 c0 19 f1 75 7b 2e 3a e2 43 e0 4a 86 7e cb | .....u{.:.C.J.~.
a4 95 08 83 e5 0c 3f 1f 77 35 27 fb ec bb c1 4d | ......?.w5'....M
28 79 0a 7b d9 3c d9 57 61 f3 ce be 7d 30 95 d0 | (y.{.<.Wa...}0..
fa cc 9c b7 ad 39 cc ea 8a 5e 11 5f f6 9b ae 93 | .....9...^._....
60 5f 1f 85 2a 41 c4 89 43 5e b9 68 3d b3 e4 c8 | `_..*A..C^.h=...
02 c6 75 73 6e a6 fd 72 0e 48 80 9b 26 3c ed 25 | ..usn..r.H..&<.%
00 00 00 14 85 29 50 e8 2b 00 d1 47 85 70 18 13 | .....)P.+..G.p..
fd 49 cc ef | .I..

RECV PACKET from XXX.XXX.XXX.XXX
ISAKMP Header
Initiator COOKIE: d9 24 1c 9b 7c df f7 55
Responder COOKIE: a7 84 d6 76 d7 38 03 b1
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 180
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
80 e8 95 6e 06 c1 4b 38 f0 30 74 11 63 73 af 24
42 4a 21 fe 6d 0b 50 44 6e 42 b5 d3 3b 8a f8 62
c1 e3 c0 19 f1 75 7b 2e 3a e2 43 e0 4a 86 7e cb
a4 95 08 83 e5 0c 3f 1f 77 35 27 fb ec bb c1 4d
28 79 0a 7b d9 3c d9 57 61 f3 ce be 7d 30 95 d0
fa cc 9c b7 ad 39 cc ea 8a 5e 11 5f f6 9b ae 93
60 5f 1f 85 2a 41 c4 89 43 5e b9 68 3d b3 e4 c8
02 c6 75 73 6e a6 fd 72 0e 48 80 9b 26 3c ed 25
Payload Nonce
Next Payload: None
Reserved: 00
Payload Length: 20
Data:
85 29 50 e8 2b 00 d1 47 85 70 18 13 fd 49 cc ef
Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing ke payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing ISA_KE
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing nonce payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing ke payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing nonce payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing Cisco Unity VID payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing xauth V6 VID payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Send IOS VID
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing VID payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group DefaultRAGroup
Jan 25 06:58:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Generating keys for Responder...
Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

SENDING PACKET to XXX.XXX.XXX.XXX
ISAKMP Header
Initiator COOKIE: d9 24 1c 9b 7c df f7 55
Responder COOKIE: a7 84 d6 76 d7 38 03 b1
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 256
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
1c 96 72 24 2c 1b fa d3 32 47 82 96 a7 65 e0 39
a8 2a 1e b1 71 16 92 33 12 aa a3 4a 41 90 02 ac
0c a6 5d 5c d5 2d 05 d6 83 c1 ae a3 a6 2b e8 e5
b0 50 fb b6 8b cd b4 50 6d 8f fc 32 6b c3 07 92
2e 61 43 5a 7e 86 14 b9 ae bf ea a7 bf 3f d4 c8
d2 76 e5 3b 80 35 19 6e f2 bc 9b ff be e1 1e 7a
83 c2 d1 87 e1 0e a6 89 0c 25 4c a6 f9 99 73 ab
3d 3c b3 a2 44 2f e5 3b 98 f9 61 81 b4 97 14 c0
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
5f b2 63 b9 08 b7 c1 7c 0a fa e1 02 20 bc b8 c7
e8 3d ac ea
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
52 43 71 6b d7 39 03 b1 44 10 04 f9 45 a5 5b bc
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00


IKE Recv RAW packet dump
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1 | .$..|..U...v.8..
05 10 02 01 00 00 00 00 00 00 00 44 22 86 54 ea | ...........D".T.
47 7d 1c e9 7f e2 9a 67 7e 8b 47 a3 63 f5 48 68 | G}..?..g~.G.c.Hh
bd d7 0c ff 08 f5 4a 97 fe de 33 5c 4c a7 2e af | ......J...3\L...
93 17 85 19 | ....

RECV PACKET from XXX.XXX.XXX.XXX
ISAKMP Header
Initiator COOKIE: d9 24 1c 9b 7c df f7 55
Responder COOKIE: a7 84 d6 76 d7 38 03 b1
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68

AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: d9 24 1c 9b 7c df f7 55
Responder COOKIE: a7 84 d6 76 d7 38 03 b1
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 15
ID Type: FQDN (2)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: urb.lan
Payload Hash
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
b5 16 23 1b 1f 83 4e 11 a2 df 3e 99 62 51 cb da
cd 93 f6 22
Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 67
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Processing ID
Jan 25 06:58:12 [IKEv1 DECODE]: ID_FQDN ID received, len 7
0000: 7572622E 6C616E urb.lan

Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, processing hash
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, computing hash
Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group DefaultRAGroup
Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Client is using an unsupported Transaction Mode v2 version.Tunnel terminated.
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, IKE MM Responder FSM error history (struct &0x252f370) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_BLOCK_V2-->MM_BLD_MSG6, EV_CHECK_NAT_T-->MM_BLD_MSG6, EV_GROUP_LOOKUP
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, IKE SA MM:76d684a7 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jan 25 06:58:12 [IKEv1 DEBUG]: sending delete/delete with reason message
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, constructing blank hash
Jan 25 06:58:12 [IKEv1 DEBUG]: constructing IKE delete payload
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, constructing qm hash
Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE SENDING Message (msgid=88ddcf55) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1 | .$..|..U...v.8..
08 10 05 00 55 cf dd 88 1c 00 00 00 0c 00 00 18 | ....U...........
5e f5 76 46 08 41 f8 38 14 ed 80 aa 42 08 fe 44 | ^.vF.A.8....B..D
7d f0 08 45 00 00 00 1c 00 00 00 01 01 10 00 01 | }..E............
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1 | .$..|..U...v.8..

ISAKMP Header
Initiator COOKIE: d9 24 1c 9b 7c df f7 55
Responder COOKIE: a7 84 d6 76 d7 38 03 b1
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 55CFDD88
Length: 469762048
Payload Hash
Next Payload: Delete
Reserved: 00
Payload Length: 24
Data:
5e f5 76 46 08 41 f8 38 14 ed 80 aa 42 08 fe 44
7d f0 08 45
Payload Delete
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
# of SPIs: 1
SPI (Hex dump):
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1

ISAKMP Header
Initiator COOKIE: d9 24 1c 9b 7c df f7 55
Responder COOKIE: a7 84 d6 76 d7 38 03 b1
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 88DDCF55
Length: 84
Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Removing peer from peer table failed, no match!
Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Error: Unable to remove PeerTblEntry
 
Update - I noticed that in the PIX when using the "isakmp key ***** address 0.0.0.0 netmask 0.0.0.0" it used the DefaultRAGroup ---> I removed the pre-shared key from that group and added it to the DefaultL2LGroup, and on the PIX it looks like phase 1 is getting further.... but this is the config and log from pfsense, which still indicates phase 1 is failing.

<remote-subnet>192.168.0.0/16</remote-subnet>
<remote-gateway>XXX.XXX.XXX.XXX</remote-gateway>
<mode>main</mode>
<myident><fqdn>xxx.xxx.xxx.xxX</fqdn> (Tried Domain Name as well)
</myident>
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup><lifetime>86400</lifetime>
<pre-shared-key>***********</pre-shared-key>
<private-key/><cert/><peercert/>
<authentication_method>pre_shared_key</authentication_method>

<protocol>esp</protocol>
<encryption-algorithm-option>3des</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>0</pfsgroup>
<lifetime>43200</lifetime>

<descr>cORP LAN</descr>
<pinghost>192.168.5.2</pinghost>

Logs


racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:39:59 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:00 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:00 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:02 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:09 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:09 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:09 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:16 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:16 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:21 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:29 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:29 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:30 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:30 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:33 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:33 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:38 racoon: ERROR: phase1 negotiation failed due to time up. 0b0e11a47a759cc2:41e11b2ae20b8eb4
Jan 25 04:40:40 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:40 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:42 racoon: INFO: IPsec-SA request for Corp_lan queued due to no phase1 found.
Jan 25 04:40:42 racoon: INFO: initiate new phase 1 negotiation: remote_lan[500]<=>Corp_lan[500]
Jan 25 04:40:42 racoon: INFO: begin Identity Protection mode.
Jan 25 04:40:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jan 25 04:40:43 racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 25 04:40:43 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 25 04:40:43 racoon: INFO: received Vendor ID: DPD
Jan 25 04:40:43 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Jan 25 04:40:43 racoon: ERROR: invalid ID payload.
Jan 25 04:40:49 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:52 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:52 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:52 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:53 racoon: INFO: received Vendor ID: DPD
Jan 25 04:40:53 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Jan 25 04:40:53 racoon: ERROR: invalid ID payload.
Jan 25 04:40:58 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:41:00 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:41:00 racoon: INFO: delete phase 2 handler.
Jan 25 04:41:01 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
Jan 25 04:41:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:41:03 racoon: INFO: received Vendor ID: DPD
Jan 25 04:41:03 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Jan 25 04:41:03 racoon: ERROR: invalid ID payload.
Jan 25 04:41:03 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
Jan 25 04:41:07 last message repeated 2 times
Jan 25 04:41:12 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:41:13 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:41:13 racoon: INFO: delete phase 2 handler.
 
Got it!

On the PIX side I needed "isakmp identity auto".
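The racoon errors in the pfsense log ("Expecting IP address type in main mode, but FQDN" / "invalid ID payload") are about the identity type the PIX put into main mode message 5, which the PIX decode above shows as ID_FQDN "urb.lan". As an added example that is not part of the post and not code from Cisco or pfsense, a small Python decoder that walks the ISAKMP payload chain of the post's own raw dump and applies that same main-mode ID-type check to a constructed plaintext copy of the FQDN identity message.

```python
import struct
# Payload, exchange and ID type numbers from RFC 2408/2407, matching the names in the post's decode.
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 12: "DELETE", 13: "VENDOR"}
EXCHANGE_NAMES = {2: "Identity Protection (Main Mode)", 5: "Informational"}
ID_TYPE_NAMES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 5: "IPV6_ADDR"}
# Constructed from the post's first "IKE Recv RAW packet dump": main mode message 3 (HDR + KE + NONCE), 180 bytes.
MM3_RAW = bytes.fromhex(
    "d9241c9b7cdff755 a784d676d73803b1 0410020000000000 000000b40a000084 80e8956e06c14b38 f03074116373af24"
    "424a21fe6d0b5044 6e42b5d33b8af862 c1e3c019f1757b2e 3ae243e04a867ecb a4950883e50c3f1f 773527fbecbbc14d"
    "28790a7bd93cd957 61f3cebe7d3095d0 facc9cb7ad39ccea 8a5e115ff69bae93 605f1f852a41c489 435eb9683db3e4c8"
    "02c675736ea6fd72 0e48809b263ced25 00000014852950e8 2b00d14785701813 fd49ccef")

def parse_isakmp(raw: bytes) -> dict:
    """Decode the 28-byte ISAKMP header and walk the generic payload chain (plaintext messages only)."""
    np, ver, xchg, flags, msgid, length = struct.unpack("!16xBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header length {length} != packet length {len(raw)}")
    hdr = {"version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE_NAMES.get(xchg, str(xchg)),
           "encrypted": bool(flags & 0x01), "msgid": msgid, "length": length}
    payloads, off = [], 28
    while np != 0 and not hdr["encrypted"]:   # after the E flag the payload bodies are ciphertext
        next_np, _, plen = struct.unpack("!BBH", raw[off:off + 4])   # generic payload header
        if plen < 4 or off + plen > len(raw):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = raw[off + 4:off + plen]
        p = {"type": PAYLOAD_NAMES.get(np, str(np)), "length": plen}
        if np == 5:   # Identification payload: ID type, protocol ID, port (4 bytes), then the ID data
            p.update(id_type=ID_TYPE_NAMES.get(body[0], str(body[0])), id_data=body[4:])
        payloads.append(p)
        np, off = next_np, off + plen
    return {"header": hdr, "payloads": payloads}

def main_mode_id_problems(msg: dict) -> list:
    """racoon's rule: a main mode responder with a pre-shared key selects the key by peer address before it can decrypt message 5, so a non-address ID is rejected."""
    bad = []
    if msg["header"]["exchange"].startswith("Identity Protection"):
        for p in msg["payloads"]:
            if p["type"] == "ID" and p["id_type"] not in ("IPV4_ADDR", "IPV6_ADDR"):
                bad.append(f"main mode ID is {p['id_type']} {p['id_data']!r}, expected an address")
    return bad

def build_mm5_plaintext() -> bytes:
    """Constructed: the post's decrypted message 5 (HDR + ID FQDN 'urb.lan' + HASH, 67 bytes) with the E flag off."""
    ident = struct.pack("!BBH", 2, 0, 0) + b"urb.lan"                      # ID type 2 = FQDN
    hash_data = bytes.fromhex("b516231b1f834e11a2df3e996251cbdacd93f622")  # hash bytes from the post
    id_pl = struct.pack("!BBH", 8, 0, 4 + len(ident)) + ident              # next = HASH, length 15
    hash_pl = struct.pack("!BBH", 0, 0, 4 + len(hash_data)) + hash_data    # next = NONE, length 24
    hdr = MM3_RAW[:16] + struct.pack("!BBBBII", 5, 0x10, 2, 0, 0, 28 + len(id_pl) + len(hash_pl))
    return hdr + id_pl + hash_pl
```

Running `parse_isakmp(MM3_RAW)` reproduces the post's decode (KE 132 bytes, NONCE 20 bytes, total 180) with no ID complaint, while the constructed message 5 is flagged for its FQDN identity, which is the mismatch that "isakmp identity auto" on the PIX resolved.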
 