PIX to FW-1 VPN troubleshooting 1


yizhar (MIS, IL), Sep 1, 2001
(Cross-posted in other forums also.)

Hi.

I would like some assistance with troubleshooting an IPSec IKE VPN between PIX 6.1(1) and Check Point FW-1 4.1 SP3.

I will try to be descriptive as needed, please ask me if I miss important info.

General:

I was trying to establish VPN between a pix and a checkpoint.
The users behind the pix need access to a FTP server behind the FW-1.
I have full access to the pix box, but I have no direct access to the checkpoint -
I only talk by phone to the remote FW1 administrator.
The Check Point FW-1 is accepting VPN (IKE) connections from several other "partner" FW-1 machines and SecuRemote clients, but ours was the first Cisco side to try to connect to it.
Since it hasn't worked yet, I have configured a few clients (on the PIX side) with SecuRemote to establish a client-to-FW-1 VPN, but I would still like to learn and troubleshoot the gateway-to-gateway solution so it can be used later.
Currently, there is no problem connecting to the FTP server using the SecuRemote client from a workstation,
but trying to connect using the PIX configuration detailed here gives a connection timeout at the FTP client,
and the debug output shown at the bottom of this message.

Network info:

Behind the pix there are 3 internal subnets: 192.168.1.X 192.168.2.X 192.168.3.X (all class C).
The pix internal interface is 192.168.1.254.
The internal router to the other subnets is 192.168.1.253.
The pix external interface will be referenced as PIXOUTSIDE and is connected to an external router and to ISP.
The pix vpn clients (not related to the checkpoint) get ip addresses of 192.168.12.X

The FW-1 external interface will be referenced as CHECKPOINT
The ftp server behind the FW-1 will be referenced as FTPSERVER

IPSec info:

Both the Check Point and the PIX are configured with DES and MD5 for IKE phase 1, and also for IPSec (phase 2).
Using pre-shared-key authentication.
The timeout values were agreed:
The CheckPoint ISAKMP timeout was configured to 1440 min (86400 sec) to agree with the pix maximum value.
The pix IPSec timeout was configured to 3600 sec to agree with the CheckPoint.
I did the pix side configuration, and the FW-1 administrator did the FW-1 side.
We both used the following article:


PIX partial config:

NOTE1 - The PIX also supports incoming VPN client connections with xauth, as shown in the partial config.
NOTE2 - I've used the 192.168.0.0/16 network in the access-list instead of specifying each class C separately.
NOTE3 - There is also an access-list on the outside interface which is not shown here.

access-list nonatinside permit ip 192.168.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonatinside permit ip 192.168.0.0 255.255.0.0 host FTPSERVER
access-list tonamal permit ip 192.168.0.0 255.255.0.0 host FTPSERVER
ip local pool vpnclientpool 192.168.12.1-192.168.12.99
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set mytransform esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map mydynmap 10 set transform-set mytransform
crypto dynamic-map mydynmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address tonamal
crypto map mymap 20 set peer CHECKPOINT
crypto map mymap 20 set transform-set mytransform
crypto map mymap 100 ipsec-isakmp dynamic mydynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address CHECKPOINT netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup XXXXXXX address-pool vpnclientpool
vpngroup XXXXXXX split-tunnel localtovpnclient
vpngroup XXXXXXX idle-time 1800
vpngroup XXXXXXX password ********


FW-1 Log:
The log shows something like this (I'm not sure about the exact details):
"IKE Log: Sent Notification : No proposal Chosen <phase1 Stage2> Negotiation ID"

PIX Debug output:

*** DEBUG CRYPTO ISAKMP RESULTS ***

VPN Peer: ISAKMP: Added new peer: ip:CHECKPOINT Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:CHECKPOINT Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src CHECKPOINT, dest PIXOUTSIDE
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 1...
ISADB: reaper checking SA 0x80d37cc8, conn_id = 0
ISADB: reaper checking SA 0x80d3aee0, conn_id = 0
ISADB: reaper checking SA 0x80d39ad8, conn_id = 0
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src PIXOUTSIDE, dst CHECKPOINT
ISADB: reaper checking SA 0x80d37cc8, conn_id = 0
ISADB: reaper checking SA 0x80d3aee0, conn_id = 0
ISADB: reaper checking SA 0x80d39ad8, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:CHECKPOINT Ref cnt decremented to:0 Total VPN Peers:3
VPN Peer: ISAKMP: Deleted peer: ip:CHECKPOINT Total VPN peers:2
ISADB: reaper checking SA 0x80d37cc8, conn_id = 0
ISADB: reaper checking SA 0x80d3aee0, conn_id = 0

*** DEBUG CRYPTO IPSEC RESULTS ***
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= PIXOUTSIDE, remote= CHECKPOINT,
local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= FTPSERVER/255.255.255.255/0/0 (type=1)
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= PIXOUTSIDE, remote= CHECKPOINT,
local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= FTPSERVER/255.255.255.255/0/0 (type=1)


I would be thankful for any info about this, and if you can further help me understand the debug output
and the practical meaning of the FW-1 error "No proposal Chosen".

Thanks.
Yizhar Hurwitz
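To make the FW-1's "No proposal Chosen" concrete, here is an added worked example; it is not code from this thread, from the PIX, or from Check Point. It encodes the two `isakmp policy` entries in the PIX config above into the ISAKMP SA payload an IKEv1 initiator sends in the first main-mode message (RFC 2408 payload formats, RFC 2409 Appendix A attribute values), parses that payload the way a responder would, and either picks one transform or answers with the NO-PROPOSAL-CHOSEN notify (type 14). The responder policies, including which DH group the FW-1 accepts, are constructed assumptions; the thread never states them. The acceptance rule (exact match on encryption, hash, authentication and group; lifetime not above the responder's) is a simplified model, not a statement of what Check Point 4.1 SP3 actually implements.

```python
"""IKEv1 phase-1 proposal matching, modelled on the PIX / FW-1 exchange above.

Constructed example: build the SA payload for the PIX's isakmp policies, parse it
as the responder, and return the chosen transform or NO_PROPOSAL_CHOSEN (notify 14).
"""
import struct

# IKE DOI attribute classes and values (RFC 2409 Appendix A).
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12
ENC = {"des": 1, "3des": 5}
HASH = {"md5": 1, "sha": 2}
AUTH = {"pre-share": 1, "rsa-sig": 3}
LIFE_SECONDS = 1
NO_PROPOSAL_CHOSEN = 14  # ISAKMP notify message type (RFC 2408 section 3.14.1)


def _attr(atype, value):
    """Encode one data attribute: TV form if the value fits 16 bits, else TLV (RFC 2408 3.3)."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HH", atype, 4) + struct.pack("!I", value)


def build_sa_payload(policies):
    """One ISAKMP proposal carrying one KEY_IKE transform per policy, in priority order."""
    transforms = b""
    for i, p in enumerate(policies):
        attrs = (_attr(ATTR_ENC, ENC[p["encryption"]]) + _attr(ATTR_HASH, HASH[p["hash"]])
                 + _attr(ATTR_AUTH, AUTH[p["authentication"]]) + _attr(ATTR_GROUP, p["group"])
                 + _attr(ATTR_LIFE_TYPE, LIFE_SECONDS) + _attr(ATTR_LIFE_DUR, p["lifetime"]))
        last = i == len(policies) - 1
        # Transform header: next payload (3 = Transform, 0 = none), reserved, length,
        # transform number, transform ID (1 = KEY_IKE), reserved.
        transforms += struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), i + 1, 1, 0) + attrs
    # Proposal header: next (0), reserved, length, proposal 1, protocol ISAKMP (1), SPI size 0, count.
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, len(policies)) + transforms
    # SA header: next (0), reserved, length, DOI IPsec (1), situation SIT_IDENTITY_ONLY (1).
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal


def parse_sa_payload(data):
    """Return the transforms of the first proposal as {transform_no: {attr_class: value}}."""
    _, _, sa_len, doi, _ = struct.unpack_from("!BBHII", data, 0)
    if sa_len != len(data) or doi != 1:
        raise ValueError("bad SA payload")
    off = 12
    _, _, _, _, proto, spi_size, n_trans = struct.unpack_from("!BBHBBBB", data, off)
    if proto != 1:
        raise ValueError("not an ISAKMP proposal")
    off += 8 + spi_size
    transforms = {}
    for _ in range(n_trans):
        _, _, t_len, t_no, t_id, _ = struct.unpack_from("!BBHBBH", data, off)
        if t_id != 1:
            raise ValueError("not a KEY_IKE transform")
        end, a, attrs = off + t_len, off + 8, {}
        while a < end:
            atype, val = struct.unpack_from("!HH", data, a)
            if atype & 0x8000:  # TV form: val is the value
                attrs[atype & 0x7FFF], a = val, a + 4
            else:               # TLV form: val is the length of the value that follows
                attrs[atype], a = int.from_bytes(data[a + 4:a + 4 + val], "big"), a + 4 + val
        transforms[t_no] = attrs
        off = end
    return transforms


def responder_select(transforms, accept):
    """Model responder: the first transform whose attributes all fall inside `accept`
    (exact match on enc/hash/auth/group, lifetime no longer than the responder's)."""
    for t_no in sorted(transforms):
        a = transforms[t_no]
        if (a.get(ATTR_ENC) in accept["encryption"] and a.get(ATTR_HASH) in accept["hash"]
                and a.get(ATTR_AUTH) in accept["authentication"] and a.get(ATTR_GROUP) in accept["group"]
                and a.get(ATTR_LIFE_TYPE) == LIFE_SECONDS and a.get(ATTR_LIFE_DUR, 0) <= accept["lifetime"]):
            return t_no
    return None


def negotiate(policies, accept):
    """Initiator sends the SA payload of main-mode message 1; responder either selects a
    transform -> ('chosen', n) or sends the notify -> ('notify', NO_PROPOSAL_CHOSEN)."""
    chosen = responder_select(parse_sa_payload(build_sa_payload(policies)), accept)
    return ("chosen", chosen) if chosen is not None else ("notify", NO_PROPOSAL_CHOSEN)


# The two isakmp policies from the PIX config in the post (policy 10 = group 1, policy 20 = group 2).
PIX_POLICIES = [
    {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 86400},
    {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 2, "lifetime": 86400},
]
# Constructed responder policies (assumptions; the thread does not say what the FW-1 accepts).
FW1_GROUP2 = {"encryption": {ENC["des"]}, "hash": {HASH["md5"]}, "authentication": {AUTH["pre-share"]},
              "group": {2}, "lifetime": 86400}
FW1_3DES_ONLY = dict(FW1_GROUP2, encryption={ENC["3des"]})
FW1_SHORT_LIFE = dict(FW1_GROUP2, lifetime=3600)

if __name__ == "__main__":
    print(negotiate(PIX_POLICIES, FW1_GROUP2))      # ('chosen', 2): policy 20 fits
    print(negotiate(PIX_POLICIES, FW1_3DES_ONLY))   # ('notify', 14): No proposal chosen
    print(negotiate(PIX_POLICIES, FW1_SHORT_LIFE))  # ('notify', 14): lifetime too long
```

What the example shows: the PIX offers both policies inside one proposal, so the responder only needs one of them to fit, and it must take a transform whole rather than mixing attributes from two. One attribute outside the responder's policy on every transform is enough to produce the notify, and the notify carries only its type, which is why the PIX debug above shows a retransmit loop and no reason. When the remote gateway cannot be inspected, the practical check is to leave one `isakmp policy` at a time and read each attribute (encryption, hash, authentication, group, lifetime) back to the remote administrator.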
 

To the best of my knowledge you'll get this to work if you use CP v4.1 SP6. CP had a bug. They never acknowledged what it was. But if you did the upgrade and tried again; "Voilà!", it works.

Liberty for All,

Brian