Pix to Symantec


apeasecpc (IS-IT--Management)
Jul 29, 2002
Has anyone out there had any success setting up a PIX to Symantec site-to-site vpn?

I am working with a PIX 515 and a Symantec 200R, attempting to do 3des md5.

Dynamic pre-shared key completes phase 1 but fails to authenticate in phase 2.

I can get des md5 to work intermittently, but only sometimes if the connection is initiated from the 200R, and never when initiated from the PIX.

The 200R is very limited in configuration options, so I am trying to configure the more flexible PIX to conform to the Symantec's needs.

I can't get any tech support from Symantec unless I purchase an $800 support contract, which I am trying to avoid if I can.

As an added complication, I don't have direct access to the PIX, but have to do everything through a consultant.

What would be helpful is if someone who has a working connection could post the pertinent configuration settings between the two.
 
Does anyone know if the PIX 515 is able to support both 3DES and Diffie-Hellman Group 1 together? My Symantec 200R only supports Group 1.

According to this link, the Cisco dialup client does not support Group 1 when using 3DES, so I am wondering if their firewall hardware units also have the same issue:

 
I checked the above reference, but didn't find anything new. Here are the pix 515 settings:
Code:
access-list 110 permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 110
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 110
crypto map mymap 10 set peer x.x.x.x
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set security-association lifetime seconds 3600 kilobytes 100000
crypto map mymap 10 set pfs group1
crypto map mymap interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxxxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 3600
Here are the Symantec 200R settings:
Code:
- IPSEC Security Association -
Phase 1 Negotiation: Main Mode
Encryption and Authentication Method: ESP 3DES MD5
SA Lifetime: 60 Minutes
Data Volume Limit: 100000 KB
Inactivity Timeout: 0 (unlimited)
Perfect Forward Secrecy: Enabled
- Local Security Gateway - 
ID Type: IP Address
Phase1 ID: (blank)
- Remote Security Gateway - 
Gateway Address: y.y.y.y
ID Type: IP Address
Phase1 ID: (blank)
Pre-Shared Key: xxxxxxxxxxxxxxxxxxxx
- For Gateway-to-Gateway Tunnels -
NetBIOS Broadcast: Disabled
Global Tunnel: Disabled
Remote Subnet 1: IP=10.1.0.0 Mask=255.255.0.0

All of the timeout settings for both devices appear to be correct.

When I try to ping from the Symantec side I get the following messages/errors in the Symantec log:

MYVPN - Initiating IKE Main Mode
MYVPN - STATE_MAIN_I1: initiate
MYVPN - !!!: handling event EVENT_RETRANSMIT for y.y.y.y "MYVPN" #x
MYVPN - !!!: handling event EVENT_RETRANSMIT for y.y.y.y "MYVPN" #x

The messages repeat several times before timing out.

When my contact tries to ping from the PIX side I get the following messages/errors in the Symantec log.

MYVPN - responding to Main Mode
MYVPN - STATE_MAIN_R1: from STATE_MAIN_R0; sent MR1, expecting MI2
MYVPN - STATE_MAIN_R2: from STATE_MAIN_R1; sent MR2, expecting MI3
MYVPN - STATE_MAIN_R3 sent MR3, ISAKMP SA established
MYVPN - Responding to Quick Mode
MYVPN - STATE_QUICK_R1: from STATE_QUICK_R0; sent QR1, inbound IPsec SA installed, expecting QI2
MYVPN - Receive ISAKMP OAK INFO (IPSEC_INITIAL_CONTACT)
MYVPN - Terminating connection
- ERR:Quick Mode message is for a non-existent (expired?) ISAKMP SA
- (null): AUTHENTICATION_FAILED
- state transition function for (null) failed: AUTHENTICATION_FAILED
- Terminating connection

These messages repeat for each attempt.

I am told by my contact that there are no error messages generated on the PIX end.

Do the error messages give anyone any ideas?
 
HI.

> Phase1 ID: (blank)
Maybe this should specify the Symantec's own IP address instead of blank?

> am told by my contact that there are no error messages generated on the PIX end.
You will need to enable debugging at the pix side.
The article about pix to checkpoint has some useful debug commands at the end.
Remember to issue "terminal monitor" at the telnet session to the pix.

BTW - can the Symantec and the pix ping each other?

Bye
Yizhar Hurwitz
 
> > Phase1 ID: (blank)
> Maybe this should specify the Symantec own ip address instead of blank?

According to the documentation, the device uses the IP address by default if the ID Type is set to "IP Address". All of the Symantec examples for this kind of setup show the ID Types left blank. If I try to set the value to the IP address I get an error.

> > am told by my contact that there are no error messages generated on the PIX end.
> You will need to enable debugging at the pix side.
> The article about pix to checkpoint has some useful debug commands at the end.
> Remember to issue "terminal monitor" at the telnet session to the pix.

The contact is a consultant who works with PIX firewalls. I am sure he is enabling the debugging when we attempt our connections, however I will mention your suggestion to him.

> BTW - can the Symantec and the pix ping each other?

I can ping the public IP addresses in either direction.

With the above 3DES configuration I cannot ping through the devices to anything on the private remote subnets.

If I change both devices from 3DES to DES (retaining all other settings) I can ping the remote subnets sometimes. In every case where the ping is successful, the consultant first initiates a ping from the PIX side which fails, then I send a ping from the Symantec side which somehow causes the connection to be established. Once the connection is established we are both able to ping through in either direction. If I force the connection to drop it will only reconnect using the above procedure. The error message for the first ping from the PIX is the same. The message/error for the outgoing ping from the Symantec that establishes the connection is:

MYVPN - initiating IKE Main Mode
MYVPN - STATE_MAIN_I1: initiate
MYVPN - STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
MYVPN - STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
MYVPN - STATE_MAIN_I4 ISAKMP SA established
MYVPN - Doing Quick Mode with y.y.y.y "MYVPN"
MYVPN - Initiating Quick Mode
MYVPN - STATE_QUICK_I1: initiate
MYVPN - STATE_QUICK_I2 sent QI2, IPsec SA established

About 30 seconds later I then get the message:

- Informational Exchange is for an unknown (expired?) SA
- (null): AUTHENTICATION_FAILED
- state transition function for (null) failed: AUTHENTICATION_FAILED
- Terminating connection
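
The three log patterns quoted in this thread (phase 1 retransmits when the 200R initiates, AUTHENTICATION_FAILED during Quick Mode when the PIX initiates, and a tunnel that comes up and is torn down about 30 seconds later) can be told apart mechanically. The following is an added example, not code from the thread or from Symantec or Cisco: it parses 200R-style IKE log lines into negotiation attempts and reports how far each one got and why it ended. The sample lines are constructed to mirror the ones posted above; the tunnel name MYVPN, the peer y.y.y.y and the SA number are placeholders, and the verdict labels and the "what to check" hints are this script's own wording, not Symantec terminology.

```python
"""Classify IKE negotiation attempts from Symantec 200R-style IKE log lines.

Added example (not from the thread, Symantec or Cisco). Verdict labels and
the "what to check" comments are this script's own wording.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the three patterns posted in the thread.
# Attempt 1: 200R initiates and only sees retransmits (peer never answers).
# Attempt 2: PIX initiates, phase 1 completes, Quick Mode dies on INITIAL_CONTACT.
# Attempt 3: 200R initiates, tunnel comes up, then is torn down.
SAMPLE_LOG = """\
MYVPN - Initiating IKE Main Mode
MYVPN - STATE_MAIN_I1: initiate
MYVPN - !!!: handling event EVENT_RETRANSMIT for y.y.y.y "MYVPN" #1
MYVPN - !!!: handling event EVENT_RETRANSMIT for y.y.y.y "MYVPN" #1
MYVPN - responding to Main Mode
MYVPN - STATE_MAIN_R1: from STATE_MAIN_R0; sent MR1, expecting MI2
MYVPN - STATE_MAIN_R2: from STATE_MAIN_R1; sent MR2, expecting MI3
MYVPN - STATE_MAIN_R3 sent MR3, ISAKMP SA established
MYVPN - Responding to Quick Mode
MYVPN - STATE_QUICK_R1: from STATE_QUICK_R0; sent QR1, inbound IPsec SA installed, expecting QI2
MYVPN - Receive ISAKMP OAK INFO (IPSEC_INITIAL_CONTACT)
- ERR:Quick Mode message is for a non-existent (expired?) ISAKMP SA
- (null): AUTHENTICATION_FAILED
- state transition function for (null) failed: AUTHENTICATION_FAILED
- Terminating connection
MYVPN - initiating IKE Main Mode
MYVPN - STATE_MAIN_I1: initiate
MYVPN - STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
MYVPN - STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
MYVPN - STATE_MAIN_I4 ISAKMP SA established
MYVPN - Initiating Quick Mode
MYVPN - STATE_QUICK_I1: initiate
MYVPN - STATE_QUICK_I2 sent QI2, IPsec SA established
- Informational Exchange is for an unknown (expired?) SA
- (null): AUTHENTICATION_FAILED
- state transition function for (null) failed: AUTHENTICATION_FAILED
- Terminating connection
"""

STATE_RE = re.compile(r"\bSTATE_(MAIN|QUICK)_([IR]\d)\b")
NOTIFY_RE = re.compile(r"OAK INFO \((\w+)\)")


@dataclass
class Attempt:
    role: str                     # "initiator" or "responder"
    last_state: str = ""          # furthest state seen, e.g. "MAIN_R3", "QUICK_I2"
    retransmits: int = 0
    isakmp_sa: bool = False       # phase 1 completed
    ipsec_sa: bool = False        # phase 2 completed in both directions
    notifications: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    def verdict(self) -> str:
        """Where the attempt ended; the trailing comment is what to check first."""
        if self.ipsec_sa and not self.errors:
            return "established"
        if self.ipsec_sa:
            return "established-then-torn-down"  # lifetimes, SA bookkeeping on either end
        if self.isakmp_sa:
            return "phase2-failed"               # transform set, PFS group, proxy IDs
        if self.role == "initiator" and self.retransmits:
            return "phase1-no-response"          # peer silent: reachability, isakmp enable, key by address
        return "phase1-failed"                   # proposal or pre-shared key rejected


def parse_attempts(log_text: str) -> list:
    """Split the log into attempts; '- ' lines belong to the current attempt."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if "initiating ike main mode" in low or "responding to main mode" in low:
            cur = Attempt(role="initiator" if "initiating" in low else "responder")
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if m := STATE_RE.search(line):
            cur.last_state = f"{m.group(1)}_{m.group(2)}"
        if "EVENT_RETRANSMIT" in line:
            cur.retransmits += 1
        if "ISAKMP SA established" in line:
            cur.isakmp_sa = True
        if "IPsec SA established" in line:   # "inbound IPsec SA installed" is only half a tunnel
            cur.ipsec_sa = True
        if n := NOTIFY_RE.search(line):
            cur.notifications.append(n.group(1))
        if "_FAILED" in line or "ERR:" in line or "(expired?)" in line:
            cur.errors.append(line.lstrip("- "))
    return attempts


def summarize(log_text: str) -> list:
    """One (role, last_state, verdict) tuple per attempt, in log order."""
    return [(a.role, a.last_state, a.verdict()) for a in parse_attempts(log_text)]


if __name__ == "__main__":
    for i, a in enumerate(parse_attempts(SAMPLE_LOG), 1):
        print(f"attempt {i}: {a.role:9s} last={a.last_state:8s} verdict={a.verdict():27s}"
              f" notify={a.notifications} errors={len(a.errors)}")
```

Run against a real 200R log the script separates attempts where the 200R never hears back (which points at the PIX side: is ISAKMP enabled on the outside interface, does the isakmp key line bind to the 200R's address, is UDP 500 reachable) from attempts where phase 1 completes and Quick Mode is cut short, where the things to compare are the transform set, the PFS group and the proxy identities on each end. The INITIAL_CONTACT notification is recorded separately because a peer that sends it is telling the other side to discard any existing SAs with it, which is worth knowing when a half-built tunnel disappears.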

 
HI.

So I suggest that you re-investigate the timeout values.
At the pix you have 3 timeouts:
One timeout for ISAKMP (phase 1) =
isakmp policy 5 lifetime 3600
Two timeouts (time+bytes) for IPSEC (phase 2) =
crypto map mymap 10 set security-association lifetime seconds 3600 kilobytes 100000

At the Symantec, you only have one time-based timeout and one bytes-based:
SA Lifetime: 60 Minutes
Data Volume Limit: 100000 KB
So maybe the 3rd one is a hardcoded default which is not shown in the configuration.
Refer to the Symantec documentation and look for additional info.

You can also try this at the pix:
crypto map mymap 10 set security-association lifetime kilobytes 100000

Instead of this:
> crypto map mymap 10 set security-association lifetime seconds 3600 kilobytes 100000

Bye
Yizhar Hurwitz
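
Before chasing debug output it helps to confirm that the two ends actually propose the same thing in each phase, lifetimes included. As an added example, not code from the thread, Cisco or Symantec, the script below parses the PIX 515 configuration posted earlier in this thread into its phase 1 (isakmp policy) and phase 2 (crypto map and transform set) parameters and compares them with a dictionary built from the 200R settings as posted. A second, deliberately mismatched peer dictionary shows what a failing comparison looks like. The fallback values used when a lifetime keyword is absent from the crypto map (28800 seconds, 4608000 kilobytes) are the documented PIX 6.x global defaults; the dictionary keys, the hard/soft split and the single-policy assumption are this example's own.

```python
"""Cross-check a PIX 6.x crypto configuration against a peer's IKE proposal.

Added example (not from the thread, Cisco or Symantec). Assumes a single
isakmp policy and a single transform set per crypto map entry.
"""
import re

# PIX 515 configuration as posted in the thread (peer address and key masked there).
PIX_CONFIG = """\
access-list 110 permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 110
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 110
crypto map mymap 10 set peer x.x.x.x
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set security-association lifetime seconds 3600 kilobytes 100000
crypto map mymap 10 set pfs group1
crypto map mymap interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxxxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 3600
"""

# 200R settings as posted: 3DES/MD5, 60 min, 100000 KB, PFS on, DH group 1 only.
# Its form shows no phase 1 lifetime and no PFS group, so those are None
# ("unknown on the peer"), which is not the same as "matches".
PEER_200R = {
    "p1_auth": "pre-share", "p1_encryption": "3des", "p1_hash": "md5",
    "p1_group": "1", "p1_lifetime": None,
    "p2_esp_encryption": "3des", "p2_esp_auth": "md5",
    "p2_lifetime_seconds": 3600, "p2_lifetime_kilobytes": 100000,
    "pfs": True, "pfs_group": None,
}
# Constructed counter-example: a peer that cannot agree with this PIX.
PEER_DES = dict(PEER_200R, p1_encryption="des", p2_esp_encryption="des", pfs_group="2")

P1_KEYS = {"authentication": "p1_auth", "encryption": "p1_encryption",
           "hash": "p1_hash", "group": "p1_group", "lifetime": "p1_lifetime"}
# Hard: a difference here makes the proposal unacceptable. Soft: IKEv1 peers
# usually negotiate lifetimes downward, so report but do not call it fatal.
HARD = [("p1_auth", "Phase 1 authentication"), ("p1_encryption", "Phase 1 encryption"),
        ("p1_hash", "Phase 1 hash"), ("p1_group", "Phase 1 DH group"),
        ("p2_esp_encryption", "ESP encryption"), ("p2_esp_auth", "ESP authentication"),
        ("pfs", "PFS"), ("pfs_group", "PFS group")]
SOFT = [("p1_lifetime", "Phase 1 lifetime (s)"), ("p2_lifetime_seconds", "Phase 2 lifetime (s)"),
        ("p2_lifetime_kilobytes", "Phase 2 lifetime (KB)")]


def parse_pix(config: str) -> dict:
    """Pull phase 1 (isakmp policy) and phase 2 (crypto map + transform set) settings."""
    p, transform_sets = {"pfs": False}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"isakmp policy \d+ (\w+) (\S+)", line):
            attr, val = m.groups()
            if key := P1_KEYS.get(attr):
                p[key] = int(val) if attr == "lifetime" else val
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map \S+ \d+ set (\S+) (.+)", line):
            what, rest = m.groups()
            if what == "transform-set":
                p["p2_transform_set"] = rest.split()[0]
            elif what == "pfs":
                p["pfs"], p["pfs_group"] = True, rest.replace("group", "")
            elif what == "security-association":
                secs = re.search(r"seconds (\d+)", rest)
                kbs = re.search(r"kilobytes (\d+)", rest)
                # Absent keywords fall back to the documented PIX 6.x global defaults.
                p["p2_lifetime_seconds"] = int(secs.group(1)) if secs else 28800
                p["p2_lifetime_kilobytes"] = int(kbs.group(1)) if kbs else 4608000
            elif what == "peer":
                p["peer"] = rest
    for t in transform_sets.get(p.get("p2_transform_set"), []):
        if t.startswith("esp-") and t.endswith("-hmac"):
            p["p2_esp_auth"] = t[4:-5]          # esp-md5-hmac -> md5
        elif t.startswith("esp-"):
            p["p2_esp_encryption"] = t[4:]      # esp-3des -> 3des
    return p


def compare(pix: dict, peer: dict) -> dict:
    """Return {'mismatch': [...], 'warning': [...], 'unknown': [...]} as text lines."""
    out = {"mismatch": [], "warning": [], "unknown": []}
    for bucket, checks in (("mismatch", HARD), ("warning", SOFT)):
        for key, label in checks:
            ours, theirs = pix.get(key), peer.get(key)
            entry = f"{label}: PIX={ours} peer={theirs}"
            if ours is None or theirs is None:
                out["unknown"].append(entry)
            elif ours != theirs:
                out[bucket].append(entry)
    return out


if __name__ == "__main__":
    for name, peer in (("200R as posted", PEER_200R), ("200R with DES / group 2", PEER_DES)):
        print(name, compare(parse_pix(PIX_CONFIG), peer))
```

For the configurations as posted the checker finds no hard mismatch; what it does report is that the 200R form never shows its phase 1 lifetime or its PFS group, which is exactly the "hardcoded default not shown in the configuration" that the reply above suggests looking for in the Symantec documentation. If the `seconds` keyword is dropped from the crypto map as suggested, the parser falls back to the PIX global default and the difference against the 200R's 60 minutes is reported as a warning rather than a mismatch.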
 
I am also having the same trouble and have tried several things to make it work. I am able to setup other devices without troubles, but the PIX to 200R is not very cooperative. Have you been able to resolve this?

Thanks
Jeff
 
I was not able to resolve the problem and have abandoned all attempts to connect with Cisco PIX. Instead the users are required to install the Symantec Enterprise VPN Client on their local machines and obtain a VPN connection that way which completely bypasses the PIX.

From what I was able to determine, the flaw appeared to be on the PIX side of the connection. I am aware of several other VPN appliances that are also not able to connect with PIX.

Symantec has recently released a firmware upgrade which might be helpful, you should install the latest firmware and re-attempt if you haven't already.
 
I did try the newest firmware and still have the same issues as before. I was just curious as I saw it was much earlier in the year and was hoping that there would be a resolution.

It will be cheaper to just put in a PIX at this site than to get the support contract so that Cisco and Symantec can talk to each other. Darn. Was hoping to avoid that.

Thanks for your reply!
 