VPN between Cisco PIX and Raptor

Status
Not open for further replies.

gartox

IS-IT--Management
Jan 15, 2002
BE
Hi!

I'm trying to set up a VPN between a Cisco PIX 501 (IOS 6.1.1) and a Raptor Firewall 6.5 on WinNT 4 SP6.

I'm using IKE with a pre-shared secret, and I set the DES and SHA-1 algorithms on both sides in tunnel mode.

With the default timeouts nothing works; the Raptor log says:



*-*-*-*-*

- Mar 07 16:31:47.300 nt4srvus isakmpd[246]: 120 isakmpd Info: Sending Notification to peer 212.234.100.123
- Mar 07 16:31:47.300 nt4srvus isakmpd[246]: 120 isakmpd Info: Initiator, Failed to establish ISAKMP SA with peer 212.234.100.123[tunTemplate=NewSecure-Tunnel]
- Mar 07 16:32:01.941 nt4srvus isakmpd[246]: 120 isakmpd Info: Error while processing data rcvd from peer 212.234.100.123: (-3396) Invalid cookie in ISAKMP header.
- Mar 07 16:32:01.941 nt4srvus isakmpd[246]: 120 isakmpd Info: Error during isakmp sa negotiation with peer 212.234.100.123, status=IKMP_ERROR err=(-3396) Invalid cookie in ISAKMP header.
- Mar 07 16:32:02.712 nt4srvus isakmpd[246]: 120 isakmpd Info: Error while processing data rcvd from peer 212.234.100.123: (-3360) Shared Key file or entry for this peer in file does not exits.
- Mar 07 16:32:02.712 nt4srvus isakmpd[246]: 120 isakmpd Info: Error during isakmp sa negotiation with peer 212.234.100.123, status=IKMP_ERROR err=(-3360) Shared Key file or entry for this peer in file does not exits.

-*-*-*-*-*


I tried to change the default timeout values of the PIX to best match the Raptor's default values, but it doesn't work anyway!

Has anyone already done this type of network architecture?
Can you give me advice or sample config files?

Thanks to all.
 
This is a lot of steps to make sure of. I would clone the following things: Ike_default_crypto and the global_ike_policy. Make clone names like IKE_PIX_CRYPTO and PIX_Global_IKE_Policy.

In the IKE_PIX_CRYPTO properties, make sure under the "General" tab the "Pass Traffic" box is NOT checked.
Under the "IPSEC/IKE" tab make sure the settings match what the PIX wall is using (Data Integrity MD5 and Data Privacy DES); they may need to be SHA1 and 3DES respectively. This corresponds to the PIX settings "IPSEC - Encryption and Data Integrity". I made these match for 1st, 2nd and 3rd. Make sure in the "Advanced" tab you are in tunnel mode only.

In the PIX_Global_IKE_Policy, integrity is MD5 and Privacy is 3DES; again these have to match the PIX setup. This corresponds to the ISAKMP-IKE Encryption policies. I made these the same for 1st and 2nd.

After that you need to create an entity for the local subnet/host and create a local security gateway (you already have this, it's your outside NIC interface). You also need to create a remote security gateway (outside address of the PIX firewall) and add another subnet/host for the remote subnet or host you are trying to attach.

Here is the breakdown of these.
On your gateway make sure the "Security Gateway" tab has the "Enable IKE" box checked.

Make sure the remote pix entity that you added has this box checked as well. This box is also where you add the "Shared Secret" key. No Phase one ID is needed.

On your internal Subnet/Host, set up the Subnet or Host address.

Do the same for the remote subnet.

Then go to the VPN Tunnels and set up a tunnel that has the Local Entity as your local Subnet/Host. The Local Gateway is your outside NIC card. The Remote Entity is the Remote Subnet/Host and the Remote Gateway is the remote PIX firewall.

Make sure you select the cloned VPN Policy IKE_PIX_Crypto and the IKE policy is PIX_Global_ike_policy.

This setup does not need a rule set up. I am still looking at controlling access through the tunnel. Raptor says it is a trusted tunnel and does not need a rule. I want access control on mine, but this should at least get the tunnel up so you can test.

This info came from Raptor support and work I did with a PIX administrator. Raptor (Symantec), it seems, has a whole host of documents it does not publish. I wish for the old days where all documents and info for this firewall were openly kept.
 
Thanks, now it's OK!!

The problem was coming from the Cisco PIX, which was configured by default for ISAKMP identification by FQDN (hostname + domain name). I had to force it to use the IP address for ISAKMP identification...


Now it's working well ;-)
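For reference, here is the PIX 6.x side of the tunnel that matches the Raptor settings walked through in the reply above (pre-shared key, DES + SHA-1, tunnel mode) together with the identity fix from the last post. This is an added example, not a config posted in the thread or provided by Cisco or Symantec; RAPTOR_OUTSIDE_IP and PRESHAREDKEY are placeholders, the two subnets are constructed sample values, and the DH group and lifetime are assumed because the thread does not state them.

```cisco
! Added example: PIX 6.x side of a PIX <-> Raptor 6.5 IPsec tunnel.
! Placeholders: RAPTOR_OUTSIDE_IP, PRESHAREDKEY. Sample subnets (constructed):
! 192.168.1.0/24 behind the PIX, 10.10.10.0/24 behind the Raptor.

! Traffic that belongs in the tunnel (local entity <-> remote entity on the Raptor)
access-list VPN_TRAFFIC permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
! Exempt that traffic from NAT so private addresses cross the tunnel unchanged
nat (inside) 0 access-list VPN_TRAFFIC

! Phase 1 (ISAKMP/IKE): must equal the Raptor's cloned Global IKE policy
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
! Assumed: DH group 1 and a 24h lifetime; both must match the Raptor side
isakmp policy 10 lifetime 86400

! The fix from this thread: identify the PIX by its IP address, not by FQDN.
! With FQDN identity the Raptor cannot find the shared-key entry for the peer
! ("Shared Key file or entry for this peer in file does not exist").
isakmp identity address
isakmp key PRESHAREDKEY address RAPTOR_OUTSIDE_IP netmask 255.255.255.255

! Phase 2 (IPsec): must equal the Raptor's cloned VPN policy (DES + SHA-1, tunnel mode)
crypto ipsec transform-set RAPTOR_SET esp-des esp-sha-hmac
crypto map RAPTOR_MAP 10 ipsec-isakmp
crypto map RAPTOR_MAP 10 match address VPN_TRAFFIC
crypto map RAPTOR_MAP 10 set peer RAPTOR_OUTSIDE_IP
crypto map RAPTOR_MAP 10 set transform-set RAPTOR_SET
crypto map RAPTOR_MAP interface outside

! Let decrypted tunnel traffic bypass the interface access lists
sysopt connection permit-ipsec
```

Before testing, compare `show isakmp policy` and `show crypto ipsec transform-set` output against the Raptor's IKE_PIX_CRYPTO and PIX_Global_IKE_Policy settings; any mismatch in hash, cipher, mode or lifetime shows up on the Raptor as a failed ISAKMP SA like the log lines in the first post.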
 