
VPN problems between Cisco PIX 506e and Check Point NGX R60

Posted: Thu 06 Mar 2008 7:13 pm
by fallucch
Hi everyone, I am trying to set up an IPsec VPN tunnel between a Cisco PIX 506 and a Check Point NGX R60.

So far I have managed to get it to complete ISAKMP authentication, but it does not bring up the IPsec tunnel.


The PIX configuration is:

PIX Version 6.3(4)
...
access-list NONAT permit ip XX.168.0.0 255.255.255.0 XX.20.92.0 255.255.252.0
access-list 101 permit ip XX.168.0.0 255.255.255.0 XX.20.92.0 255.255.252.0

nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
....
crypto ipsec transform-set POLICY esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 6 ipsec-isakmp
crypto map VPN 6 match address 101
crypto map VPN 6 set peer remote.pub.70.155
crypto map VPN 6 set transform-set ESP-3DES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key **** address remote.pub.70.155 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp policy 35 authentication pre-share
isakmp policy 35 encryption des
isakmp policy 35 hash sha
isakmp policy 35 group 1
isakmp policy 35 lifetime 86400
....
: end

This is the debug:
ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:remote.pub.70.155, dest:local.pub.182.94 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remote.pub.70.155, dest:local.pub.182.94 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remote.pub.70.155, dest:local.pub.182.94 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 1366705634:517645e2IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x83d30114(2211643668) for SA
from remote.pub.70.155 to local.pub.182.94 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:remote.pub.70.155/500 Total VPN Peers:4
VPN Peer: ISAKMP: Peer ip:remote.pub.70.155/500 Ref cnt incremented to:1 Total VPN Peers:4
crypto_isakmp_process_block:src:remote.pub.70.155, dest:local.pub.182.94 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 2211643668, message ID = 1198335245
ISAKMP (0): deleting spi 335664003 message ID = 1366705634
return status is IKMP_NO_ERR_NO_TRAN
(identity) local= local.pub.182.94, remote= remote.pub.70.155,
local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= XX.20.92.0/255.255.252.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of 595728766:2382197eIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x5d60bcbd(1566620861) for SA
from remote.pub.70.155 to local.pub.182.94 for prot 3

crypto_isakmp_process_block:src:remote.pub.70.155, dest:local.pub.182.94 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 1566620861, message ID = 862257153
ISAKMP (0): deleting spi 3183239261 message ID = 595728766
return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired: count = 2,
(identity) local= local.pub.182.94, remote= remote.pub.70.155,
local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= XX.20.92.0/255.255.252.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of 330096096:13acdde0IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x72a1922c(1923191340) for SA
from remote.pub.70.155 to local.pub.182.94 for prot 3

crypto_isakmp_process_block:src:remote.pub.70.155, dest:local.pub.182.94 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 1923191340, message ID = 2181633195
ISAKMP (0): deleting spi 747807090 message ID = 330096096
return status is IKMP_NO_ERR_NO_TRANS



I would be very grateful if someone could give me a little help.

Thanks, Antonio.
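As an added illustration (not part of the original post or of any Cisco/Check Point tooling), the following Python script triages a PIX 6.3 `debug crypto isakmp` excerpt of the kind shown above: it checks whether Phase 1 completed, counts Quick Mode attempts, decodes the `NOTIFY payload <type> protocol <id>` lines using the RFC 2408 notify types and RFC 2407 IPsec DOI protocol IDs, and pulls out the proxy identities. The sample debug text is constructed from the lines of the post.

```python
import re
from typing import Dict

# Subset of RFC 2408 notify types and RFC 2407 IPsec DOI protocol IDs
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED",
                24578: "INITIAL-CONTACT"}
PROTO_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

# Constructed excerpt modelled on the PIX debug quoted in the post
SAMPLE_DEBUG = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1366705634:517645e2IPSEC(key_engine): got a queue event...
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 2211643668, message ID = 1198335245
return status is IKMP_NO_ERR_NO_TRAN
local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= XX.20.92.0/255.255.252.0/0/0 (type=4)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 595728766:2382197eIPSEC(key_engine): got a queue event...
ISAKMP (0): processing NOTIFY payload 14 protocol 3
"""

NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+?)/(\S+?)/")

def triage(debug: str) -> Dict[str, object]:
    """Summarise an IKEv1 debug: Phase 1 state, Quick Mode attempts,
    decoded notifies sent by the peer, and the proxy IDs offered."""
    result = {"phase1_ok": False, "qm_attempts": 0, "notifies": [], "proxies": {}}
    for line in debug.splitlines():
        if "SA has been authenticated" in line:
            result["phase1_ok"] = True
        if "beginning Quick Mode exchange" in line:
            result["qm_attempts"] += 1
        m = NOTIFY_RE.search(line)
        if m:
            ntype, proto = int(m.group(1)), int(m.group(2))
            result["notifies"].append(
                f"{NOTIFY_TYPES.get(ntype, ntype)} for {PROTO_IDS.get(proto, proto)}")
        m = PROXY_RE.search(line)
        if m:
            result["proxies"][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
    return result

def verdict(summary: Dict[str, object]) -> str:
    """Turn the summary into a one-line pointer to the phase that failed."""
    if not summary["phase1_ok"]:
        return "Phase 1 did not complete: check pre-shared key and isakmp policy"
    if any(n.startswith("NO-PROPOSAL-CHOSEN") for n in summary["notifies"]):
        return ("Phase 2 rejected by peer (NO-PROPOSAL-CHOSEN): compare transform set, "
                "SA lifetime, PFS and proxy IDs on both ends")
    return "no failure notify seen"
```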