Re: lan-lan tunnel, pix-concentrator
- From: roberson@xxxxxxxxxxxx (Walter Roberson)
- Date: Tue, 30 May 2006 18:04:58 GMT
In article <Pine.GSO.4.58L0.0605301716100.27106@xxxxxxxxxxxxxxx>,
Adam KOSA <adamk@xxxxxxxxxx> wrote:
I'm trying to create a lan-lan tunnel between a 3005 and a pix501.
the parameters on the 3005:
authentication: esp/sha/hmac-128, preshared key
encryption: aes-256
ike proposal: encr: aes-256, auth: sha/hmac/160, group 2
You really should use group 5 with AES.
on the pix side:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
I recommend instead,
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA TRANS_ESP_3DES_MD5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
I recommend changing the group to 5 for aes-256, and I recommend
reversing the order so that AES-256 has a higher priority than
3DES/MD5.
I don't particularly recommend 3DES/MD5: 3DES/SHA is considered
more secure.
The vpn web log says:
23877 05/30/2006 17:15:31.390 SEV=4 AUTH/23 RPT=823 x.x.x.9
User [x.x.x.9] Group [x.x.x.9] disconnected: duration: 0:00:00
23876 05/30/2006 17:15:31.390 SEV=4 IKEDBG/97 RPT=278 x.x.x.9
Group [x.x.x.9]
QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!
This link *might* help:
http://groups.google.ca/group/openbsd.tech/msg/dc84126f585b4584
23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9
Group [x.x.x.9]
Received local IP Proxy Subnet data in ID Payload:
Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0
23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9
Group [x.x.x.9]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0
I notice that the remote IP (from the PIX) is netmask 255.255.0.0:
was that what you were expecting?
Meanwhile, on the PIX, push up the debug level. If my fingers
still remember the commands:
debug crypto isakmp 2
debug crypto ipsec 2
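As an added example (not part of the original thread), the checks from the reply above, turned into a small audit script: it parses the PIX lines quoted in the post, flags 3DES/MD5, AES-256 with DH group 2, a 3DES policy ranked ahead of the AES one, and a dynamic-map that does not offer the AES transform-set first, then emits a renumbered policy set with AES first and group 5. The one line defining the TRANS_ESP_3DES_MD5 transform-set is constructed, since the post references that set but does not show it.

```python
"""Audit PIX-style ISAKMP policies and transform-set references for the
weaknesses the reply above points out, then emit a corrected policy set.

Added example, not from the original post. The sample config is the PIX
fragment quoted in the thread plus one constructed line defining the
TRANS_ESP_3DES_MD5 transform-set, which the post references but does not show.
"""
import re

ISAKMP_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DYNMAP_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")

AES_ENCR = ("aes", "aes-192", "aes-256")      # PIX isakmp encryption keywords
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

# Constructed sample: the lines quoted in the post, plus the assumed
# TRANS_ESP_3DES_MD5 definition (not shown in the post).
SAMPLE_CONFIG = """
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
"""


def parse_config(text):
    """Return (policies, transform_sets, dynamic_maps) from config text."""
    policies, tsets, dynmaps = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ISAKMP_RE.match(line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = TSET_RE.match(line)
        if m:
            tsets[m.group(1)] = m.group(2).split()
            continue
        m = DYNMAP_RE.match(line)
        if m:
            dynmaps[(m.group(1), int(m.group(2)))] = m.group(3).split()
    return policies, tsets, dynmaps


def audit_isakmp(policies):
    """Flag 3DES/MD5, AES with DH group 2, and 3DES ranked ahead of AES."""
    findings = []
    for prio, p in sorted(policies.items()):
        if p.get("encryption") == "3des" and p.get("hash") == "md5":
            findings.append(f"policy {prio}: 3DES/MD5; 3DES/SHA is considered more secure")
        if p.get("encryption") in AES_ENCR and p.get("group") == "2":
            findings.append(f"policy {prio}: {p['encryption']} with DH group 2; use group 5")
    # The PIX offers policies lowest number first, so AES must outrank 3DES.
    aes = [n for n, p in policies.items() if p.get("encryption") in AES_ENCR]
    des3 = [n for n, p in policies.items() if p.get("encryption") == "3des"]
    if aes and des3 and min(des3) < min(aes):
        findings.append(f"policy {min(des3)} (3des) is tried before policy {min(aes)} (aes)")
    return findings


def audit_dynamic_maps(dynmaps, tsets):
    """Flag dynamic-map entries whose first transform-set is not AES."""
    findings = []
    for (name, seq), sets in dynmaps.items():
        first_name = sets[0] if sets else "(none)"
        first = tsets.get(first_name, [])
        if not any(alg.startswith("esp-aes") for alg in first):
            findings.append(f"dynamic-map {name} {seq}: first transform-set {first_name} is not AES")
    return findings


def corrected_policies(policies, step=10):
    """Renumber so AES policies come first, use group 5 with AES, SHA over MD5."""
    aes_first = sorted(policies, key=lambda n: (policies[n].get("encryption") not in AES_ENCR, n))
    lines = []
    for i, old in enumerate(aes_first):
        p = dict(policies[old])
        if p.get("encryption") in AES_ENCR and p.get("group") == "2":
            p["group"] = "5"
        if p.get("hash") == "md5":
            p["hash"] = "sha"
        for key in POLICY_KEYS:
            if key in p:
                lines.append(f"isakmp policy {(i + 1) * step} {key} {p[key]}")
    return lines


if __name__ == "__main__":
    pol, ts, dm = parse_config(SAMPLE_CONFIG)
    for f in audit_isakmp(pol) + audit_dynamic_maps(dm, ts):
        print("FINDING:", f)
    print("\n".join(corrected_policies(pol)))
```

Running the corrected output back through audit_isakmp returns no findings; the dynamic-map line still has to be fixed by hand, as the reply suggests, by listing ESP-AES-256-SHA before TRANS_ESP_3DES_MD5.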