It's OK! I have added esp-sha-hmac to the transform-set, configured the internal
interface of the PIX as the default gateway of the internal host (it is not sufficient to add a route), and
the communication is on.
Thanks!
DAVIDE
Rob Tashjian wrote:
> Sorry, I'm no expert in PIX configuration, but the error is in the Q{uick}
> M{ode} negotiation between the client and the PIX. That's the "Phase 2"
> reference. It looks like the PIX is sending a proposal that is being
> rejected by the client. This is usually because a) the crypto parameters
> don't match (i.e., the client requires 3DES and the PIX proposes DES, or the
> client requires ESP MD5 authentication and the PIX proposes none or AH), or
> because of a mismatch in the client identifiers. The client identifiers
> are the IP addresses on either end that are allowed access to the tunnel.
>
> Since the tunnel isn't being created, the connection will black-hole and will
> fail with a timeout.
>
> This is one of the problems with IKE/ISAKMP. There are so many knobs and
> dials that it's really easy to screw up; sort of like ISDN in the early
> days:^)
>
> Hope this helps,
> rwt
> ---
> Robert Tashjian [EMAIL PROTECTED]
> Netopia, Inc
> ----- Original Message -----
> From: "Davide Zari" <[EMAIL PROTECTED]>
> To: "Firewalls lists" <[EMAIL PROTECTED]>
> Sent: Tuesday, May 02, 2000 4:27 AM
> Subject: IKE Phase 2-PIX+SecVPNClient
>
> > Hi,
> >
> > when I attempt to open ftp from the outside host to the inside, the log of Secure
> > VPN Client shows this:
> >
> > 12:08:36.478 Topixfirewall - Initiating IKE Phase 1 (IP ADDR=192.168.50.1)
> > 12:08:36.578 Topixfirewall - SENDING>>>> ISAKMP OAK MM (SA)
> > 12:08:36.778 Topixfirewall - RECEIVED<<< ISAKMP OAK MM (SA)
> > 12:08:36.919 Topixfirewall - SENDING>>>> ISAKMP OAK MM (KE, NON, VID, VID)
> > 12:08:37.119 Topixfirewall - RECEIVED<<< ISAKMP OAK MM (KE, NON, VID)
> > 12:08:37.239 Topixfirewall - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
> > 12:08:37.339 Topixfirewall - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
> > 12:08:37.439 Topixfirewall - Established IKE SA
> > 12:08:37.539 Topixfirewall - Initiating IKE Phase 2 with Client IDs (message id: A4561253)
> > 12:08:37.640 Initiator = IP ADDR=192.168.20.2, prot = 0 port = 0
> > 12:08:37.740 Responder = IP ADDR=192.168.50.5, prot = 0 port = 0
> > 12:08:37.840 Topixfirewall - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
> > 12:08:37.940 Topixfirewall - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
> > 12:08:38.040 Topixfirewall - Discarding IPSec SA negotiation
> >
> > The topology is:
> >
> >  internal host          :PIX:                          router                    ext host (VPN Client)
> >  192.168.201.31---(192.168.201.200   192.168.50.1)---(192.168.50.2 192.168.20.1)---192.168.20.2
> >                    Eth 1 inside      Eth 0 outside
> >
> > Here is the config of the PIX:
> >
> > PIX Version 5.0(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password otf0ZholSsu4cuaN encrypted
> > passwd otf0ZholSsu4cuaN encrypted
> > hostname pixfirewall
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol smtp 25
> > fixup protocol h323 1720
> > fixup protocol rsh 514
> > fixup protocol sqlnet 1521
> > names
> > pager lines 24
> > no logging timestamp
> > no logging standby
> > no logging console
> > no logging monitor
> > logging buffered debugging
> > no logging trap
> > logging facility 20
> > logging queue 512
> > interface ethernet0 auto
> > interface ethernet1 auto
> > mtu outside 1500
> > mtu inside 1500
> > ip address outside 192.168.50.1 255.255.255.0
> > ip address inside 192.168.201.200 255.255.248.0
> > no failover
> > failover timeout 0:00:00
> > failover ip address outside 0.0.0.0
> > failover ip address inside 0.0.0.0
> > arp timeout 14400
> > global (outside) 1 192.168.50.10 netmask 255.255.255.0
> > global (outside) 1 192.168.50.11-192.168.50.20 netmask 255.255.255.0
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) 192.168.50.5 192.168.201.31 netmask 255.255.255.255 0 0
> > access-list 80 permit ip host 192.168.20.2 host 192.168.50.2
> > conduit permit icmp any any
> > conduit permit tcp host 192.168.50.5 eq ftp any
> > no rip outside passive
> > no rip outside default
> > no rip inside passive
> > no rip inside default
> > route outside 0.0.0.0 0.0.0.0 192.168.50.2 1
> > timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> > timeout rpc 0:10:00 h323 0:05:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > sysopt connection permit-ipsec
> > crypto ipsec transform-set transfset1 esp-des
> > crypto dynamic-map cisco 4 set transform-set transfset1
> > crypto map mymap1 20 ipsec-isakmp dynamic cisco
> > crypto map mymap1 interface outside
> > isakmp enable outside
> > isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
> > isakmp policy 8 authentication pre-share
> > isakmp policy 8 encryption des
> > isakmp policy 8 hash md5
> > isakmp policy 8 group 1
> > isakmp policy 8 lifetime 86400
> > telnet 192.168.207.33 255.255.255.255 inside
> > telnet 192.168.201.31 255.255.255.255 inside
> > telnet timeout 5
> > terminal width 80
> >
> > The ftp says "Connection timed out". I think there's not a DNS problem.
> > From the log it can create an SA; an isakmp SA is present:
> >
> > dst             src             state     pending   created
> > 192.168.50.1    192.168.20.2    QM_IDLE   0         0
> >
> > and an ipsec SA:
> >
> > interface: outside
> > Crypto map tag: mymap1, local addr. 192.168.50.1
> >
> > The VPN Client is version 1.1 on NT Server, PIX is 515.
> >
> > Thanks for any help,
> >
> > DAVIDE
> >
> > --
> > =========================================
> > Davide Zari
> > Security Consultant - Customer Connect
> > Cybernet Ita, S.p.A.
> > Viale Verona, 190 - 38100 Trento - ITALY
> > Phone :+39 461 373111
> > Fax :+39 461 373110
> > =========================================
> >
--
=========================================
Davide Zari
Security Consultant - Customer Connect
Cybernet Ita, S.p.A.
Viale Verona, 190 - 38100 Trento - ITALY
Phone :+39 461 373111
Fax :+39 461 373110
=========================================
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
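The diagnosis in this thread (Phase 1 succeeds, Phase 2 fails with NO_PROPOSAL_CHOSEN because the PIX transform-set offered only esp-des while the client wanted ESP authentication as well) can be checked mechanically. The following Python script is an added example and is not code from the thread, from Cisco, or from the VPN client; it reads a Secure VPN Client log in the format Davide posted, reports the Phase 1/Phase 2 outcome, and compares a PIX `crypto ipsec transform-set` line against what the client proposes. The assumption that the client required `esp-des` with `esp-sha-hmac` is inferred from Davide's fix, not stated in the thread, and the sample log is constructed from the posted lines.

```python
"""Added example (not from the original thread): diagnose an IKE Phase 2
NO_PROPOSAL_CHOSEN failure from a Secure VPN Client log and check whether a
PIX transform-set can satisfy the client's ESP proposal."""
import re

# Constructed from the log lines in the original post (wrapped lines rejoined).
SAMPLE_LOG = """\
12:08:36.478 Topixfirewall - Initiating IKE Phase 1 (IP ADDR=192.168.50.1)
12:08:37.239 Topixfirewall - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
12:08:37.439 Topixfirewall - Established IKE SA
12:08:37.539 Topixfirewall - Initiating IKE Phase 2 with Client IDs (message id: A4561253)
12:08:37.640 Initiator = IP ADDR=192.168.20.2, prot = 0 port = 0
12:08:37.740 Responder = IP ADDR=192.168.50.5, prot = 0 port = 0
12:08:37.840 Topixfirewall - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
12:08:37.940 Topixfirewall - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
12:08:38.040 Topixfirewall - Discarding IPSec SA negotiation
"""

NOTIFY_RE = re.compile(r"NOTIFY:([A-Z_]+)")
ID_RE = re.compile(r"(Initiator|Responder) = IP ADDR=(\d+\.\d+\.\d+\.\d+)")


def analyse_log(text):
    """Summarise the client log: did Phase 1 finish, which Phase 2 identities
    were proposed, and what notification (if any) the peer sent back."""
    result = {"phase1": False, "phase2_notify": None,
              "initiator": None, "responder": None}
    for line in text.splitlines():
        if "Established IKE SA" in line:
            result["phase1"] = True
        m = ID_RE.search(line)
        if m:
            result[m.group(1).lower()] = m.group(2)
        # Only notifications the peer sent us matter; the client's own
        # STATUS_INITIAL_CONTACT in a SENDING line is not an error.
        m = NOTIFY_RE.search(line)
        if m and "RECEIVED" in line:
            result["phase2_notify"] = m.group(1)
    return result


# Transform keywords as used by the PIX "crypto ipsec transform-set" command.
ESP_ENCRYPTION = {"esp-des", "esp-3des"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}


def parse_transform_set(config_line):
    """Parse 'crypto ipsec transform-set NAME t1 [t2 ...]' -> (name, {transforms})."""
    parts = config_line.split()
    if parts[:3] != ["crypto", "ipsec", "transform-set"] or len(parts) < 5:
        raise ValueError("not a transform-set line: %r" % config_line)
    return parts[3], set(parts[4:])


def proposal_acceptable(pix_transforms, client_encryption, client_auth=None):
    """Return (ok, reason): can the PIX transform-set satisfy a client that
    requires the given ESP encryption and (optionally) ESP authentication?"""
    enc = pix_transforms & ESP_ENCRYPTION
    auth = pix_transforms & ESP_AUTH
    if client_encryption not in enc:
        return False, "encryption mismatch: client wants %s, PIX offers %s" % (
            client_encryption, sorted(enc) or "none")
    if client_auth and client_auth not in auth:
        return False, "authentication mismatch: client wants %s, PIX offers %s" % (
            client_auth, sorted(auth) or "none")
    return True, "proposal acceptable"


def diagnose(log_text, transform_set_line, client_encryption, client_auth=None):
    """Combine both checks into one human-readable verdict."""
    summary = analyse_log(log_text)
    if not summary["phase1"]:
        return "Phase 1 never completed: check isakmp policy / pre-shared key"
    if summary["phase2_notify"] != "NO_PROPOSAL_CHOSEN":
        return "Phase 2 notify: %s" % summary["phase2_notify"]
    _, transforms = parse_transform_set(transform_set_line)
    ok, reason = proposal_acceptable(transforms, client_encryption, client_auth)
    ids = "%s -> %s" % (summary["initiator"], summary["responder"])
    return "Phase 2 rejected for %s: %s" % (ids, reason) if not ok else \
        "transform-set matches; check client identifiers for %s" % ids


if __name__ == "__main__":
    # The original config offered only esp-des; Davide's fix added esp-sha-hmac.
    print(diagnose(SAMPLE_LOG, "crypto ipsec transform-set transfset1 esp-des",
                   "esp-des", "esp-sha-hmac"))
    print(diagnose(SAMPLE_LOG, "crypto ipsec transform-set transfset1 esp-des esp-sha-hmac",
                   "esp-des", "esp-sha-hmac"))
```

Running the block reports the authentication mismatch for the original `esp-des`-only transform-set and, for the corrected set, points at the remaining possibility Rob raised (client identifier mismatch), which is where the static and access-list entries would be checked next.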