Has anyone had any experience/success with setting up a VPN between
Firewall-1 and Cisco PIX? I have set up what I think is the correct config
but it's not quite working.
I have set up the configuration below on both firewalls. When I try pinging
or telnetting from a SiteA internal address to a SiteB internal address I get
no response to the command, but the following two messages appear in the
Firewall-1 log:
Action: Key Install
Source: 192.168.1.1
Dest: 192.168.2.145
Desc: ISAKMP Log: Phase 1 completion. DES/MD5/Pre shared secrets
Negotiation Id: 6910150255ebf513-7a3dc6502ae28722
Action: Key Install
Source: 192.168.1.1
Dest: 192.168.2.145
Desc: ISAKMP Log: Sent Notification: no proposal chosen <phase2 stage2>
Negotiation Id: b60dffd6
I can see stuff in the logs on the PIX box that looks like the Phase 1
negotiation, and there is a fair bit of stuff following that which I imagine
is the Phase 2 stuff, but I can't really make much sense of it.
When I try pinging or telnetting in the opposite direction, the PIX seems to
just direct the traffic out to the Internet without building a security
association first.
Can anyone help with this?
The config is as follows (IP addresses changed to protect the innocent):
  Site A                                                     Site B

  -------------  192.168.1.1/24             192.168.2.145/28  -------------
  | FirewallA |------------- Internet ------------------------| FirewallB |
  -------------                                                -------------
        |                                                            |
   10.1.0.0/16                                                  10.4.16.0/22
        |
   ----------
   | Router |
   ----------
        |
        |
  Other Subnets:
   10.2.0.0/16
   10.3.0.0/16
   10.4.4.0/22
   10.4.8.0/22
   10.4.12.0/22
FirewallA Config:
-----------------
Firewall-1 4.0 SP4
Windows NT 4.0 SP4
Policy -> Properties -> Encryption:
ISAKMP Key Renegotiation
Renegotiate IPSec SAs every 3600 secs
Renegotiate ISAKMP SAs every 1440 mins
Workstation Object FirewallA:
Encryption Domain: 10.1.0.0/16
10.2.0.0/16
10.3.0.0/16
10.4.4.0/22
10.4.8.0/22
10.4.12.0/22
Encryption Methods Defined: ISAKMP/OAKLEY
Encryption Method: DES
Hash Method: MD5
Authentication Method: Pre-shared key
Peer: FirewallB
Shared Secret: abcdef
Workstation Object FirewallB:
Encryption Domain: 10.4.16.0/22
Encryption Methods Defined: ISAKMP/OAKLEY
Encryption Method: DES
Hash Method: MD5
Authentication Method: Pre-shared key
Peer: FirewallA
Shared Secret: abcdef
Security Rules:
SiteA SiteB Any Encrypt Long
SiteB SiteA Any Encrypt Long
Encrypt properties:
Encryption Schemes: ISAKMP/OAKLEY
Transform: Encryption + Data Integrity (ESP)
Encryption Algorithm: DES
Data Integrity: MD5
Allowed Peer Gateway: FirewallB
Use Perfect Forward Secrecy selected
NAT Rules:
SiteA SiteB Any Original Original Original
SiteB SiteA Any Original Original Original
FirewallB Config:
-----------------
Cisco PIX 520
S/w Version 5.1(2)
(I've removed config lines that do not contribute to the VPN setup.)
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname QUiCKSiLVER
names
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.1.0.0 255.255.0.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.2.0.0 255.255.0.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.3.0.0 255.255.0.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.4.4.0 255.255.252.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.4.8.0 255.255.252.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.4.12.0 255.255.252.0
ip address outside 192.168.2.145 255.255.255.240
ip address inside 10.4.16.1 255.255.252.0
route outside 0.0.0.0 0.0.0.0 192.168.2.158 1
crypto ipsec transform-set vpn-tfset esp-des esp-md5-hmac
crypto map vpn-map 10 ipsec-isakmp
crypto map vpn-map 10 match address vpn-acl
crypto map vpn-map 10 set pfs
crypto map vpn-map 10 set peer 192.168.1.1
crypto map vpn-map 10 set transform-set vpn-tfset
crypto map vpn-map interface outside
isakmp enable outside
isakmp key abcdef address 192.168.1.1 netmask 255.255.255.255
isakmp identity hostname
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
Thanks in advance,
Andrew Cooper
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
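Added example (not part of Andrew's post, and not Check Point or Cisco code): a small Python checker that reads the PIX crypto lines quoted above and compares the Phase 2 parameters that are visible on both sides, namely the ESP transform, whether PFS is on, and the subnet pairs each side expects to protect. An ISAKMP "no proposal chosen" in Phase 2 means the responder found no acceptable Quick Mode proposal, and these three parameters are where such a rejection is normally found. The checker assumes Firewall-1 offers one subnet pair per encryption-domain entry and that the crypto map and ACL names are the ones in the post; the DH group is not compared because the Firewall-1 side's group is not shown.

```python
import ipaddress
import re

# PIX crypto lines copied from the post (the wrapped access-list line joined).
PIX_CONFIG = """
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.1.0.0 255.255.0.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.2.0.0 255.255.0.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.3.0.0 255.255.0.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.4.4.0 255.255.252.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.4.8.0 255.255.252.0
access-list vpn-acl permit ip 10.4.16.0 255.255.252.0 10.4.12.0 255.255.252.0
crypto ipsec transform-set vpn-tfset esp-des esp-md5-hmac
crypto map vpn-map 10 ipsec-isakmp
crypto map vpn-map 10 match address vpn-acl
crypto map vpn-map 10 set pfs
crypto map vpn-map 10 set peer 192.168.1.1
crypto map vpn-map 10 set transform-set vpn-tfset
crypto map vpn-map interface outside
"""

# Firewall-1 side, transcribed from the GUI settings listed in the post.
# (Assumption: each local/remote domain pair becomes one Phase 2 proxy-ID pair.)
FW1_SUMMARY = {
    "local_domain": ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16",
                     "10.4.4.0/22", "10.4.8.0/22", "10.4.12.0/22"],
    "remote_domain": ["10.4.16.0/22"],
    "esp": {"enc": "des", "auth": "md5"},
    "pfs": True,
}


def _net(addr, mask):
    """Build a network object from PIX 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Extract ACL entries, transform sets and crypto-map entries from PIX config text."""
    cfg = {"acl": {}, "transform_sets": {}, "maps": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(p[1], []).append((_net(p[4], p[5]), _net(p[6], p[7])))
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            ts = {"enc": None, "auth": None}
            for t in p[4:]:
                m_enc = re.fullmatch(r"esp-(des|3des|aes(?:-\d+)?)", t)
                m_auth = re.fullmatch(r"esp-(md5|sha)-hmac", t)
                if m_enc:
                    ts["enc"] = m_enc.group(1)
                elif m_auth:
                    ts["auth"] = m_auth.group(1)
            cfg["transform_sets"][p[3]] = ts
        elif p[:2] == ["crypto", "map"] and len(p) > 4 and p[3].isdigit():
            entry = cfg["maps"].setdefault((p[2], int(p[3])),
                                           {"pfs": False, "transform_sets": []})
            rest = p[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "pfs"]:
                entry["pfs"] = True
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_sets"] = rest[2:]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
    return cfg


def compare_phase2(pix_cfg, fw1, map_name="vpn-map", seq=10):
    """Return a list of Phase 2 mismatches between one PIX crypto-map entry and FW-1."""
    findings = []
    entry = pix_cfg["maps"][(map_name, seq)]

    # Transform: the single ESP combination FW-1 proposes must be one the PIX accepts.
    offered = [pix_cfg["transform_sets"][n] for n in entry["transform_sets"]]
    if fw1["esp"] not in offered:
        findings.append(f"transform: FW-1 proposes {fw1['esp']}, PIX accepts {offered}")

    # PFS must be on for both or off for both (only on/off is visible for FW-1 here).
    if fw1["pfs"] != entry["pfs"]:
        findings.append(f"pfs: FW-1={fw1['pfs']}, PIX={entry['pfs']}")

    # Proxy identities: every FW-1 (local, remote) pair should appear mirrored as a
    # (source, destination) ACL line on the PIX, and every ACL line should be covered.
    acl = pix_cfg["acl"].get(entry.get("acl"), [])
    pix_pairs = {(dst, src) for src, dst in acl}  # viewed from FW-1's side
    fw1_pairs = {(ipaddress.ip_network(l), ipaddress.ip_network(r))
                 for l in fw1["local_domain"] for r in fw1["remote_domain"]}
    for local, remote in sorted(fw1_pairs - pix_pairs, key=str):
        findings.append(f"proxy-id: FW-1 {local} <-> {remote} has no mirrored PIX ACL entry")
    for local, remote in sorted(pix_pairs - fw1_pairs, key=str):
        findings.append(f"proxy-id: PIX ACL {remote} -> {local} is outside the FW-1 domains")
    return findings


if __name__ == "__main__":
    result = compare_phase2(parse_pix(PIX_CONFIG), FW1_SUMMARY)
    print("\n".join(result) if result else "no Phase 2 mismatch visible in these parameters")
```

Run against the two configs as posted, the checker reports nothing: transform, PFS and the six subnet pairs all agree, so whatever the PIX is rejecting sits in a parameter the post does not show (the DH group used for PFS, or the SA lifetime, for instance). Editing any one of the three compared parameters in the PIX text makes the corresponding finding appear, which is how such a checker is used in practice: to rule out the visible mismatches before digging into the peer's debug output.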