On Tue, Dec 16, 2008 at 11:17 PM, Boris Goldberg <bo...@twopoint.com> wrote:
> Hello Danial,
>
> Tuesday, December 16, 2008, 4:07:26 PM, you wrote:
>
>>> Your tunnel is probably host-to-host - don't change it, but add an
>>> additional network-to-host one. That "dummy" tunnel won't actually transfer
>>> anything, but will route packets from your internal network to enc0, then
>>> your nat rule will change it and everything should work.
>
> DO> I'm not quite sure how you've done this. Could you be more specific?
> DO> Do you mean to add an additional Connection in isakmpd.conf and refer
> DO> to the same Peer but a different network (Local-ID)?
>
> Yes, something like the following:
>
> [Phase 1]
> <their_external_IP>= PIX
>
> [Phase 2]
> Connections= PIX_CONN-1,PIX_CONN-1_1
>
> [PIX_CONN-1]
> Phase= 2
> ISAKMP-peer= PIX
> Configuration= quick-mode-pix
> Local-ID= Net-twopoint
> Remote-ID= pix-internal-1
>
> [PIX_CONN-1_1]
> Phase= 2
> ISAKMP-peer= PIX
> Configuration= quick-mode-pix
> Local-ID= twopoint-internal-1
> Remote-ID= pix-internal-1
>
> [Net-twopoint]
> ID-type= IPV4_ADDR_SUBNET
> Network= <our_network>
> Netmask= <our_netmask>
>
> [twopoint-internal-1]
> ID-type= IPV4_ADDR
> Address= <our_firewall_internal_IP>
>
> [pix-internal-1]
> ID-type= IPV4_ADDR
> Address= <their_box_internal_IP>
>
> Of course, it's just a quote from our isakmpd.conf. Real numbers are
> substituted with <description>.
This involves the same issue as mentioned earlier, that the flows/"dummy tunnel" does in fact get transmitted to the peer for quick mode negotiation.

isakmpd -dvL reports:

    Default transport_send_messages: giving up on exchange PEER, no response from peer <peer_ip>:500

isakmpd.pcap contains:

    00:38:55.138549 <myhostip>.500 > <peer_ip>.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 4e4b2944370a8560->ff879e6d83275fd5 msgid: 85e8f8bd len: 284
        payload: HASH len: 24
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x8f05b4fc
                payload: TRANSFORM len: 28
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 1200
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = <my_lan>/255.255.0.0
        payload: ID len: 12 type: IPV4_ADDR = <remote_internal_ip> [ttl 0] (id 1, len 312)
    00:38:55.218317 <peer_ip>.500 > <myhostip>.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 4e4b2944370a8560->ff879e6d83275fd5 msgid: c2905b70 len: 124
        payload: HASH len: 24
        payload: NOTIFICATION len: 68 notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 152)

I'm relying on the lo1 hack to save me. Gonna try it as soon as the IP I'm gonna use gets accepted by the remote site!

Thanks,
Danial
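As an added example (not code from the thread or from isakmpd itself), the following Python resolves the Phase 2 connections of an isakmpd.conf laid out as in Boris's quote into the local/remote traffic selectors each quick-mode exchange will propose, so both the network-to-host and the host-to-host pair can be checked against the peer's policy before the config goes live. The section names are the ones from the thread; the addresses are constructed placeholders, and the Phase 1 and Configuration lines are omitted since they do not affect the selectors.

```python
import ipaddress
# Constructed sample in the thread's layout; the addresses are made-up placeholders
SAMPLE_CONF = """\
[Phase 2]
Connections= PIX_CONN-1,PIX_CONN-1_1
[PIX_CONN-1]
Phase= 2
Local-ID= Net-twopoint
Remote-ID= pix-internal-1
[PIX_CONN-1_1]
Phase= 2
Local-ID= twopoint-internal-1
Remote-ID= pix-internal-1
[Net-twopoint]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.0.0
Netmask= 255.255.0.0
[twopoint-internal-1]
ID-type= IPV4_ADDR
Address= 10.1.0.1
[pix-internal-1]
ID-type= IPV4_ADDR
Address= 10.2.0.5
"""

def parse_isakmpd_conf(text):
    """Parse [Section] / Key= Value lines into {section: {key: value}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current and not line.startswith("#"):
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def id_to_network(sec):
    """Resolve an ID section to an ip_network; a single-host ID becomes a /32."""
    if sec["ID-type"] == "IPV4_ADDR_SUBNET":
        return ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}")
    return ipaddress.ip_network(f"{sec['Address']}/32")

def phase2_selectors(text):
    """Map each Phase 2 connection name to its (local, remote) selector pair."""
    conf = parse_isakmpd_conf(text)
    result = {}
    for name in conf["Phase 2"]["Connections"].split(","):
        conn = conf[name.strip()]
        result[name.strip()] = (id_to_network(conf[conn["Local-ID"]]),
                                id_to_network(conf[conn["Remote-ID"]]))
    return result
```

On the sample, PIX_CONN-1 resolves to 10.1.0.0/16 -> 10.2.0.5/32 and PIX_CONN-1_1 to 10.1.0.1/32 -> 10.2.0.5/32; a selector pair the peer has no matching policy for is what draws the NO PROPOSAL CHOSEN seen in the pcap above.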