NAT is not in use, the two peers are in direct contact
with each other.

OS version: Cisco PIX Firewall Version 6.3(4)120
PIX model: Hardware: PIX-515E

Regards
Richard

--- Petr Ruzicka <[EMAIL PROTECTED]> wrote:
> two more questions 
> - pix version ? 
> - is nat in use ?
> 
> Petr R.
> 
> --- Richard Green <[EMAIL PROTECTED]> wrote:

> Hi
> 
> Thanks for your replies. I have some additional information now - the Cisco config (below) - though it still looks quite sensibly configured (to someone who doesn't know any Cisco commands ;)), and the errors remain :(
> 
> Regards, Richard
> 
> --- Erik Carlseen <[EMAIL PROTECTED]> wrote:
> > It would be helpful if you could provide sanitized configuration files from both the OpenBSD box and the PIX (just search & replace out anything confidential, but please be consistent).
> > 
> > Also, I've found (at least for me) that a good command line for debug purposes is:
> > 
> > isakmpd -f- -d -L -D0=79 -D1=70 -D2=90 -D3=80 -D4=99 -D5=99 -D6=99 -D7=99 -D8=99 -D9=99
> > 
> > For Phase 2 debugging, pay extra attention to the 'SA' debug messages.
> > 
> > Regards,
> > 
> > Erik Carlseen
> 
> and...
> 
> --- Petr Ruzicka <[EMAIL PROTECTED]> wrote:
> > Hi, could you get the configuration of the PIX? Not all of it is required, just the isakmp and crypto map stuff.
> > Do they use xauth ?
> > 
> > Petr R.
> 
> >> Cisco config (sanitized):
> 
> access-list cryptomap_20 permit ip 10.3.3.8 255.255.255.248 192.168.157.0 255.255.255.0
> 
> sysopt connection permit-ipsec
> 
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> 
> crypto map some_map 20 ipsec-isakmp
> crypto map some_map 20 match address cryptomap_20
> crypto map some_map 20 set peer 10.1.1.17
> crypto map some_map 20 set transform-set ESP-3DES-MD5
> crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
> crypto map some_map interface outside
> 
> isakmp enable outside
> isakmp key shared-secret address 10.1.1.17 netmask 255.255.255.255
> isakmp identity address
> 
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> 
> 
> >> /etc/isakmpd/isakmpd.conf config (sanitized)
> 
> 
> [Phase 1]
> 10.0.0.81=        peer-machine-WCpix
> 
> [Phase 2]
> Connections=            VPN-SZ-WCSQL
> 
> [peer-machine-WCpix]
> Phase=                  1
> Transport=              udp
> Address=                10.0.0.81
> Local-address=          10.1.1.17
> Configuration=          Default-main-mode
> Authentication=         shared-secret
> 
> [VPN-SZ-WCSQL]
> Phase=                  2
> ISAKMP-peer=            peer-machine-WCpix
> Configuration=          Default-quick-mode
> Local-ID=               SZ-internal-network
> Remote-ID=              WCSQL-subnet
> 
> [SZ-internal-network]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                192.168.157.0
> Netmask=                255.255.255.0
> 
> [WCSQL-subnet]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                10.3.3.8
> Netmask=                255.255.255.248
> 
> [Default-main-mode]
> DIO=                    IPSEC
> EXCHANGE_TYPE=          ID_PROT
> Transforms=             3DES-MD5
> 
> [Default-quick-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          QUICK_MODE
> Suites=                 QM-ESP-3DES-MD5-SUITE
> 
> [3DES-MD5]
> GROUP_DESCRIPTION=              MODP_1024
> 
> [QM-ESP-3DES-MD5-PFS-SUITE]
> GROUP_DESCRIPTION=              MODP_1024
> 
> #    
> 
> >> And some parts of the debug log at your suggested debug level, at points where errors seem to occur.
> .
> .
> 104124.523585 Exch 90 dpd_check_vendor_payload: bad size 8 != 16
> .
> .
> 104124.582274 SA   60 sa_create: sa 0x3c067d00 phase 2 added to exchange 0x3c067a00 (VPN-SZ-WCSQL)
> 104124.582284 Mesg 90 message_alloc: allocated 0x3c06b700
> 104124.582292 SA   80 sa_reference: SA 0x3c067900 now has 6 references
> 104124.582301 Cryp 60 hash_get: requested algorithm 0
> 104124.582399 Misc 70 attribute_set_constant: no GROUP_DESCRIPTION in the QM-ESP-3DES-MD5-XF section
> 104124.582433 Sdep 80 pf_key_v2_write: iov[0]:
> 104124.582448 Sdep 80 02010002 0a000000 01000000f2100000
> 104124.582456 Sdep 80 pf_key_v2_write: iov[1]:
> 104124.582472 Sdep 80 03000500 00000000 10020000 ca949151 00000000 00000000
> 104124.582480 Sdep 80 pf_key_v2_write: iov[2]:
> 104124.582496 Sdep 80 03000600 00000000 10020000 cb304f11 00000000 00000000
> 104124.582504 Sdep 80 pf_key_v2_write: iov[3]:
> .
> .
> 104124.665321 Cryp 30 crypto_decrypt: after decryption:
> 104124.665340 Cryp 30 0e000014 54f218d1 81b2fec4 56d1ad13 1006f2c6 0000000c 03000000 80140000
> 104124.665351 Cryp 30 00000000 00000000
> 104124.665365 Mesg 50 message_parse_payloads: offset 28 payload HASH
> 104124.665375 Mesg 50 message_parse_payloads: offset 48 payload ATTRIBUTE
> 104124.665388 Mesg 60 message_validate_payloads: payload HASH at 0x3c06b81c of message 0x3c06b600
> 104124.665399 Mesg 60 message_validate_payloads: payload ATTRIBUTE at 0x3c06b830 of message 0x3c06b600
> 104124.665409 Mesg 70 TYPE: 3
> 104124.665417 Mesg 70 ID: 0
> 104124.665428 Exch 90 exchange_validate: checking for required <Unknown -24112>
> 104124.665438 Exch 90 exchange_validate: checking for required <Unknown 7170>
> 104124.665447 Mesg 70 exchange_validate: msg 0x3c06b600 requires missing <Unknown 7170>
> 104124.665455 Default exchange_run: exchange_validate failed
> 104124.665455 Default exchange_run: exchange_validate failed
> 104124.665469 Default dropped message from 202.148.145.81 port 500 due to notification type PAYLOAD_MALFORMED
> 104124.665487 Timr 10 timer_add_event: event exchange_free_aux(0x3c067b00) added before sa_soft_expire(0x3c067900), expiration in 120s
> 104124.665501 Exch 10 exchange_establish_p2: 0x3c067b00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 0
> 104124.665512 Exch 10 exchange_establish_p2: icookie 1332ba6460f97397 rcookie 49fdaa74c14081e1
> 104124.665520 Exch 10 exchange_establish_p2: msgid 2db40593 sa_list
> 104124.665530 Mesg 90 message_alloc: allocated 0x3c06b880
> 104124.665539 SA   80 sa_reference: SA 0x3c067900 now has 7 references
> 104124.665548 Cryp 60 hash_get: requested algorithm 0
> 104124.665558 Cryp 60 hash_get: requested algorithm 0
> 104124.665567 Cryp 60 hash_get: requested algorithm 0
> 104124.665583 Exch 90 exchange_validate: checking for required INFO
> 104124.665599 Cryp 60 hash_get: requested algorithm 0
> 104124.665608 Cryp 80 ipsec_get_keystate: final phase 1 IV:
> 104124.665617 Cryp 80 8ec210f6 c88a6be8
> 104124.665625 Cryp 80 ipsec_get_keystate: message ID:
> 104124.665634 Cryp 80 2db40593
> 104124.665642 Cryp 50 crypto_init_iv: initialized IV:
> 104124.665653 Cryp 50 5157e037 003668c9
> 104124.665661 Cryp 80 ipsec_get_keystate: phase 2 IV:
> 104124.665670 Cryp 80 5157e037 003668c9
> 104124.665678 Cryp 10 crypto_encrypt: before encryption:
> 104124.665696 Cryp 10 0b000014 173ebef1 862775e9 08c11690 b82a6a97 0000000c 00000001 01000010
> 104124.665711 Cryp 30 crypto_encrypt: after encryption:
> 104124.665728 Cryp 30 24378426 8c104447 1996071d 4eabdff0 61423598 44705fb0 06a80d8f 13d952ff
> 104124.665736 Cryp 50 crypto_update_iv: updated IV:
> 104124.665746 Cryp 50 06a80d8f 13d952ff
> 104124.665754 Mesg 70 message_send: message 0x3c06b880
> 104124.665765 Mesg 70 ICOOKIE: 0x1332ba6460f97397
> 104124.665775 Mesg 70 RCOOKIE: 0x49fdaa74c14081e1
> 104124.665783 Mesg 70 NEXT_PAYLOAD: HASH
> 104124.665791 Mesg 70 VERSION: 16
> 104124.665799 Mesg 70 EXCH_TYPE: INFO
> 104124.665808 Mesg 70 FLAGS: [ ENC ]
> 104124.665817 Mesg 70 MESSAGE_ID: 0x2db40593
> 104124.665825 Mesg 70 LENGTH: 60
> 104124.665843 Mesg 70 message_send: 1332ba64 60f97397 49fdaa74 c14081e1 08100501 2db40593 0000003c 24378426
> 104124.665859 Mesg 70 message_send: 8c104447 1996071d 4eabdff0 61423598 44705fb0 06a80d8f 13d952ff
> 104124.665868 Exch 40 exchange_run: exchange 0x3c067b00 finished step 0, advancing...
> 104124.665877 Mesg 20 message_free: freeing 0x3c06b600
> 104124.665885 Trpt 70 transport_release: freeing 0x3c06c540
> 104124.665894 SA   80 sa_release: SA 0x3c067900 had 7 references
> 104124.665928 Exch 10 exchange_finalize: 0x3c067b00 <unnamed> <no policy> policy initiator phase 2 doi 1 exchange 5 step 1
> 104124.665953 Exch 10 exchange_finalize: icookie 1332ba6460f97397 rcookie 49fdaa74c14081e1
> 104124.665963 Exch 10 exchange_finalize: msgid 2db40593 sa_list
> 104124.665974 Timr 10 timer_remove_event: removing event exchange_free_aux(0x3c067b00)
> 104124.665983 Exch 80 exchange_free_aux: freeing exchange 0x3c067b00
> 104124.665993 Mesg 20 message_free: freeing 0x3c06b880
> 104124.666003 SA   80 sa_release: SA 0x3c067900 had 6 references
> 104125.577059 Trpt 70 transport_setup: added 0x3c06c640 to transport list
> 104125.577072 Trpt 70 transport_setup: added 0x3c06c680 to transport list
> 104125.577082 Trpt 50 virtual_clone: old 0x3c06c0c0 new 0x3c06c540 (main is 0x3c06c640)
> 104125.577090 Trpt 70 transport_setup: virtual transport 0x3c06c540
> 104125.577099 Mesg 90 message_alloc: allocated 0x3c06b500
> 104125.577108 Mesg 70 message_recv: message 0x3c06b500
> 104125.577122 Mesg 70 ICOOKIE: 0x79749cd36d3e79fd
> 104125.577133 Mesg 70 RCOOKIE: 0x49fdaa7451d1d35a
> 104125.577143 Mesg 70 NEXT_PAYLOAD: HASH
> 104125.577152 Mesg 70 VERSION: 16
> 104125.577160 Mesg 70 EXCH_TYPE: INFO
> 104125.577168 Mesg 70 FLAGS: [ ENC ]
> 104125.577178 Mesg 70 MESSAGE_ID: 0x637f2172
> 104125.577186 Mesg 70 LENGTH: 84
> 104125.577203 Mesg 70 message_recv: 79749cd3 6d3e79fd 49fdaa74 51d1d35a 08100501 637f2172 00000054 6f62c961
> 104125.577220 Mesg 70 message_recv: fc674a97 f3c458d9 3bbf6a1d 6f49600a 083ffd4a e4b49605 22ab8a84 1ca344c1
> 104125.577233 Mesg 70 message_recv: c5f26aed 7ae6a40c b2c76472 5442dd6b d5833588
> 104125.577244 Default message_recv: invalid cookie(s) 79749cd36d3e79fd 49fdaa7451d1d35a
> 104125.577256 Default dropped message from 202.148.145.81 port 500 due to notification type INVALID_COOKIE
> 
> 
> > Richard Green wrote:
> > > Hi
> > > 
> > > I've been struggling with this one for a while, and would appreciate some advice from someone with more experience than I on creating a VPN tunnel between an OpenBSD (mine) and a Cisco PIX (not mine..). Previously I /did/ test this using OpenBSD to OpenBSD in a test environment without problems.
> > > 
> > > Phase 1 seems to work (at least, if I use a deliberately incorrect shared secret I don't get this far...)
> > > 
> > > Seems to fail at phase 2 of creating a connection.
> 
> 


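As an added example (not part of the thread, and not the poster's or isakmpd's code), here is a Python cross-check of the two sanitized configs posted above. It parses the PIX access-list and "set peer" lines and the isakmpd.conf Phase 2 connection with its Local-ID/Remote-ID subnets, then reports subnets that do not mirror each other across the two peers, a PIX peer address that does not match isakmpd's Local-address, and any isakmpd.conf section that no other key refers to. The embedded snippets are the posted configs reflowed onto single lines (with the keys this check does not read left out, and the DIO= key kept as posted); the function names and the wording of the findings are this example's own.

```python
"""Cross-check a PIX crypto map/ACL against an isakmpd.conf Phase 2 definition.

Added example, not code from the original thread. The two embedded snippets
are the sanitized configs posted in the thread, reduced to the lines this
check reads. Key names follow isakmpd.conf(5); the finding strings are ours.
"""
import configparser
import ipaddress
import re

# Sanitized PIX lines from the thread (constructed sample input).
PIX_CONFIG = """\
access-list cryptomap_20 permit ip 10.3.3.8 255.255.255.248 192.168.157.0 255.255.255.0
crypto map some_map 20 ipsec-isakmp
crypto map some_map 20 match address cryptomap_20
crypto map some_map 20 set peer 10.1.1.17
crypto map some_map 20 set transform-set ESP-3DES-MD5
isakmp key shared-secret address 10.1.1.17 netmask 255.255.255.255
"""

# Sanitized isakmpd.conf from the thread (constructed sample input).
ISAKMPD_CONF = """\
[Phase 1]
10.0.0.81=        peer-machine-WCpix
[Phase 2]
Connections=            VPN-SZ-WCSQL
[peer-machine-WCpix]
Phase=                  1
Address=                10.0.0.81
Local-address=          10.1.1.17
Configuration=          Default-main-mode
[VPN-SZ-WCSQL]
Phase=                  2
ISAKMP-peer=            peer-machine-WCpix
Configuration=          Default-quick-mode
Local-ID=               SZ-internal-network
Remote-ID=              WCSQL-subnet
[SZ-internal-network]
Network=                192.168.157.0
Netmask=                255.255.255.0
[WCSQL-subnet]
Network=                10.3.3.8
Netmask=                255.255.255.248
[Default-main-mode]
DIO=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-SUITE
[3DES-MD5]
GROUP_DESCRIPTION=              MODP_1024
[QM-ESP-3DES-MD5-PFS-SUITE]
GROUP_DESCRIPTION=              MODP_1024
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PEER_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+set peer\s+(\S+)")


def parse_pix(text):
    """Return {'acls': {name: (src_net, dst_net)}, 'peer': address} from PIX config text."""
    acls, peer = {}, None
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name] = (ipaddress.ip_network(f"{src}/{smask}"),
                          ipaddress.ip_network(f"{dst}/{dmask}"))
        elif m := PEER_RE.match(line):
            peer = m.group(1)
    return {"acls": acls, "peer": peer}


def parse_isakmpd(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # isakmpd keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def subnet(cp, section):
    return ipaddress.ip_network(f"{cp[section]['Network']}/{cp[section]['Netmask']}")


def unreferenced_sections(cp):
    """Sections no other key points at, e.g. a suite defined under one name but listed under another."""
    referenced = set()
    for name in cp.sections():
        for value in cp[name].values():
            referenced.update(re.split(r"[,\s]+", value.strip()))
    roots = {"General", "Phase 1", "Phase 2"}
    return [s for s in cp.sections() if s not in referenced and s not in roots]


def cross_check(pix_text, conf_text):
    """Return a list of human-readable mismatches; empty means the two sides agree."""
    pix, cp = parse_pix(pix_text), parse_isakmpd(conf_text)
    findings = []
    conn = cp["Phase 2"]["Connections"].split(",")[0].strip()
    peer = cp[conn]["ISAKMP-peer"]
    local, remote = subnet(cp, cp[conn]["Local-ID"]), subnet(cp, cp[conn]["Remote-ID"])
    for name, (pix_src, pix_dst) in pix["acls"].items():
        # The PIX ACL is written from the PIX's side, so it must mirror the OpenBSD IDs.
        if pix_src != remote:
            findings.append(f"PIX ACL {name} source {pix_src} != isakmpd Remote-ID {remote}")
        if pix_dst != local:
            findings.append(f"PIX ACL {name} destination {pix_dst} != isakmpd Local-ID {local}")
    if pix["peer"] != cp[peer]["Local-address"]:
        findings.append(f"PIX 'set peer' {pix['peer']} != isakmpd Local-address {cp[peer]['Local-address']}")
    for s in unreferenced_sections(cp):
        findings.append(f"isakmpd.conf section [{s}] is defined but nothing refers to it")
    return findings


if __name__ == "__main__":
    for finding in cross_check(PIX_CONFIG, ISAKMPD_CONF) or ["no mismatches found"]:
        print(finding)
```

The check only sees what the file declares: a suite such as QM-ESP-3DES-MD5-SUITE that is named but not defined in isakmpd.conf comes from isakmpd's built-in defaults, so whether it carries a GROUP_DESCRIPTION (PFS) cannot be read off the file, and the PIX side's "set pfs" is not parsed here either. Compare those two by hand when the subnets and peers already agree.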