
VPN from 3640 to Watchguard Firebox X Edge Problems


jlam...@gmail.com

Aug 14, 2008, 4:25:36 PM8/14/08
Hi,
I'm having problems establishing a VPN tunnel between a 3640 and a
Firebox X Edge.
It seems to die during Phase 1 even though the X Edge is set up for
3DES & SHA hashing.

The Cisco local LAN is 192.168.100.0/24 and the X Edge is
192.168.1.0/24.

Any help would be much appreciated.

-- James

Here's the log from the Cisco when it tries to ping 192.168.1.1:

Aug 14 13:16:56.206: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x9F449A63(2672073315), conn_id= 0, keysize= 0, flags= 0x400D
Aug 14 13:16:56.206: ISAKMP: received ke message (1/1)
Aug 14 13:16:56.210: ISAKMP: local port 500, remote port 500
Aug 14 13:16:56.210: ISAKMP (0:1): beginning Main Mode exchange
Aug 14 13:16:56.210: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_NO_STATE
Aug 14 13:16:56.210: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=112
Aug 14 13:16:56.634: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=92
Aug 14 13:16:56.638: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_NO_STATE
Aug 14 13:16:56.638: ISAKMP (0:1): processing SA payload. message ID = 0
Aug 14 13:16:56.638: ISAKMP (0:1): found peer pre-shared key matching [fir.ebo.x.ip]
Aug 14 13:16:56.638: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
Aug 14 13:16:56.638: ISAKMP: encryption 3DES-CBC
Aug 14 13:16:56.638: ISAKMP: hash SHA
Aug 14 13:16:56.638: ISAKMP: auth pre-share
Aug 14 13:16:56.638: ISAKMP: life type in seconds
Aug 14 13:16:56.638: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 14 13:16:56.638: ISAKMP: default group 2
Aug 14 13:16:56.638: ISAKMP (0:1): atts are acceptable. Next payload is 0
Aug 14 13:16:56.774: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 14 13:16:56.778: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_SA_SETUP
Aug 14 13:16:56.778: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=232
Aug 14 13:17:06.634: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=92
Aug 14 13:17:06.634: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_SA_SETUP
Aug 14 13:17:06.638: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:06.638: ISAKMP (0:1): retransmitting due to retransmit phase 1
Aug 14 13:17:06.638: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Aug 14 13:17:07.138: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Aug 14 13:17:07.138: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Aug 14 13:17:07.138: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
Aug 14 13:17:07.138: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_SA_SETUP
Aug 14 13:17:07.138: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=232
Aug 14 13:17:07.646: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:07.650: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_SA_SETUP
Aug 14 13:17:07.650: ISAKMP (0:1): processing KE payload. message ID = 0
Aug 14 13:17:07.822: ISAKMP (0:1): processing NONCE payload. message ID = 0
Aug 14 13:17:07.822: ISAKMP (0:1): found peer pre-shared key matching [fir.ebo.x.ip]
Aug 14 13:17:07.826: ISAKMP (0:1): SKEYID state generated
Aug 14 13:17:07.826: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
Aug 14 13:17:07.826: ISAKMP (1): Total payload length: 12
Aug 14 13:17:07.830: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:07.830: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:16.858: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:16.858: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:16.858: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:16.858: ISAKMP (0:1): retransmitting due to retransmit phase 1
Aug 14 13:17:16.858: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:17:17.358: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:17:17.358: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Aug 14 13:17:17.358: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:17.358: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:17.358: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:26.207: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
Aug 14 13:17:26.207: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x241E3B9C(605961116), conn_id= 0, keysize= 0, flags= 0x400D
Aug 14 13:17:26.207: ISAKMP: received ke message (1/1)
Aug 14 13:17:26.207: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it.
Aug 14 13:17:27.359: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:17:27.359: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Aug 14 13:17:27.359: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:27.359: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:27.359: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:27.383: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:27.387: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:27.387: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:27.387: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 28)
Aug 14 13:17:32.255: UDP: rcvd src=67.19.103.173(123), dst=[cis.co.ip.xxx](123), length=56
Aug 14 13:17:37.387: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:17:37.387: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Aug 14 13:17:37.387: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:37.387: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:37.387: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:37.387: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:37.391: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:37.391: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:37.391: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 4)
Aug 14 13:17:47.391: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:17:47.391: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Aug 14 13:17:47.391: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:47.391: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:47.391: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:47.407: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:47.407: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:47.407: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:47.407: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 16)
Aug 14 13:17:56.208: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= [cis.co.ip.xxx], remote= [fir.ebo.x.ip],
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
Aug 14 13:17:56.208: ISAKMP: received ke message (3/1)
Aug 14 13:17:56.208: ISAKMP (0:1): ignoring request to send delete notify (sa not authenticated) src [cis.co.ip.xxx] dst [fir.ebo.x.ip]
Aug 14 13:17:57.408: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:17:57.408: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Aug 14 13:17:57.408: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Aug 14 13:17:57.408: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:57.408: UDP: sent src=[cis.co.ip.xxx](500), dst=[fir.ebo.x.ip](500), length=96
Aug 14 13:17:57.416: UDP: rcvd src=[fir.ebo.x.ip](500), dst=[cis.co.ip.xxx](500), length=192
Aug 14 13:17:57.420: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:57.420: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:57.420: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 12)
Aug 14 13:18:07.420: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 14 13:18:07.420: ISAKMP (0:1): peer does not do paranoid keepalives.
Aug 14 13:18:07.420: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (I) MM_KEY_EXCH (peer [fir.ebo.x.ip]) input queue 0
Aug 14 13:18:07.420: ISAKMP (0:1): deleting node 506435737 error TRUE reason "death by retransmission P1"
Aug 14 13:18:07.420: ISAKMP (0:1): deleting node 147192259 error TRUE reason "death by retransmission P1"

And the Cisco config:

!
! Last configuration change at 11:32:12 PDT Thu Aug 14 2008
! NVRAM config last updated at 11:32:13 PDT Thu Aug 14 2008
!
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
boot system flash:c3640-ik9o3s-mz.122-46a.bin
logging buffered 32768 debugging
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.100.2 192.168.100.30
!
ip dhcp pool LAN
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 4.2.2.2
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key zzzzzzzzz address zzz.zzz.zzz.zzz
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer zzz.zzz.zzz.zzz
set transform-set 3DES-SHA
set pfs group2
match address 101
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/0
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip nat outside
full-duplex
crypto map VPN-Map-1
!
interface Ethernet1/1
ip address 192.168.100.1 255.255.255.0
ip nat inside
half-duplex
!
ip nat pool branch xxx.xxx.xxx.xxy xxx.xxx.xxx.xxy netmask 255.255.255.224
ip nat inside source list acl_nat pool branch overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
no ip http server
!
!
ip access-list extended acl_nat
deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map nonat permit 10
match ip address 130
!
!
dial-peer cor custom
!
!
!
!
!
ntp clock-period 17180080
ntp server 67.19.103.173
end
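As an added example for this thread (not code from the original post, nor from Cisco or WatchGuard), the following Python script does the first thing a defender does with a trace like the one above: it walks the IOS "debug crypto isakmp" output, tracks the Main Mode state name printed on every sent and received packet, counts resends and "duplicate of a previous packet" receipts per state, and reports the last state reached together with the "deleting SA reason" line. The two sample logs are constructed, condensed excerpts in the shape of the poster's trace (wrapped lines rejoined, the poster's address placeholders kept, 192.0.2.1 a documentation address in the healthy sample); the state meanings and stall hints are general IKEv1 troubleshooting knowledge, not something the thread itself states.

```python
"""Triage helper for IOS "debug crypto isakmp" output (IKEv1 Main Mode).
Added example, not code from the original post: it tracks the Main Mode
state IOS prints on each sent/received packet, counts resends and peer
duplicates per state, and reports where the exchange stalled and why.
"""
import re
from collections import Counter

# Constructed sample in the shape of the poster's log (wrapped lines
# rejoined, the poster's address placeholders kept).
FAILING_LOG = """\
Aug 14 13:16:56.210: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_NO_STATE
Aug 14 13:16:56.638: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_NO_STATE
Aug 14 13:16:56.778: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_SA_SETUP
Aug 14 13:17:06.634: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_SA_SETUP
Aug 14 13:17:06.638: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:07.138: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_SA_SETUP
Aug 14 13:17:07.830: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:16.858: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:16.858: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:17.358: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:27.387: ISAKMP (0:1): received packet from [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:17:27.387: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Aug 14 13:17:37.387: ISAKMP (0:1): sending packet to [fir.ebo.x.ip] (I) MM_KEY_EXCH
Aug 14 13:18:07.420: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (I) MM_KEY_EXCH (peer [fir.ebo.x.ip]) input queue 0
"""

# Constructed sample of a Main Mode exchange that completes (192.0.2.1 is
# a documentation address).
HEALTHY_LOG = """\
Aug 14 14:00:00.000: ISAKMP (0:2): sending packet to 192.0.2.1 (I) MM_NO_STATE
Aug 14 14:00:00.100: ISAKMP (0:2): received packet from 192.0.2.1 (I) MM_NO_STATE
Aug 14 14:00:00.200: ISAKMP (0:2): sending packet to 192.0.2.1 (I) MM_SA_SETUP
Aug 14 14:00:00.300: ISAKMP (0:2): received packet from 192.0.2.1 (I) MM_SA_SETUP
Aug 14 14:00:00.400: ISAKMP (0:2): sending packet to 192.0.2.1 (I) MM_KEY_EXCH
Aug 14 14:00:00.500: ISAKMP (0:2): received packet from 192.0.2.1 (I) MM_KEY_EXCH
Aug 14 14:00:00.600: ISAKMP (0:2): SA has been authenticated with 192.0.2.1
"""

PKT_RE = re.compile(
    r"ISAKMP \(\d+:\d+\): (?P<dir>sending packet to|received packet from) "
    r"(?P<peer>\S+) \([IR]\) (?P<state>[A-Z_]+)"
)
DUP_RE = re.compile(r"ISAKMP \(\d+:\d+\): phase 1 packet is a duplicate")
AUTH_RE = re.compile(r"ISAKMP \(\d+:\d+\): SA has been authenticated")
DEL_RE = re.compile(
    r'ISAKMP \(\d+:\d+\): deleting SA reason "(?P<reason>[^"]*)" '
    r"state \([IR]\) (?P<state>[A-Z_]+)"
)

# Initiator-side meaning of each state and the usual reading of a stall
# there: general IKEv1 troubleshooting knowledge, not stated in the thread.
STATE_MEANING = {
    "MM_NO_STATE": "message 1 (SA proposal) sent, nothing agreed yet",
    "MM_SA_SETUP": "proposal agreed (messages 1-2), DH/nonce exchange next",
    "MM_KEY_EXCH": "DH/nonce exchange done (messages 3-4); first encrypted "
                   "message (identity + PSK-derived hash) outstanding",
}
STALL_HINT = {
    "MM_NO_STATE": "no reply to message 1: check UDP/500 reachability and "
                   "that the responder has a matching Phase 1 policy",
    "MM_KEY_EXCH": "responder re-sends message 4 instead of answering the "
                   "first encrypted message, so it could not decrypt/verify "
                   "it: most often a pre-shared key or identity mismatch",
}


def analyse(log_text):
    """Return a dict describing how far Main Mode got in log_text."""
    sent, dups = Counter(), Counter()  # per state: packets sent / peer duplicates
    last_state = peer = reason = None
    authenticated = False
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            last_state, peer = m["state"], m["peer"]
            if m["dir"].startswith("sending"):
                sent[last_state] += 1
        elif DUP_RE.search(line) and last_state:
            dups[last_state] += 1
        elif AUTH_RE.search(line):
            authenticated = True
        elif m := DEL_RE.search(line):
            reason, last_state = m["reason"], m["state"]
    complete = authenticated and reason is None
    return {
        "peer": peer,
        "last_state": last_state,
        "meaning": STATE_MEANING.get(last_state, "unknown state"),
        "retransmits": {s: n - 1 for s, n in sent.items() if n > 1},
        "duplicates_from_peer": dict(dups),
        "phase1_complete": complete,
        "failure": reason,
        "hint": None if complete else STALL_HINT.get(last_state, "no specific hint"),
    }


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, analyse(log))
```

Run against the full trace above (after rejoining any lines wrapped by the newsreader) it reports MM_KEY_EXCH as the last state, one resend of MM_SA_SETUP, five resends of MM_KEY_EXCH, each answered only by a duplicate of the peer's earlier 192-byte packet, and "death by retransmission P1" as the deletion reason. The point of tracking the state rather than just counting retransmits is that a stall in MM_NO_STATE and a stall in MM_KEY_EXCH call for different checks: the first is a reachability or policy question, the second means the responder received the Diffie-Hellman exchange but never accepted the first encrypted message, which is where the pre-shared key and identity are first used.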
