 
 From:  Rick Smith <manlygc at yahoo dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  M0n0wall 1.21 to Cisco PIX Problem
 Date:  Mon, 23 Jan 2006 12:43:03 -0800 (PST)
Guys,
  After beating my head against the wall for a whole day I have decided to throw myself at the mercy
of the experts that frequent this list.  I am attempting to connect from my office location to our
datacenter.  In the datacenter we use PIX 520s with software version 6.3.  The internal subnet of
the datacenter is 192.168.51.0/24.  The M0n0wall firewall is version 1.21.  At our corporate office
we have an internal subnet of 192.168.50.0/24 (this is where the M0n0wall resides).
   
  I have set up the PIX as described in the handbook document although I substituted DES for 3DES
where mentioned (I know, it's not very secure but that's the only license we have at the moment).  I
keep encountering the "invalid exchange type 6" in the phase 2 part of the negotiation.  Does anyone
have any ideas?
   
  I will include the relevant portions of each configuration (PIX and M0n0wall).
   
  Here is the PIX config:
   
crypto ipsec transform-set mono esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set mono
crypto map transmap 1 ipsec-isakmp
crypto map transmap 1 match address 101
crypto map transmap 1 set peer 71.4.142.66
crypto map transmap 1 set transform-set mono
crypto map transmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map transmap client authentication RADIUS
crypto map transmap interface outside
isakmp enable outside
isakmp key ******** address 71.4.142.66 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 102 
sysopt connection permit-ipsec
   
  Below is the m0n0wall config:
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 64.5.55.68 {
	exchange_mode aggressive;
	my_identifier address "71.4.142.66";
	peers_identifier address 64.5.55.68;
	initial_contact on;
	support_proxy on;
	proposal_check obey;
	proposal {
		encryption_algorithm des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 86400 secs;
	}
	lifetime time 86400 secs;
}
sainfo address 192.168.50.0/24 any address 192.168.51.0/24 any {
	encryption_algorithm des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
	pfs_group 2;
	lifetime time 86400 secs;
}
   
  Below is the IPSEC log of the M0n0wall firewall:
Jan 20 20:11:54 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].
Jan 20 20:11:54 racoon: ERROR: 64.5.55.68 give up to get IPsec-SA due to time up to wait.
Jan 20 20:11:39 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].
Jan 20 20:11:24 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].
Jan 20 20:11:24 racoon: INFO: initiate new phase 2 negotiation: 71.4.142.66[0]<=>64.5.55.68[0]
Jan 20 20:11:23 racoon: INFO: ISAKMP-SA established 71.4.142.66[500]-64.5.55.68[500] spi:b1073465fc8997bd:2a7553162d023747
Jan 20 20:11:23 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jan 20 20:11:23 racoon: WARNING: No ID match.
Jan 20 20:11:23 racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 20 20:11:23 racoon: INFO: received Vendor ID: DPD
Jan 20 20:11:23 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 20 20:11:23 racoon: INFO: begin Aggressive mode.
Jan 20 20:11:23 racoon: INFO: initiate new phase 1 negotiation: 71.4.142.66[500]<=>64.5.55.68[500]
Jan 20 20:11:23 racoon: INFO: IPsec-SA request for 64.5.55.68 queued due to no phase1 found.
Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.51.0/24[0] proto=any dir=out
Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.1/32[0] 192.168.50.0/24[0] proto=any dir=out
Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.51.0/24[0] 192.168.50.0/24[0] proto=any dir=in
Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.50.1/32[0] proto=any dir=in
Jan 20 20:11:22 racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=9)
Jan 20 20:11:22 racoon: INFO: 71.4.142.66[500] used as isakmp port (fd=8)
Jan 20 20:11:22 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
  
Thanks,
  Rick
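Editor's note, added here as a worked example (this is not part of Rick's message and not a reply from the list): the log above shows phase 1 completing and racoon then rejecting three messages with "Invalid exchange type 6" before giving up on the IPsec-SA. On the wire, exchange types 1-5 are the RFC 2408 ISAKMP exchanges; 6 is the "transaction" exchange defined by the ISAKMP mode-config draft and used by XAuth (racoon's headers call it ISAKMP_ETYPE_CFG), and 32/33 are IKE quick mode and new group mode. The peer also advertised the CISCO-UNITY and draft-ietf-ipsra-isakmp-xauth-06.txt vendor IDs, and the posted PIX config carries `crypto map transmap client authentication RADIUS`. The script below decodes exactly that: it parses racoon log lines, names the rejected exchange types, and flags the "phase 1 up, peer opens a mode-config/XAuth transaction, quick mode never runs" pattern. The sample input is the log quoted in the post, put back into chronological order with the wrapped lines rejoined; the function and constant names are my own.

```python
import re

# ISAKMP exchange types as numbered on the wire. 1-5: RFC 2408 section 3.1.
# 6: the "transaction" exchange from the ISAKMP mode-config draft, which XAuth
# rides on (racoon: ISAKMP_ETYPE_CFG). 32/33: IKE quick mode and new group mode
# from RFC 2409. Anything else is unassigned or private use.
EXCHANGE_TYPES = {
    0: "none",
    1: "base",
    2: "identity protection (main mode)",
    3: "authentication only",
    4: "aggressive",
    5: "informational",
    6: "transaction (mode-config / XAuth)",
    32: "quick mode (phase 2)",
    33: "new group mode",
}

# Vendor IDs a peer sends when it speaks Cisco client extensions / XAuth.
XAUTH_VENDOR_IDS = ("draft-ietf-ipsra-isakmp-xauth-06.txt", "CISCO-UNITY")

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<level>[A-Z]+): (?P<msg>.*?)\s*$"
)
INVALID_ETYPE_RE = re.compile(r"Invalid exchange type (?P<etype>\d+) from (?P<peer>[\d.]+)\[\d+\]")
VENDOR_RE = re.compile(r"received Vendor ID: (?P<vid>\S+)")
PHASE1_RE = re.compile(r"ISAKMP-SA established [\d.]+\[\d+\]-[\d.]+\[\d+\]")
PHASE2_START_RE = re.compile(r"initiate new phase 2 negotiation")

XAUTH_VERDICT = ("phase 1 completed, then the peer opened a transaction (mode-config/XAuth) "
                 "exchange that racoon rejected; quick mode never ran. Check the peer for "
                 "XAuth/mode-config being applied to this site-to-site peer.")


def describe_exchange_type(etype):
    """Name a numeric ISAKMP exchange type; unknown values are labelled, not dropped."""
    return EXCHANGE_TYPES.get(etype, "unassigned/private (%d)" % etype)


def triage_racoon_log(lines):
    """Reduce a racoon log excerpt to the facts that matter for a stalled tunnel.

    Returns the peer's vendor IDs, whether phase 1 completed, whether racoon
    started phase 2, every rejected exchange type (decoded), and a verdict.
    """
    result = {"vendor_ids": [], "phase1_established": False,
              "phase2_initiated": False, "rejected_exchanges": [], "verdict": ""}
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation of a wrapped line, or not a racoon line
        msg = m.group("msg")
        vm = VENDOR_RE.search(msg)
        if vm:
            result["vendor_ids"].append(vm.group("vid"))
        elif PHASE1_RE.search(msg):
            result["phase1_established"] = True
        elif PHASE2_START_RE.search(msg):
            result["phase2_initiated"] = True
        em = INVALID_ETYPE_RE.search(msg)
        if em:
            etype = int(em.group("etype"))
            result["rejected_exchanges"].append(
                (em.group("peer"), etype, describe_exchange_type(etype)))

    rejected = {e for _, e, _ in result["rejected_exchanges"]}
    peer_wants_xauth = any(v in XAUTH_VENDOR_IDS for v in result["vendor_ids"])
    if result["phase1_established"] and 6 in rejected and peer_wants_xauth:
        result["verdict"] = XAUTH_VERDICT
    elif not result["phase1_established"]:
        result["verdict"] = "phase 1 did not complete"
    elif not result["phase2_initiated"]:
        result["verdict"] = "phase 1 completed but phase 2 was never attempted"
    else:
        result["verdict"] = "phase 2 failed for a reason not recognised here"
    return result


# Sample input: the racoon lines quoted in the post, in chronological order
# (the page lists them newest first) with the two wrapped lines rejoined.
SAMPLE_LOG = [
    "Jan 20 20:11:23 racoon: INFO: IPsec-SA request for 64.5.55.68 queued due to no phase1 found.",
    "Jan 20 20:11:23 racoon: INFO: initiate new phase 1 negotiation: 71.4.142.66[500]<=>64.5.55.68[500]",
    "Jan 20 20:11:23 racoon: INFO: begin Aggressive mode.",
    "Jan 20 20:11:23 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt",
    "Jan 20 20:11:23 racoon: INFO: received Vendor ID: DPD",
    "Jan 20 20:11:23 racoon: INFO: received Vendor ID: CISCO-UNITY",
    "Jan 20 20:11:23 racoon: WARNING: No ID match.",
    "Jan 20 20:11:23 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.",
    "Jan 20 20:11:23 racoon: INFO: ISAKMP-SA established 71.4.142.66[500]-64.5.55.68[500] spi:b1073465fc8997bd:2a7553162d023747",
    "Jan 20 20:11:24 racoon: INFO: initiate new phase 2 negotiation: 71.4.142.66[0]<=>64.5.55.68[0]",
    "Jan 20 20:11:24 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].",
    "Jan 20 20:11:39 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].",
    "Jan 20 20:11:54 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].",
    "Jan 20 20:11:54 racoon: ERROR: 64.5.55.68 give up to get IPsec-SA due to time up to wait.",
]

if __name__ == "__main__":
    summary = triage_racoon_log(SAMPLE_LOG)
    for peer, etype, name in summary["rejected_exchanges"]:
        print("rejected exchange type %d (%s) from %s" % (etype, name, peer))
    print(summary["verdict"])
```

Feed it any racoon log excerpt (order does not matter for the verdict, since it only looks at which events occurred). For the posted log it reports three rejected type-6 transaction exchanges from 64.5.55.68 and the XAuth verdict. The decoder is deliberately unable to tell you why the peer wants XAuth; that is a question for the PIX side, and the `client authentication RADIUS` line on the crypto map is the obvious place to start looking. The same "Invalid exchange type" message with 32 would point at a phase 2 proposal problem instead, which is why the table keeps the quick mode entry.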

			