 
 From:  "JP Aubineau" <jp at netechnica dot com>
 To:  "Rick Smith" <manlygc at yahoo dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] M0n0wall 1.21 to Cisco PIX Problem
 Date:  Mon, 23 Jan 2006 15:25:58 -0600 (CST)
https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgDisplay.jsp

Get a free 3DES license for your PIX.... I wouldn't even bother with the
VPN until you get it... DES is about as secure as writing your ATM PIN
number on the back of your cash card and then handing it to a stranger....

> Guys,
>   After beating my head against the wall for a whole day I have decided to
> throw myself at the mercy of the experts that frequent this list.  I am
> attempting to connect from my office location to our datacenter.  In the
> datacenter we use PIX 520's with software version 6.3.  The Internal
> subnet of the datacenter is 192.168.51.0/24  The M0n0wall firewall is
> version 1.21.  At our corporate office we have an internal subnet of
> 192.168.50.0/24 (this is where the M0n0wall resides).
>
>   I have set up the PIX as described in the handbook document although I
> substituted DES for 3DES where mentioned (I know, it's not very secure
> but that's the only license we have at the moment).  I keep encountering
> the "invalid exchange type 6" in the phase 2 part of the negotiation.
> Does anyone have any ideas?
>
>   I will include the relevant portions of each configuration (PIX and
> M0n0wall).
>
>   Here is the PIX config:
>
>   crypto ipsec transform-set mono esp-des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address
> outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set mono
> crypto map transmap 1 ipsec-isakmp
> crypto map transmap 1 match address 101
> crypto map transmap 1 set peer 71.4.142.66
> crypto map transmap 1 set transform-set mono
> crypto map transmap 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map transmap client authentication RADIUS
> crypto map transmap interface outside
> isakmp enable outside
> isakmp key ******** address 71.4.142.66 netmask 255.255.255.255
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption des
> isakmp policy 1 hash md5
> isakmp policy 1 group 1
> isakmp policy 1 lifetime 1000
> isakmp policy 21 authentication pre-share
> isakmp policy 21 encryption des
> isakmp policy 21 hash md5
> isakmp policy 21 group 2
> isakmp policy 21 lifetime 86400
> access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.50.0
> 255.255.255.0
> access-list 102 permit ip 192.168.51.0 255.255.255.0 192.168.50.0
> 255.255.255.0
> nat (inside) 0 access-list 102
> sysopt connection permit-ipsec
>
>   Below is the m0n0wall config:
>   path pre_shared_key "/var/etc/psk.txt";
>   path certificate  "/var/etc";
>   remote 64.5.55.68 {
>  exchange_mode aggressive;
>  my_identifier address "71.4.142.66";
>    peers_identifier address 64.5.55.68;
>  initial_contact on;
>  support_proxy on;
>  proposal_check obey;
>    proposal {
>   encryption_algorithm des;
>   hash_algorithm md5;
>   authentication_method pre_shared_key;
>   dh_group 2;
>   lifetime time 86400 secs;
>  }
>  lifetime time 86400 secs;
> }
>   sainfo address 192.168.50.0/24 any address 192.168.51.0/24 any {
>  encryption_algorithm des;
>  authentication_algorithm hmac_md5;
>  compression_algorithm deflate;
>  pfs_group 2;
>  lifetime time 86400 secs;
> }
>
>   Below is the IPSEC log of the M0n0wall firewall:
>   Jan 20 20:11:54 racoon: ERROR: Invalid exchange type 6 from
> 64.5.55.68[500].
> Jan 20 20:11:54 racoon: ERROR: 64.5.55.68 give up to get IPsec-SA due to
> time up to wait.
> Jan 20 20:11:39 racoon: ERROR: Invalid exchange type 6 from
> 64.5.55.68[500].
> Jan 20 20:11:24 racoon: ERROR: Invalid exchange type 6 from
> 64.5.55.68[500].
> Jan 20 20:11:24 racoon: INFO: initiate new phase 2 negotiation:
> 71.4.142.66[0]<=>64.5.55.68[0]
> Jan 20 20:11:23 racoon: INFO: ISAKMP-SA established
> 71.4.142.66[500]-64.5.55.68[500] spi:b1073465fc8997bd:2a7553162d023747
> Jan 20 20:11:23 racoon: NOTIFY: couldn't find the proper pskey, try to get
> one by the peer's address.
> Jan 20 20:11:23 racoon: WARNING: No ID match.
> Jan 20 20:11:23 racoon: INFO: received Vendor ID: CISCO-UNITY
> Jan 20 20:11:23 racoon: INFO: received Vendor ID: DPD
> Jan 20 20:11:23 racoon: INFO: received Vendor ID:
> draft-ietf-ipsra-isakmp-xauth-06.txt
> Jan 20 20:11:23 racoon: INFO: begin Aggressive mode.
> Jan 20 20:11:23 racoon: INFO: initiate new phase 1 negotiation:
> 71.4.142.66[500]<=>64.5.55.68[500]
> Jan 20 20:11:23 racoon: INFO: IPsec-SA request for 64.5.55.68 queued due
> to no phase1 found.
> Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace
> it: 192.168.50.0/24[0] 192.168.51.0/24[0] proto=any dir=out
> Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace
> it: 192.168.50.1/32[0] 192.168.50.0/24[0] proto=any dir=out
> Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace
> it: 192.168.51.0/24[0] 192.168.50.0/24[0] proto=any dir=in
> Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace
> it: 192.168.50.0/24[0] 192.168.50.1/32[0] proto=any dir=in
> Jan 20 20:11:22 racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=9)
> Jan 20 20:11:22 racoon: INFO: 71.4.142.66[500] used as isakmp port (fd=8)
> Jan 20 20:11:22 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
>
> Thanks,
>   Rick
>
>


Thank you,

JP Aubineau
President, Principal Consultant
NETECHNICA, Inc.
8634 Central Avenue NE
Blaine, MN 55434
Cell / Direct:     612.282.5180
Toll Free:         888.604.TECH
Fax:               763.785.9855
Direct Email:      jp at netechnica dot com
General Info:      info at netechnica dot com
Website:           www.netechnica.com

Enterprise IT Solutions for the Small Business (tm)
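As an added example (not code from either message in this thread), here is a small Python analyser for the racoon log Rick quoted. It names the ISAKMP exchange type per RFC 2408 and the mode-config draft, so "Invalid exchange type 6" reads as the PIX starting a Mode-Config/XAuth transaction after phase 1 (the PIX's `crypto map transmap client authentication RADIUS` line enables XAuth for that map), which racoon in m0n0wall 1.21 cannot answer; the `analyse()` function and result keys are this example's own.

```python
import re

# ISAKMP exchange types from RFC 2408 section 3.1, plus value 6, the
# Transaction exchange of draft-ietf-ipsec-isakmp-mode-cfg used by Cisco
# for Mode-Config / XAuth. racoon in m0n0wall 1.21 has no XAuth support
# and logs it as "Invalid exchange type".
EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 6: "Transaction (Mode-Config / XAuth)",
    32: "Quick Mode (phase 2)", 33: "New Group Mode",
}
XCHG_RE = re.compile(r"Invalid exchange type (\d+) from ([\d.]+)\[\d+\]")
VID_RE = re.compile(r"received Vendor ID: (.+)")

def analyse(log_text):
    """Summarise a racoon log: which phases completed, what the peer
    announced, and which exchange types racoon could not handle."""
    r = {"vendor_ids": set(), "phase1_established": False,
         "phase2_established": False, "bad_exchanges": {}, "diagnosis": []}
    for line in log_text.splitlines():
        msg = line.split("racoon: ", 1)[-1]          # drop the syslog prefix
        if "ISAKMP-SA established" in msg:
            r["phase1_established"] = True
        elif "IPsec-SA established" in msg:
            r["phase2_established"] = True
        vid = VID_RE.search(msg)
        if vid:
            r["vendor_ids"].add(vid.group(1).strip())
        x = XCHG_RE.search(msg)
        if x:
            etype = int(x.group(1))
            r["bad_exchanges"][etype] = EXCHANGE_TYPES.get(etype, "unassigned")
    if 6 in r["bad_exchanges"]:
        r["diagnosis"].append("peer sends Mode-Config/XAuth (exchange type 6) "
                              "after phase 1; racoon cannot answer, so phase 2 never starts")
    if any("xauth" in v.lower() for v in r["vendor_ids"]):
        r["diagnosis"].append("peer advertised XAuth support in its Vendor ID")
    return r

# Log lines quoted in the thread above, rejoined where the mail wrapped them.
SAMPLE_LOG = """\
Jan 20 20:11:54 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].
Jan 20 20:11:54 racoon: ERROR: 64.5.55.68 give up to get IPsec-SA due to time up to wait.
Jan 20 20:11:24 racoon: INFO: initiate new phase 2 negotiation: 71.4.142.66[0]<=>64.5.55.68[0]
Jan 20 20:11:23 racoon: INFO: ISAKMP-SA established 71.4.142.66[500]-64.5.55.68[500] spi:b1073465fc8997bd:2a7553162d023747
Jan 20 20:11:23 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 20 20:11:23 racoon: INFO: begin Aggressive mode.
"""
```

On this log the analyser reports phase 1 complete, phase 2 never established, and both XAuth indicators, which points at the PIX-side XAuth/mode-config setting rather than at the proposals or the DES/3DES choice.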