 
 From:  "dasz" <daszylstra at comcast dot net>
 To:  "Rick Smith" <manlygc at yahoo dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] M0n0wall 1.21 to Cisco PIX Problem
 Date:  Mon, 23 Jan 2006 17:34:26 -0500
I have a similar setup with an older version of Monowall (1.11, can't
upgrade yet, client reasons).

Double-check to make sure both phase 1 and phase 2 key lifetimes match on both
sides (if I remember correctly, one of the trouble spots I had was the key
lifetimes).
Check under Diagnostics -> IPsec and delete any SAD entries that show up
between your two subnets (the tunnel I have between Monowall and Cisco
sometimes won't reconnect; deleting these entries usually brings it back up
immediately).

I'm no Cisco expert, but reading below it looks like the Cisco has two key
lifetimes, one is 1000 and the other is 86400, but the Monowall has both as
86400.

David Zylstra
(586) 764 9858

-----Original Message-----
From: Rick Smith [mailto:manlygc at yahoo dot com]
Sent: Monday, January 23, 2006 3:43 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] M0n0wall 1.21 to Cisco PIX Problem


Guys,
  After beating my head against the wall for a whole day I have decided to
throw myself at the mercy of the experts that frequent this list.  I am
attempting to connect from my office location to our datacenter.  In the
datacenter we use PIX 520s with software version 6.3.  The internal subnet
of the datacenter is 192.168.51.0/24.  The M0n0wall firewall is version 1.21.
At our corporate office we have an internal subnet of 192.168.50.0/24 (this
is where the M0n0wall resides).

  I have set up the PIX as described in the handbook document although I
substituted DES for 3DES where mentioned (I know, it's not very secure but
that's the only license we have at the moment).  I keep encountering the
"invalid exchange type 6" in the phase 2 part of the negotiation.  Does
anyone have any ideas?

  I will include the relevant portions of each configuration (PIX and
M0n0wall).

  Here is the PIX config:

crypto ipsec transform-set mono esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set mono
crypto map transmap 1 ipsec-isakmp
crypto map transmap 1 match address 101
crypto map transmap 1 set peer 71.4.142.66
crypto map transmap 1 set transform-set mono
crypto map transmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map transmap client authentication RADIUS
crypto map transmap interface outside
isakmp enable outside
isakmp key ******** address 71.4.142.66 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 102
sysopt connection permit-ipsec

  Below is the m0n0wall config:
  path pre_shared_key "/var/etc/psk.txt";
  path certificate "/var/etc";
  remote 64.5.55.68 {
    exchange_mode aggressive;
    my_identifier address "71.4.142.66";
    peers_identifier address 64.5.55.68;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
      encryption_algorithm des;
      hash_algorithm md5;
      authentication_method pre_shared_key;
      dh_group 2;
      lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
  }
  sainfo address 192.168.50.0/24 any address 192.168.51.0/24 any {
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 86400 secs;
  }

  Below is the IPSEC log of the M0n0wall firewall:
Jan 20 20:11:54 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].
Jan 20 20:11:54 racoon: ERROR: 64.5.55.68 give up to get IPsec-SA due to time up to wait.
Jan 20 20:11:39 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].
Jan 20 20:11:24 racoon: ERROR: Invalid exchange type 6 from 64.5.55.68[500].
Jan 20 20:11:24 racoon: INFO: initiate new phase 2 negotiation: 71.4.142.66[0]<=>64.5.55.68[0]
Jan 20 20:11:23 racoon: INFO: ISAKMP-SA established 71.4.142.66[500]-64.5.55.68[500] spi:b1073465fc8997bd:2a7553162d023747
Jan 20 20:11:23 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jan 20 20:11:23 racoon: WARNING: No ID match.
Jan 20 20:11:23 racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 20 20:11:23 racoon: INFO: received Vendor ID: DPD
Jan 20 20:11:23 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 20 20:11:23 racoon: INFO: begin Aggressive mode.
Jan 20 20:11:23 racoon: INFO: initiate new phase 1 negotiation: 71.4.142.66[500]<=>64.5.55.68[500]
Jan 20 20:11:23 racoon: INFO: IPsec-SA request for 64.5.55.68 queued due to no phase1 found.
Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.51.0/24[0] proto=any dir=out
Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.1/32[0] 192.168.50.0/24[0] proto=any dir=out
Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.51.0/24[0] 192.168.50.0/24[0] proto=any dir=in
Jan 20 20:11:22 racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.50.1/32[0] proto=any dir=in
Jan 20 20:11:22 racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=9)
Jan 20 20:11:22 racoon: INFO: 71.4.142.66[500] used as isakmp port (fd=8)
Jan 20 20:11:22 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)

Thanks,
  Rick


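As an added illustration of the advice above to check that the phase 1 and phase 2 parameters match on both sides (example code written for this page, not from the thread, m0n0wall or Cisco): a small regex-based checker that reads constructed excerpts of the quoted PIX and racoon configs, compares each PIX isakmp policy against racoon's proposal, and compares the transform set against sainfo. It understands only the line forms shown in the thread, and its PFS check assumes a PIX crypto map needs a "set pfs" entry to propose PFS, which the quoted config does not have.

```python
import re
# Constructed excerpts of the PIX and racoon configs quoted in the thread (not the full configs).
PIX_CONF = """\
crypto ipsec transform-set mono esp-des esp-md5-hmac
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
"""
RACOON_CONF = """\
remote 64.5.55.68 { proposal_check obey;
  proposal { encryption_algorithm des; hash_algorithm md5; dh_group 2; lifetime time 86400 secs; } }
sainfo address 192.168.50.0/24 any address 192.168.51.0/24 any {
  encryption_algorithm des; authentication_algorithm hmac_md5; pfs_group 2; lifetime time 86400 secs; }
"""
def parse_pix(text):
    """Phase-1 policies keyed by number, phase-2 transform sets, and the crypto-map PFS group (None if unset)."""
    p1, p2, pfs = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"isakmp policy (\d+) (\w+) (\S+)", line):
            p1.setdefault(int(m[1]), {})[m[2]] = m[3]
        elif m := re.match(r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(\S+)-hmac", line):
            p2[m[1]] = {"encryption": m[2], "auth": "hmac_" + m[3]}   # esp-md5-hmac -> hmac_md5
        elif m := re.match(r"crypto map \S+ \d+ set pfs (\S+)", line):   # assumed PIX syntax, absent above
            pfs = m[1]
    return p1, p2, pfs
def parse_racoon(text):
    """The phase-1 'proposal' block and the phase-2 'sainfo' block as key/value dicts."""
    def block(name):
        body = re.search(r"\b" + name + r"\b[^{]*\{(.*?)\}", text, re.S)
        return dict(re.findall(r"(\w+)\s+(?:time\s+)?(\w+)", body[1])) if body else {}
    return block("proposal"), block("sainfo")

def compare(pix_text, racoon_text):
    """Per PIX isakmp policy, the parameters that differ from racoon's proposal, plus phase-2 issues."""
    p1, p2, pfs = parse_pix(pix_text)
    prop, sainfo = parse_racoon(racoon_text)
    want = {"encryption": prop.get("encryption_algorithm"), "hash": prop.get("hash_algorithm"),
            "group": prop.get("dh_group"), "lifetime": prop.get("lifetime")}
    phase1 = {n: [f"{k}: pix={pol.get(k)} racoon={v}" for k, v in want.items() if pol.get(k) != v]
              for n, pol in sorted(p1.items())}
    phase2 = [f"transform-set {n} differs from sainfo" for n, ts in p2.items()
              if (ts["encryption"], ts["auth"]) != (sainfo.get("encryption_algorithm"), sainfo.get("authentication_algorithm"))]
    if sainfo.get("pfs_group") and pfs is None:   # racoon will propose PFS; the PIX crypto map never set it
        phase2.append(f"racoon pfs_group {sainfo['pfs_group']} but no 'set pfs' on the PIX crypto map")
    return phase1, phase2
```

With the thread's values, policy 1 differs in DH group and lifetime while policy 21 matches; phase 2 agrees on DES/MD5 but racoon asks for PFS group 2 that the PIX side never configured.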