VPN tra Netgear e PIX

mannybiker · 30-10-2006, 15:32

Ho bisogno di creare una VPN tra un router Netgear DG834G e un Cisco PIX 515.
Ho provato a seguire le istruzioni riportate sul sito della Netgear ma niente da fare... alla fase 2 dell'apertura del tunneling si blocca.

Nel log del Netgear trovo questo:

Wed, 2006-10-25 17:55:12 - [ITS] initiating Main Mode
Wed, 2006-10-25 17:55:13 - [ITS] ISAKMP SA established
Wed, 2006-10-25 17:55:14 - [ITS] sent QI2, IPsec SA established
Wed, 2006-10-25 17:55:24 - [ITS] sending notification INVALID_COOKIE to [CISCO PIX IP]:500
Wed, 2006-10-25 17:55:35 - [ITS] sending notification INVALID_COOKIE to [CISCO PIX IP]:500
Wed, 2006-10-25 17:55:44 - [ITS] sending notification INVALID_COOKIE to [CISCO PIX IP]:500
Wed, 2006-10-25 17:55:54 - [ITS] DPD: No response from peer - declaring peer dead

Sul PIX il comando debug crypto ipsec dice:

pixfirewall(config)# IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= [CISCO PIX IP], src= [NETGEAR IP],
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x5a6d8c9d(1517128861) for SA
from [NETGEAR IP] to [CISCO PIX IP] for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= [CISCO PIX IP], src= [NETGEAR IP],
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 86400s and 0kb,
spi= 0x5a6d8c9d(1517128861), conn_id= 12, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= [CISCO PIX IP], dest= [NETGEAR IP],
src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 86400s and 0kb,
spi= 0xbbc2c70a(3150104330), conn_id= 11, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with [NETGEAR IP]

mentre debug crypto isakmp:

crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 0 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 30 policy
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 40 policy
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:[NETGEAR IP]/500 Total VPN Peers:5
VPN Peer: ISAKMP: Peer ip:[NETGEAR IP]/500 Ref cnt incremented to:1 Total VPN Peers:5
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3589793353

ISAKMP : Checking IPSec proposal 0

ISAKMP: transform 0, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 3589793353

ISAKMP (0): processing ID payload. message ID = 3589793353
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 192.168.1.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 3589793353
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.3.0/255.255.255.0 prot 0 port 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from [NETGEAR IP] to [CISCO PIX IP] (proxy 192.168.1.0 to 192.168.3.0)
has spi 1165406688 and conn_id 11 and flags 4
lifetime of 86400 seconds
outbound SA from [CISCO PIX IP] to [NETGEAR IP] (proxy 192.168.3.0 to 192.168.1.0)
has spi 3150104331 and conn_id 12 and flags 4
lifetime of 86400 seconds
VPN Peer: IPSEC: Peer ip:[NETGEAR IP]/500 Ref cnt incremented to:2 Total VPN Peers:5
VPN Peer: IPSEC: Peer ip:[NETGEAR IP]/500 Ref cnt incremented to:3 Total VPN Peers:5
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 333856056
ISAMKP (0): received DPD_R_U_THERE from peer [NETGEAR IP]
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 656696627
ISAMKP (0): received DPD_R_U_THERE from peer [NETGEAR IP]
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2486096099
ISAMKP (0): received DPD_R_U_THERE from peer [NETGEAR IP]
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 958868546
ISAMKP (0): received DPD_R_U_THERE from peer [NETGEAR IP]
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3228279180, spi size = 4
VPN Peer: IPSEC: Peer ip:[NETGEAR IP]/500 Decrementing Ref cnt to:2 Total VPN Peers:5
VPN Peer: IPSEC: Peer ip:[NETGEAR IP]/500 Decrementing Ref cnt to:1 Total VPN Peers:5
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 736301724, spi size = 16
ISAKMP (0): deleting SA: src [NETGEAR IP], dst [CISCO PIX IP]
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x101f46c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:[NETGEAR IP]/500 Ref cnt decremented to:0 Total VPN Peers:5
VPN Peer: ISAKMP: Deleted peer: ip:[NETGEAR IP]/500 Total VPN peers:4

ho provato con mille formati di criptazione (3des,md5,sha,des) ma non credo sia dovuto a questo perché la prima fase dell'ISAKMP va a buon fine.

Preciso che l'indirizzo del Netgear è dinamico per cui il PIX ha una configurazione:

crypto dynamic-map netgear 10 match address 160
crypto ipsec transform-set netgear esp-3des esp-md5-hmac
crypto map twc 60 ipsec-isakmp dynamic netgear
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode3

cosa mi posso ancora inventare????????

Grazie!!!!

30-10-2006, 15:32	#1
mannybiker Junior Member Iscritto dal: Oct 2006 Messaggi: 4	VPN tra Netgear e PIX Ho bisogno di creare una VPN tra un router Netgear DG834G e un Cisco PIX 515. Ho provato a seguire le istruzioni riportate sul sito della Netgear ma niente da fare... alla fase 2 dell'apertura del tunneling si blocca. Nel log del Netgear trovo questo: Wed, 2006-10-25 17:55:12 - [ITS] initiating Main Mode Wed, 2006-10-25 17:55:13 - [ITS] ISAKMP SA established Wed, 2006-10-25 17:55:14 - [ITS] sent QI2, IPsec SA established Wed, 2006-10-25 17:55:24 - [ITS] sending notification INVALID_COOKIE to [CISCO PIX IP]:500 Wed, 2006-10-25 17:55:35 - [ITS] sending notification INVALID_COOKIE to [CISCO PIX IP]:500 Wed, 2006-10-25 17:55:44 - [ITS] sending notification INVALID_COOKIE to [CISCO PIX IP]:500 Wed, 2006-10-25 17:55:54 - [ITS] DPD: No response from peer - declaring peer dead Sul PIX il comando debug crypto ipsec dice: pixfirewall(config)# IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= [CISCO PIX IP], src= [NETGEAR IP], dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 IPSEC(key_engine): got a queue event... IPSEC(spi_response): getting spi 0x5a6d8c9d(1517128861) for SA from [NETGEAR IP] to [CISCO PIX IP] for prot 3 IPSEC(key_engine): got a queue event... IPSEC(initialize_sas): , (key eng. msg.) dest= [CISCO PIX IP], src= [NETGEAR IP], dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 86400s and 0kb, spi= 0x5a6d8c9d(1517128861), conn_id= 12, keysize= 0, flags= 0x4 IPSEC(initialize_sas): , (key eng. msg.) src= [CISCO PIX IP], dest= [NETGEAR IP], src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4), dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 86400s and 0kb, spi= 0xbbc2c70a(3150104330), conn_id= 11, keysize= 0, flags= 0x4 IPSEC(key_engine): got a queue event... IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP IPSEC(key_engine): got a queue event... IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP IPSEC(key_engine_delete_sas): delete all SAs shared with [NETGEAR IP] mentre debug crypto isakmp: crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 OAK_MM exchange ISAKMP (0): processing SA payload. message ID = 0 ISAKMP (0): Checking ISAKMP transform 0 against priority 10 policy ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP: encryption 3DES-CBC ISAKMP: hash MD5 ISAKMP: auth pre-share ISAKMP: default group 2 ISAKMP (0): atts are not acceptable. Next payload is 0 ISAKMP (0): Checking ISAKMP transform 0 against priority 30 policy ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP: encryption 3DES-CBC ISAKMP: hash MD5 ISAKMP: auth pre-share ISAKMP: default group 2 ISAKMP (0): atts are not acceptable. Next payload is 0 ISAKMP (0): Checking ISAKMP transform 0 against priority 40 policy ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP: encryption 3DES-CBC ISAKMP: hash MD5 ISAKMP: auth pre-share ISAKMP: default group 2 ISAKMP (0): atts are acceptable. Next payload is 0 ISAKMP (0): processing vendor id payload ISAKMP (0): remote peer supports dead peer detection ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR return status is IKMP_NO_ERROR crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 OAK_MM exchange ISAKMP (0): processing KE payload. message ID = 0 ISAKMP (0): processing NONCE payload. message ID = 0 return status is IKMP_NO_ERROR crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 OAK_MM exchange ISAKMP (0): processing ID payload. message ID = 0 ISAKMP (0): processing HASH payload. message ID = 0 ISAKMP (0): SA has been authenticated ISAKMP (0): ID payload next-payload : 8 type : 1 protocol : 17 port : 500 length : 8 ISAKMP (0): Total payload length: 12 return status is IKMP_NO_ERROR ISAKMP (0): sending INITIAL_CONTACT notify ISAKMP (0): sending NOTIFY message 24578 protocol 1 VPN Peer: ISAKMP: Added new peer: ip:[NETGEAR IP]/500 Total VPN Peers:5 VPN Peer: ISAKMP: Peer ip:[NETGEAR IP]/500 Ref cnt incremented to:1 Total VPN Peers:5 crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 OAK_QM exchange oakley_process_quick_mode: OAK_QM_IDLE ISAKMP (0): processing SA payload. message ID = 3589793353 ISAKMP : Checking IPSec proposal 0 ISAKMP: transform 0, ESP_3DES ISAKMP: attributes in transform: ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP: authenticator is HMAC-MD5 ISAKMP (0): atts are acceptable. ISAKMP (0): processing NONCE payload. message ID = 3589793353 ISAKMP (0): processing ID payload. message ID = 3589793353 ISAKMP (0): ID_IPV4_ADDR_SUBNET src 192.168.1.0/255.255.255.0 prot 0 port 0 ISAKMP (0): processing ID payload. message ID = 3589793353 ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.3.0/255.255.255.0 prot 0 port 0 return status is IKMP_NO_ERROR crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 OAK_QM exchange oakley_process_quick_mode: OAK_QM_AUTH_AWAIT ISAKMP (0): Creating IPSec SAs inbound SA from [NETGEAR IP] to [CISCO PIX IP] (proxy 192.168.1.0 to 192.168.3.0) has spi 1165406688 and conn_id 11 and flags 4 lifetime of 86400 seconds outbound SA from [CISCO PIX IP] to [NETGEAR IP] (proxy 192.168.3.0 to 192.168.1.0) has spi 3150104331 and conn_id 12 and flags 4 lifetime of 86400 seconds VPN Peer: IPSEC: Peer ip:[NETGEAR IP]/500 Ref cnt incremented to:2 Total VPN Peers:5 VPN Peer: IPSEC: Peer ip:[NETGEAR IP]/500 Ref cnt incremented to:3 Total VPN Peers:5 return status is IKMP_NO_ERROR crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 ISAKMP (0): processing NOTIFY payload 36136 protocol 1 spi 0, message ID = 333856056 ISAMKP (0): received DPD_R_U_THERE from peer [NETGEAR IP] ISAKMP (0): sending NOTIFY message 36137 protocol 1 return status is IKMP_NO_ERR_NO_TRANS crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 ISAKMP: error, msg not encrypted crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 ISAKMP (0): processing NOTIFY payload 36136 protocol 1 spi 0, message ID = 656696627 ISAMKP (0): received DPD_R_U_THERE from peer [NETGEAR IP] ISAKMP (0): sending NOTIFY message 36137 protocol 1 return status is IKMP_NO_ERR_NO_TRANS crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 ISAKMP: error, msg not encrypted crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 ISAKMP (0): processing NOTIFY payload 36136 protocol 1 spi 0, message ID = 2486096099 ISAMKP (0): received DPD_R_U_THERE from peer [NETGEAR IP] ISAKMP (0): sending NOTIFY message 36137 protocol 1 return status is IKMP_NO_ERR_NO_TRANS crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 ISAKMP: error, msg not encrypted crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 ISAKMP (0): processing NOTIFY payload 36136 protocol 1 spi 0, message ID = 958868546 ISAMKP (0): received DPD_R_U_THERE from peer [NETGEAR IP] ISAKMP (0): sending NOTIFY message 36137 protocol 1 return status is IKMP_NO_ERR_NO_TRANS crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 ISAKMP (0): processing DELETE payload. message ID = 3228279180, spi size = 4 VPN Peer: IPSEC: Peer ip:[NETGEAR IP]/500 Decrementing Ref cnt to:2 Total VPN Peers:5 VPN Peer: IPSEC: Peer ip:[NETGEAR IP]/500 Decrementing Ref cnt to:1 Total VPN Peers:5 return status is IKMP_NO_ERR_NO_TRANS crypto_isakmp_process_block:src:[NETGEAR IP], dest:[CISCO PIX IP] spt:500 dpt:500 ISAKMP (0): processing DELETE payload. message ID = 736301724, spi size = 16 ISAKMP (0): deleting SA: src [NETGEAR IP], dst [CISCO PIX IP] return status is IKMP_NO_ERR_NO_TRANS ISADB: reaper checking SA 0x101f46c, conn_id = 0 DELETE IT! VPN Peer: ISAKMP: Peer ip:[NETGEAR IP]/500 Ref cnt decremented to:0 Total VPN Peers:5 VPN Peer: ISAKMP: Deleted peer: ip:[NETGEAR IP]/500 Total VPN peers:4 ho provato con mille formati di criptazione (3des,md5,sha,des) ma non credo sia dovuto a questo perché la prima fase dell'ISAKMP va a buon fine. Preciso che l'indirizzo del Netgear è dinamico per cui il PIX ha una configurazione: crypto dynamic-map netgear 10 match address 160 crypto ipsec transform-set netgear esp-3des esp-md5-hmac crypto map twc 60 ipsec-isakmp dynamic netgear isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode3 cosa mi posso ancora inventare???????? Grazie!!!! Ultima modifica di mannybiker : 30-10-2006 alle 15:35.

Strumenti
Mostra una versione stampabile Invia questa pagina per email