Help - Netscreen 500 to Cisco PIX 525 VPN



  • Hey guys. First let me start off by saying that I’m primarily a System Admin, not a Network Eng of any kind, but I have been assigned the task of setting up a LAN-to-LAN VPN tunnel using our current Cisco PIX 525 in our colo and an unused Netscreen 500.

    I have made a good amount of progress but I still can’t get past the phase 2 negotiation. Here is what keeps getting logged in my NS.

    2007-12-28 16:08:09 info IKE<xx.xx.xx.xx>: Received initial contact notification and removed Phase 2 SAs.
    2007-12-28 16:08:09 info IKE<xx.xx.xx.xx>: Received notify message for DOI <1> <24578> <notify_initial_contact>.
    2007-12-28 16:08:09 info IKE<xx.xx.xx.xx>: Phase 2: Initiated negotiation.
    2007-12-28 16:08:09 info IKE<xx.xx.xx.xx>: Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
    2007-12-28 16:08:08 info IKE<xx.xx.xx.xx>: Phase 1: Initiated negotiations in main mode.

    It just keeps repeating that over and over and I’ve tried several different things to try to get this to work.

    Here is the config on my PIX (Really old FW btw - 6.1(2))

    access-list 137 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
    Crypto Map "toLosAngeles" 37 ipsec-isakmp
            Peer = xx.xx.xx.xx
            access-list 137 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
            Current peer: xx.xx.xx.xx
            Security association lifetime: 4608000 kilobytes/28800 seconds
            PFS (Y/N): Y
            DH group:  group1
            Transform sets={ MySET1, MySET2, }

    isakmp enable outside
    isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
    isakmp identity address
    isakmp client configuration address-pool local lapdog outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption des
    isakmp policy 30 hash sha
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    isakmp policy 31 authentication pre-share
    isakmp policy 31 encryption des
    isakmp policy 31 hash md5
    isakmp policy 31 group 1
    isakmp policy 31 lifetime 28800

    Transform set MySET1: { esp-des esp-md5-hmac  }
       will negotiate = { Tunnel,  },

    Transform set MySET2: { esp-des esp-sha-hmac  }
       will negotiate = { Tunnel,  },

    Here is my Netscreen 500 config:

    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set clock "timezone" 0
    set admin format dos
    set admin name "netscreen"
    set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
    set admin auth timeout 10
    set admin auth server "Local"
    set log module system level emergency destination console
    set log module system level alert destination console
    set log module system level critical destination console
    set log module system level error destination console
    set log module system level warning destination console
    set log module system level notification destination console
    set log module system level information destination console
    set log module system level debugging destination console
    unset log module system level emergency destination onesecure
    unset log module system level alert destination onesecure
    unset log module system level critical destination onesecure
    unset log module system level error destination onesecure
    unset log module system level warning destination onesecure
    unset log module system level notification destination onesecure
    unset log module system level information destination onesecure
    unset log module system level debugging destination onesecure
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    set zone "MGT" tcp-rst
    set zone Untrust screen tear-drop
    set zone Untrust screen syn-flood
    set zone Untrust screen ping-death
    set zone Untrust screen ip-filter-src
    set zone Untrust screen land
    set zone V1-Untrust screen tear-drop
    set zone V1-Untrust screen syn-flood
    set zone V1-Untrust screen ping-death
    set zone V1-Untrust screen ip-filter-src
    set zone V1-Untrust screen land
    set interface "ethernet1/2" zone "Untrust"
    set interface "ethernet2/2" zone "DMZ"
    set interface "ethernet3/2" zone "Trust"
    set interface "tunnel.1" zone "Untrust"
    set interface ethernet1/2 ip ExternalIP/29
    set interface ethernet1/2 route
    set interface ethernet3/2 ip InternalIP/24
    set interface ethernet3/2 nat
    unset interface vlan1 ip
    set interface tunnel.1 ip unnumbered interface ethernet1/2
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet1/2 manage-ip xx.xx.xx.xx
    set interface ethernet3/2 manage-ip xx.xx.xx.xx
    unset interface ethernet1/2 ip manageable
    set interface ethernet2/2 ip manageable
    unset interface ethernet3/2 ip manageable
    set interface vlan1 ip manageable
    set interface ethernet1/2 manage ping
    set interface ethernet1/2 manage telnet
    set address "Trust" "192.168.1.0" 192.168.1.0 255.255.255.0 "Created by vpn wizard"
    set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
    set address "Trust" "192.168.1.0_0" 192.168.1.0 255.255.255.0 "Created by vpn wizard"
    set address "Trust" "192.168.1.0_1" 192.168.1.0 255.255.255.0 "Created by vpn wizard"
    set address "Trust" "Internal_LAN_192" 192.168.1.0 255.255.255.0 "192.168.1.0/24"
    set address "Untrust" "10.10.10.0" 10.10.10.0 255.255.254.0 "Created by vpn wizard"
    set address "Untrust" "10.10.10.0/23" 10.10.10.0 255.255.254.0
    set snmp name "ns500"
    set ike p2-proposal "NoPFS_Des/MD5" no-pfs ESP DES MD5 second 28800
    set ike p2-proposal "NoPFS_Des/SHA" no-pfs ESP DES SHA-1 second 28800
    set ike p2-proposal "NoPFS_Des/MD5_2" no-pfs ESP DES MD5 second 28800
    set ike p2-proposal "g1_Des/MD5" Group1 ESP DES MD5 second 28800
    set ike p2-proposal "g2_Des/MD5" Group2 ESP DES MD5 second 28800
    set ike p2-proposal "g2_Des/SHA" Group2 ESP DES SHA-1 second 28800
    set ike p2-proposal "g1_Des/MD5_2" Group1 ESP DES MD5 second 28800
    set ike gateway "My_PIX" ip xx.xx.xx.xx Main outgoing-interface "ethernet1/2" preshare "MyPreShareKey" sec-level compatible
    set ike policy-checking
    set ike respond-bad-spi 1
    set vpn "My_VPN" id 5 gateway "My_PIX" replay tunnel idletime 0 proposal "g1_Des/MD5"  "g1_Des/MD5_2"
    set vpn "My_VPN" monitor source-interface ethernet1/2
    set vpn "My_VPN" id 6 bind interface tunnel.1
    set ike id-mode subnet
    set xauth lifetime 480
    set xauth default auth server Local
    set vpn "My_VPN" proxy-id local-ip 192.168.1.0/24 remote-ip 10.10.10.0/23 ANY
    set policy id 1 from "Untrust" to "Trust"  "10.10.10.0/23" "192.168.1.0/24" "ANY" Permit
    set policy id 0 from "Trust" to "Untrust"  "192.168.1.0/24" "10.10.10.0/23" "ANY" Permit
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet1/2 gateway MyExternalIP
    set route 10.10.10.0/23 interface tunnel.1
    exit

    I would appreciate any ideas or help. Thanks.
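Since both sides' proposals are listed in the post, here is an added example (not code from the original post, Cisco or Juniper) that parses the posted PIX and ScreenOS lines and reports which phase 1 policies, which (transform set, p2-proposal) pairs and whether the crypto-map ACL and the ScreenOS proxy-id describe the same networks. The two config excerpts are constructed from the lines above; the phase 1 set ScreenOS offers for `sec-level compatible` is taken from the ScreenOS documentation and is an assumption to confirm with `get ike gateway` on the box.

```python
"""Cross-check IKE phase 1/2 proposals and proxy IDs between a PIX 6.x and a ScreenOS config.

Added example for this thread, not code from the original post, Cisco or Juniper.
The config excerpts are constructed from the lines posted above. The phase 1 set that
ScreenOS offers for 'sec-level compatible' is taken from the ScreenOS documentation
(an assumption: confirm with 'get ike gateway <name>' on the box).
"""
import ipaddress
import re

PIX_CONFIG = """
access-list 137 permit ip 10.10.10.0 255.255.254.0 192.168.1.0 255.255.255.0
        PFS (Y/N): Y
        DH group:  group1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
Transform set MySET1: { esp-des esp-md5-hmac  }
Transform set MySET2: { esp-des esp-sha-hmac  }
"""

NS_CONFIG = """
set ike p2-proposal "NoPFS_Des/MD5" no-pfs ESP DES MD5 second 28800
set ike p2-proposal "g1_Des/MD5" Group1 ESP DES MD5 second 28800
set ike p2-proposal "g2_Des/SHA" Group2 ESP DES SHA-1 second 28800
set ike p2-proposal "g1_Des/MD5_2" Group1 ESP DES MD5 second 28800
set vpn "My_VPN" id 5 gateway "My_PIX" replay tunnel idletime 0 proposal "g1_Des/MD5"  "g1_Des/MD5_2"
set vpn "My_VPN" proxy-id local-ip 192.168.1.0/24 remote-ip 10.10.10.0/23 ANY
"""

# (enc, hash, dh_group) offered by ScreenOS 'sec-level compatible' with a preshared key (assumed).
SCREENOS_COMPATIBLE_P1 = {("3des", "sha", 2), ("3des", "md5", 2),
                          ("des", "sha", 2), ("des", "md5", 2)}

def pix_phase1(text):
    """Return {policy_no: (enc, hash, group)} from the 'isakmp policy' lines."""
    attrs = {}
    for num, key, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)", text, re.M):
        attrs.setdefault(int(num), {})[key] = val
    return {n: (a["encryption"], a["hash"], int(a["group"]))
            for n, a in attrs.items() if a.keys() >= {"encryption", "hash", "group"}}

def pix_phase2(text):
    """Return (pfs_group or None, {set_name: (enc, auth)}) from 'show crypto map' output."""
    pfs = None
    if re.search(r"PFS \(Y/N\): Y", text):
        pfs = int(re.search(r"DH group:\s+group(\d)", text).group(1))
    sets = {n: (e, a) for n, e, a in
            re.findall(r"Transform set (\S+): \{ esp-(\S+) esp-(\S+)-hmac", text)}
    return pfs, sets

def ns_phase2(text, vpn_name):
    """Return {proposal: (pfs_group or None, enc, auth)} for the proposals the VPN actually uses."""
    defined = {}
    for name, pfs, enc, auth in re.findall(
            r'^set ike p2-proposal "([^"]+)" (no-pfs|Group\d) ESP (\S+) (\S+)', text, re.M):
        group = None if pfs == "no-pfs" else int(pfs[-1])
        defined[name] = (group, enc.lower(), auth.lower().replace("-1", ""))
    used = re.search(r'^set vpn "%s" id \d+ gateway .* proposal (.*)$' % re.escape(vpn_name),
                     text, re.M).group(1)
    return {n: defined[n] for n in re.findall(r'"([^"]+)"', used)}

def proxy_ids(pix_text, ns_text, vpn_name):
    """Return (pix_acl, ns_proxy_id), each as (pix_source_net, pix_destination_net)."""
    s, sm, d, dm = re.search(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)",
                             pix_text, re.M).groups()
    pix = (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
    local, remote = re.search(r'^set vpn "%s" proxy-id local-ip (\S+) remote-ip (\S+)'
                              % re.escape(vpn_name), ns_text, re.M).groups()
    # The ScreenOS remote-ip is the PIX source, the ScreenOS local-ip is the PIX destination.
    return pix, (ipaddress.ip_network(remote), ipaddress.ip_network(local))

def check(pix_text, ns_text, vpn_name):
    """Return matching phase 1 policies, matching (transform set, proposal) pairs, proxy-ID result."""
    p1 = {n: p for n, p in pix_phase1(pix_text).items() if p in SCREENOS_COMPATIBLE_P1}
    pfs, sets = pix_phase2(pix_text)
    p2 = [(sn, pn) for sn, (enc, auth) in sets.items()
          for pn, (g, e, a) in ns_phase2(ns_text, vpn_name).items()
          if (enc, auth) == (e, a) and g == pfs]
    pix_ids, ns_ids = proxy_ids(pix_text, ns_text, vpn_name)
    return {"phase1": p1, "phase2": p2, "proxy_id_match": pix_ids == ns_ids}

if __name__ == "__main__":
    for key, value in check(PIX_CONFIG, NS_CONFIG, "My_VPN").items():
        print(f"{key}: {value}")
```

Run against the posted lines, it reports PIX policies 20 and 30 as phase 1 matches, MySET1 pairing with both Group1 proposals (PFS group 1 on both sides), and the ACL and proxy-id describing the same two networks. Anything the script reports as matching still has to be confirmed with `debug ike` on the NetScreen and `debug crypto isakmp` on the PIX; a paper match only rules out the proposal set as the cause.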



  • Ok, I’m able to ping the router on the other side at least but I can’t get past the router. When I try to ping any host behind it I get stopped.

    Any ideas?



  • Ok, I’ve gotten it to partially work by upgrading my PIX to 6.3(5) code and enabling 3DES.

    Now it actually negotiates but the tunnel will only stay up for like a minute or two and I still can’t seem to ping from one end to the other. I think traffic is somehow making it across because I’m seeing hit counts on the PIX ACL that is bound to the Crypto map for this tunnel.

    This is what I’m seeing in the logs.

    2008-01-04 10:20:09 crit vpn "LVL3_VPN_172NET" is down.
    2008-01-04 10:18:34 info vpn "LVL3_VPN_172NET" is up.
    2008-01-04 10:18:34 info IKE <xx.xx.xx.xx>Phase 2 msg-id <abfaa5aa>: Completed negotiations with SPI <b24f4939>, tunnel ID <2>, and lifetime <28800> seconds/<4608000> KB.
    2008-01-04 10:18:34 info IKE <xx.xx.xx.xx>Phase 2 msg-id <abfaa5aa>: Received responder lifetime notification.(0 sec/4608000 Kb)
    2008-01-04 10:18:34 info IKE <xx.xx.xx.xx>Received notify message for DOI <1> <24576> <notify_responder_lifetime>.
    2008-01-04 10:18:34 info IKE <xx.xx.xx.xx>Phase 2: Initiated negotiation.
    2008-01-04 10:18:24 info netscreen: The system configuration was saved from host 192.168.1.61 by admin netscreen
    2008-01-04 10:18:24 notif netscreen: VPN monitoring for VPN LVL3_VPN_172NET has been enabled.
    2008-01-04 10:18:24 notif netscreen: VPN LVL3_VPN_172NET with gateway LVL3_PIX, rekey, and p2-proposal noPFS_3DES/SHA has been modified from host 192.168.1.61.
    2008-01-04 10:17:38 crit vpn "LVL3_VPN_172NET" is down.
    2008-01-04 10:15:59 info vpn "LVL3_VPN_172NET" is up.
    2008-01-04 10:15:59 info IKE <xx.xx.xx.xx>Phase 2 msg-id <11c98ad5>: Completed negotiations with SPI <b24f4938>, tunnel ID <2>, and lifetime <28800> seconds/<4608000> KB.
    2008-01-04 10:15:59 info IKE <xx.xx.xx.xx>Phase 2 msg-id <11c98ad5>: Received responder lifetime notification.(0 sec/4608000 Kb)
    2008-01-04 10:15:59 info IKE <xx.xx.xx.xx>Received notify message for DOI <1> <24576> <notify_responder_lifetime>.
    2008-01-04 10:15:59 info IKE <xx.xx.xx.xx>Phase 2: Initiated negotiation.
    2008-01-04 10:15:46 warn Admin User netscreen has logged on via Telnet from 192.168.1.61:4988
    2008-01-04 10:14:59 info netscreen: The system configuration was saved from host 192.168.1.61 by admin netscreen
    2008-01-04 10:14:59 notif netscreen: VPN monitoring for VPN LVL3_VPN_172NET has been enabled.
    2008-01-04 10:14:59 notif netscreen: VPN LVL3_VPN with gateway LVL3_PIX, rekey, and p2-proposal noPFS_3DES/SHA has been modified from host 192.168.1.61.
    2008-01-04 10:11:28 crit vpn "LVL3_VPN" is down.
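The "stays up for a minute or two" symptom in the post is easier to reason about as numbers than as a wall of log lines. The following is an added example (not code from the original post or from Juniper) that turns ScreenOS event-log lines into per-VPN up intervals, pulls out what the peer asserted in its responder-lifetime notifies, and flags tunnels whose every recorded up interval is shorter than a threshold. `SAMPLE_LOG` is a constructed excerpt of the log posted above; the 300-second threshold is an assumption, not a ScreenOS value.

```python
"""Measure how long a ScreenOS VPN stays up between 'is up' and 'is down' events.

Added example for this thread, not code from the original post or from Juniper.
SAMPLE_LOG is a constructed excerpt of the event log posted above (straight quotes);
the 300-second flap threshold is an assumption, not a ScreenOS value.
"""
from datetime import datetime
import re

SAMPLE_LOG = """\
2008-01-04 10:20:09 crit vpn "LVL3_VPN_172NET" is down.
2008-01-04 10:18:34 info vpn "LVL3_VPN_172NET" is up.
2008-01-04 10:18:34 info IKE <xx.xx.xx.xx>Phase 2 msg-id <abfaa5aa>: Completed negotiations with SPI <b24f4939>, tunnel ID <2>, and lifetime <28800> seconds/<4608000> KB.
2008-01-04 10:18:34 info IKE <xx.xx.xx.xx>Phase 2 msg-id <abfaa5aa>: Received responder lifetime notification.(0 sec/4608000 Kb)
2008-01-04 10:17:38 crit vpn "LVL3_VPN_172NET" is down.
2008-01-04 10:15:59 info vpn "LVL3_VPN_172NET" is up.
2008-01-04 10:15:59 info IKE <xx.xx.xx.xx>Phase 2 msg-id <11c98ad5>: Completed negotiations with SPI <b24f4938>, tunnel ID <2>, and lifetime <28800> seconds/<4608000> KB.
2008-01-04 10:15:59 info IKE <xx.xx.xx.xx>Phase 2 msg-id <11c98ad5>: Received responder lifetime notification.(0 sec/4608000 Kb)
2008-01-04 10:11:28 crit vpn "LVL3_VPN" is down.
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
STATE_RE = re.compile(r'^vpn "([^"]+)" is (up|down)\.$')
LIFETIME_RE = re.compile(r"Received responder lifetime notification\.\((\d+) sec/(\d+) Kb\)")


def parse_events(text):
    """Return [(timestamp, severity, message)] oldest first; ScreenOS prints newest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), m.group(3)))
    return sorted(events)


def up_intervals(events):
    """Return {vpn: [seconds up, ...]} per up/down pair; a down with no prior up is ignored."""
    up_since, intervals = {}, {}
    for ts, _sev, msg in events:
        m = STATE_RE.match(msg)
        if not m:
            continue
        name, state = m.groups()
        if state == "up":
            up_since[name] = ts
        elif name in up_since:
            intervals.setdefault(name, []).append(int((ts - up_since.pop(name)).total_seconds()))
    return intervals


def responder_lifetimes(events):
    """Return the (seconds, kilobytes) pairs the peer sent in responder-lifetime notifies."""
    return [(int(sec), int(kb)) for _ts, _sev, msg in events
            for sec, kb in LIFETIME_RE.findall(msg)]


def flapping(intervals, max_seconds=300):
    """Return VPN names whose every recorded up interval is shorter than max_seconds."""
    return sorted(name for name, secs in intervals.items()
                  if secs and all(s < max_seconds for s in secs))


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("up intervals:", up_intervals(ev))
    print("responder lifetimes:", responder_lifetimes(ev))
    print("flapping:", flapping(up_intervals(ev)))
```

On the posted lines this yields up intervals of 99 and 95 seconds for LVL3_VPN_172NET, two responder-lifetime notifies of 0 seconds / 4608000 KB from the peer, and the lone "LVL3_VPN is down" event is ignored because no matching "is up" precedes it. Feed it `get event` output from the box instead of the sample to watch the intervals over a longer window.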



  • @greg1c:

    Just out of curiosity, what code are you running on the NS500?  You might have better luck making this a policy based VPN on the NS 500 side.  I think a debug of IKE will help here.

    debug ike all

    get db str

    Greg

    These are the two versions on my NS:
    Hardware Version: 4110(0)
    Software Version: 4.0.0r6.0 (Firewall+VPN)

    I’ll try those commands and see what I find. Thanks.



  • @screenie.:

    Ouch, that’s a lot of config! Maybe debugging IKE gives you a clue:

    on the NS500

    debug ike basic

    clear db

    let the Cisco build the VPN
    undebug all
    To view your logging:
    get db stream

    I noticed that the config still has some of the stuff that was done after rebuilding the VPN tunnel. I wonder if I should blow everything out again and start from scratch.

    I’ll try those commands and see what I find. Thanks.



  • Just out of curiosity, what code are you running on the NS500?  You might have better luck making this a policy based VPN on the NS 500 side.  I think a debug of IKE will help here.

    debug ike all

    get db str

    Greg


  • Global Moderator

    Ouch, that’s a lot of config! Maybe debugging IKE gives you a clue:

    on the NS500

    debug ike basic

    clear db

    let the Cisco build the VPN
    undebug all
    To view your logging:
    get db stream


 
