problems with cisco <-> netscreen

It appears that my cisco 806 is trying to forward the packets out my public interface without encrypting them and sending them to the peer. I can route packets from my 192.168.22.0 network where the netscreen is, they make it over to the 192.168.23.0 network, but the responses never make it back.

Anyone care to help me out on this?

Here is the router config.

Using 4991 out of 131072 bytes
!
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco-rtr
!
boot-start-marker
boot-end-marker
!
logging cns-events debugging
!
clock timezone Central -6
clock summer-time CDT recurring 1 Sun Apr 3:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
ip subnet-zero
no ip source-route
ip domain name int.fl240.com
ip name-server 192.168.23.26
ip dhcp excluded-address 192.168.23.200 192.168.23.201
ip dhcp excluded-address 192.168.23.1 192.168.23.39
!
no ip bootp server
ip inspect name myfw cuseeme audit-trail on timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http java-list 3 audit-trail on timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
!
!
!
!
class-map match-all VONAGE
  match access-group 101
!
!
policy-map ALL
  class VONAGE
   bandwidth 256
  class class-default
   fair-queue
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key netscreen address netscreen
!
!
crypto ipsec transform-set aptset esp-3des esp-sha-hmac
crypto ipsec transform-set ns-interop esp-des esp-md5-hmac
!
crypto map aptmap 2 ipsec-isakmp
 set peer 192.168.22.200
 set transform-set aptset
 match address 111
!
crypto map netscreen-net 10 ipsec-isakmp
 set peer netscreen
 set transform-set ns-interop
 match address 130
!
!
!
interface Ethernet0
 ip address 192.168.23.1 255.255.255.0
 ip nat inside
 ip policy route-map proxy-redirect
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address address 255.255.255.0
 ip access-group 111 in
 no ip unreachables
 ip nat outside
 ip inspect myfw out
 no cdp enable
 crypto map netscreen-net
 service-policy output ALL
!
interface Virtual-Template1
 ip unnumbered Ethernet1
 ip mroute-cache
 peer default ip address pool pptp
 ppp encrypt mppe 40
 ppp authentication ms-chap
!
ip local pool pptp 192.168.23.200 192.168.23.201
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1 permanent
no ip http server
no ip http secure-server
!
logging facility local5
logging 192.168.23.27
access-list 1 permit 192.168.23.0 0.0.0.255
access-list 1 permit any
access-list 3 permit any
access-list 23 permit 192.168.23.0 0.0.0.255
access-list 101 permit udp host 192.168.23.40 any
access-list 101 permit udp any host 192.168.23.40
access-list 102 permit ip 192.168.23.0 0.0.0.255 any
access-list 104 permit ip address 0.0.0.255 any
access-list 104 permit udp address 0.0.0.255 any eq isakmp
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 permit tcp any any eq 22
access-list 111 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255 log
access-list 111 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255 log
access-list 120 deny tcp any any neq www
access-list 120 deny tcp host 192.168.23.26 any
access-list 120 permit tcp any any
access-list 130 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255 log
access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255 log
no cdp run
route-map proxy-redirect permit 10
 match ip address 120
 set ip next-hop 192.168.23.26
!
banner motd ^C go away or I will track you down and sue you and you will go to jail

Enter Password:

^C
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 password 7
 transport input ssh
!
scheduler max-task-time 5000
end

Here is an output from debug ipsec sa:

cisco-rtr#debug crypto ipsec
Crypto IPSEC debugging is on
cisco-rtr#terminal monitor
cisco-rtr#clear crypto sa peer netscreen
cisco-rtr#
12:18:44: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= cisco, sa_prot= 50,
    sa_spi= 0x54464F6D(1413893997),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2004
12:18:44: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
  (sa) sa_dest= netscreen, sa_prot= 50,
    sa_spi= 0x4C131F1C(1276321564),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2005,
  (identity) local= cisco, remote= netscreen,
    local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4)
12:18:44: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= netscreen, sa_prot= 50,
    sa_spi= 0x4C131F1C(1276321564),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2005
12:18:44: ISAKMP: Unlocking IPSEC struct 0x813F3908 from delete_siblings, count 0
12:18:44: ISAKMP: received ke message (3/1)
12:18:44: ISAKMP: set new node -844168567 to QM_IDLE
12:18:44: ISAKMP (0:1): sending packet to netscreen my_port 500 peer_port 500 (I) QM_IDLE
12:18:44: ISAKMP (0:1): purging node -844168567
12:18:44: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
12:18:44: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

12:18:53: ISAKMP (0:1): received packet from netscreen dport 500 sport 500 Global (I) QM_IDLE
12:18:53: ISAKMP: set new node -928160302 to QM_IDLE
12:18:53: ISAKMP (0:1): processing HASH payload. message ID = -928160302
12:18:53: ISAKMP (0:1): processing SA payload. message ID = -928160302
12:18:53: ISAKMP (0:1): Checking IPSec proposal 1
12:18:53: ISAKMP: transform 1, ESP_DES
12:18:53: ISAKMP:   attributes in transform:
12:18:53: ISAKMP:      SA life type in seconds
12:18:53: ISAKMP:      SA life duration (VPI) of 0x0 0x0 0xE 0x10
12:18:53: ISAKMP:      encaps is 1 (Tunnel)
12:18:53: ISAKMP:      authenticator is HMAC-MD5
12:18:53: ISAKMP (0:1): atts are acceptable.
12:18:53: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco, remote= netscreen,
    local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
12:18:53: IPSEC(kei_proxy): head = netscreen-net, map->ivrf = , kei->ivrf =
12:18:53: ISAKMP (0:1): processing NONCE payload. message ID = -928160302
12:18:53: ISAKMP (0:1): processing ID payload. message ID = -928160302
12:18:53: ISAKMP (0:1): processing ID payload. message ID = -928160302
12:18:53: ISAKMP (0:1): asking for 1 spis from ipsec
12:18:53: ISAKMP (0:1): Node -928160302, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
12:18:53: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
12:18:53: IPSEC(key_engine): got a queue event...
12:18:53: IPSEC(spi_response): getting spi 1606767518 for SA
        from cisco to netscreen for prot 3
12:18:53: ISAKMP: received ke message (2/1)
12:18:53: ISAKMP: Locking peer struct 0x813F3908, IPSEC refcount 1 for for stuff_ke
12:18:53: ISAKMP (0:1): Creating IPSec SAs
12:18:53:         inbound SA from netscreen to cisco (f/i) 0/ 0
        (proxy 192.168.22.0 to 192.168.23.0)
12:18:53:         has spi 0x5FC5539E and conn_id 2000 and flags 2
12:18:53:         lifetime of 3600 seconds
12:18:53:         has client flags 0x0
12:18:53:         outbound SA from cisco to netscreen (f/i) 0/ 0
        (proxy 192.168.23.0 to 192.168.22.0 )
12:18:53:         has spi 1276321566 and conn_id 2001 and flags A
12:18:53:         lifetime of 3600 seconds
12:18:53:         has client flags 0x0
12:18:53: ISAKMP (0:1): sending packet to netscreen my_port 500 peer_port 500 (I) QM_IDLE
12:18:53: ISAKMP (0:1): Node -928160302, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
12:18:53: ISAKMP (0:1): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
12:18:53: IPSEC(key_engine): got a queue event...
12:18:53: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= cisco, remote= netscreen,
    local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 3600s and 0kb,
    spi= 0x5FC5539E(1606767518), conn_id= 2000, keysize= 0, flags= 0x2
12:18:53: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= cisco, remote= netscreen,
    local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 3600s and 0kb,
    spi= 0x4C131F1E(1276321566), conn_id= 2001, keysize= 0, flags= 0xA
12:18:53: IPSEC(kei_proxy): head = netscreen-net, map->ivrf = , kei->ivrf =
12:18:53: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and netscreen
12:18:53: IPSEC(add mtree): src 192.168.23.0, dest 192.168.22.0, dest_port 0

12:18:53: IPSEC(create_sa): sa created,
  (sa) sa_dest= cisco, sa_prot= 50,
    sa_spi= 0x5FC5539E(1606767518),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000

12:18:53: IPSEC(create_sa): sa created,
  (sa) sa_dest= netscreen, sa_prot= 50,
    sa_spi= 0x4C131F1E(1276321566),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001
12:18:53: ISAKMP (0:1): received packet from netscreen dport 500 sport 500 Global (I) QM_IDLE
12:18:53: ISAKMP (0:1): deleting node -928160302 error FALSE reason "quick mode done (await)"
12:18:53: ISAKMP (0:1): Node -928160302, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
12:18:53: ISAKMP (0:1): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
12:18:53: IPSEC(key_engine): got a queue event...
12:18:53: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
12:18:53: IPSEC(key_engine_enable_outbound): enable SA with spi 1276321566/50 for netscreen
12:19:43: ISAKMP (0:1): purging node -928160302

Turns out it was my NAT configuration that was horking it up :)

b
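An added example (not from this thread or either poster): a small model of the IOS inside-to-outside order of operations, in which NAT runs before the crypto map is consulted. It shows why the catch-all "access-list 102 permit ip 192.168.23.0 0.0.0.255 any" translates replies bound for 192.168.22.0/24 to the Ethernet1 address, so they no longer match crypto ACL 130 and leave in cleartext; the deny line in ACL_102_FIXED and the public address are assumptions, since the thread only says the NAT config was at fault.

```python
# Added example, not from the thread: a toy model of the IOS inside-to-outside
# order of operations, where NAT runs BEFORE the crypto map is consulted.
# With access-list 102 permitting 192.168.23.0/24 to "any", replies bound for
# 192.168.22.0/24 are translated to the Ethernet1 address first, no longer
# match crypto ACL 130, and leave in cleartext. The deny line in ACL_102_FIXED
# is an assumed fix; the poster only says the NAT config was the cause.
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.1"  # constructed stand-in for the redacted Ethernet1 address


def acl_match(acl, src, dst):
    """First-match evaluation of [(action, src_net, dst_net), ...]; implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "permit"
    return False


def forward(nat_acl, crypto_acl, src, dst):
    """Return (source address on the wire, encrypted?) for an inside->outside packet."""
    # 1. NAT inside->outside: "ip nat inside source list 102 interface Ethernet1 overload"
    if acl_match(nat_acl, src, dst):
        src = PUBLIC_IP
    # 2. Crypto map "netscreen-net" is checked only now, against the translated source
    encrypted = acl_match(crypto_acl, src, dst)
    return src, encrypted


# Outbound half of "access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255"
ACL_130 = [("permit", "192.168.23.0/24", "192.168.22.0/24")]

# As posted: "access-list 102 permit ip 192.168.23.0 0.0.0.255 any"
ACL_102_ORIGINAL = [("permit", "192.168.23.0/24", "0.0.0.0/0")]

# Assumed fix: exempt VPN-bound traffic from NAT before the catch-all permit, i.e.
#   access-list 102 deny ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255
#   access-list 102 permit ip 192.168.23.0 0.0.0.255 any
ACL_102_FIXED = [("deny", "192.168.23.0/24", "192.168.22.0/24"),
                 ("permit", "192.168.23.0/24", "0.0.0.0/0")]

if __name__ == "__main__":
    # A reply from an inside host back to a NetScreen-side host (constructed addresses)
    for name, acl in (("original", ACL_102_ORIGINAL), ("fixed", ACL_102_FIXED)):
        print(name, forward(acl, ACL_130, "192.168.23.40", "192.168.22.10"))
```

Internet-bound traffic is still translated under the fixed list, so only the tunnel traffic changes behaviour.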

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.