pix 525 & bdcom 2621 ipsec error!

pix 525 & bdcom 2621 ipsec error! please help me

=====================================================================
bdcom 2621 router config information:

Current configuration:
!
!version 1.3.2E
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname kaifaqu2
!
enable password 0 ciscobdcom 2621 level 15
!
crypto isakmp key ciscobdcom 2621 10.10.20.138 255.255.255.224
!
crypto isakmp policy 1
 hash md5
 lifetime 28800
!
crypto ipsec transform-set 01 transform-type esp-des esp-sha-hmac
!
crypto map 1 1 ipsec-isakmp
 set peer 10.10.20.138
 set pfs group1
 set transform-set 01
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.55.1 255.255.255.0
 ip address 192.168.56.1 255.255.255.0 secondary
 no ip directed-broadcast
 ip nat inside
!
interface FastEthernet0/1
 ip address 10.10.140.163 255.255.255.240
 no ip directed-broadcast
 crypto map 1
 ip nat outside
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
interface Serial0/3
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route default 10.10.140.161
!
ip access-list standard nat
 permit 192.168.55.0 255.255.255.0
 permit 192.168.56.0 255.255.255.0
!
ip access-list extended 101
 permit ip 192.168.55.0 255.255.255.0 192.168.4.0 255.255.255.0
 permit ip 192.168.55.0 255.255.255.0 192.168.3.0 255.255.255.0
 permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
 permit ip 192.168.55.0 255.255.255.0 192.168.1.0 255.255.255.0
!
ip nat translation max-entries 300
ip nat inside source list nat interface FastEthernet0/1
!

-----------------------------------------------------------------------------------
isakmp information

Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               28800 seconds
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds
==================================================================================

cisco pix 525 information

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list vpn permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list vpn permit ip 192.168.4.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list vpn permit ip 192.168.4.0 255.255.255.0 192.168.56.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 10.10.20.138 255.255.255.224
ip address inside 192.168.255.254 255.255.255.0
ip address DMZ 192.168.254.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 10.10.20.134 192.168.254.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 10.10.20.130 192.168.254.2 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit ip host 10.10.20.134 any
conduit permit ip host 10.10.20.130 any
route outside 0.0.0.0 0.0.0.0 10.10.20.129 1
route inside 192.168.0.0 255.255.255.0 192.168.255.1 1
route inside 192.168.1.0 255.255.255.0 192.168.255.1 1
route inside 192.168.2.0 255.255.255.0 192.168.255.1 1
route inside 192.168.3.0 255.255.255.0 192.168.255.1 1
route inside 192.168.4.0 255.255.255.0 192.168.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 01 esp-des esp-sha-hmac
crypto map 1 1 ipsec-isakmp
crypto map 1 1 match address 100
crypto map 1 1 set pfs
crypto map 1 1 set peer 10.10.140.162
crypto map 1 1 set transform-set 01
crypto map 1 2 ipsec-isakmp
crypto map 1 2 match address 101
crypto map 1 2 set pfs
crypto map 1 2 set peer 10.10.140.163
crypto map 1 2 set transform-set 01
crypto map 1 interface outside
isakmp enable outside
isakmp key ******** address 10.10.140.162 netmask 255.255.255.240
isakmp key ******** address 10.10.140.163 netmask 255.255.255.240
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 28800
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet 192.168.255.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f01f0894bddb743031b7c041072c685d
: end

------------------------------------------------------------------------------------
cisco pix 525 isakmp information

Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               28800 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
==============================================================================================
pix 525 debug information

pixfirewall#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:10.10.140.163, dest:10.10.20.138 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.10.140.163, dest:10.10.20.138 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:10.10.140.163, dest:10.10.20.138 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src 10.10.20.138, dst 10.10.140.163
ISADB: reaper checking SA 0x3845ce4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 10.10.140.163/500 not found - peers:0
======================================================================================

bdcom 2621 show ipsec command information:

Transform set 01: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel }

Interface: FastEthernet0/1
    Crypto map name: 1, local addr. 10.10.140.163

   local  ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   local crypto endpt.: 10.10.140.163, remote crypto endpt.: 10.10.20.138

------------------------------------------------------------------------------------
cisco pix 525 show information

Transform set 01: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },

   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
   current_peer: 10.10.140.163:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 18, #recv errors 0

     local crypto endpt.: 10.10.20.138, remote crypto endpt.: 10.10.140.163
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Reply to
pansin
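As an added example that is not part of the original thread (my own code, not pansin's, Walter Roberson's, or anything shipped by BDCOM or Cisco): a small Python check for the one thing about this pair of configs that can be verified offline, whether the two crypto ACLs are mirror images. Quick Mode carries the proxy identities taken from the initiator's crypto ACL entry, and the responder only builds an SA for an entry it can match with source and destination swapped; Cisco documents the crypto ACLs on both peers as having to be mirror images. The ACL text is transcribed from the two list-101 definitions posted above; the function names and report format are my own. Run on those entries it reports that the four PIX lines toward 192.168.56.0/24 have no counterpart on the BDCOM side, whose list 101 only covers 192.168.55.0/24. That is a Phase 2 problem for the 56.0 subnet and is independent of the Phase 1 failure in the debug output, but it is the kind of asymmetry worth eliminating before chasing the IKE exchange.

```python
"""Crypto ACL mirror check for a site-to-site IPsec pair (added example).

Both PIX 6.3 and the BDCOM router print crypto ACL entries as
'permit ip <src> <src-mask> <dst> <dst-mask>' with dotted subnet masks,
so one parser serves both sides.
"""
import ipaddress
import re

# Transcribed from the thread's posted configs (extended ACL 101 on the
# BDCOM 2621 and access-list 101 on the PIX 525).
BDCOM_ACL_101 = """\
ip access-list extended 101
 permit ip 192.168.55.0 255.255.255.0 192.168.4.0 255.255.255.0
 permit ip 192.168.55.0 255.255.255.0 192.168.3.0 255.255.255.0
 permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
 permit ip 192.168.55.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

PIX_ACL_101 = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.56.0 255.255.255.0
"""

# Anything before 'permit' (the PIX 'access-list 101' prefix, BDCOM
# indentation) is ignored; only the four address/mask fields matter.
PERMIT_RE = re.compile(r"\bpermit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_crypto_acl(text):
    """Return a set of (local_net, remote_net) IPv4Network pairs."""
    pairs = set()
    for line in text.splitlines():
        m = PERMIT_RE.search(line.strip())
        if not m:
            continue
        src, smask, dst, dmask = m.groups()
        # ipaddress accepts 'addr/dotted-mask'; strict=False tolerates
        # host bits set in the address field.
        local = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        remote = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        pairs.add((local, remote))
    return pairs


def mirror_check(side_a, side_b):
    """Return (unmirrored_on_b, unmirrored_on_a).

    unmirrored_on_b: entries of side A for which side B has no exact
    (remote, local) counterpart; unmirrored_on_a: the reverse. Exact
    matching is deliberate: an entry that is only partly covered by the
    peer's ACL still needs a mirror entry to be safe.
    """
    mirror_of_b = {(remote, local) for (local, remote) in side_b}
    mirror_of_a = {(remote, local) for (local, remote) in side_a}
    unmirrored_on_b = sorted(side_a - mirror_of_b, key=str)
    unmirrored_on_a = sorted(side_b - mirror_of_a, key=str)
    return unmirrored_on_b, unmirrored_on_a


def report(name_a, acl_a, name_b, acl_b):
    """One line per unmirrored entry, or a single all-clear line."""
    missing_on_b, missing_on_a = mirror_check(parse_crypto_acl(acl_a),
                                              parse_crypto_acl(acl_b))
    lines = []
    for local, remote in missing_on_b:
        lines.append(f"{name_a} {local} -> {remote}: no mirror on {name_b}")
    for local, remote in missing_on_a:
        lines.append(f"{name_b} {local} -> {remote}: no mirror on {name_a}")
    return lines or ["crypto ACLs are exact mirrors"]


if __name__ == "__main__":
    for line in report("bdcom", BDCOM_ACL_101, "pix", PIX_ACL_101):
        print(line)
```

The same parser works on any PIX 6.x or IOS-style `permit ip` crypto ACL that uses subnet masks; IOS extended ACLs use wildcard masks instead, and those would need the mask inverted before the `ip_network` call.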

In article , pansin wrote:
:pix 525 & bdcom 2621 ipsec error!

When you want the same question to appear in multiple newsgroups, it is best to use "crossposting" instead of separate postings.

I already answered your posting in comp.dcom.sys.cisco but as you posted separately here, I need to answer here as well so that other people know the question has been dealt with.

:PIX Version 6.3(3)

:crypto ipsec transform-set 01 esp-des esp-sha-hmac

That combination of parameters is not supported in modern PIX software versions. If you use DES and you want integrity checking, you must use MD5 instead of SHA.

This limitation does not exist for other encryptions on the PIX.

Note: standard newsgroup posting practices are that you should examine the recent postings of others before posting your own question, as the question may be a FAQ or otherwise recently answered. You posted your question in comp.dcom.sys.cisco, but you would have found the answer in my posting there of yesterday noon-ish, "IPSec VPN Flaws found".


Reply to
Walter Roberson
