Remote VPN
in [Cisco]
|
Prev: ssh configuration
Next: CDP-4-NATIVE_VLAN_MISMATCH
From: Charolette on 18 Sep 2006 00:28 Hi, I have a PIX 506e and i have setup a remote VPN client on the PIX. I have setup up the group name, password and VPN IP Pool. I already have VPN site to site over IPsec on IKE. When i try to connect using the VPN Client i get a 32 11:47:36.634 09/18/06 Sev=Warning/3 IKE/0xA300004B Received a NOTIFY message with an invalid protocol id (0) What is the problem?? thanks
From: [NICK] on 18 Sep 2006 09:00 Can we see your config ? (Remove any sensitive info 1st obviously)
From: Charolette on 18 Sep 2006 19:25 thank you very much for your help. Here is the config on the PIX access-list INSIDE_IN permit icmp 192.168.2.0 255.255.255.0 any access-list INSIDE_IN permit udp host OFTSFAP1 any eq domain access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group ML_Inbound_SMTP eq smtp access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group special_www eq www access-list INSIDE_IN permit udp host OFTSFAP1 object-group OPTUS_NTP eq ntp access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq www access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq https access-list INSIDE_IN remark Testing connnection to Net-2-Net access-list INSIDE_IN permit ip 192.168.2.0 255.255.255.0 host NET2NETSRV access-list INSIDE_IN deny ip any any log access-list OUTSIDE_IN permit tcp object-group ML_Inbound_SMTP host Public_OFTSFAP1 eq smtp access-list OUTSIDE_IN permit tcp host PM_PC host Public_OFTSFAP1 eq 3389 access-list OUTSIDE_IN deny ip any any log access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 HO_VPN_NET 255.255.255.0 access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 VPN_RM 255.255.255.0 access-list outside_cryptomap_20 remark VPN to head office access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 HO_VPN_NET 255.255.255.0 access-list outside_inbound_nat0_acl permit ip HO_VPN_NET 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_inbound_nat0_acl permit ip VPN_RM 255.255.255.0 192.168.2.0 255.255.255.0 access-list OFT_VPN_CL_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any pager lines 24 logging standby mtu outside 1500 mtu inside 1500 ip address outside PIX_OUT_INT 255.255.255.248 ip address inside 192.168.2.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224 nat (outside) 0 access-list outside_inbound_nat0_acl outside nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 3 192.168.2.0 255.255.255.128 0 0 access-group OUTSIDE_IN in interface outside access-group INSIDE_IN in interface inside route outside 0.0.0.0 0.0.0.0 61.88.19.161 1 timeout xlate 0:05:00 timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.2.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5 crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer HO_PIX crypto map outside_map 20 set transform-set ESP-DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp key ******** address HO_PIX netmask 255.255.255.255 no-xauth no-config-mode isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 isakmp policy 30 authentication pre-share isakmp policy 30 encryption des isakmp policy 30 hash sha isakmp policy 30 group 1 isakmp policy 30 lifetime 86400 vpngroup OFT_VPN_CL address-pool VPN_POOL vpngroup OFT_VPN_CL dns-server OFTSFAP1 vpngroup OFT_VPN_CL split-tunnel OFT_VPN_CL_splitTunnelAcl vpngroup OFT_VPN_CL idle-time 1800 vpngroup OFT_VPN_CL password ******** telnet HO_VPN_NET 255.255.255.0 inside telnet 192.168.2.0 255.255.255.224 inside telnet HOST_PC 255.255.255.192 inside telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.2.2-192.168.2.254 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside vpnclient server HO_PIX vpnclient mode network-extension-mode vpnclient vpngroup OFT_VPN password ******** vpnclient username OFT_VPN_User password ******** terminal width 80 Cryptochecksum:0e5ef91744953bfd6679320e8c0fb6c5 The VPN client connects fine to the PIX but there are no decrypted packets and a lot of bypass. Regards
From: Walter Roberson on 19 Sep 2006 00:26 In article <1158621937.294267.221670(a)b28g2000cwb.googlegroups.com>, Charolette <jubbda(a)gmail.com> wrote: >Here is the config on the PIX >ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224 The pool with a mask of .224 ends at .95 not .96 . I would suggest that you use a netmask of 255.255.255.0, and make sure that the first and last addresses implied by the netmask are not listed in the pool. >access-list INSIDE_IN permit icmp 192.168.2.0 255.255.255.0 any >access-list INSIDE_IN permit udp host OFTSFAP1 any eq domain >access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group ML_Inbound_SMTP eq smtp >access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group special_www eq www In your first line, you permit out the full 192.168.2/24, but in the two lines above you only allow yout 192.168.2.0 - 192.168.2.31 . Is that really what you want? If you have made a deliberate decision to confine "hosts that are allowed to contact those services" to that address range, then take note that that address range includes the PIX inside interface, which would you wouldn't normally want to include if you are being particular about what goes out where. >access-list INSIDE_IN permit udp host OFTSFAP1 object-group OPTUS_NTP >eq ntp >access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq www >access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq https If you have allocated a group of hosts starting from HOST_PC and extending to HOST_PC + 63, and that's what you want to allow to access those services, then I would suggest that it is better form to hide the details of the permitted hosts inside an object-group; that way later you they don't have to be contiguous. >access-list INSIDE_IN remark Testing connnection to Net-2-Net >access-list INSIDE_IN permit ip 192.168.2.0 255.255.255.0 host >NET2NETSRV >access-list INSIDE_IN deny ip any any log That denies traffic to the VPN_pool . However, the sysopt you use later allows the VPN to ignore the access lists. >access-list OUTSIDE_IN permit tcp object-group ML_Inbound_SMTP host >Public_OFTSFAP1 eq smtp >access-list OUTSIDE_IN permit tcp host PM_PC host Public_OFTSFAP1 eq >3389 >access-list OUTSIDE_IN deny ip any any log >access-list inside_outbound_nat0_acl permit ip 192.168.2.0 >255.255.255.0 HO_VPN_NET 255.255.255.0 >access-list inside_outbound_nat0_acl permit ip 192.168.2.0 >255.255.255.0 VPN_RM 255.255.255.0 With the information you gave, we cannot tell whether HO_VPN_NET or VPN_RM encompasses VPN_POOL . If one of the two does, notice the netmask inconsistancy compared to the pool definition. >access-list outside_cryptomap_20 remark VPN to head office >access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 >HO_VPN_NET 255.255.255.0 >access-list outside_inbound_nat0_acl permit ip HO_VPN_NET 255.255.255.0 >192.168.2.0 255.255.255.0 >access-list outside_inbound_nat0_acl permit ip VPN_RM 255.255.255.0 >192.168.2.0 255.255.255.0 >nat (outside) 0 access-list outside_inbound_nat0_acl outside Don't try nat 0 against the outside interface: if it does anything at all, it surely won't be whatever you intended. Instead just rely upon the fact that nat (inside) 0 is automatically applied "in reverse" for incoming traffic. >access-list OFT_VPN_CL_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any >ip address outside PIX_OUT_INT 255.255.255.248 >ip address inside 192.168.2.1 255.255.255.0 >ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224 >nat (outside) 0 access-list outside_inbound_nat0_acl outside >nat (inside) 0 access-list inside_outbound_nat0_acl >nat (inside) 3 192.168.2.0 255.255.255.128 0 0 no global (outside) 3 policy... >access-group OUTSIDE_IN in interface outside >access-group INSIDE_IN in interface inside >sysopt connection permit-ipsec >crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac >crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac >crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac >crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5 >crypto map outside_map 20 ipsec-isakmp >crypto map outside_map 20 match address outside_cryptomap_20 >crypto map outside_map 20 set peer HO_PIX >crypto map outside_map 20 set transform-set ESP-DES-SHA Why is your fixed peer using ESP-DES-SHA but your dynamics are using ESP-DES-MD5 ? PIX 6.3 does not support ESP-DES-SHA by the way (if I recall correctly.) It's better to list several transforms in the set, strongest first; then if somehow there becomes a mismatch in support, they can fall back to another transform. >crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map >crypto map outside_map interface outside >isakmp enable outside >isakmp key ******** address HO_PIX netmask 255.255.255.255 no-xauth >no-config-mode >isakmp policy 20 authentication pre-share >isakmp policy 20 encryption des >isakmp policy 20 hash md5 >isakmp policy 20 group 2 >isakmp policy 20 lifetime 86400 >isakmp policy 30 authentication pre-share >isakmp policy 30 encryption des >isakmp policy 30 hash sha >isakmp policy 30 group 1 >isakmp policy 30 lifetime 86400 DES SHA is stronger than DES MD5, so it would be better if it were a lower policy number. >vpngroup OFT_VPN_CL address-pool VPN_POOL >vpngroup OFT_VPN_CL dns-server OFTSFAP1 >vpngroup OFT_VPN_CL split-tunnel OFT_VPN_CL_splitTunnelAcl >vpngroup OFT_VPN_CL idle-time 1800 >vpngroup OFT_VPN_CL password ******** >telnet HO_VPN_NET 255.255.255.0 inside Everything else implies that HO_VPN_NET is outside, but here you have it on the inside. >telnet 192.168.2.0 255.255.255.224 inside >telnet HOST_PC 255.255.255.192 inside >telnet timeout 5 >ssh timeout 5 >console timeout 0 >dhcpd address 192.168.2.2-192.168.2.254 inside ??? You are allowing accidents of DHCP address allocation to determine whether a particular host is allowed particular kinds of inside or outside access (because of the various .224 you use against inside addresses in places) ? And if there are fixed hosts at HOST_PC then they overlap with your dhcpd address pool, unless HOST_PC is in a completely different IP range -- but if it is in a completely different range then the situation can't work without an 'ip route' statement. >vpnclient server HO_PIX >vpnclient mode network-extension-mode >vpnc
|
Pages: 1 Prev: ssh configuration Next: CDP-4-NATIVE_VLAN_MISMATCH |