SonicWall to PIX VPN does not work, could someone help?
Hi all
I'm trying to set up a VPN tunnel between a PIX 506E (firmware 6.3(2)) and a SonicWall Pro firewall. It does not work at the moment. Phase 1 is OK but phase 2 is not: the VPN tunnel is not established and the security association is removed after a minute or two. I enclose below the PIX config and the debug output of an attempt to create the VPN tunnel (slightly modified and cut for confidentiality reasons). The PIX already has two other VPNs configured which work perfectly.
I would be very grateful to anyone who could help me answer the following questions about this VPN configuration:
1. In the debug output, what do the following lines mean?
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
2. In the config, I don't know whether the 3 static commands are necessary and how they might interact... What do you think?
3. In what order do things happen in the PIX when traffic goes from the local network to the remote network through the VPN? Is it NAT, then access-list processing, then VPN? Or access-list processing, then NAT, then VPN? Or another possibility?
4. How can I get it to work?
Thank you very much in advance for any help,
A.G.
########### NAMING #################################
vpnpix1 - the local Cisco PIX
remotevpnpeer - the remote SonicWall firewall
intranet - the local network behind the PIX
remotevpnLAN - the remote network behind the SonicWall
################ CONFIG #############################
PIX Version 6.3(2)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
.../...
hostname vpnpix1
.../...
names
name A.B.C.D vpnpix1-e1
name X.Y.Z.T vpnpix1-e0
name E.F.G.H defaultgw
name 10.0.0.0 intranet
name 192.168.250.0 nat-intranet
name J.K.L.M internetgw
name 10.M.N.P server1
name 10.M.N.Q server2
name 10.M.N.R server3
name 192.168.252.0 remotevpnLAN
name 10.1.71.0 nat-remotevpnLAN
.../...
object-group network server-group
  description servers used by remote LAN users connected through the VPN tunnel
  network-object host server1
  network-object host server2
  network-object host server3
.../...
access-list INCOMING permit tcp nat-remotevpnLAN 255.255.255.0 object-group server-group eq citrix-ica
.../...
access-list OUTBOUND permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
access-list INTRANET-to-remotevpnLAN-VPN permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
access-list SHEEP-to-remotevpnLAN permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
.../...
ip address outside vpnpix1-e0 255.255.255.240
ip address inside vpnpix1-e1 255.255.252.0
.../...
global (outside) 1 192.168.250.1
nat (inside) 0 access-list SHEEP-to-remotevpnLAN
nat (inside) 1 intranet 255.0.0.0 0 0
.../...
static (inside,outside) server1 server1 netmask 255.255.255.255 0 0
static (inside,outside) server2 server2 netmask 255.255.255.255 0 0
static (inside,outside) server3 server3 netmask 255.255.255.255 0 0
static (outside,inside) nat-remotevpnLAN remotevpnLAN netmask 255.255.255.0 0 0
.../...
access-group INCOMING in interface outside
access-group OUTBOUND in interface inside
route outside 0.0.0.0 0.0.0.0 internetgw 1
route inside intranet 255.0.0.0 defaultgw 1
.../...
sysopt connection permit-ipsec
.../...
crypto ipsec transform-set VPN-TS1 esp-3des esp-md5-hmac
.../...
crypto map BusinessPartners 30 ipsec-isakmp
crypto map BusinessPartners 30 match address INTRANET-to-remotevpnLAN-VPN
crypto map BusinessPartners 30 set peer remotevpnpeer
crypto map BusinessPartners 30 set transform-set VPN-TS1
crypto map BusinessPartners interface outside
isakmp enable outside
.../...
isakmp key ******** address remotevpnpeer netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
.../...
: end
################## DEBUG ############################
vpnpix1# debug crypto isakmp
vpnpix1#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1346336108:afc08a94
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:remotevpnpeer/500 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:remotevpnpeer/500 Ref cnt incremented to:1 Total VPN Peers:3
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 1
        spi 0, message ID = 476084314
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1919346690:7266e802
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (0/2)... mess_id 0x7266e802
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (2/3)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (1/4)... mess_id 0x7266e802
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1475513565:a80d7323
ISAKMP (0): deleting SA: src vpnpix1-e0, dst remotevpnpeer
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: msg dropped, sa deleted
ISADB: reaper checking SA 0x10ff1ac, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer ip:remotevpnpeer/500 Ref cnt decremented to:0 Total VPN Peers:3
VPN Peer: ISAKMP: Deleted peer: ip:remotevpnpeer/500 Total VPN peers:2
ISADB: reaper checking SA 0x1100984, conn_id = 0
ISADB: reaper checking SA 0x10fcddc, conn_id = 0
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: sa not found for ike msg
#####################################################
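The debug output in the post above is what a defender usually has to read when a tunnel fails after phase 1. The following script is an added example, not part of the original post or of any Cisco tool: it walks a constructed excerpt modelled on that output, counts the phase 2 retransmissions and unencrypted-message errors, and decodes the ISAKMP notify numbers (14 and 24578) using the values assigned in RFC 2408 and the IPsec DOI in RFC 2407. The decode goes one step beyond the post, since it names the notify the SonicWall returned in Quick Mode; the host names are the post's own placeholders.

```python
import re

# Constructed excerpt modelled on the "debug crypto isakmp" output posted above,
# trimmed to the lines that decide the diagnosis (host names are the post's placeholders).
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1346336108:afc08a94
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 14 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src vpnpix1-e0, dst remotevpnpeer
"""

# ISAKMP notify message types: error types from RFC 2408 section 3.14.1,
# status types (24576 and up) from the IPsec DOI, RFC 2407 section 4.6.3.
NOTIFY_TYPES = {
    14: "NO-PROPOSAL-CHOSEN",
    18: "INVALID-ID-INFORMATION",
    24576: "RESPONDER-LIFETIME",
    24577: "REPLAY-STATUS",
    24578: "INITIAL-CONTACT",
}


def triage_isakmp_debug(text):
    """Summarise how far IKE got: phase 1 state, Quick Mode attempts, notifies, teardown."""
    s = {"phase1_ok": False, "qm_started": False, "p2_retransmits": 0,
         "unencrypted": 0, "notifies_received": [], "notifies_sent": [],
         "sa_deleted": False}
    for line in text.splitlines():
        if "SA has been authenticated" in line:
            s["phase1_ok"] = True                      # Main Mode completed
        elif "beginning Quick Mode exchange" in line:
            s["qm_started"] = True                     # phase 2 proposal sent
        elif "retransmitting phase 2" in line:
            s["p2_retransmits"] += 1                   # no acceptable reply yet
        elif "msg not encrypted" in line:
            s["unencrypted"] += 1                      # peer message dropped
        elif m := re.search(r"processing NOTIFY payload (\d+)", line):
            s["notifies_received"].append(NOTIFY_TYPES.get(int(m.group(1)), m.group(1)))
        elif m := re.search(r"sending NOTIFY message (\d+)", line):
            s["notifies_sent"].append(NOTIFY_TYPES.get(int(m.group(1)), m.group(1)))
        elif "deleting SA" in line:
            s["sa_deleted"] = True                     # ISAKMP SA torn down
    return s


def diagnose(s):
    """Map the summary to the usual next check; order matters (most specific first)."""
    if not s["phase1_ok"]:
        return "phase 1 failed: check pre-shared key, ISAKMP policy and peer address"
    if "NO-PROPOSAL-CHOSEN" in s["notifies_received"]:
        return ("phase 2 rejected by peer (NO-PROPOSAL-CHOSEN): proxy IDs or "
                "transform set do not match on the far end")
    if s["qm_started"] and s["p2_retransmits"]:
        return "phase 2 unanswered: peer is not responding to Quick Mode"
    return "tunnel negotiated"


if __name__ == "__main__":
    summary = triage_isakmp_debug(SAMPLE_DEBUG)
    print(summary)
    print(diagnose(summary))
```

Run against the excerpt it reports phase 1 authenticated, one INITIAL-CONTACT sent, one NO-PROPOSAL-CHOSEN received, two phase 2 retransmissions and the SA deleted; the notify decode is what points at mismatched proxy IDs before any config is re-read.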
Get rid of:
static (outside,inside) nat-remotevpnLAN remotevpnLAN netmask 255.255.255.0 0 0
You don't need it. Change:
access-list OUTBOUND permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
access-list SHEEP-to-remotevpnLAN permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
TO:
access-list OUTBOUND permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
access-list SHEEP-to-remotevpnLAN permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
This ensures the PIX does not NAT the IPsec traffic. NAT happens BEFORE IPsec in the PIX, so if you NAT the IPsec traffic it will never match your crypto access list and will not be encrypted.
This, however, should not stop the phase 2 tunnel from being built; it would only stop traffic flowing over the tunnel, so you still have a problem somewhere. What I'm guessing is that the SonicWall (SW) has a different crypto access list defined; it must be the EXACT OPPOSITE of what is configured on the PIX. In other words, the SW should be encrypting traffic from "remotevpnLAN/24" to "intranet/8"; make sure the subnet masks are the same too.
To answer your questions:
1. It simply means that the PIX has not received a response and is retransmitting the last ISAKMP packet. The process_block line simply means that the PIX has dropped a packet that was to be encrypted because the IPsec tunnel has not been built. If you get the tunnel built, these messages will disappear.
2. The first 3 statics do not appear to be related to the IPsec tunnel; if they are simply there to reach servers inside, then they will not affect this VPN tunnel. The last one should be deleted, as I already said.
3. For traffic initiated from inside the PIX, the order is inbound ACL, then NAT, then IPsec processing. That's why your OUTBOUND ACL must allow the traffic first, then your nat 0 statement keeps it from being NATed, then the crypto map matches the traffic and encrypts it.
4. Do what I said above :-)
If you still have no luck, re-run the debugs but initiate traffic from behind the SonicWall; that way the SonicWall will try to build the tunnel and you will get more debug information on the PIX. Mainly, we'll see what traffic the SonicWall is configured to encrypt (you don't see that if the PIX initiates the tunnel).
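The answer above rests on three checks that are easy to get wrong by hand on a long PIX config: the inside interface ACL must permit the VPN traffic, the nat 0 exemption ACL must list exactly the same network pairs as the crypto map's match ACL (because NAT runs before IPsec), and no static may translate a network that the crypto ACL covers. The script below is an added example, not code from the post or from Cisco: it parses constructed excerpts of the posted config (as posted, and as the answer corrects it) using the post's own "name" table, reports which of the three rules each excerpt breaks, and prints the mirror-image proxy IDs the SonicWall side must carry. Regexes cover only the PIX 6.x command forms that appear in the post.

```python
import ipaddress
import re

# "name" entries copied from the post's config (the X.Y.Z.T-style placeholders
# are not needed for this check).
NAMES = {
    "intranet": "10.0.0.0",
    "remotevpnLAN": "192.168.252.0",
    "nat-remotevpnLAN": "10.1.71.0",
}

# Constructed excerpts: the posted lines the answer says to change, before and after.
ORIGINAL_CONFIG = """\
access-list OUTBOUND permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
access-list INTRANET-to-remotevpnLAN-VPN permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
access-list SHEEP-to-remotevpnLAN permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
nat (inside) 0 access-list SHEEP-to-remotevpnLAN
static (outside,inside) nat-remotevpnLAN remotevpnLAN netmask 255.255.255.0 0 0
access-group OUTBOUND in interface inside
crypto map BusinessPartners 30 match address INTRANET-to-remotevpnLAN-VPN
"""

FIXED_CONFIG = """\
access-list OUTBOUND permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
access-list INTRANET-to-remotevpnLAN-VPN permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
access-list SHEEP-to-remotevpnLAN permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
nat (inside) 0 access-list SHEEP-to-remotevpnLAN
access-group OUTBOUND in interface inside
crypto map BusinessPartners 30 match address INTRANET-to-remotevpnLAN-VPN
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface inside")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")
# PIX 6.x: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask (\S+)")


def to_net(name_or_ip, mask):
    """Resolve a PIX 'name' and build a network from address plus dotted mask."""
    return ipaddress.ip_network(f"{NAMES.get(name_or_ip, name_or_ip)}/{mask}", strict=False)


def parse_config(text):
    """Collect ACL entries, the nat 0 / inside / crypto ACL names, and static pairs."""
    acls, statics = {}, []
    refs = {"nat0": None, "inside_acl": None, "crypto": None}
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((to_net(src, smask), to_net(dst, dmask)))
        elif m := NAT0_RE.match(line):
            refs["nat0"] = m.group(1)
        elif m := GROUP_RE.match(line):
            refs["inside_acl"] = m.group(1)
        elif m := CRYPTO_RE.match(line):
            refs["crypto"] = m.group(1)
        elif m := STATIC_RE.match(line):
            mapped, real, mask = m.groups()
            statics.append((to_net(mapped, mask), to_net(real, mask)))
    return acls, refs, statics


def check_vpn_nat(text):
    """Return a list of findings; an empty list means ACL, NAT and crypto agree."""
    acls, refs, statics = parse_config(text)
    crypto = acls.get(refs["crypto"], [])
    exempt = acls.get(refs["nat0"], [])
    inside = acls.get(refs["inside_acl"], [])
    findings = []
    for src, dst in crypto:
        # Inside-initiated traffic is processed as: interface ACL, then NAT, then IPsec.
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in inside):
            findings.append(f"inside ACL {refs['inside_acl']} does not permit {src} -> {dst}")
        if (src, dst) not in exempt:
            findings.append(f"nat 0 ACL {refs['nat0']} does not exempt {src} -> {dst}; "
                            "NAT runs before IPsec, so the translated packet never matches "
                            f"crypto ACL {refs['crypto']}")
        for mapped, real in statics:
            if any(n.overlaps(src) or n.overlaps(dst) for n in (mapped, real)):
                findings.append(f"static {mapped} <-> {real} translates a network in the "
                                "crypto ACL; IPsec traffic should not be NATed")
    return findings


def mirror_proxy_ids(text):
    """(local, remote) pairs the far-end peer must configure: the exact mirror of the crypto ACL."""
    acls, refs, _ = parse_config(text)
    return [(str(dst), str(src)) for src, dst in acls.get(refs["crypto"], [])]


if __name__ == "__main__":
    for label, cfg in (("as posted", ORIGINAL_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label + ":", check_vpn_nat(cfg) or "OK")
    print("far-end proxy IDs:", mirror_proxy_ids(FIXED_CONFIG))
```

On the posted excerpt it reports all three problems the answer names (the OUTBOUND ACL aimed at the NATed range, the nat 0 ACL not matching the crypto ACL, and the extra static); on the corrected excerpt it reports nothing, and the mirror output (192.168.252.0/24 local, 10.0.0.0/8 remote) is what to compare against the SonicWall's policy, subnet masks included.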
Tags: Cisco Security