Trying to set up an IPSEC VPN to a Linksys BEFSRX1 VPN router and an SSH Sentinel
Cisco config:
PIX Version 6.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ----------------------- encrypted
passwd --------------------------- encrypted
hostname lloil-pix
domain-name *****************
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
access-list outside_in permit icmp any any echo
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any host ***PIX external IP*** eq www
access-list outside_in permit tcp any host ***PIX external IP*** eq pop3
access-list outside_in permit tcp any host ***PIX external IP*** eq pcanywhere-data
access-list outside_in permit udp any host ***PIX external IP*** eq pcanywhere-status
access-list outside_in permit tcp any host ***PIX external IP*** eq 5900
access-list outside_in permit udp any host ***PIX external IP*** eq 8767
access-list outside_in permit tcp any host ***PIX external IP*** eq 10888
access-list outside_in permit tcp any host ***PIX external IP*** eq 17900
access-list outside_in permit tcp any host ***PIX external IP*** eq 30230
access-list outside_in permit tcp any host ***PIX external IP*** eq smtp
access-list outside_in permit tcp any host ***PIX external IP*** eq 17888
access-list outside_in permit tcp any host ***PIX external IP*** eq 17889
access-list no-nat permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat permit ip any 10.1.1.0 255.255.255.0
access-list split-tunnel permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_dyn_24 permit ip any 10.1.1.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside ***PIX external IP*** 255.255.255.252
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.1.1.1-10.1.1.254
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 10.0.0.3 255.255.255.255 inside
pdm location 10.0.0.9 255.255.255.255 inside
pdm location 10.0.0.18 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 10.0.0.2 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10888 10.0.0.3 10888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17900 10.0.0.3 17900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 30230 10.0.0.3 30230 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data 10.0.0.18 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 10.0.0.18 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) udp interface 8767 10.0.0.3 8767 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17888 10.0.0.9 17888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17889 10.0.0.9 17889 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***T1 Router*** 1
timeout xlate 8:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http ***DNS Addy*** 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 3 set pfs group2
crypto dynamic-map dynmap 3 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto dynamic-map dynmap 4 set transform-set strong-des
crypto dynamic-map dynmap 24 match address outside_cryptomap_dyn_24
crypto dynamic-map dynmap 24 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic dynmap
crypto map partner-map client configuration address initiate
crypto map partner-map client configuration address respond
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 28 authentication pre-share
isakmp policy 28 encryption 3des
isakmp policy 28 hash sha
isakmp policy 28 group 2
isakmp policy 28 lifetime 14400
vpngroup lloc address-pool vpn-pool
vpngroup lloc dns-server 10.0.0.9
vpngroup lloc wins-server 10.0.0.1
vpngroup lloc default-domain LLOC
vpngroup lloc split-tunnel split-tunnel
vpngroup lloc idle-time 14400
vpngroup lloc password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:1beffd7aabfedd8a10e850f99371f61e
: end
lloil-pix#
IKE configs with 3DES-MD5 with a preshared key do not connect.
SSH Sentinel Logs:
IP; Start isakmp sa negotiation
IP; Version = 1.0, Input packet fields = 0000
IP; Encode packet, version = 1.0, flags = 0x00000000
IP; Packet to old negotiation
IP; Version = 1.0, Input packet fields = 0001 SA
IP; Encode packet, version = 1.0, flags = 0x00000000
IP; Packet to old negotiation
IP; Version = 1.0, Input packet fields = 0412 KE NONCE VID
: Received vendor id `09 00 26 89 df d6 b7 12' from No Id (server *** PIX External (outside) IP ***:500)
: Received vendor id `12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00' from No Id (server *** PIX External (outside) IP ***:500)
: Received vendor id `af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00' from No Id (server *** PIX External (outside) IP ***:500)
: Received vendor id `37 14 c7 d8 b7 09 c3 75 15 98 65 f7 cb 4f 0f 13' from No Id (server *** PIX External (outside) IP ***:500)
IP; Diffie-hellman secret g^xy[128] = 0xa134e114 4618f21b f4375a7a 0f10887e afabe92a 02641cae 19e00686 71c84b1b 3890e424 b2e7b6c3 3adf5b93 a5fde0e5 f427a06d b8d397cd 55543b83...
IP; Hash algorithm = hmac-md5
IP; Prf key[8] = 0x71696b6e 657a3034
IP; Calculating SKEYID
IP; Output of SKEYID hash[16] = 0x1470d078 2ea9b5f0 a0d8b0f3 79e7ab84
IP; Output of SKEYID_d hash[16] = 0xaf95e9a6 5f7d069b 0ef00985 77a62e45
IP; Output of SKEYID_a hash[16] = 0x96be013a 2bacc18f 19c62922 a6c421be
IP; Output SKEYID_e hash[16] = 0x2acc5963 1eb46724 33b3c0c7 a45ffe59
IP; Final encryption key[24] = 0xdd0de3aa 11ee7054 61791564 e0e7e2ba 851445c4 5ff78cb1
IP; Output of HASH_I hash[16] = 0xf1bcb6fc 1999b521 9a0c3eb7 5727d792
IP; Encode packet, version = 1.0, flags = 0x00000001
IP; Packet to old negotiation
IP; Warning, junk after packet len = 64, decoded = 56
IP; Version = 1.0, Input packet fields = 0024 ID HASH
IP; Output of HASH_R hash[16] = 0xfc080ef0 69d4af6a 4ae14c35 a64847b6
IP; dec->enc iv[8] = 0xfa7259fd 0f3459eb
IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = md5, prf = hmac-md5, life = 0 kB / 14400 sec, key len = 0, group = 2
: Phase-1 [initiator] between ipv4(udp:500,[0..3]=192.168.1.100) and fqdn(udp:500,[0..27]=*** PIX FIREWALL ID ***) done.
QM; Start ipsec sa negotiation
QM; Version = 1.0, Input packet fields = 0000
QM; Output of phase 2 IV hash[8] = 0x7279b6e9 1f579f42
QM; Encode packet, version = 1.0, flags = 0x00000001
QM; HASH hash .= M-ID[4] = 0x40b20a05
QM; HASH hash .= rest of packet[840] = 0x0a000294 00000001 00000001 02000034 01030401...
QM; Output of HASH hash[16] = 0x3d0c0670 3cfc5c09 71b71da5 f1f9b086
IP; Connected
IP; Version = 1.0, Input packet fields = 0024 ID HASH
IP; Connected
CFG; New negotiation
CFG; Output of phase 2 IV hash[8] = 0xdf6a7c11 e77fbf23
CFG; Version = 1.0, Input packet fields = 0820 HASH
CFG; HASH hash .= M-ID[4] = 0x5f9b5d05
CFG; HASH hash .= rest of packet[8] = 0x00000008 03000000
CFG; Output of HASH hash[16] = 0xadd4c1a9 51637147 5b3efbc1 70a86123
CFG; MESSAGE: CFG Mode wait done
CFG; Encode packet, version = 1.0, flags = 0x00000001
CFG; HASH hash .= M-ID[4] = 0x5f9b5d05
CFG; Output of HASH hash[16] = 0x3d2a8339 37d59a19 909403e0 4c0d2c58
CFG; Connected
DEBUG: unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = *** PIX External (outside) IP ***:500
QM; Retransmitting packet, retries = 5
IP; Removing negotiation
IP; Deleting negotiation
: Phase-2 [initiator] for ipv4(icmp:0,[0..3]=192.168.1.100) and ipv4(icmp:0,[0..3]=10.1.1.1) failed; Aborted notification.
Anyone spot what I'm doing wrong?
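An added triage helper for SSH Sentinel IKE logs like the one quoted above; this is editor-added code, not the poster's or SSH Sentinel's. The log excerpt is constructed from the quoted lines (the PIX FQDN is a placeholder, since the post redacts it), and the verdict strings are a reading of the phases: Phase 1 completing means the ISAKMP policy and pre-shared key matched, so a Quick Mode that only retransmits points at the IPsec (Phase 2) parameters.

```python
import re

# Constructed excerpt of an SSH Sentinel IKE log, modelled on the lines quoted in the post
# (the PIX FQDN "pix.example" is a placeholder; the post redacts it).
SAMPLE_LOG = """\
IP; Start isakmp sa negotiation
IP; Version = 1.0, Input packet fields = 0412 KE NONCE VID
IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = md5, prf = hmac-md5, life = 0 kB / 14400 sec, key len = 0, group = 2
: Phase-1 [initiator] between ipv4(udp:500,[0..3]=192.168.1.100) and fqdn(udp:500,[0..10]=pix.example) done.
QM; Start ipsec sa negotiation
QM; Encode packet, version = 1.0, flags = 0x00000001
CFG; New negotiation
CFG; MESSAGE: CFG Mode wait done
CFG; Connected
QM; Retransmitting packet, retries = 5
IP; Removing negotiation
: Phase-2 [initiator] for ipv4(icmp:0,[0..3]=192.168.1.100) and ipv4(icmp:0,[0..3]=10.1.1.1) failed; Aborted notification.
"""

# Sentinel prints the agreed Phase 1 parameters on a single MESSAGE line.
PHASE1_RE = re.compile(
    r"MESSAGE: Phase 1 .*cipher = (?P<cipher>[\w-]+), hash = (?P<hash>\w+), "
    r"prf = [\w-]+, life = (?P<life>[^,]+), key len = \d+, group = (?P<group>\d+)")
RETRANS_RE = re.compile(r"Retransmitting packet, retries = (?P<n>\d+)")
PHASE2_FAIL_RE = re.compile(
    r"Phase-2 \[\w+\] for (?P<local>ipv4\([^)]*\)) and (?P<remote>ipv4\([^)]*\)) failed")


def triage(log_text):
    """Reduce a Sentinel IKE log to how far the negotiation got and why it stopped."""
    s = {"phase1_done": False, "phase1_params": None, "cfg_mode_done": False,
         "qm_retries": 0, "phase2_failed": False, "phase2_selectors": None}
    for line in log_text.splitlines():
        if m := PHASE1_RE.search(line):
            s["phase1_params"] = {k: m.group(k).strip() for k in ("cipher", "hash", "life", "group")}
        elif "Phase-1 [" in line and line.rstrip().endswith("done."):
            s["phase1_done"] = True
        elif line.startswith("CFG;") and "Connected" in line:
            s["cfg_mode_done"] = True
        elif m := RETRANS_RE.search(line):
            s["qm_retries"] = max(s["qm_retries"], int(m.group("n")))
        elif m := PHASE2_FAIL_RE.search(line):
            s["phase2_failed"] = True
            s["phase2_selectors"] = (m.group("local"), m.group("remote"))
    # Verdict: a completed Phase 1 rules out the ISAKMP policy and pre-shared key,
    # so a Quick Mode that only retransmits points at the IPsec (Phase 2) side.
    if not s["phase1_done"]:
        s["verdict"] = "Phase 1 did not complete: check ISAKMP policy and pre-shared key"
    elif s["phase2_failed"] and s["qm_retries"]:
        s["verdict"] = ("Phase 1 and CFG mode completed; Quick Mode retransmitted %d times "
                        "and Phase 2 was aborted: compare IPsec transform-set, PFS and "
                        "traffic selectors on both peers" % s["qm_retries"])
    elif s["phase2_failed"]:
        s["verdict"] = "Phase 2 rejected by peer: compare IPsec proposals"
    else:
        s["verdict"] = "negotiation completed"
    return s


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```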