Connecting 506e to a non cisco device. HELP (=
18 years 11 months ago #12061
by Bublitz
Connecting 506e to a non cisco device. HELP (= was created by Bublitz
I cannot spark up a VPN with a Nortel device. The peer IP is 206.210.222.130. Here is my VPN setup to connect to them, dyn-map 5. The IT guy at the other end swears up and down that our device's WAN IP doesn't even show up in the log to even try and spark up a VPN connection.
We have a vpn setup with 4 other locations all using 506e devices. So I used the same format.
Can anyone see anything wrong with the way its setup and or know why our device hasn't even contacted their device?
VPN ACL
access-list outside_cryptomap_5 permit ip host 172.25.2.190 host 172.18.50.4
access-list outside_cryptomap_5 permit ip host 172.25.2.190 host 172.20.20.23
access-list outside_cryptomap_5 permit ip host 172.25.2.191 host 172.18.50.4
access-list outside_cryptomap_5 permit ip host 172.25.2.191 host 172.20.20.23
access-list outside_cryptomap_5 permit ip host 172.25.2.192 host 172.18.50.4
access-list outside_cryptomap_5 permit ip host 172.25.2.192 host 172.20.20.23
Network settings
ip address outside 75.40.26.58 255.255.255.248
ip address inside 172.25.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 105
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 75.40.26.59 172.25.2.10 netmask 255.255.255.255 0 0
access-group outside_int in interface outside
rip outside default version 2 authentication md5 jabber67 1
route outside 0.0.0.0 0.0.0.0 75.40.26.62 1
Ipsec Settings
crypto ipsec transform-set transform1 esp-3des esp-sha-hmac
crypto ipsec transform-set transform2 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 match address 100
crypto dynamic-map cisco 1 set transform-set transform1
crypto map dyn-map 5 ipsec-isakmp
crypto map dyn-map 5 match address outside_cryptomap_5
crypto map dyn-map 5 set peer 206.210.222.130
crypto map dyn-map 5 set transform-set transform2
crypto map dyn-map 25 ipsec-isakmp
crypto map dyn-map 25 match address outside_cryptomap_25
crypto map dyn-map 25 set peer 64.231.149.131
crypto map dyn-map 25 set transform-set transform1
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 206.210.222.130 netmask 255.255.255.255
isakmp key ******** address 64.231.149.131 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
The Bublitz
Systems Admin
Hospice of the Red River Valley
18 years 10 months ago #12248
by TheeGreatCornholio
Replied by TheeGreatCornholio on topic Re: Connecting 506e to a non cisco device. HELP (=
Bublitz,
Well, for the most part, it looks ok. I've got three things for you:
1- add the no-config-mode & no-xauth to the end of the isakmp key statement for the 206 peer address like you have for the other one... that can't hurt.
2- your nat 0 references ACL 105. What does that look like? If ACL 105 doesn't have statements in it that are close to or identical to your ACL called "outside_cryptomap_5", then the PIX will NAT that traffic through the NAT 1 group, and it will miss the tunnel completely.
3- have you captured any logging from the PIX while attempting to bring up the tunnel? This would be helpful too in pinpointing the source of the problem...
tGc
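Point 2 above is the classic PIX pitfall: a flow listed in the crypto ACL but absent from the nat 0 ACL gets translated by the nat 1 / global pair and never reaches the tunnel. The following check is an added example (not code from this thread or from Cisco): it parses the host/host ACL lines in the format posted above and reports crypto-ACL flows that the nat 0 ACL does not exempt. The sample config is constructed, with a hypothetical ACL 105 that is missing one entry.

```python
import re
from typing import Dict, List, Optional, Set, Tuple
# PIX 6.x ACL entry in the host/host form used in this thread; other forms are skipped.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)$")
# nat (inside) 0 access-list NAME: traffic matching NAME is exempt from translation.
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")
Flow = Tuple[str, str]  # (source host, destination host)

def parse_acls(config: str) -> Dict[str, Set[Flow]]:
    acls: Dict[str, Set[Flow]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
    return acls

def nat0_acl_name(config: str) -> Optional[str]:
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            return m.group(1)
    return None

def flows_missing_from_nat0(config: str, crypto_acl: str) -> List[Flow]:
    """Crypto-ACL flows the nat 0 ACL does not exempt. Those packets fall through to the
    'nat (inside) 1' / 'global (outside) 1 interface' pair, get a translated source
    address and therefore never match the crypto map's ACL."""
    acls = parse_acls(config)
    exempt_name = nat0_acl_name(config)
    exempt = acls.get(exempt_name, set()) if exempt_name else set()
    return sorted(acls.get(crypto_acl, set()) - exempt)

# Constructed sample: four of the thread's crypto ACL entries and a hypothetical ACL 105
# that is missing one of them, to show what the check reports.
SAMPLE = """
access-list outside_cryptomap_5 permit ip host 172.25.2.190 host 172.18.50.4
access-list outside_cryptomap_5 permit ip host 172.25.2.190 host 172.20.20.23
access-list outside_cryptomap_5 permit ip host 172.25.2.191 host 172.18.50.4
access-list outside_cryptomap_5 permit ip host 172.25.2.191 host 172.20.20.23
access-list 105 permit ip host 172.25.2.190 host 172.18.50.4
access-list 105 permit ip host 172.25.2.190 host 172.20.20.23
access-list 105 permit ip host 172.25.2.191 host 172.18.50.4
nat (inside) 0 access-list 105
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

if __name__ == "__main__":
    print(flows_missing_from_nat0(SAMPLE, "outside_cryptomap_5"))
```

Run it against a pasted `show run` and an empty list means every crypto-ACL flow is NAT-exempt.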
18 years 10 months ago #12512
by Bublitz
Replied by Bublitz on topic Re: Connecting 506e to a non cisco device. HELP (=
ACL 105 has
permit ip host 172.25.2.190 host 172.18.50.4
permit ip host 172.25.2.190 host 172.20.20.23
permit ip host 172.25.2.191 host 172.18.50.4
permit ip host 172.25.2.191 host 172.20.20.23
permit ip host 172.25.2.192 host 172.18.50.4
permit ip host 172.25.2.192 host 172.20.20.23
basically the same thing as my crypto ACL.
The SonicWall I'm trying to connect to gives me this error:
IKE Iniator: Recieved notify. NO_PROPOSAL_CHOSEN
I've checked the settings on the PIX and the SonicWall; they appear to be the same. I can't figure out why it's not working.
The Bublitz
Systems Admin
Hospice of the Red River Valley
18 years 10 months ago #12513
by Bublitz
Replied by Bublitz on topic Re: Connecting 506e to a non cisco device. HELP (=
What commands would I use to see debugging or logging via telnet? Can it be filtered to show only debugging for this particular VPN connection?
The Bublitz
Systems Admin
Hospice of the Red River Valley
18 years 10 months ago #12516
by TheeGreatCornholio
Replied by TheeGreatCornholio on topic Re: Connecting 506e to a non cisco device. HELP (=
Bublitz,
Ok, so that log message you mentioned indicates a possible Phase 1 initiation issue... In English, it's telling you that there is no match with the peer's ISAKMP defined parameters. So, let's assume for kicks & giggles that this SonicWall you are connecting to has this ISAKMP policy defined:
Auth Preshare
encr = 3DES
hash = SHA
DH Group = 1
Your PIX has two defined ISAKMP Policies:
3des, sha, DH2
3des, md5, DH1
No match.
Why? One side can't be group 1 and the other group 2. It has to match. Now, this is a mere guess as to what the other side is configured with, but it does illustrate the fact that both sides need to match. The SonicWall may not 'show' you all that the PIX will, and you may have to guess on some of the settings. I'd try setting DH1 with 3DES and SHA1 as a new policy on the PIX and see if that helps... Some of the older SOHO devices don't support DH group 2.
On the PIX, you can use the | (pipe) symbol with the include command to filter down on some of the buffer logs in a telnet session. For example, if you wanted to see anything logged with the text IKE in it, you would do:
show logg | include IKE
Hope this helps!
tGc
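The Phase 1 matching rule described in this reply, written out as an added example (not code from the thread or from Cisco or SonicWall): it parses the two `isakmp policy` sets from the PIX config posted above, fills in PIX 6.x defaults for unset attributes, and models the responder's proposal selection. The SonicWall policy is the hypothetical one from the reply, and `None` stands for the NO_PROPOSAL_CHOSEN notify.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
@dataclass(frozen=True)
class IkePolicy:
    auth: str      # pre-share or rsa-sig
    encr: str      # des or 3des
    hash_alg: str  # sha or md5
    group: int     # Diffie-Hellman group 1 or 2

# PIX 6.x defaults for attributes a policy leaves unset; lifetime is not compared (it need not be equal).
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}

def parse_pix_isakmp_policies(config: str) -> List[IkePolicy]:
    """Collect 'isakmp policy <prio> <attr> <value>' lines, lowest priority number first."""
    raw: Dict[int, Dict[str, str]] = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) == 5 and p[:2] == ["isakmp", "policy"]:
            raw.setdefault(int(p[2]), {})[p[3]] = p[4]
    policies = []
    for prio in sorted(raw):
        a = {**DEFAULTS, **raw[prio]}
        policies.append(IkePolicy(a["authentication"], a["encryption"], a["hash"], int(a["group"])))
    return policies

def negotiate(responder: List[IkePolicy], initiator: List[IkePolicy]) -> Optional[IkePolicy]:
    """Responder walks its policies in priority order and accepts the first one the initiator
    also offers; auth, encryption, hash and DH group must all be equal. None = NO_PROPOSAL_CHOSEN."""
    offered = set(initiator)
    for policy in responder:
        if policy in offered:
            return policy
    return None
# Constructed sample: the two ISAKMP policies from the PIX config posted in this thread.
PIX_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
# The hypothetical SonicWall policy from the reply: pre-share, 3DES, SHA, DH group 1.
SONICWALL = [IkePolicy("pre-share", "3des", "sha", 1)]
def demo() -> Optional[IkePolicy]:
    return negotiate(parse_pix_isakmp_policies(PIX_CONFIG), SONICWALL)
```

Appending a third PIX policy with pre-share, 3des, sha and group 1 to the parsed list makes `negotiate` return that policy instead of `None`, which is exactly the fix suggested above.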
18 years 10 months ago #12529
by Bublitz
Replied by Bublitz on topic Re: Connecting 506e to a non cisco device. HELP (=
Ok I used the Wizard to configure this tunnel.
During the setup.
IKE Policy
Enc 3des
auth MD5
DH G 2
Transform Set
enc 3des
auth md5
(no option for DH group) On my SonicWall I can configure the phase 1 and 2 DH group, so I'm not sure what it's supposed to be.
I'm really not sure on the PIX which one of these is phase 1 or 2: IKE policy or transform set?
So on my SonicWall I added all these options, except I put DH group 2 on both phase 1 and phase 2 negotiation.
Also I'd like to add that during the wizard setup I have to add a source or inside local IP address to an outside local IP address for the tunnel. On my SonicWall all I do is add the outside local IPs of the Cisco PIX I'm connecting to. I do not add inside local IPs for the tunnel; the whole LAN is usable. I hope I explained that right hehe
The Bublitz
Systems Admin
Hospice of the Red River Valley