Date: Mon, 13 Jan 2003 16:40:58 -0200 From: "Daniel C. Sobral" <dcs@tcoip.com.br> To: Bob Bishop <rb@gid.co.uk> Cc: current@FreeBSD.ORG Subject: Re: FAST_IPSEC/racoon vs CISCO PIX anyone? Message-ID: <3E23083A.6060802@tcoip.com.br> In-Reply-To: <4.3.2.7.2.20030113120239.03397190@gid.co.uk> References: <4.3.2.7.2.20030113120239.03397190@gid.co.uk> <4.3.2.7.2.20030113120239.03397190@gid.co.uk> <4.3.2.7.2.20030113170059.033a0198@gid.co.uk>
Bob Bishop wrote:
> At 16:09 13/1/03, Daniel C. Sobral wrote:
>
> > Bob Bishop wrote:
> >
> >> Hi,
> >>
> >> Problems interworking this combination, with ESP tunnel. SA gets
> >> negotiated OK, but ESP packets get rejected by the PIX: it says "host
> >> not found a.b.c.d" where a.b.c.d is its own endpoint address, and sends
> >> "invalid SPI" back to our end, even though the SPI on the rejected ESP
> >> packet is the one just negotiated.
> >>
> >> This is RC2, racoon-20021120a. FWIW the same problem occurs on 4.7 with
> >> 'ordinary' IPSEC too.
> >>
> >> Any suggestions? TIA
> >
> >
> > Well, this question can be silly, especially if you have already
> > established tunnels before, but... Did you negotiate a SA for each
> > direction?
>
>
> Yes, symmetrically. And we have done this stuff before (but not to a PIX).
Ok. Well, I don't _use_ Pix/Cisco, but we have some tunnels to both from
an isakmpd-based software.
Below is a configuration used on a Pix-using site. "Remote" refers to
us, and "Local" to the Pix. Personally, I think some lines are rather
dubious. It's better to have _them_ initiate the tunnel negotiation, and
debug to see exactly what they are proposing. Any difference will cause
problems. The most common difference is Pix users defining the
access-list of the tunnel just like the firewall rule. Since my side
only negotiates protocol IP, this causes problems when the rules on their
side are for TCP tunnels, ICMP tunnels, etc. The first rule of the
access-list here doesn't seem strictly necessary, as long as there is a
rule enabling UDP port 500 and ESP between the gateways.
name <remote-ip> GatewayRemote
name <local-ip> GatewayLocal
access-list tunnel_specification permit ip host GatewayLocal host GatewayRemote
access-list tunnel_specification permit ip host EndPointLocal host EndPointRemote
isakmp enable outside (Is that the interface??? I don't know)
isakmp key SHAREDSECRET address GatewayRemote netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-shared
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 864000
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address tunnel_specification
crypto map outside_map 20 set peer GatewayRemote
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4500
--
Daniel C. Sobral (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br
Daniel.Sobral@tcoip.com.br
dcs@tcoip.com.br
Outros:
dcs@newsguy.com
dcs@freebsd.org
capo@notorious.bsdconspiracy.net
Men are superior to women.
-- The Koran
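For the FreeBSD/racoon end of such a tunnel, the following is an added example of the matching configuration; it is not part of the original message and is not taken from racoon's or Cisco's documentation. It mirrors the PIX policy posted above line for line (pre-shared key, des/sha, DH group 2, ISAKMP lifetime 864000 s, IPsec SA lifetime 3600 s) and uses protocol "any" selectors, which is what the PIX access-list's "permit ip host ... host ..." proposes. The file paths, the <...> address placeholders and the psk.txt layout are assumptions.

```conf
# /usr/local/etc/racoon/racoon.conf (assumed path; racoon-2002xxxx syntax)
# psk.txt holds one line per peer:  <remote-ip> SHAREDSECRET
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1: mirrors "isakmp policy 20" on the PIX.
remote <remote-ip> {
        exchange_mode main;                  # PIX pre-shared peers negotiate main mode
        my_identifier address;               # identify by gateway address, as the PIX "set peer" expects
        lifetime time 864000 sec;            # = isakmp policy 20 lifetime 864000
        proposal {
                encryption_algorithm des;                # = isakmp policy 20 encryption des
                hash_algorithm sha1;                     # = isakmp policy 20 hash sha
                authentication_method pre_shared_key;    # = isakmp policy 20 authentication pre-shared
                dh_group 2;                              # = isakmp policy 20 group 2
        }
}

# Phase 2: the selectors must equal the PIX access-list entry, i.e. host-to-host
# with protocol IP ("any" here). If the PIX side were written as "permit tcp ..."
# the PIX would propose protocol 6 and this "any" sainfo would not match it; that
# is the per-protocol access-list mismatch described in the message above.
sainfo address <local-endpoint>/32 any address <remote-endpoint>/32 any {
        lifetime time 3600 sec;                  # = set security-association lifetime seconds 3600
        encryption_algorithm des;                # = transform-set ESP-DES-SHA (esp-des)
        authentication_algorithm hmac_sha1;      # = transform-set ESP-DES-SHA (esp-sha-hmac)
        compression_algorithm deflate;
}

# Kernel SPD on the FreeBSD gateway, loaded with "setkey -f <file>" (same for
# IPSEC on 4.x and FAST_IPSEC on 5.x): tunnel-mode ESP, one entry per direction,
# upper-layer protocol "any" to match the "permit ip" on the PIX.
# spdflush;
# spdadd <local-endpoint>/32 <remote-endpoint>/32 any -P out ipsec esp/tunnel/<local-ip>-<remote-ip>/require;
# spdadd <remote-endpoint>/32 <local-endpoint>/32 any -P in  ipsec esp/tunnel/<remote-ip>-<local-ip>/require;
```

Run racoon in the foreground with debugging (racoon -F -d -f /usr/local/etc/racoon/racoon.conf) while the PIX initiates, and compare the proxy IDs it proposes in phase 2 with the sainfo selectors: the source and destination prefixes and the upper-layer protocol have to agree on both sides, and the SPD's src/dst/protocol must agree with the sainfo as well, or the kernel will not install the negotiated SA for that traffic.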
