6 Replies Latest reply on Feb 8, 2010 9:06 AM by rcamm

    IPSec to CISCO Concentrator

    garyeck

      I need to set up a IPSec with a Cisco Concentrator. I'm looking for a white paper to help me with this.

      There used to be a web site where all the Snapgear white papers were available - is this still available somewhere?

      Thanks!

      Gary

        • 1. Re: IPSec to CISCO Concentrator

          The McAfee UTM Firewall is certified by the Virtual Private Network Consortium, better known as VPNC:

          http://www.vpnc.org/

          As such, interoperability with other vendors is tested and configuration documentation is listed at

          http://www.vpnc.org/InteropProfiles/

          You are after:

          http://www.vpnc.org/InteropProfiles/McAfeeSnapGear-interop.pdf

          and

          http://www.vpnc.org/InteropProfiles/cisco-3000.pdf

          • 2. Re: IPSec to CISCO Concentrator
            garyeck

            With the 3000 Concentrator, we are set up to use

            XXX Public IP : aaa.bbb.ccc.ddd

            XXX Private LAN  Network: 192.168.202.0/28

            Preshared Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

            Authentication:  ESP/MD5/HMAC-128

            Encryption:  3DES-168

            IKE Proposal:  IKE-3DES-MD5

             

            On the SG560, I have

            Local Interface: default gateway interface
            Keying: Main Mode (IKE)
            Local address: static IP address
            Remote address: static IP address
            Authentication: Preshared Secret
            Initiate Tunnel Negotiation: Checked
            Optional Endpoint ID: (none)
            IP Payload Compression: Unchecked
            IPSec offload device: none
            Dead Peer Detection: unchecked
            Initiate Phase 1 & 2 rekeying: checked
            Remote party's IP address: aaa.bbb.ccc.ddd
            Optional Endpoint ID: (blank)
            Key lifetime: 480
            Rekey margin: 10
            Rekey fuzz: 100
            Preshared Secret:xxxxxxxxxxxxxxxx
            Phase 1 Proposal: 3DES-MD5-Diffie Hellman Group 2 (1024 bit)
            Local Network    Remote Network
            159.61.35.78/32   192.168.202.0/28
            Key lifetime: 480
            Phase 2 Proposal: 3DES-MD5
            Perfect Forward Secrecy: unchecked

             

            The tunnel comes up stuck in "Negotiating Phase 2"

            Connection Details:

            000 "DisCorp2": 159.61.35.78/32===209.239.96.78---209.239.96.77...216.57.222.135===192.168.202.0/28
            000 "DisCorp2":   ike_life: 480s; ipsec_life: 480s; rekey_margin: 10s; rekey_fuzz: 100%; keyingtries: 0
            000 "DisCorp2":   policy: PSK+ENCRYPT+TUNNEL; interface: eth1; trap erouted
            000 "DisCorp2":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
            000 "DisCorp2":   IKE algorithms wanted: 5_000-1-2, flags=-strict
            000 "DisCorp2":   IKE algorithms found:  5_192-1_128-2,
            000 "DisCorp2":   ESP algorithms wanted: 3_000-1, flags=-strict
            000 "DisCorp2":   ESP algorithms loaded: 3/168-1/128,
            Negotiation State:
            000 #64: "DisCorp2" STATE_QUICK_I1 (sent QI1, expecting QR1); born:0s; EVENT_RETRANSMIT in 26s

             

            Anyone see anything?

            (BTW, the client's LAN subnet is 159.61.35.67, but they don't want to change all the nodes after we put it behind a NAT device).

            I've enclosed a LOG file

            • 3. Re: IPSec to CISCO Concentrator

              The logs indicate that the UTM thinks phase 1 is up, and is getting no response to our phase 2 packets.

              This means the Cisco either thinks phase 1 is not up, or phase 2 is being rejected due to incorrect matching parameters.

              What does the Cisco think the current status is?

              • 4. Re: IPSec to CISCO Concentrator
                garyeck

                I got the CISCO guy to send some of the errors:

                 

                -------

                28461 02/02/2010  09:32:21.740 SEV=4 IKEDBG/97 RPT=37756 209.239.96.78
                Group  [209.239.96.78]
                QM  FSM error (P2 struct &0xb5a4278, mess id 0xa3cf65c)!

                28462 02/02/2010  09:32:21.740 SEV=6 IKE/1 RPT=37421 209.239.96.78
                Group  [209.239.96.78]
                Removing peer from  correlator table failed, no match!

                28463 02/02/2010  09:32:21.740 SEV=4 AUTH/23 RPT=34201 209.239.96.78
                User [209.239.96.78] Group  [209.239.96.78] disconnected: duration: 0:00:32

                28464 02/02/2010  09:32:21.740 SEV=4 AUTH/85 RPT=34201
                LAN-to-LAN tunnel to headend  device 209.239.96.78 disconnected: duration: 0:00:32

                28466 02/02/2010  09:32:21.740 SEV=9 IPSECDBG/6 RPT=59379
                IPSEC key message parse -  msgtype 2, len 274, vers 1, pid 00000000, seq 0, err 0
                ,  type 2, mode 0, state 32, label 0, pad 0, spi 0x2f6a53de, encrKeyLen 0,  hashKe
                yLen 0, ivlen 0, alg 0,  hmacAlg 0, lifetype 0, lifetime1 1241144, lifetime2 0, d
                sId  0

                28470 02/02/2010  09:32:21.750 SEV=9 IPSECDBG/1 RPT=48495
                Processing KEY_DELETE  msg!

                28471 02/02/2010  09:32:21.750 SEV=7 IPSECDBG/1 RPT=48496
                Could not find assigned  address for tunnel!

                28472 02/02/2010  09:32:24.250 SEV=7 IPSECDBG/10 RPT=10057
                IPSEC ipsec_output() can  call key_acquire() because 5 seconds have elapsed since
                last IKE negotiation began  (src 0xc0a8ca0b, dst 0x0489db74)

                28474 02/02/2010  09:32:24.250 SEV=7 IPSECDBG/14 RPT=10404
                Sending KEY_ACQUIRE to IKE  for src 192.168.202.11, dst 10.5.91.2

                28475 02/02/2010  09:32:24.250 SEV=4 IKE/41 RPT=51428 209.239.96.78
                IKE  Initiator: New Phase 1, Intf 2, IKE Peer 209.239.96.78
                local Proxy Address  192.168.202.0, remote Proxy Address 10.5.91.0,
                SA  (L2L: HO1774)

                • 5. Re: IPSec to CISCO Concentrator
                  garyeck

                  Ross, did you have a chance to look at the log from the CISCO concentrator?

                  • 6. Re: IPSec to CISCO Concentrator

                    Sorry, I must have missed this update.

                    I don't know Cisco diagnostics well enough to come up with a definitive answer in this case.

                    Here we see the Cisco is unhappy:

                    28462 02/02/2010  09:32:21.740 SEV=6 IKE/1 RPT=37421 209.239.96.78
                    Group  [209.239.96.78]
                    Removing peer from  correlator table failed, no match!

                    yet milliseconds later we see

                    28475 02/02/2010  09:32:24.250 SEV=4 IKE/41 RPT=51428 209.239.96.78
                    IKE  Initiator: New Phase 1, Intf 2, IKE Peer 209.239.96.78
                    local Proxy Address  192.168.202.0, remote Proxy Address 10.5.91.0,
                    SA  (L2L: HO1774)

                    Run it past Cisco, I suggest, if possible.
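Reading the two outputs side by side (the UTM connection details in reply 2 and the Cisco log in reply 4): the UTM sits in STATE_QUICK_I1 proposing the selectors 159.61.35.78/32 <-> 192.168.202.0/28, while the Cisco logs "QM FSM error" and, when it initiates itself, uses local proxy 192.168.202.0 and remote proxy 10.5.91.0. The script below is an added example, not part of the thread and not tooling from either vendor. It parses both excerpts (embedded as constructed sample input copied from the posts) and reports which Phase 2 inputs the two sides agree on and which they do not. The IKEv1 transform-ID tables are the standard registry values that pluto prints in "algorithms wanted"; the CISCO_CONFIG dictionary is an assumption built from the values the Cisco administrator stated in reply 2 (the DH group is not stated there, so it is not compared), and the Cisco proxy line carries no mask, so only the network address is tested against the UTM's selector.

```python
"""Side-by-side check of a stuck IKEv1 Phase 2 (Quick Mode) negotiation.

Added example, not part of the thread. It parses the UTM's pluto-style
connection status and the Cisco VPN 3000 log excerpt quoted in the thread
and reports which Phase 2 inputs agree and which do not.
"""
import ipaddress
import re

# IKEv1 transform IDs as pluto prints them in "algorithms wanted"
# (ISAKMP / IPsec DOI registries). Only the values the thread needs.
IKE_ENC = {1: "DES", 5: "3DES", 7: "AES"}
IKE_HASH = {1: "MD5", 2: "SHA1"}
IKE_GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
ESP_ENC = {2: "DES", 3: "3DES", 12: "AES"}
ESP_AUTH = {1: "HMAC-MD5", 2: "HMAC-SHA1"}

# Constructed sample input: the lines posted in the thread, excerpted.
UTM_STATUS = """\
000 "DisCorp2": 159.61.35.78/32===209.239.96.78---209.239.96.77...216.57.222.135===192.168.202.0/28
000 "DisCorp2":   IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "DisCorp2":   ESP algorithms wanted: 3_000-1, flags=-strict
"""
CISCO_LOG = """\
28461 02/02/2010  09:32:21.740 SEV=4 IKEDBG/97 RPT=37756 209.239.96.78
QM  FSM error (P2 struct &0xb5a4278, mess id 0xa3cf65c)!
28475 02/02/2010  09:32:24.250 SEV=4 IKE/41 RPT=51428 209.239.96.78
IKE  Initiator: New Phase 1, Intf 2, IKE Peer 209.239.96.78
local Proxy Address  192.168.202.0, remote Proxy Address 10.5.91.0,
"""
# Assumption: what the Cisco administrator said is configured (reply 2):
# IKE-3DES-MD5 and ESP 3DES-168 with MD5/HMAC-128. DH group not stated.
CISCO_CONFIG = {"ike": ("3DES", "MD5"), "esp": ("3DES", "HMAC-MD5")}


def _transform_ids(body):
    """'IKE algorithms wanted: 5_000-1-2, flags=...' -> (5, 1, 2); '5_000' is id 5, keylen 0."""
    spec = body.split(":", 1)[1].split(",", 1)[0].strip()
    return tuple(int(part.split("_")[0]) for part in spec.split("-"))


def parse_pluto_status(text):
    """Pull local/remote selectors and Phase 1/2 transforms out of pluto status lines."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^000 "[^"]+":\s*(.*)$', line)
        if not m:
            continue
        body = m.group(1)
        if "===" in body:
            # local/mask===local-gw---nexthop...remote-gw===remote/mask
            local, _, rest = body.partition("===")
            remote = rest.rsplit("===", 1)[1]
            info["local"] = ipaddress.ip_network(local, strict=False)
            info["remote"] = ipaddress.ip_network(remote, strict=False)
        elif body.startswith("IKE algorithms wanted:"):
            enc, hsh, grp = _transform_ids(body)
            info["ike"] = (IKE_ENC[enc], IKE_HASH[hsh], IKE_GROUP[grp])
        elif body.startswith("ESP algorithms wanted:"):
            enc, auth = _transform_ids(body)
            info["esp"] = (ESP_ENC[enc], ESP_AUTH[auth])
    return info


def parse_cisco_log(text):
    """Pull the Quick Mode failure and the proxy IDs (traffic selectors) the Cisco uses."""
    info = {"qm_fsm_error": False, "local_proxy": None, "remote_proxy": None}
    for line in text.splitlines():
        if re.search(r"QM\s+FSM error", line):
            info["qm_fsm_error"] = True
        m = re.search(r"local Proxy Address\s+(\S+), remote Proxy Address\s+(\S+),", line)
        if m:
            # The log prints the network address without its mask.
            info["local_proxy"] = ipaddress.ip_address(m.group(1))
            info["remote_proxy"] = ipaddress.ip_address(m.group(2))
    return info


def diagnose(utm_status=UTM_STATUS, cisco_log=CISCO_LOG, cisco_cfg=CISCO_CONFIG):
    """Return (utm, cisco, checks); a False check is a Phase 2 input the sides disagree on."""
    utm = parse_pluto_status(utm_status)
    cisco = parse_cisco_log(cisco_log)
    checks = {
        "ike_proposal_matches": utm["ike"][:2] == cisco_cfg["ike"],
        "esp_proposal_matches": utm["esp"] == cisco_cfg["esp"],
        # Selectors must mirror each other: the Cisco's local proxy lies in the
        # UTM's remote network and the Cisco's remote proxy in the UTM's local one.
        "cisco_local_in_utm_remote": cisco["local_proxy"] in utm["remote"],
        "cisco_remote_in_utm_local": cisco["remote_proxy"] in utm["local"],
    }
    return utm, cisco, checks


if __name__ == "__main__":
    utm, cisco, checks = diagnose()
    print(f"UTM selectors:   {utm['local']} <-> {utm['remote']}")
    print(f"Cisco proxy IDs: {cisco['remote_proxy']} <-> {cisco['local_proxy']} (mask not logged)")
    print(f"Cisco logged QM FSM error: {cisco['qm_fsm_error']}")
    for name, ok in checks.items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
```

On the posted excerpts the proposal checks pass (3DES/MD5 on both phases) and the only failing check is cisco_remote_in_utm_local: the Cisco's remote proxy 10.5.91.0 does not fall inside the UTM's local selector 159.61.35.78/32. Whether that is the cause in this thread is for the Cisco side to confirm, but it is the one input the two outputs visibly disagree on, and it is what to put in front of the Cisco administrator.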