[c-nsp] Strange IPSEC Behavior
Brian Feeny
signal at shreve.net
Thu Feb 24 21:50:07 EST 2005
I set up a VPN between a Cisco Router and a PIX firewall:
Cisco 1750
IOS (tm) C1700 Software (C1700-K9O3SV3Y-M), Version 12.2(27), RELEASE SOFTWARE (fc3)
PIX Firewall
Cisco PIX Firewall Version 6.3(1)
The VPN was set with the following policies:
ISAKMP
PSK
MD5
DES
DH Group 2
IPSEC
DES ESP-MD5-HMAC
I had made the mistake of mismatching crypto ACLs on the two links:
On the router I had:
ip access-list extended shrevenetVpn
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 207.254.192.0 0.0.0.255
And on the PIX I had:
access-list brianVpn permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
The thing was, it all worked. I am assuming my traffic from the
router to 207.254.192.0/24 was asymmetrically
encrypted, since there was no ACL on the PIX to go back to the router
to encrypt. But it worked fine!
I changed the ISAKMP and IPSEC parameters to use 3DES instead of DES,
and it stopped working! (Like it should).
Debugs on the router complained:
00:48:48: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 207.254.193.39
failed its sanity check or is malformed
Debugs on the PIX complained
1d00h: ISAKMP: IPSec policy invalidated proposal
1d00h: ISAKMP (0:2): SA not acceptable!
What is strange is that using DES it didn't seem to care. I can literally
switch to DES, and it would work, and switch to 3DES and it wouldn't
work. Don't get me wrong, I am not saying it should have worked, I
understand you have to match crypto ACLs, but it worked and that's what
is so strange.
I of course corrected the ACL, and the 3DES connection came up. Anyone
know about this?
Brian
---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.
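One way to catch the kind of mismatch described in the post before bringing a tunnel up, as an added example that is not from the original post or from Cisco: a small Python script that parses both crypto ACLs (IOS wildcard masks on the router, netmasks on the PIX) and reports every entry that has no mirror-image counterpart on the peer. It assumes the plain network/mask form of `permit ip` lines only (no `host` or `any` keywords); the two ACLs from the post are embedded inline as sample input.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACLs quoted in the post above.
ROUTER_ACL = """
ip access-list extended shrevenetVpn
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 207.254.192.0 0.0.0.255
"""
PIX_ACL = """
access-list brianVpn permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Only the network/mask form is handled (assumption: no host/any keywords).
PERMIT = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def _net(addr, mask, wildcard):
    """Build a network from an address plus an IOS wildcard or a PIX netmask."""
    if wildcard:
        # IOS wildcard: 0 bits must match, so invert it to obtain the netmask.
        inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text, wildcard):
    """Return the (src, dst) network pairs selected by an ACL's permit lines."""
    return [(_net(m.group(1), m.group(2), wildcard),
             _net(m.group(3), m.group(4), wildcard))
            for m in PERMIT.finditer(text)]


def unmirrored(local_pairs, remote_pairs):
    """Local (src, dst) entries with no (dst, src) counterpart on the peer."""
    remote_mirrored = {(d, s) for s, d in remote_pairs}
    return [p for p in local_pairs if p not in remote_mirrored]


def check(router_text, pix_text):
    """Compare both crypto ACLs and list the entries each side lacks."""
    router = parse_acl(router_text, wildcard=True)
    pix = parse_acl(pix_text, wildcard=False)
    return {
        "router_only": [f"{s} -> {d}" for s, d in unmirrored(router, pix)],
        "pix_only": [f"{s} -> {d}" for s, d in unmirrored(pix, router)],
    }


if __name__ == "__main__":
    for side, entries in check(ROUTER_ACL, PIX_ACL).items():
        print(side, entries or "none")
```

Run against the post's ACLs it flags the router's 192.168.1.0/24 -> 207.254.192.0/24 entry as having no PIX counterpart, which is exactly the proxy-identity mismatch the PIX rejected with "IPSec policy invalidated proposal".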