[c-nsp] Problem with cisco VPN, help please

Joel M Snyder Joel.Snyder at Opus1.COM
Thu Aug 11 10:09:34 EDT 2005


>I have a problem with my cisco PIX 501. I'm trying to establish a
>site-to-site VPN connection but am still blocked in phase 1. Any help please?

Well, the config and debug you've given us are not the ones that are needed, but I
can hazard a guess.   (we need the ones from the other end, the responder)

First, according to the debug, you're sending out msg 1 of the MM IKE and
getting basically no response.  So that means that the guy at the other end
doesn't like you.  For IKE's anti-DoS reasons, you're not going to get an "I
don't like you" response, which is why you're seeing nothing.  The useful debug
would be the one at the other end which says why he doesn't like you.

Second, I can hazard a guess.  The part of the config that you're exposing
shows that your external address is an 192.168 address.  Since you're not
giving us the REMOTE address, I am guessing that this means that they have a
normal routable address, which leads me to surmise that you're being NATed. 

There are two reasons why this is probably not working.  The most likely is
that you are appearing on the other side as some other address besides
192.168.xxx.xxx, and thus the guy is saying "I have no policy for him," and
dropping your proposal.  

The second possible reason is that you cannot use IKE with pre-shared secrets
unless you use aggressive mode.  It's a long and convoluted argument, but
basically the guy at the other end doesn't know what your PSS is because he
can't tell it because he has to look it up based on your ID payload---which he
doesn't know, because that's one of the things he has to know in order to
discover your ID payload.  The IKE solution is to base the PSS on your IP
address, which is visible, except in your case, because you're being NATed. 
(Yes, this gets fixed in IKEv2).  With aggressive mode, which has its
own serious security problems, you expose your ID payload in the first message
so he at least knows how to verify that you know the correct PSS.  (This can
also be solved by using wildcard PSS, but if you use the same password for
everyone, you really might as well just use clear-text because you're getting
about the same level of security). 

So, you MIGHT be able to get this to work (this is
VPN-implementation-dependent, and you haven't said what the guy on the other
end is running) if you have a static NAT and if you are sure that the guy at
the other end is putting in the correct IP address for you.  

In any case, the only way to debug this is to get the guy at the other end to
provide the vital & missing information about why he doesn't like you, and then
you'll know and can fix it.

jms


Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)  
jms at Opus1.COM    http://www.opus1.com/jms    Opus One
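An added example, not part of the original post and not Cisco's code: a small Python model of the
responder-side decision Joel describes. It derives SKEYID the way RFC 2409 section 5.4 does for
pre-shared-key authentication (prf(PSK, Ni_b | Nr_b), HMAC-SHA1 as the prf), then replays the
cases from the post: main mode with the PSK keyed on the 192.168 address while the packet arrives
from the NAT address, the static-NAT fix, aggressive mode looking the PSK up by ID payload, a
wildcard PSK, and a wrong secret. The addresses, the secret and the FQDN ID are constructed sample
values, and comparing SKEYID directly is a stand-in for the real HASH_I check over the encrypted
message 5; the point being shown is only which selector the responder has available at the time it
must choose the PSK.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example, not from the original post.
BRANCH_PSK = b"s3cret-branch-key"   # the pre-shared secret both ends were given
BRANCH_ID = "branch.example.net"    # initiator's ID payload (FQDN) in aggressive mode
PIX_OUTSIDE_IP = "192.168.1.2"      # what the PIX thinks its outside address is
NAT_PUBLIC_IP = "198.51.100.7"      # what the responder actually sees after NAT


def skeyid(psk, ni, nr):
    """RFC 2409 section 5.4, pre-shared-key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b), with HMAC-SHA1 as the prf."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def main_mode_responder(psk_by_ip, src_ip, ni, nr, initiator_skeyid, wildcard_psk=None):
    """Main mode: IDii arrives in message 5, already encrypted under keys derived
    from SKEYID, so the responder must pick the PSK *before* it can read the ID.
    The only selector it has is the packet's source IP, which NAT may have rewritten.
    (Simplification: the real check is over HASH_I; comparing SKEYID stands in for it.)"""
    psk = psk_by_ip.get(src_ip, wildcard_psk)
    if psk is None:
        # IKE's anti-DoS behaviour: no 'I don't like you' reply, just silence.
        return "dropped: no policy for " + src_ip
    if not hmac.compare_digest(skeyid(psk, ni, nr), initiator_skeyid):
        return "dropped: authentication failed"
    return "phase 1 complete"


def aggressive_mode_responder(psk_by_id, id_payload, ni, nr, initiator_skeyid):
    """Aggressive mode: IDii is sent in the clear in message 1, so the responder
    can look the PSK up by identity regardless of the address NAT shows.
    The price is that the identity (and a hash keyed on the PSK) is exposed on the wire."""
    psk = psk_by_id.get(id_payload)
    if psk is None:
        return "dropped: no policy for " + id_payload
    if not hmac.compare_digest(skeyid(psk, ni, nr), initiator_skeyid):
        return "dropped: authentication failed"
    return "phase 1 complete"


def run_scenarios():
    """Replay the cases discussed in the post; returns {scenario: responder decision}."""
    ni, nr = os.urandom(16), os.urandom(16)      # nonces normally carried in messages 3/4
    good = skeyid(BRANCH_PSK, ni, nr)
    bad = skeyid(b"wrong-secret", ni, nr)
    results = {}

    # 1. Responder keyed the PSK on the address the PIX reported (192.168.x.x);
    #    the packet arrives from the NAT address, so there is no matching policy.
    results["main_mode_behind_nat"] = main_mode_responder(
        {PIX_OUTSIDE_IP: BRANCH_PSK}, NAT_PUBLIC_IP, ni, nr, good)

    # 2. Static NAT, and the far end configured the public address instead.
    results["main_mode_static_nat"] = main_mode_responder(
        {NAT_PUBLIC_IP: BRANCH_PSK}, NAT_PUBLIC_IP, ni, nr, good)

    # 3. Aggressive mode: lookup by ID payload, the NAT address is irrelevant.
    results["aggressive_mode_behind_nat"] = aggressive_mode_responder(
        {BRANCH_ID: BRANCH_PSK}, BRANCH_ID, ni, nr, good)

    # 4. Wildcard PSK: any source that knows the shared secret gets in, from anywhere,
    #    which is why one secret for everyone is barely better than no secret.
    results["wildcard_psk_any_source"] = main_mode_responder(
        {}, "203.0.113.99", ni, nr, good, wildcard_psk=BRANCH_PSK)

    # 5. Right policy, wrong secret: still dropped, still silently.
    results["main_mode_wrong_psk"] = main_mode_responder(
        {NAT_PUBLIC_IP: BRANCH_PSK}, NAT_PUBLIC_IP, ni, nr, bad)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} {outcome}")
```

Run it and the first scenario is the one the debug in the question shows: the initiator sends message 1 and
nothing comes back, because the responder found no policy for the source address and says nothing.
Only the responder's own debug output distinguishes that case from the wrong-secret case.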

