Tom's Hardware > Forum > General Networking > Firewall > Cisco PIX 7.0.1 to Watchguard V60 VPN Tunnel

Cisco PIX 7.0.1 to Watchguard V60 VPN Tunnel

Forum General Networking : Firewall - Cisco PIX 7.0.1 to Watchguard V60 VPN Tunnel

Tom's Hardware: Over 1.4 million members in 6 different countries available to answer all your high-tech questions. Sign up now! Its free!
Ask the community Add a reply
Word :    Username :           
 
Anonymous   09-15-2005 at 09:06:42 PM

Archived from groups: comp.security.firewalls (More info?)

 

I am upgrading all my compaines firewalls with the new 7.0 on
all our pixes. We have one enviroment with a Watchguard V60. With
version
6.3.4 of the pix software, I have successfully created a VPN tunnel
from the
v60 to the pix many times in the past. Now that my test PIX has been
upgraded to 7.0, I have been unable to do so and it is a major hold up
to my project...but what isn't a hold up right? See partial packet
dump below... Keeps saying PAYLOAD_MALFORMED where i have it marked
with <<<<<<<<<. Nothing of the configs has changed....in fact..Phase I
negotiates properly...when used to try and negotiate Phase II...the
watchgaurd sends the all delete SA message...

I have logs, configs, all available....Anyone have a similar
problem...maybe with a VPN concentrator 3000? I hear they took the
code from the 3000 and used it in the new pix 7.0...any ideas?

ISAKMP Header
Initiator COOKIE: 5f f9 10 cc c4 c7 92 5a
Responder COOKIE: 6b 03 45 83 42 a9 fb 9f
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: F718DDC0
Length: 68
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
0c c2 e2 c0 da a3 f8 63 10 f5 cc 15 19 9e d4 71
1c 49 d2 9f
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: PAYLOAD_MALFORMED <<<<<<<<<<<<<<<<<<<<<<<<<<<
SPI: 7c 8a 79 bc
Sep 15 12:48:17 [IKEv1]: IP = 12.156.2.254, IKE DECODE RECEIVED Message
(msgid=f718ddc0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE
(0) total length : 68
Sep 15 12:48:17 [IKEv1 DEBUG]: Group = 12.156.2.254, IP = 12.156.2.254,
processing hash
Sep 15 12:48:17 [IKEv1 DEBUG]: Group = 12.156.2.254, IP = 12.156.2.254,
Processing Notify payload

ISAKMP Header
Initiator COOKIE: 5f f9 10 cc c4 c7 92 5a
Responder COOKIE: 6b 03 45 83 42 a9 fb 9f
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 185D0F10
Length: 196

IKE Recv RAW packet dump
5f f9 10 cc c4 c7 92 5a 6b 03 45 83 42 a9 fb 9f | _......Zk.E.B...
08 10 05 01 dc 8c 07 d2 00 00 00 44 a0 eb 70 64 | ...........D..pd
d8 0f 66 b7 70 31 62 a8 95 dc 1d 91 09 65 05 39 | ..f.p1b......e.9
c4 f8 b8 29 76 04 42 f1 28 0f f4 b8 24 05 a8 e9 | ...)v.B.(...$...
7f dd 3d 95 | .=.

RECV PACKET from 12.156.2.254
ISAKMP Header
Initiator COOKIE: 5f f9 10 cc c4 c7 92 5a
Responder COOKIE: 6b 03 45 83 42 a9 fb 9f
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: DC8C07D2
Length: 68

AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 5f f9 10 cc c4 c7 92 5a
Responder COOKIE: 6b 03 45 83 42 a9 fb 9f
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: DC8C07D2
Length: 68
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
4a b8 b4 22 6e d6 13 06 0b 78 f2 38 fc 5a 61 a3
56 07 e7 6d
Payload Notification
Next Payload: None
Payload Length: 16
Reserved: 00
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: PAYLOAD_MALFORMED <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Add a reply
Sponsored Links
Register or log in to remove.
Anonymous   09-16-2005 at 04:15:33 AM
- 0 +

Archived from groups: comp.security.firewalls (More info?)

 

In article <1126822002.709287.216210@g43g2000cwa.googlegroups.com>,
jbuice@gmail.com says...
> I am upgrading all my compaines firewalls with the new 7.0 on
> all our pixes. We have one enviroment with a Watchguard V60. With
> version
> 6.3.4 of the pix software, I have successfully created a VPN tunnel
> from the
> v60 to the pix many times in the past. Now that my test PIX has been
> upgraded to 7.0, I have been unable to do so and it is a major hold up
> to my project...but what isn't a hold up right? See partial packet
> dump below... Keeps saying PAYLOAD_MALFORMED where i have it marked
> with <<<<<<<<<. Nothing of the configs has changed....in fact..Phase I
> negotiates properly...when used to try and negotiate Phase II...the
> watchgaurd sends the all delete SA message...
>
> I have logs, configs, all available....Anyone have a similar
> problem...maybe with a VPN concentrator 3000? I hear they took the
> code from the 3000 and used it in the new pix 7.0...any ideas?

Depending on the appliance, I've found a couple things cause that error
you mention:

On the WG unit, try changing the following one at a time to see if you
can match it up with the PIC:

WatchGuard Gateway setting
Authentication: Use SHA1
Encryption: 3des
DH Group: 1
Uncheck Enable Perfect Forward Secrecy (if it doesn't work)
Enable Aggressive mode

In Phase 2 settings:
Type: ESP
Auth: SHA1
Encr: 3DES

I've found the above works for most non-WG VPN appliances - although I
do normally use PFS (perfect Forward Secrecy).

--

spam999free@rrohio.com
remove 999 in order to email me

Reply to Anonymous
Ask the community Add a reply
Tom's Hardware > Forum > General Networking > Firewall > Cisco PIX 7.0.1 to Watchguard V60 VPN Tunnel
Go to:

There are 950 identified and unidentified users. To see the list of identified users, Click here.

Forum map
Bestofmedia Forum ©
2000-2009 Bestofmedia Group
Page generated in 0.323 seconds
Please mind

You are about to answer a thread that has been inactive for more than 6 months.
If you still wish to proceed, please ensure that your posting is original and does not duplicate or overlap any prior responses to this thread.

Add a reply Cancel
Sponsored links
  • Ask the community now
  • Publish
Ad
Related Topics
See all relatives topics
They won a badge
Join us in greeting them