 

Cisco PIX 7.0.1 to Watchguard V60 VPN Tunnel





Archived from groups: comp.security.firewalls

 

I am upgrading all my company's firewalls with the new 7.0 on
all our PIXes. We have one environment with a WatchGuard V60. With
version 6.3.4 of the PIX software, I have successfully created a VPN
tunnel from the V60 to the PIX many times in the past. Now that my test
PIX has been upgraded to 7.0, I have been unable to do so and it is a
major hold up to my project...but what isn't a hold up right? See
partial packet dump below... Keeps saying PAYLOAD_MALFORMED where I have
it marked with <<<<<<<<<. Nothing of the configs has changed....in
fact..Phase I negotiates properly...when used to try and negotiate
Phase II...the WatchGuard sends the all delete SA message...

I have logs, configs, all available....Anyone have a similar
problem...maybe with a VPN concentrator 3000? I hear they took the
code from the 3000 and used it in the new pix 7.0...any ideas?

ISAKMP Header
Initiator COOKIE: 5f f9 10 cc c4 c7 92 5a
Responder COOKIE: 6b 03 45 83 42 a9 fb 9f
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: F718DDC0
Length: 68
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
0c c2 e2 c0 da a3 f8 63 10 f5 cc 15 19 9e d4 71
1c 49 d2 9f
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: PAYLOAD_MALFORMED <<<<<<<<<<<<<<<<<<<<<<<<<<<
SPI: 7c 8a 79 bc
Sep 15 12:48:17 [IKEv1]: IP = 12.156.2.254, IKE DECODE RECEIVED Message
(msgid=f718ddc0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE
(0) total length : 68
Sep 15 12:48:17 [IKEv1 DEBUG]: Group = 12.156.2.254, IP = 12.156.2.254,
processing hash
Sep 15 12:48:17 [IKEv1 DEBUG]: Group = 12.156.2.254, IP = 12.156.2.254,
Processing Notify payload

ISAKMP Header
Initiator COOKIE: 5f f9 10 cc c4 c7 92 5a
Responder COOKIE: 6b 03 45 83 42 a9 fb 9f
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 185D0F10
Length: 196

IKE Recv RAW packet dump
5f f9 10 cc c4 c7 92 5a 6b 03 45 83 42 a9 fb 9f | _......Zk.E.B...
08 10 05 01 dc 8c 07 d2 00 00 00 44 a0 eb 70 64 | ...........D..pd
d8 0f 66 b7 70 31 62 a8 95 dc 1d 91 09 65 05 39 | ..f.p1b......e.9
c4 f8 b8 29 76 04 42 f1 28 0f f4 b8 24 05 a8 e9 | ...)v.B.(...$...
7f dd 3d 95 | .=.

RECV PACKET from 12.156.2.254
ISAKMP Header
Initiator COOKIE: 5f f9 10 cc c4 c7 92 5a
Responder COOKIE: 6b 03 45 83 42 a9 fb 9f
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: DC8C07D2
Length: 68

AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 5f f9 10 cc c4 c7 92 5a
Responder COOKIE: 6b 03 45 83 42 a9 fb 9f
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: DC8C07D2
Length: 68
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
4a b8 b4 22 6e d6 13 06 0b 78 f2 38 fc 5a 61 a3
56 07 e7 6d
Payload Notification
Next Payload: None
Payload Length: 16
Reserved: 00
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: PAYLOAD_MALFORMED <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
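
Added example, not part of the original post and not Cisco or WatchGuard code: a Python decoder for the 28-byte ISAKMP header in the raw dump above and for a Notification payload, useful for cross-checking the PIX debug decode (Informational exchange, message ID DC8C07D2, PAYLOAD_MALFORMED). The Notification bytes are reconstructed from the decoded fields of the first debug block, and the lookup tables are partial subsets of the RFC 2408/2409 registries.

```python
import struct

# Bytes copied from the "IKE Recv RAW packet dump" in the post above.
RAW_DUMP = """
5f f9 10 cc c4 c7 92 5a 6b 03 45 83 42 a9 fb 9f
08 10 05 01 dc 8c 07 d2 00 00 00 44 a0 eb 70 64
d8 0f 66 b7 70 31 62 a8 95 dc 1d 91 09 65 05 39
c4 f8 b8 29 76 04 42 f1 28 0f f4 b8 24 05 a8 e9
7f dd 3d 95
"""
PACKET = bytes.fromhex("".join(RAW_DUMP.split()))
# Constructed input: Notification payload re-encoded from the decoded fields
# of the first debug block (the decrypted bytes themselves are not on the page).
NOTIFY_BYTES = bytes.fromhex("00000010" "00000001" "03" "04" "0010" "7c8a79bc")

# Partial subsets of the RFC 2408/2409 number registries, enough for this trace.
PAYLOADS = {0: "None", 8: "Hash", 11: "Notification", 12: "Delete"}
EXCHANGES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION"}

def parse_header(pkt):
    """Decode the fixed 28-byte ISAKMP header (RFC 2408, section 3.1)."""
    if len(pkt) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):  # a mismatch means a truncated or padded capture
        raise ValueError(f"header says {length} bytes, capture has {len(pkt)}")
    return {
        "initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
        "next_payload": PAYLOADS.get(nxt, nxt), "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGES.get(xchg, xchg), "encrypted": bool(flags & 0x01),
        "message_id": f"{msgid:08X}", "length": length,
    }

def parse_notify(body):
    """Decode a decrypted Notification payload (RFC 2408, section 3.14)."""
    if len(body) < 12:
        raise ValueError("truncated Notification payload")
    nxt, _rsvd, plen, doi, proto, spi_size, ntype = struct.unpack("!BBHIBBH", body[:12])
    if plen != len(body) or 12 + spi_size > plen:
        raise ValueError("inconsistent Notification length fields")
    return {
        "next_payload": PAYLOADS.get(nxt, nxt), "doi": doi, "protocol_id": proto,
        "notify_type": NOTIFY_TYPES.get(ntype, ntype), "spi": body[12:12 + spi_size].hex(),
    }

if __name__ == "__main__":
    print(parse_header(PACKET))
    print(parse_notify(NOTIFY_BYTES))
```

The 40 bytes after the header are the encrypted Hash and Notification payloads (24 + 16 bytes), which is why the raw dump alone shows only the exchange type and message ID.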


 

In article <1126822002.709287.216210@g43g2000cwa.googlegroups.com>,
jbuice@gmail.com says...
> I am upgrading all my company's firewalls with the new 7.0 on
> all our PIXes. We have one environment with a WatchGuard V60. With
> version 6.3.4 of the PIX software, I have successfully created a VPN
> tunnel from the V60 to the PIX many times in the past. Now that my test
> PIX has been upgraded to 7.0, I have been unable to do so and it is a
> major hold up to my project...but what isn't a hold up right? See
> partial packet dump below... Keeps saying PAYLOAD_MALFORMED where I have
> it marked with <<<<<<<<<. Nothing of the configs has changed....in
> fact..Phase I negotiates properly...when used to try and negotiate
> Phase II...the WatchGuard sends the all delete SA message...
>
> I have logs, configs, all available....Anyone have a similar
> problem...maybe with a VPN concentrator 3000? I hear they took the
> code from the 3000 and used it in the new pix 7.0...any ideas?

Depending on the appliance, I've found a couple things cause that error
you mention:

On the WG unit, try changing the following one at a time to see if you
can match it up with the PIX:

WatchGuard Gateway setting
Authentication: Use SHA1
Encryption: 3des
DH Group: 1
Uncheck Enable Perfect Forward Secrecy (if it doesn't work)
Enable Aggressive mode

In Phase 2 settings:
Type: ESP
Auth: SHA1
Encr: 3DES

I've found the above works for most non-WG VPN appliances - although I
do normally use PFS (Perfect Forward Secrecy).

--

spam999free@rrohio.com
remove 999 in order to email me

