VPN
[VPN] Cisco Router IOS to Symantec Raptor Dec 12 2006 10:57PM
Nate Goddard (ngoddard nconnect net)
Hello,
I have been unable to reach the list site to look for any archives
on this question, so I?ll through it out there. I?m trying to setup a IPSec
VPN tunnel from a Cisco Router (on which I have several hundred successful
site-to-site tunnels) running IOS 12.4(7) to a Symantec Raptor.
Unfortunately, I can?t really provide much detail about the Symantec because
it?s a customer/vendor?s device. At one point the tunnel did work, but
started failing, and now it fails when something behind the Symantec tries
to initiate a tunnel, but not when something behind the Router initiates the
tunnel.
To lay out some details (which have been obfuscated to protect
identity and security):

Cisco side:
Inside IP: 10.1.1.25 (local subnet has routing to encr dom)
Outside IP: 1.2.3.4
Preshared key
P1: 3DES MD5 DH2
P2: 3DES MD5 no-pfs
Local encryption domain: 7.8.9.0/24 (public space)
Sample ACL for crypto map:
permit ip 7.8.9.0 0.0.0.255 host 172.16.10.56
permit ip 7.8.9.0 0.0.0.255 host 172.16.10.113
permit ip 7.8.9.0 0.0.0.255 host 172.16.10.78

Symantec Raptor side:
Inside IP: 172.16.10.254
Outside IP: 21.22.23.24
Preshared key
P1: 3DES MD5 DH2
P2: 3DES MD5 no-pfs
Local encryption domain: group containing 172.16.10.56, 172.16.10.113,
172.16.10.78
Remote encryption domain: 7.8.9.0 255.255.255.0

It use to work fine this way, with a single local group for the
hosts on the Raptor side, and a subnet on the Cisco side, and each host had
its own IPSec SA (tunnel) to the subnet on the Cisco side. Then the Raptor
changed behavior and started to try to use any existing SA for any 1 of the
3 hosts to encrypt traffic for the other 2 when a system behind the Raptor
was the initiator of traffic and negotiations. If the Cisco side initiates
to all 3 separately, creating the SAs itself, then the tunnel works
bi-directionally as it should, until the P2 SAs expire. At the moment,
there is no way to identify what firmware change, or config change on the
Raptor caused this, so rolling things back is not a practical option (unless
someone knows exactly what the issue is).
We tried disabling that group and tunnel (perhaps deleting it would
be more thorough and a better test ?) and creating 3 totally separate
tunnels on the Raptor, using the same key, etc as the 1 defined S-2-S tunnel
on the Cisco, but system behind the Raptor still can not initiate a tunnel.
As I said, perhaps deleting the old one (not just disabling it) is
necessary.
I ran into the same issue with another customer/vendor using a
Raptor, where they were using a group, and switching them to individual
tunnels resolved the bi-directional initiation issues (it introduced some
minor problems that I?m ignoring here).

Anyone have any experience with a Cisco to Raptor tunnel with a
subnet and hosts (or anything like this) that could shed some light on this?

Nate

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.15.16/582 - Release Date: 12/11/2006
4:32 PM

x?>"9äè?IPM.Microsoft Mail.Note1 &p$Cisco Router IOS to Symantec RaptorqÇ@ödpõï­?9F§®õ/·dyã 
Á?h ÎÓ?æ°/Â? ÒÎ17LZFu+#*ß `ng102f5drcp
Ð2 `c
D41stsâhpbch5 Çfh°ÖbiC
¤3ò3æfeb÷¤cGÀ
ÀsetÑp(rq2*
¡no-
ðq6p05?04ñÐà4}mß?PÔÏÛb± ??Ä ?36_/sBÀÐ! b3`}GiovpIPTCTTÔ8N2?"Òr m CEÔ?9"ÿ$/%5yr?æ4l16'?úG Ñk(ô ),±*¿½?Tp(ô¡d ,Þ77-ÿ%4(Heòb pw)(ô'A0/13ÿ$2? °3u,Þ®815¯?B@t°¿(ô?*`/ñ9?2ÃVètnae3u"á<÷
#ø%?4&?M'7@Åý(Õ5*h@Ä,Do÷-æ@Ä/f5/÷D}1w@Ľ3 53çJ>@L6û57ÑïD}8÷@Ä:?5
;AD~<vûKµ>51=@´??Uæ; o0X?e5ÿYÊZáZ?[©Y´[ÒZ?^?]Í]O[YÏ028c?ÿd±doeyY´e¢dgßg÷geOi9 ldmÁeã§mÀ?Pylh àêtq PlÁ@áðdctl
±p7²pau: `s
°GpðàqònumaÉq°to
QjuP|ghqà
p
i½ppApàÀ±sQ1uà ð'@@
¶: rÿud Ã'@'èÐ À4 xnpxizsneúxWAN°Àsàu¡Ívd40:°ve@?mi|Ð ð Dq?4 P
Àa Àq`h îF!|`1P``Nw 0sÀ?sW4 t¼hBsÀ
°|Ðl
àû"àdrØ
F??GÊb?GrBcb
°*Pÿ?2`??` ? ??do@?peAðellp¡÷?±?Ás} :?Áÿ30?`?& P?D ±?Sq ù?Ddg?&? ?&up?Dþvoïpÿrst/u? òÿw,?ñ
´x"vQyl?wÿ?õ{Cñ}Z{´<à o`ýnó1??¯¿?Ïÿ?Úu òvw?4A"wï÷xÿz{b?À ? 1??Co14 ??83½ ð} ?` X°~tp£u°;@?³f08ß?Ð
 0x૱îy 0 p-m°ªQ¬q¬w7mÀAxPt?R»ªQ?ñm РЮ)y?Aÿ?/???Aª3?? ¦voÿwt 2¢´!£O¤_¥o¦}ß;@§¨??Bs|1?ß|Ç?Íw)°@Ðf ¦fc|?»?7378àLà þH?Q? ?,C|S"à¾?ÿ¿OÀTðÀÏÁØ0?à?Pÿ ?Âm°Ã¯ lw*DB ¿?ð1Æy}h@Â?s w@@ m«±}1Á?EûÀSoBm°WÃà `Ï­à0o4?ÐsdPpÞa®ÐSÒ¡Qk ?Ö0|#X°vâUÂà ~w¡ÔD»Ñ 3»ØÕÓ6_-Ð?Á¹ÖT2Áð9ÅLà5|#xml?ã Ù³1 ?Àtp:/Î/ðoÀs.}?U0o?.Ï1/Üf?°e/w°d/!¾3ÜóÙÀWÐ
¡Â?wðwµ@Þ3h¼ÞÁÀrÿ?°®!ß??pà*P3Ðß?ÚbáCg±°­àr?ó???R?P???nb~j` ð|Ð`ð oï­àÐ ?¬0sPä¸é?Agd?a ¢p`ÿÔ Ò@!à?àæÁ{`ÙÀ½??h?P Q?Àèàlß{b @¹ °}qx ? ÷0Ò1a} ?èÙ±ÿ1èáÙ±`P ¶xÑѱÀyÎQ{`ppÿ  °A?°á0û`?b í!°??À¶rÀaðQmp
a\èàtrzäsgß² ? hóð®#gvò?ñQ?  ?ÿàó!ôáRòbèáåÁó1ýõãjíñp 0äq?B òvwk??÷Òðß@1ÞÑáÀ?²e
`ù5ÇäàÎqlytÕP ?ÿ}0ãÑúÇ?ÀÀ±°°í!ÿÙÐ?À±ñ 2² ?ÐP@ÿ ýÑ?d?ÐúÐøÁ?`?aúÁQ?À?QÙÐ30kÿðq}0 Q¯À0 A{@ÿ¯à±À¸¢ ??µ!È1Ü°?Ð}ÑÒÀ?Я±ppuÿ@°b0G»Â`äàØ&ý{Pw 1»?°@p À?P±¢Ü°°` 0Âw}ç!f®Ü°: ì°`1ü3fÞÐРаøÀþÐýÙÐu??w!«"ââ¸ÑâÅÿ?A{`®@äAüÐì°}1âñÿ â¸
¢ 1 °
@ÏãÓÃÙàâðlv衱1ÿÛб`aüð?Àâ??Òþ7Ì¡±0àµ`?P±0®¡üa.Ñtf÷°w!oÿ/ð
±0}ЫñO_­'@±0?àÿ¯³)?¼aO?b("?ÿo¢;@Ï ß!ï1?ÿ#O$%*?#(ÿ)*?A ',ï-ÿ²Þáÿ?ùà?ò1
??¿?Ï°?ÿ±¯?þ«!EØ ?ßµwoÿ·¯¸¿z??PÊ_ËoÌx?Pç?0ÁÊ?Ño,F±A/B?óCO×e

3?E?FOG_c×ùüðb IÚ°ëQ ïå }áð?ò 8¨ñóp߁¼ð4ðÒ0 Ø°­àcN¢È0ok ðQ½nÎy½=}s @O1¹V qYÒÑ@,OÀýNÀIIoJK×úR0äáST/U?ÁÉ?àO1Pu}8À  Q 8O2c°.þ RÿXOY_V/W?]ß^ïåD mN ryæ?N¢Ï?M© p½MpPSâð øVPNN ð{P?À­À?Ï@fCOÜP R\õ (Q±w} Oa/b?ÿcOÁÉM?i?jOk_ÁÉi/¿noÁºÏ??Á?±hð½½1dqorspªsÐ[?À½`f6OÃ-
8-sOÔfós)¨ðfñeRIOS Øà.4(7ç|N±f SyаêÑf?úR²r\¡ÕðQfáÑáïúÀR°M?øÀnv?wOx_ÿ`?/??OÁÉ[ðNáÈ ýQpP÷Ð?0dðÐ[Àï?0üðÐнb\}¸å ÿøÀýqq_?o?Áº¡?ÿOÀ½?Ï?ߍïp¯Ï?ß»?ïÂc8qÏ@ì°/ç?ÿ¦°I_?o??O?_???Oßt???÷Ð
zP\¡A[ñ§½?Ào9?Tfå dhÀõÝkR°b\!0³È`PïÐÁæ?R°÷ Õ1[Ò¤âÿQhÐNÎÀ?Qáeaå ÿ§!£ ?{8?QN±9ÉñÿÑáffä¤äѦ§?h%÷©F¨ñ¢ç.I?/???õMBTP1aQ\«B??ýQ(hÔM¨
àzø±¤¢ÿN±?Ñ~[ð?° Q?¥âáu8 Ñ):®T÷®TgµØ±e¸%®¿¯Ï°ßÿljº»/¼?liÙà?f@â:
|à0.1¡<À¾w¿À/?ª(Ó¡u?z bÿû [ðM Q[ÒàedíÀÿÛÐ?Ï@3`Ã/Ä?ÅOlwﹿÊË/ÅïOÍ?ίϿÏliüQÂÂà.3}яçÒ?Ó¯Ì? Pê@ðñvð keyÍ?×?ØOÔ_|P1Â`ÛÿÝÞli3äDE|ÐMDÃáâ/ñ??DH2Û?å/æ?çO?P2Â`ãö¥¡-pGÿèÿêë
Ì?îï/ð?lx~Lò?óOô_liÇ#ÈÒyÿö/÷?øOli@Rú¯û¿ÿüÏ?ªÉ!þßÿïÿli4ïÿlh:
/?ª7.8.9.0ö/< h?pÇ?4ðf?6áÿzPÉ_ ï ÿñ/oñliSam3ðo?¯ñ??ACLP?úq~qdðÿ60¸%M2ßïÿýÚh`Úm[áifÕ Â#?Ó<Àí?hoO¡11 Â æ6 5653?4Xüfi1¢4ÿ678/9?ÿlY¯¿ Ï!ß"ï#ÿ?.//li1133?ÿ4¯5¿?7¿8Ï9ß0O1_?2o3<Ï=ßlK78BoÿCD:ß%¾'(/)?*O
ÿ+_,oFßGïHÿÚ'¸?}Íÿ¹TFoR¯S¿I?W?X¯Y¿ÿ½_\]/^?Á_¯`¿aÏÿ6Ê$?A0Öe/f?Z¯hßÿiïj
ÿÐÏm_nooÕpÿ·rs^é2ÂÑ}2ÖPÿPuv?w¯Ù¿ÚÏlï{ÿ|ߏ??¯ãOä_??ÿ?¯ç/?¿?Ï
?ßìßíïÿ?}/????¯õ[úïþ?ÉÑÂ`gÈ!@0¹0ÿ¢ Ñ«¢?Ï?ß?ïg_$äÿ?O_?o}HªP ï¡ÿ£
ÿ?B/¥¯¦¿67?ª_«oÿ¤­¯®¿¯Ï¨O±_²o³ÿE?¶·/¸??º/»?¼Oá_4RemoV??ÿ?ï@VA1A"
Ä30½¯¾¿¿Ïÿ¼¯UyRÕÀ@O Õ°:wkðPÊahiòsÊ ay±0L ËPÀçW!?° lú?4ÿËPÕ°$2Ë??ÍÒVɱ0V`~ÐÌA Ë @ÎuC÷Ëp?ÏIe Ì $3Mà·~Ð?ðÎQw?ÕÐSV?DSAptunË l^)ÊrÍÒÐÑ%. TÿÍà?Å?ÆOÇ_^éΨÖïß×ÿÙ?:ÝV`g~ÁÛo§Üݏ^ébeMàvþ ÿÛ_àßáï?+ä
?åOæ_*ÿÏÁ$P0V?~ÐÔrPÊrçÊBV`íexËp°?WÓ±í¢1ùðfÍÃ3ÿ΁ÂUìáé@&°àÍ?÷Â
Íà 2Ê Ö¯èÿêûîW y$PÁðã¢P졿θˠðÍá?á°aVòïïBðõÏ²Ë gÂùþ¡úsÖ`IïTÐøø¶~pÊr¿M°?àï°ÊPP²V?lËÁÿÂpÑðî#ÍÒÓ°Ë?ò¿óÏïôß^éÒÑÔ0f±0ÍÑÎ?ç
ÓôÊ£Ë?biÿ_ow=^­-?O^édiÿ~`LPÂÁý!íøQ?ñ~?ù?Pld±0Ô°?àÍÒ¿`ÿ ¯
¿^?íàp Ñ]ÖaAðÁÍáÂmÂPtÿ?~`@Ë??0Ë?ÊrWAý?fíò`ùÊñ?ÐË ÿ!ßT±0? &°? ßT¿ÎmÌðÊA÷rËp±0sÿ?@ý0þ??ñÒÊàS»@Ì@pLÐ
Ìòo?Tö(ÔÌ sË?А? õu k?0wË?íàñ
q?³ø?0u2).ÄßïO_nÉÃWÊaOP~Áý ÀsÉà5Ñ?4ϲEö(?±MàpË?MÌ î#ÿ?ñÊ°1ã¡a!ËPù0ï?POpÏ¥ã°tV?ͱ~pý@?ÔPϲþGï°
Ôp?Àÿ
bý?2!_"o#bÚÔ0ïÎ]aÌbÔ?a~â±0Õ ùñødï MË~ÐSx-2-ÐEÕZ±0bÿN°ö¯ÎÈ¡?àÌðÓ0rÿüVÌ1.//0?1OÒË?þI3ñÈp±0(ñ£)¢þ(
rO%ù
ÐÔPRVû!Ly åÉÄð9áP¿Ôv4 TËôqòcO!ñr/vÂP?°ù@3dÿÌ@2æòa*Ê Hfÿ?3;?<O=_°?ìËñLà/þ?80òÏÀiãðduÿ
?ÑÓôË?~aGð÷t¾- Éø¶Â SË?(
ÑÿEQ?@PàCÀì!`Ã@ûù1Ðo&@ÁðøbÑ_?ÇL?MO$zrquÂW/ÿX?YO?ù80?Uñ?û ÖÉAîð¢ãÑí?@!ÿ%ÀÂ`FvÐåÔq9FÌwÔôϲÎ(î´?ÌÀiÿ~ðËCÔQÂ?)r~?UVoBà*Õ5Ëp
?`_ù@N¿ü¡[o\]$?ßQrÈ_j} ôdÉ l?án5z7nC lqjnl 8¦ m`Ë--såNàýãðrÊ@́ðÒ±jï0¿7°úp?Cáߐ.sô.CÍà~ÁbíAVØG F~`E À²}wUVò}@? ÃbÄ 4Ú3ò@/yÐu#DÐDÀ¥øPe?26à1Ä ñ `/58ò@t`ÁàÌ G{Á{b{á12/­0/Am@06 4:zÁP.Msô?É$}?Þ?â Y ? ÀF?? ÀF?
? ÀF?? ? ÀF?? ÀF?@? ÀF`?p?J2 ? ÀF?? ÀF?J?7GVA2¡??è{O± AVG FLAGS (OUT)Ð?! øÁ?h ÎÓ?æ°/úÁ?h ÎÓ?æ°/þ
4ý?4ý?4NITAù¿¸ª7Ùn100000000C18C906820CED31189E6B02F9D00000
0443A6E00åátÓm eHELLO,IHAVEBEENUNABLETOREACHTHELISTSITETOLOOKFORANYARCHIVESON
THISQUESTION,SOI?LLTHROUGHITOUTTHEREI?MHè_______________________________
________________
VPN mailing list
VPN (at) lists.shmoo (dot) com [email concealed]
http://lists.shmoo.com/mailman/listinfo/vpn

[ reply ]
 

Privacy Statement
Copyright 2010, SecurityFocus