On Tue, Dec 16, 2008 at 11:17 PM, Boris Goldberg <[email protected]> wrote:
> Hello Danial,
>
> Tuesday, December 16, 2008, 4:07:26 PM, you wrote:
>
>>> Your tunnel is probably host-to-host - don't change it, but add an
>>> additional network-to-host one. That "dummy" tunnel won't actually
>>> transfer anything, but will route packets from your internal network
>>> to enc0, then your nat rule will change it and everything should work.
>
> DO> I'm not quite sure how you've done this. Could you be more specific?
> DO> Do you mean to add an additional Connection in isakmpd.conf and refer
> DO> to the same Peer but a different network (Local-ID)?
>
> Yes, something like the following:
>
> [Phase 1]
> <their_external_IP>= PIX
>
> [Phase 2]
> Connections= PIX_CONN-1,PIX_CONN-1_1
>
> [PIX_CONN-1]
> Phase= 2
> ISAKMP-peer= PIX
> Configuration= quick-mode-pix
> Local-ID= Net-twopoint
> Remote-ID= pix-internal-1
>
> [PIX_CONN-1_1]
> Phase= 2
> ISAKMP-peer= PIX
> Configuration= quick-mode-pix
> Local-ID= twopoint-internal-1
> Remote-ID= pix-internal-1
>
> [Net-twopoint]
> ID-type= IPV4_ADDR_SUBNET
> Network= <our_network>
> Netmask= <our_netmask>
>
> [twopoint-internal-1]
> ID-type= IPV4_ADDR
> Address= <our_firewall_internal_IP>
>
> [pix-internal-1]
> ID-type= IPV4_ADDR
> Address= <their_box_internal_IP>
>
> Of course, it's just a quote from our isakmpd.conf. Real numbers are
> substituted with <description>.
This involves the same issue as mentioned earlier, that the
flows/"dummy tunnel" does in fact get transmitted to the peer for
quick mode negotiation.
isakmpd -dvL reports
Default transport_send_messages: giving up on exchange PEER, no
response from peer <peer_ip>:500
isakmpd.pcap contains
00:38:55.138549 <myhostip>.500 > <peer_ip>.500: [udp sum ok] isakmp
v1.0 exchange QUICK_MODE
cookie: 4e4b2944370a8560->ff879e6d83275fd5 msgid: 85e8f8bd len: 284
payload: HASH len: 24
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x8f05b4fc
payload: TRANSFORM len: 28
transform: 1 ID: 3DES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
attribute GROUP_DESCRIPTION = 2
payload: NONCE len: 20
payload: KEY_EXCH len: 132
payload: ID len: 16 type: IPV4_ADDR_SUBNET = <my_lan>/255.255.0.0
payload: ID len: 12 type: IPV4_ADDR = <remote_internal_ip>
[ttl 0] (id 1, len 312)
00:38:55.218317 <peer_ip>.500 > <myhostip>.500: [udp sum ok] isakmp
v1.0 exchange INFO
cookie: 4e4b2944370a8560->ff879e6d83275fd5 msgid: c2905b70 len: 124
payload: HASH len: 24
payload: NOTIFICATION len: 68
notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 152)
I'm relying on the lo1 hack to save me. Gonna try it as soon as the IP
I'm gonna use gets accepted by the remote site!
Thanks,
Danial
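The configuration Boris quoted wires [Phase 2] Connections= to per-connection sections, which in turn point at an ISAKMP-peer and at Local-ID/Remote-ID sections; the CIDRs those ID sections resolve to are exactly what shows up in the quick-mode ID payloads in Danial's pcap (IPV4_ADDR_SUBNET <my_lan>/255.255.0.0 and IPV4_ADDR <remote_internal_ip>), and a NO PROPOSAL CHOSEN from a PIX is usually the peer rejecting that selector pair against its crypto ACL. The script below is an added example, not part of the thread and not isakmpd's own code: it parses the isakmpd.conf-style syntax, checks that every listed connection, peer and ID section actually exists and is consistent, and prints the selector pair each connection would propose so it can be compared with the peer's policy before touching the tunnel. The sample configuration is constructed from the quoted one with made-up addresses; the [PIX] Phase 1 section is a minimal stand-in the mail does not show, and PIX_CONN-2 is a deliberately dangling entry.

```python
import ipaddress
import re

# Constructed sample modelled on the config quoted in the thread. The mail's
# <placeholders> are replaced with made-up addresses, [PIX] is a minimal
# stand-in for the Phase 1 section the mail omits, and PIX_CONN-2 is a
# deliberately dangling entry added to show what the checker reports.
SAMPLE_CONF = """\
[Phase 1]
203.0.113.10= PIX
[Phase 2]
Connections= PIX_CONN-1,PIX_CONN-1_1,PIX_CONN-2
[PIX]
Phase= 1
Address= 203.0.113.10
[PIX_CONN-1]
Phase= 2
ISAKMP-peer= PIX
Configuration= quick-mode-pix
Local-ID= Net-twopoint
Remote-ID= pix-internal-1
[PIX_CONN-1_1]
Phase= 2
ISAKMP-peer= PIX
Configuration= quick-mode-pix
Local-ID= twopoint-internal-1
Remote-ID= pix-internal-1
[Net-twopoint]
ID-type= IPV4_ADDR_SUBNET
Network= 10.20.0.0
Netmask= 255.255.0.0
[twopoint-internal-1]
ID-type= IPV4_ADDR
Address= 10.20.0.1
[pix-internal-1]
ID-type= IPV4_ADDR
Address= 192.168.50.5
"""


def parse_conf(text):
    """Parse the INI-like isakmpd.conf syntax: [Section] headers and
    Key= value lines, '#' starting a comment. Returns {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = line.split("=", 1)
        section[key.strip()] = value.strip()
    return conf


def id_selector(conf, name):
    """Resolve an ID section to the CIDR that ends up in the quick-mode ID
    payload: IPV4_ADDR becomes a /32, IPV4_ADDR_SUBNET is Network/Netmask."""
    sec = conf.get(name)
    if sec is None:
        raise ValueError(f"ID section [{name}] is missing")
    idtype = sec.get("ID-type")
    if idtype == "IPV4_ADDR":
        return str(ipaddress.ip_network(f"{sec['Address']}/32"))
    if idtype == "IPV4_ADDR_SUBNET":
        net = ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}", strict=False)
        return str(net)
    raise ValueError(f"[{name}]: unsupported ID-type {idtype!r}")


def check_phase2(conf):
    """Return (selectors, problems): selectors maps each usable connection to
    its (local, remote) CIDR pair; problems lists dangling or inconsistent
    references in the order they were found."""
    selectors, problems = {}, []
    listed = conf.get("Phase 2", {}).get("Connections", "")
    for name in [n.strip() for n in listed.split(",") if n.strip()]:
        sec = conf.get(name)
        if sec is None:
            problems.append(f"connection [{name}] is listed but not defined")
            continue
        if sec.get("Phase") != "2":
            problems.append(f"[{name}]: Phase should be 2, found {sec.get('Phase')!r}")
        peer = sec.get("ISAKMP-peer")
        if conf.get(peer, {}).get("Phase") != "1":
            problems.append(f"[{name}]: ISAKMP-peer {peer!r} is not a Phase 1 section")
        try:
            pair = (id_selector(conf, sec.get("Local-ID", "")),
                    id_selector(conf, sec.get("Remote-ID", "")))
        except (KeyError, ValueError) as exc:
            problems.append(f"[{name}]: {exc}")
            continue
        # Two connections with identical selectors can never both be negotiated.
        dup = next((n for n, p in selectors.items() if p == pair), None)
        if dup:
            problems.append(f"[{name}] proposes the same selectors as [{dup}]")
        selectors[name] = pair
    return selectors, problems


if __name__ == "__main__":
    sel, probs = check_phase2(parse_conf(SAMPLE_CONF))
    for name, (local, remote) in sel.items():
        print(f"{name}: {local} <-> {remote}")
    for p in probs:
        print("problem:", p)
```

Run against the sample it reports PIX_CONN-1 as 10.20.0.0/16 <-> 192.168.50.5/32 and the "dummy" PIX_CONN-1_1 as 10.20.0.1/32 <-> 192.168.50.5/32, plus one problem for the undefined PIX_CONN-2. The checker only validates the local file's wiring; whether the peer accepts a given pair is its policy, which is what the NO PROPOSAL CHOSEN in the pcap is reporting.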