
PIX IPsec VPN problems

So you have a PIX and you want to set up an IPsec LAN-to-LAN (L2L) VPN with it, and the tunnel refuses to come up even though Phase 1 completes.

Specifically, you're seeing:

%PIX-3-713119: Group = xxx.yyy.aaa.zzz, IP = xxx.yyy.aaa.zzz, PHASE 1 COMPLETED
%PIX-3-713902: QM FSM error (P2 struct &0x1c0bd30, mess id 0x4a08f6c8)!
%PIX-3-713902: Group = xxx.yyy.aaa.zzz, IP = xxx.yyy.aaa.zzz, Removing peer from correlator table failed, no match!
%PIX-4-113019: Group = xxx.yyy.aaa.zzz, Username = xxx.yyy.aaa.zzz, IP = xxx.yyy.aaa.zzz, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
A few things you need to know about the PIX and its IPsec VPN implementation:
  1. The PIX is very picky: every Phase 2 parameter (encryption, authentication, PFS group) must match exactly, otherwise it logs "Phase 2 Mismatch" and tears the session down.
  2. The PIX has PFS turned off by default for L2L VPNs.
This means that if you're running something like the OpenBSD IPsec VPN (with isakmpd), which is otherwise pretty permissive about parameters, the quick-mode "group modp1024" in ipsec.conf is proposing PFS with DH group 2 and the PIX rejects it. You must explicitly turn off PFS on the OpenBSD side by setting the quick-mode group to none (the alternative, and the stronger choice, is to enable PFS on the PIX crypto map so both ends use group 2):
  • OLD:
     quick auth hmac-md5 enc 3des group modp1024\
  • NEW:
     quick auth hmac-md5 enc 3des group none \
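The following is an added example (not from the original post and not part of either isakmpd or the PIX) that shows the Phase 2 check in code: it reads the PIX syslog lines quoted above to confirm the failure is a Phase 2 mismatch after a successful Phase 1, then compares the isakmpd quick-mode proposal against the PIX crypto map entry. The PIX configuration, the transform-set and crypto map names ("ESP-3DES-MD5", "outside_map") and the addresses are constructed sample input; the keyword tables map PIX transform-set and "set pfs" keywords onto the ipsec.conf names, and a missing "set pfs" line is treated as PFS off, which is the PIX default the post describes.

```python
import re

# Constructed sample syslog, modelled on the messages quoted in the post
# (addresses replaced with RFC 5737 documentation space).
PIX_LOG = """\
%PIX-3-713119: Group = 192.0.2.1, IP = 192.0.2.1, PHASE 1 COMPLETED
%PIX-3-713902: QM FSM error (P2 struct &0x1c0bd30, mess id 0x4a08f6c8)!
%PIX-3-713902: Group = 192.0.2.1, IP = 192.0.2.1, Removing peer from correlator table failed, no match!
%PIX-4-113019: Group = 192.0.2.1, Username = 192.0.2.1, IP = 192.0.2.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
"""

# Constructed PIX-side crypto map (hypothetical names). There is no
# "set pfs" line, so this entry has PFS off, the PIX default for L2L.
PIX_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 match address l2l_acl
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-3DES-MD5
"""

# The two ipsec.conf quick-mode clauses from the post, before and after the fix.
OLD_QUICK = "quick auth hmac-md5 enc 3des group modp1024"
NEW_QUICK = "quick auth hmac-md5 enc 3des group none"

# PIX keyword -> ipsec.conf keyword (assumed mapping, covers the common sets).
PIX_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes",
           "esp-aes-192": "aes-192", "esp-aes-256": "aes-256"}
PIX_AUTH = {"esp-md5-hmac": "hmac-md5", "esp-sha-hmac": "hmac-sha1"}
PIX_PFS = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536"}


def diagnose_pix_log(text):
    """Classify the tunnel failure from PIX syslog: did Phase 1 complete,
    and what disconnect reason did the PIX give for the session?"""
    phase1 = any("PHASE 1 COMPLETED" in line for line in text.splitlines())
    m = re.search(r"Reason: (.+?)\s*$", text, re.MULTILINE)
    return {"phase1_ok": phase1, "reason": m.group(1) if m else None}


def parse_isakmpd_quick(line):
    """Extract auth/enc/group from an ipsec.conf quick-mode clause.
    A trailing line-continuation backslash, as in the post, is tolerated."""
    params = {}
    for key in ("auth", "enc", "group"):
        m = re.search(r"\b%s\s+(\S+)" % key, line)
        if m:
            params[key] = m.group(1).rstrip("\\")
    return params


def parse_pix_phase2(text, map_name, seq):
    """Collect the Phase 2 proposal of one crypto map entry: the contents
    of its transform set plus the PFS group. Absent "set pfs" means PFS off;
    "set pfs" with no group is taken as group2 (assumed PIX default)."""
    transform_sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M):
        transform_sets[m.group(1)] = m.group(2).split()
    entry = re.compile(r"^crypto map %s %s set (\S+)(?: (.*))?$"
                       % (re.escape(map_name), re.escape(seq)), re.M)
    params = {"group": "none"}
    for m in entry.finditer(text):
        key, val = m.group(1), m.group(2)
        if key == "transform-set":
            for tok in transform_sets.get(val, []):
                if tok in PIX_ENC:
                    params["enc"] = PIX_ENC[tok]
                elif tok in PIX_AUTH:
                    params["auth"] = PIX_AUTH[tok]
        elif key == "pfs":
            params["group"] = PIX_PFS.get(val or "group2", val)
    return params


def phase2_mismatches(isakmpd, pix):
    """Return a sorted list describing every Phase 2 parameter that differs;
    an empty list means the two proposals agree."""
    return sorted(f"{k}: isakmpd={isakmpd.get(k)} pix={pix.get(k)}"
                  for k in ("auth", "enc", "group")
                  if isakmpd.get(k) != pix.get(k))


if __name__ == "__main__":
    print(diagnose_pix_log(PIX_LOG))
    pix = parse_pix_phase2(PIX_CONFIG, "outside_map", "10")
    for label, clause in (("OLD", OLD_QUICK), ("NEW", NEW_QUICK)):
        print(label, phase2_mismatches(parse_isakmpd_quick(clause), pix) or "match")
```

Against the constructed PIX entry the OLD clause reports a single mismatch on the PFS group (modp1024 versus none) and the NEW clause reports none, which is exactly the "Phase 2 Mismatch" the syslog names. If you would rather keep PFS, the same checker shows the other way to reach agreement: add "set pfs group2" to the crypto map entry and leave the OpenBSD side at modp1024.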
