1. Home
  2. Cisco Systems
  3. request help with VPN cryptomap debug

request help with VPN cryptomap debug

Not sure what's going wrong here, but I can't route traffic over site-to-site VPN.

I have cisco client VPNs set up on both routers, as well as the site-to-site VPN connecting the two routers. Are they conflicting?

PIX A config: Building configuration...: Saved:PIX Version 6.3(3)access-list a deny icmp any any access-list a permit tcp pixB.external.IP 255.255.255.248 any eq

25025 access-list a permit ip 10.1.1.0 255.255.255.0 any access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0 access-list split permit ip 10.1.1.0 255.255.255.0 any access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0 access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.255.0 10.10.2.0 255.255.255.224 access-list crypto30 permit ip pixA.external.IP 255.255.255.0 192.168.1.0 255.255.255.0 access-list vpn2_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any access-list outside_cryptomap_dyn_20 permit ip any 10.0.1.0 255.255.255.0 ip address outside pixA.external.IP 255.255.255.248 pppoe setrouteip address inside 192.168.0.254 255.255.255.0ip audit info action alarmip audit attack action alarmip local pool vpnpool 10.10.10.1-10.10.10.254global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0 0 0access-group a in interface outsidecrypto ipsec transform-set strong esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5crypto map toPixB 30 ipsec-isakmpcrypto map toPixB 30 set peer pixB.external.IPcrypto map toPixB 30 set transform-set strong! Incompletecrypto map toPixB 65535 ipsec-isakmp dynamic outside_dyn_mapcrypto map toPixB interface outsideisakmp enable outsideisakmp key ******** address pixB.outside.IP netmask 255.255.255.255 isakmp policy 9 authentication rsa-sigisakmp policy 9 encryption desisakmp policy 9 hash shaisakmp policy 9 group 1isakmp policy 9 lifetime 86400isakmp policy 12 authentication pre-shareisakmp policy 12 encryption 3desisakmp policy 12 hash shaisakmp policy 12 group 1isakmp policy 12 lifetime 86400isakmp policy 32 authentication pre-shareisakmp policy 32 encryption 3desisakmp policy 32 hash md5isakmp policy 32 group 2isakmp policy 32 lifetime 86400vpngroup vpn2 address-pool vpnPoolvpngroup vpn2 split-tunnel vpn2_splitTunnelAclvpngroup vpn2 idle-time 1800vpngroup vpn2 password ********PixB config: access-list outside_access_in permit tcp any object-group webservices_ref object-group webservers access-list inside_access_in permit ip any any access-list inside_outbound_nat0_acl permit ip host 192.168.1.6 192.168.4.0 255.255.255.0 access-list inside_outbound_nat0_acl permit ip host 192.168.1.10 192.168.4.0 255.255.255.0 access-list inside_outbound_nat0_acl permit ip any 192.168.10.32 255.255.255.224 access-list crypto50 permit ip pixB.outside.IP 255.255.255.0 192.168.0.0 255.255.255.0 access-list oui-remote_splitTunnelAcl permit ip host 192.168.1.6 any access-list oui-remote_splitTunnelAcl permit ip host 192.168.1.10 any access-list outside_cryptomap_dyn_20 permit ip any 192.168.4.0 255.255.255.0

crypto ipsec transform-set strong esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map toPixA 50 ipsec-isakmp crypto map toPixA 50 match address crypto50 crypto map toPixA 50 set peer pixA.outside.IP crypto map toPixA 50 set transform-set strong crypto map toPixA 65535 ipsec-isakmp dynamic outside_dyn_map_1 crypto map toPixA interface outside isakmp enable outside isakmp key ******** address pixA.outside.IP netmask 255.255.255.255 isakmp policy 8 authentication rsa-sig isakmp policy 8 encryption des isakmp policy 8 hash sha isakmp policy 8 group 1 isakmp policy 8 lifetime 86400 isakmp policy 25 authentication pre-share isakmp policy 25 encryption 3des isakmp policy 25 hash sha isakmp policy 25 group 1 isakmp policy 25 lifetime 86400 isakmp policy 45 authentication pre-share isakmp policy 45 encryption 3des isakmp policy 45 hash md5 isakmp policy 45 group 2 isakmp policy 45 lifetime 86400

If I try to ping from pixB to pixA, I see this debug info on pixA:

crypto_isakmp_process_block:src:pixB.outside.IP, dest:pixA.outside.IP spt:500 dpt:500 OAK_QM exchange oakley_process_quick_mode: OAK_QM_IDLE ISAKMP (0): processing SA payload. message ID = 1460458007

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES ISAKMP: attributes in transform: ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 28800 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 ISAKMP: authenticator is HMAC-SHA ISAKMP (0): atts are acceptable. ISAKMP: IPSec policy invalidated proposal ISAKMP (0): SA not acceptable! ISAKMP (0): sending NOTIFY message 14 protocol 3 return status is IKMP_ERR_NO_RETRANS

Reply to
cisco
Loading thread data ...

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.