lan-lan tunnel, pix-concentrator

Hi

I'm trying to create a LAN-to-LAN tunnel between a 3005 and a PIX 501. The PIX has the 3DES licence:
VPN-DES: Enabled
VPN-3DES-AES: Enabled

I've been following the doc on the Cisco web site:
[link]
but I have no idea what I'm doing wrong. The parameters on the 3005:
authentication: esp/sha/hmac-128, preshared key
encryption: aes-256
ike proposal: encr: aes-256, auth: sha/hmac/160, group 2

23877 05/30/2006 17:15:31.390 SEV=4 AUTH/23 RPT=823 x.x.x.9 User [x.x.x.9] Group [x.x.x.9] disconnected: duration: 0:00:00

23876 05/30/2006 17:15:31.390 SEV=4 IKEDBG/97 RPT=278 x.x.x.9 Group [x.x.x.9] QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!

23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9 Group [x.x.x.9] Received local IP Proxy Subnet data in ID Payload: Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0

23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9 Group [x.x.x.9] Received remote IP Proxy Subnet data in ID Payload: Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0

23864 05/30/2006 17:15:31.340 SEV=4 IKE/119 RPT=16200 x.x.x.9 Group [x.x.x.9] PHASE 1 COMPLETED

The PIX says:

[...]
VPN Peer: ISAKMP: Added new peer: ip:x.x.x.8/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:x.x.x.8/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:x.x.x.8, dest:x.x.x.9 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24576 protocol 1 spi 0, message ID = 3863724126
ISAKMP (0): processing responder lifetime
ISAKMP (0): phase 1 responder lifetime of 3600s
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:x.x.x.8, dest:x.x.x.9 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2461701839, spi size = 16
ISAKMP (0): deleting SA: src x.x.x.9, dst x.x.x.8
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xb31854, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.x.8/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.8/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.8

And I ran out of ideas. I've tried configuring the PIX with no x-auth, changing ipsec nat-t, changing the transform sets... but no luck. Can anyone tell me what I'm doing wrong?

The only error message I see is the "QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)!" on the concentrator web page, but I don't know what that means.

Thanks very much,
Adam

Reply to
Adam KOSA

You really should use group 5 with AES.

I recommend instead,

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA TRANS_ESP_3DES_MD5

I recommend changing the group to 5 for aes-256, and I recommend reversing the order so that AES-256 has a higher priority than 3DES/MD5.

I don't particularly recommend 3DES/MD5: 3DES/SHA is considered more secure.

This link *might* help:

[link]

I notice that the remote IP (from the PIX) is netmask 255.255.0.0: was that what you were expecting?

Meanwhile, on the PIX, push up the debug level. If my fingers still remember the commands:

debug crypto isakmp 2
debug crypto ipsec 2

Reply to
Walter Roberson
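An added illustration of the netmask question in the reply above (example code, not from the thread, the concentrator, or Cisco): the concentrator's "Received local/remote IP Proxy Subnet" events show exactly which selectors the PIX proposed in quick mode, and a QM FSM error right after PHASE 1 COMPLETED is what you see when those selectors do not mirror the network lists configured on the other side. This script parses those two event lines (a constructed sample in the same format as the ones quoted above) and compares them with the networks you believe are configured on the concentrator. It assumes the PIX was the initiator, so the concentrator's "local" proxy is the network behind the PIX and must equal the concentrator's remote network list, and vice versa; the function names and the expected-network arguments are mine.

```python
import ipaddress
import re

# Constructed sample: two concentrator event-log lines in the same format as
# the ones quoted in the thread (peer address anonymised as x.x.x.9).
SAMPLE_LOG = """\
23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9 Group [x.x.x.9] Received local IP Proxy Subnet data in ID Payload: Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0
23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9 Group [x.x.x.9] Received remote IP Proxy Subnet data in ID Payload: Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0
"""

PROXY_RE = re.compile(
    r"Received (?P<side>local|remote) IP Proxy Subnet data in ID Payload: "
    r"Address (?P<addr>[\d.]+), Mask (?P<mask>[\d.]+), "
    r"Protocol (?P<proto>\d+), Port (?P<port>\d+)"
)


def parse_proxy_ids(log_text):
    """Extract the Phase 2 proxy identities the peer sent, keyed by the
    'local'/'remote' label the concentrator uses.  Returns a dict of
    side -> (network, protocol, port).  ip_network(strict=True) raises
    ValueError if the mask does not fit the address (host bits set), which
    is itself a selector error worth surfacing rather than hiding."""
    found = {}
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=True)
        found[m["side"]] = (net, int(m["proto"]), int(m["port"]))
    return found


def check_mirror(peer_ids, our_local, our_remote):
    """Return a list of mismatch descriptions (empty when the selectors mirror).

    our_local / our_remote are the networks configured on *our* side of the
    LAN-to-LAN entry (hypothetical arguments, not concentrator fields).  The
    peer's 'local' must be exactly our 'remote' and the peer's 'remote'
    exactly our 'local'; with IKEv1 quick mode a superset or subset is still
    a mismatch, which is what produces the QM FSM error after Phase 1."""
    expected = {
        "local": ipaddress.ip_network(our_remote),
        "remote": ipaddress.ip_network(our_local),
    }
    problems = []
    for side in ("local", "remote"):
        if side not in peer_ids:
            problems.append(f"no {side} proxy ID found in log")
            continue
        net, proto, port = peer_ids[side]
        if net != expected[side]:
            problems.append(f"{side} proxy {net} != expected {expected[side]}")
        if proto != 0 or port != 0:
            problems.append(
                f"{side} proxy restricts protocol/port ({proto}/{port}); "
                "an 'ip any' crypto ACL on our side will not match it"
            )
    return problems


if __name__ == "__main__":
    ids = parse_proxy_ids(SAMPLE_LOG)
    print("peer proposed:", ids)
    # Constructed case: our side has 10.12.0.0/24 where the PIX sends /16.
    for p in check_mirror(ids, our_local="10.12.0.0/24", our_remote="10.10.141.0/24"):
        print("MISMATCH:", p)
```

Run it against a copy of the concentrator's event log filtered to the IKE/34 and IKE/35 events for the failing peer; an empty result from check_mirror means the selectors are not the problem and the transform set or DH group is the next thing to compare.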

: Meanwhile, on the PIX, push up the debug level. If my fingers
: still remember the commands:
:

Thanks for the reply, it helped!

Regards,
Adam

Reply to
Adam KOSA

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.