pix 525 & bdcom 2621 ipsec error!

please help me

=====================================================================
bdcom 2621 router config information:

Current configuration:
!
!version 1.3.2E
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname kaifaqu2
!
enable password 0 ciscobdcom 2621 level 15
!
crypto isakmp key ciscobdcom 2621 10.10.20.138 255.255.255.224
!
crypto isakmp policy 1
 hash md5
 lifetime 28800
!
crypto ipsec transform-set 01
 transform-type esp-des esp-sha-hmac
!
crypto map 1 1 ipsec-isakmp
 set peer 10.10.20.138
 set pfs group1
 set transform-set 01
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.55.1 255.255.255.0
 ip address 192.168.56.1 255.255.255.0 secondary
 no ip directed-broadcast
 ip nat inside
!
interface FastEthernet0/1
 ip address 10.10.140.163 255.255.255.240
 no ip directed-broadcast
 crypto map 1
 ip nat outside
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
interface Serial0/3
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route default 10.10.140.161
!
ip access-list standard nat
 permit 192.168.55.0 255.255.255.0
 permit 192.168.56.0 255.255.255.0
!
ip access-list extended 101
 permit ip 192.168.55.0 255.255.255.0 192.168.4.0 255.255.255.0
 permit ip 192.168.55.0 255.255.255.0 192.168.3.0 255.255.255.0
 permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
 permit ip 192.168.55.0 255.255.255.0 192.168.1.0 255.255.255.0
!
ip nat translation max-entries 300
ip nat inside source list nat interface FastEthernet0/1
!

-----------------------------------------------------------------------------------
isakmp information

Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               28800 seconds
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds
==================================================================================

cisco pix 525 information

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list vpn permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list vpn permit ip 192.168.4.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list vpn permit ip 192.168.4.0 255.255.255.0 192.168.56.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 10.10.20.138 255.255.255.224
ip address inside 192.168.255.254 255.255.255.0
ip address DMZ 192.168.254.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 10.10.20.134 192.168.254.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 10.10.20.130 192.168.254.2 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit ip host 10.10.20.134 any
conduit permit ip host 10.10.20.130 any
route outside 0.0.0.0 0.0.0.0 10.10.20.129 1
route inside 192.168.0.0 255.255.255.0 192.168.255.1 1
route inside 192.168.1.0 255.255.255.0 192.168.255.1 1
route inside 192.168.2.0 255.255.255.0 192.168.255.1 1
route inside 192.168.3.0 255.255.255.0 192.168.255.1 1
route inside 192.168.4.0 255.255.255.0 192.168.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 01 esp-des esp-sha-hmac
crypto map 1 1 ipsec-isakmp
crypto map 1 1 match address 100
crypto map 1 1 set pfs
crypto map 1 1 set peer 10.10.140.162
crypto map 1 1 set transform-set 01
crypto map 1 2 ipsec-isakmp
crypto map 1 2 match address 101
crypto map 1 2 set pfs
crypto map 1 2 set peer 10.10.140.163
crypto map 1 2 set transform-set 01
crypto map 1 interface outside
isakmp enable outside
isakmp key ******** address 10.10.140.162 netmask 255.255.255.240
isakmp key ******** address 10.10.140.163 netmask 255.255.255.240
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 28800
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet 192.168.255.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f01f0894bddb743031b7c041072c685d
: end

------------------------------------------------------------------------------------
isakmp information

Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               28800 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
==============================================================================================
pix 525 debug information

pixfirewall#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:10.10.140.163, dest:10.10.20.138 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.10.140.163, dest:10.10.20.138 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:10.10.140.163, dest:10.10.20.138 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src 10.10.20.138, dst 10.10.140.163
ISADB: reaper checking SA 0x3845ce4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 10.10.140.163/500 not found - peers:0
======================================================================================

bdcom 2621 show ipsec command information:

Transform set 01: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel }

Interface: FastEthernet0/1
    Crypto map name: 1, local addr. 10.10.140.163

   local  ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   local crypto endpt.: 10.10.140.163, remote crypto endpt.: 10.10.20.138

------------------------------------------------------------------------------------
cisco pix 525 show information

Transform set 01: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },

   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
   current_peer: 10.10.140.163:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 18, #recv errors 0

     local crypto endpt.: 10.10.20.138, remote crypto endpt.: 10.10.140.163
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Reply to
pansin

In article , pansin wrote:
:crypto ipsec transform-set 01
: transform-type esp-des esp-sha-hmac

des + sha is not supported on any current PIX software release. If you are using des, you need to use md5 instead of sha.

[This limitation does not apply to any of the other encryptions.]
Reply to
Walter Roberson
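As an added example (not code from the thread, and not Cisco or BDCOM software), the following Python checker reads the "isakmp information" and transform-set output both devices posted above, compares the phase-1 attributes of the priority-1 suite on each side, compares the phase-2 transform sets, and flags the esp-des + esp-sha-hmac combination that Walter's reply says the PIX will not accept. The inputs are copied from the outputs above; the mapping of the verbose "show" wording onto the short `isakmp policy` keywords (des, md5, sha, pre-share, rsa-sig) is mine.

```python
"""Check whether two IPsec peers can agree on IKE phase 1 and on an IPsec transform set,
working from the 'show' output each side posted. Added example, not code from the thread."""
import re

# Constructed input: the BDCOM 2621 "isakmp information" as posted in the thread.
BDCOM_ISAKMP = """\
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               28800 seconds
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds
"""

# Constructed input: the PIX 525 "isakmp information" as posted in the thread.
PIX_ISAKMP = """\
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               28800 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# The transform-set lines from each side's "show crypto ipsec" output in the thread.
BDCOM_TRANSFORM = "Transform set 01: { esp-des esp-sha-hmac } will negotiate = { Tunnel }"
PIX_TRANSFORM = "Transform set 01: { esp-des esp-sha-hmac } will negotiate = { Tunnel, },"

# Map the verbose 'show' wording onto the short keywords used in 'isakmp policy' commands.
KEY_MAP = {"encryption algorithm": "encryption", "hash algorithm": "hash",
           "authentication method": "authentication",
           "Diffie-Hellman group": "group", "lifetime": "lifetime"}
HASHES = {"Message Digest 5": "md5", "Secure Hash Standard": "sha"}
AUTHS = {"Pre-Shared Key": "pre-share", "Rivest-Shamir-Adleman Signature": "rsa-sig"}


def normalise(key, value):
    """'DES - Data Encryption Standard (56 bit keys).' -> 'des', '#1 (768 bit)' -> '1', ..."""
    if key == "encryption algorithm":
        return value.split(" - ")[0].lower()
    if key == "hash algorithm":
        return HASHES[value]
    if key == "authentication method":
        return AUTHS[value]
    if key == "Diffie-Hellman group":
        return value.split()[0].lstrip("#")
    if key == "lifetime":
        return int(value.split()[0])  # seconds; drop the trailing 'no volume limit' text
    return value


def parse_isakmp_suites(text):
    """Return {priority: {attribute: value}}; the default suite is keyed 'default'."""
    suites, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = suites.setdefault(int(m.group(1)), {})
        elif line.startswith("Default protection suite"):
            current = suites.setdefault("default", {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            key = key.strip()
            current[KEY_MAP[key]] = normalise(key, value.strip())
    return suites


def parse_transform_set(line):
    """'Transform set 01: { esp-des esp-sha-hmac } ...' -> ('01', ['esp-des', 'esp-sha-hmac'])"""
    m = re.search(r"Transform set (\S+): \{ ([^}]*) \}", line)
    return m.group(1), m.group(2).split()


def phase1_mismatches(a, b):
    """Attributes on which two IKE suites disagree; a proposal only matches when all agree."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def check_peers(local_isakmp, local_ts, remote_isakmp, remote_ts, priority=1):
    """List the reasons the two peers would fail to build a tunnel (empty list = consistent)."""
    findings = []
    diff = phase1_mismatches(parse_isakmp_suites(local_isakmp)[priority],
                             parse_isakmp_suites(remote_isakmp)[priority])
    if diff:
        findings.append("phase 1 mismatch in: " + ", ".join(diff))
    lname, local = parse_transform_set(local_ts)
    rname, remote = parse_transform_set(remote_ts)
    if set(local) != set(remote):
        findings.append(f"phase 2 transform mismatch: {local} vs {remote}")
    # The limitation the reply above reports: PIX does not accept DES paired with SHA,
    # so a set combining esp-des with esp-sha-hmac has to use esp-md5-hmac instead.
    for name, transforms in ((lname, local), (rname, remote)):
        if {"esp-des", "esp-sha-hmac"} <= set(transforms):
            finding = f"transform set {name}: esp-des with esp-sha-hmac is not accepted by PIX, use esp-md5-hmac"
            if finding not in findings:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_peers(BDCOM_ISAKMP, BDCOM_TRANSFORM, PIX_ISAKMP, PIX_TRANSFORM):
        print(f)
```

Run against the thread's own output, the phase-1 comparison comes back clean (both priority-1 suites are DES / MD5 / pre-share / group 1 / 28800, which matches the "atts are acceptable" line in the PIX debug) and the only finding is the DES + SHA transform set; comparing the two default suites instead would show the authentication mismatch (pre-share on the BDCOM, rsa-sig on the PIX).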

Thank you. I have now corrected that error, and I am using 2 PIX 525s, but the debug info still shows an error:

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 1334059226:4f8420da
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3ef3d0ab(1056166059) for SA
        from 10.10.20.138 to 10.10.140.163 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Peer ip:10.10.20.138/500 Ref cnt incremented to:2 Total VPN Peers:1
crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
        spi 0, message ID = 3528213790
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 10.10.20.138

return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x310bfcc, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:10.10.20.138/500 Ref cnt decremented to:1 Total VPN Peers:1
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 10.10.20.138

ISADB: reaper checking SA 0x311343c, conn_id = 0
crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500
ISAKMP: sa not found for ike msg

ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x4f8420da
crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500
ISAKMP: illegal udp len
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.10.140.163, remote= 10.10.20.138,
    local_proxy= 192.168.56.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1828690246:930066ba
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xf6c17598(4139873688) for SA
        from 10.10.20.138 to 10.10.140.163 for prot 3

ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0x4f8420da
crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
        spi 0, message ID = 1736598443
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 10.10.20.138

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500
ISAKMP: illegal udp len

crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500

Reply to
pansin
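In the second capture, phase 1 now completes ("SA has been authenticated") and the failure moves to Quick Mode, where the peer answers with NOTIFY payload 14. As an added example (not code from the thread, and not a Cisco tool), the following Python script reads a `debug crypto isakmp` capture of this shape, decodes the NOTIFY type numbers with the values from RFC 2408 section 3.14.1 and the IPsec DOI values from RFC 2407 section 4.6.3 (14 is NO-PROPOSAL-CHOSEN; 24578 is INITIAL-CONTACT, which the debug itself labels), pulls out the proxy identities the local side proposed, and turns that into the next thing to check. The sample input is an excerpt of the capture above; the `triage` and `diagnosis` function names are mine.

```python
"""Triage a Cisco 'debug crypto isakmp' capture: which IKE phase completed, which NOTIFY
types were exchanged, and which proxy identities were proposed. Added example, not code
from the thread."""
import re

# Constructed input: lines excerpted from the second debug capture posted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:10.10.20.138, dest:10.10.140.163 spt:500 dpt:500
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1334059226:4f8420da
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 14 protocol 0 spi 0, message ID = 3528213790
IPSEC(key_engine_delete_sas): delete all SAs shared with 10.10.20.138
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x4f8420da
IPSEC(key_engine): request timer fired: count = 2, (identity) local= 10.10.140.163, remote= 10.10.20.138, local_proxy= 192.168.56.0/255.255.255.0/0/0 (type=4), remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): processing NOTIFY payload 14 protocol 0 spi 0, message ID = 1736598443
"""

# ISAKMP notify message types (RFC 2408 section 3.14.1) and IPsec DOI status types
# (RFC 2407 section 4.6.3) that commonly show up in these debugs.
NOTIFY_TYPES = {
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
    24576: "RESPONDER-LIFETIME",
    24577: "REPLAY-STATUS",
    24578: "INITIAL-CONTACT",
}

RECV_NOTIFY = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")
SENT_NOTIFY = re.compile(r"sending NOTIFY message (\d+) protocol (\d+)")
PROXY = re.compile(r"local_proxy= (\S+) \(type=\d+\), remote_proxy= (\S+) \(type=\d+\)")


def decode_notify(code):
    return NOTIFY_TYPES.get(code, f"UNKNOWN({code})")


def triage(debug_text):
    """Reduce the capture to the facts an operator checks first."""
    summary = {"phase1_authenticated": False, "phase2_started": False,
               "notifies_received": [], "notifies_sent": [], "proxies": [],
               "sa_deletes": 0, "phase2_retransmits": 0}
    for line in debug_text.splitlines():
        if "SA has been authenticated" in line:
            summary["phase1_authenticated"] = True
        elif "beginning Quick Mode exchange" in line:
            summary["phase2_started"] = True
        elif "delete all SAs shared with" in line:
            summary["sa_deletes"] += 1
        elif "retransmitting phase 2" in line:
            summary["phase2_retransmits"] += 1
        m = RECV_NOTIFY.search(line)
        if m:
            summary["notifies_received"].append(decode_notify(int(m.group(1))))
        m = SENT_NOTIFY.search(line)
        if m:
            summary["notifies_sent"].append(decode_notify(int(m.group(1))))
        m = PROXY.search(line)
        if m:
            summary["proxies"].append((m.group(1), m.group(2)))
    return summary


def diagnosis(summary):
    """Point at the layer where negotiation stopped, in the order IKE builds it up."""
    if not summary["phase1_authenticated"]:
        return "phase 1 never completed: check the IKE policy and pre-shared key on both peers"
    if "NO-PROPOSAL-CHOSEN" in summary["notifies_received"]:
        proxies = "; ".join(f"{loc} <-> {rem}" for loc, rem in summary["proxies"]) or "unknown"
        return ("phase 1 is up but the peer rejected the phase 2 proposal: compare the "
                "transform sets and make sure the peer's crypto ACL mirrors " + proxies)
    if summary["phase2_started"] and summary["phase2_retransmits"]:
        return "phase 2 proposals go unanswered: check reachability and UDP 500 between peers"
    return "no failure found in this capture"


if __name__ == "__main__":
    s = triage(SAMPLE_DEBUG)
    print(s)
    print(diagnosis(s))
```

On the excerpt above, `triage` reports phase 1 authenticated, INITIAL-CONTACT sent, NO-PROPOSAL-CHOSEN received twice, and the proposed proxy pair 192.168.56.0/24 to 192.168.1.0/24, so `diagnosis` points at the phase-2 proposal (transform set and the mirrored crypto ACL on the peer) rather than at the IKE policy or the pre-shared key.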
