PIX-to-PIX IPSec VPN Tunnel

Hello All,

We have recently inherited a network that has multiple locations with multiple tunnels over a few PIX units. The existing tunnels work perfectly. There are three offices: DI, DL and the owner, Dale's, house. There is a working tunnel between DI and DL, one between DL and Dale and a few from DL to other offices. We need to configure a tunnel between DI and Dale, but have had no luck. I have mimicked the existing configuration, attempted to follow Cisco document 6211 to set up a new tunnel, but I can't seem to get the configuration to work. crypto isakmp sa shows nothing on either device, and show crypto ipsec sa does not list anything under inbound or outbound SAs. Any insight or direction re: this may be helpful. I have provided configs of the routers (omitting WAN IPs - I confirmed that each WAN IP is configured correctly). FYI: Dale has a PPPoE DSL connection and a non-static IP.

Thanks in advance,

Aaron

----------------------------------------- DL PIX Config

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname DL-
domain-name secure.local
clock timezone PST
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-out permit tcp any host eq smtp
access-list acl-out permit tcp any host eq https
access-list acl-out permit tcp any host eq ssh
access-list acl-out permit icmp any any echo-reply
access-list acl-out permit icmp any any unreachable
access-list acl-out permit icmp any any time-exceeded
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list split permit ip 192.168.7.0 255.255.255.0 19
0
access-list RISCbox permit ip host 192.168.7.243 192.168.201.0 255.255.255.0
access-list DI permit ip 192.168.7.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list DL- permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 255.255.255.248
ip address inside 192.168.7.248 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.201.1-192.168.201.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.7.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp ssh 192.168.7.243 ssh netmask 255.255.255.255 0 0
static (inside,outside) 192.168.7.246 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server IAS protocol radius
aaa-server IAS max-failed-attempts 3
aaa-server IAS deadtime 10
aaa-server IAS (inside) host 192.168.7.246 sH@r3dSEc019 timeout 10
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ntp server 192.168.7.249 source inside
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ENCRYPT1 esp-3des esp-md5-hmac
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 90 set transform-set AES-256 ENCRYPT1
crypto map 1VPN 10 ipsec-isakmp
crypto map 1VPN 10 match address DI
crypto map 1VPN 10 set peer 216.241.48.186
crypto map 1VPN 10 set transform-set AES-256
crypto map 1VPN 15 ipsec-isakmp
crypto map 1VPN 15 match address DL-
crypto map 1VPN 15 set peer 12.176.203.186
crypto map 1VPN 15 set transform-set AES-256
crypto map 1VPN 90 ipsec-isakmp dynamic dynmap
crypto map 1VPN client configuration address initiate
crypto map 1VPN client configuration address respond
crypto map 1VPN interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address
crypto map PIXRemote 25 set transform-set DE-DI
crypto map PIXRemote interface outside
isakmp enable outside
isakmp key ******** address netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.7.0 255.255.255.0 inside
telnet 192.168.198.0 255.255.255.0 inside
telnet 192.168.199.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group sprintDsl request dialout pppoe
vpdn group sprintDsl localname
vpdn group sprintDsl ppp authentication chap
vpdn username password *********
dhcpd address 192.168.198.19-192.168.198.25 inside
dhcpd dns 192.168.7.246
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:0bec5c75b00322ba0d6178f4375d36d0
: end

--------------------------

DI PIX Config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname di-pix
domain-name secure.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list SPLIT permit ip 10.20.30.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list nonat permit ip 10.20.30.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list nonat permit ip 10.20.30.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat permit ip 10.20.30.0 255.255.255.0 192.168.198.16 255.255.255.240
access-list acl-out permit icmp any any echo-reply
access-list acl-out permit icmp any any unreachable
access-list acl-out permit icmp any any time-exceeded
access-list DL permit ip 10.20.30.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list DE-home permit ip 10.20.30.0 255.255.255.0 192.168.198.16 255.255.255.240
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 255.255.255.248
ip address inside 10.20.30.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.254.254.1-10.254.254.5
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 216.241.48.185 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
ntp server 128.9.176.30 source outside
ntp server 209.81.9.7 source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set DI-DE esp-des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set AES-256
crypto map DI-VPN 10 ipsec-isakmp
crypto map DI-VPN 10 match address DL
crypto map DI-VPN 10 set peer netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup secGroup address-pool vpnpool
vpngroup secGroup dns-server 10.20.30.246
vpngroup secGroup default-domain secure.local
vpngroup secGroup split-tunnel SPLIT
vpngroup secGroup split-dns
vpngroup secGroup idle-time 1800
vpngroup secGroup password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
username encrypted privilege 15
username encrypted privilege 15
terminal width 80
Cryptochecksum:e3d5c96f573c0693ea72f426bf22171a
: end
Reply to
Aaron Gitlin

Unfortunately that line (or those lines) were munged and I can't reasonably interpolate what they are in the configuration. If that line was overly general, it could cause the problem you are seeing.

Reply to
Walter Roberson

You never need that anymore. It's a rare PIX that is still running the Private Link encryption cards.

PIX 6.3 limitation: 3DES MD5 is not supported. For 3DES you should use 3DES SHA Group 2 (Group 1 if you -really- need to.) DES MD5 Group 1 -is- supported.

Missing end of line there?

The default hash is MD5, so unless the missing end of line was for an SHA hash, the only difference between this and the previous is that this one is group 2 instead of group 1. But why put the stronger encryption as lower priority? And if the missing end of line is SHA, then you do not have a corresponding phase 2 encryption setup; differences in encryption between the two phases don't cause problems in theory, but can in practice.

There is a PIX security advisory that you can use to take that to 6.3(5) rebuild even if you do not have a support contract.

I'd recommend turning those off if Dale is the only client. Alternately, in the isakmp key that matches Dale's potential range of IPs, add no-xauth no-config-mode to the line. You don't appear to have a shared key specific to Dale, but I would suggest that you should: although he has a dynamic IP, his ISP is only going to give him an IP from a limited pool, and things get easier for you if you can allow him to use his internal IP range instead of having him allocated a link IP by the PIXen.

Reply to
Walter Roberson
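The checks in Walter's reply are the kind of thing worth scripting before touching either box. The Python below is an added example (not code from the thread, from Cisco, or from either PIX): it parses the crypto-relevant lines of two PIX 6.x running configs and reports undefined transform-sets, more than one crypto map bound to an interface, crypto map entries with no match address or peer, static-peer isakmp keys that lack no-xauth no-config-mode while the map has client configuration address turned on, the 3DES/MD5 phase 1 combination Walter says to avoid on 6.3 (encoded as his rule, not verified here), and crypto ACL lines that are not mirrored on the far side. The two sample configs, their peer addresses (192.0.2.10 and 198.51.100.20) and the stray PIXRemote map are constructed to resemble the configs posted above; the function and dictionary names are the example's own.

```python
# Added example (not code from the thread or from Cisco): cross-checks two PIX 6.x
# configs for the kinds of mismatch discussed above. All addresses are constructed.
from collections import defaultdict


def parse(text):
    c = {"ts": set(), "acls": defaultdict(list), "maps": defaultdict(dict),
         "iface": defaultdict(set), "client_cfg": set(), "policies": defaultdict(dict),
         "keys": [], "wan": None}
    for w in (line.split() for line in text.splitlines()):
        if w[:3] == ["ip", "address", "outside"]:
            c["wan"] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["ts"].add(w[3])
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            c["acls"][w[1]].append(tuple(w[4:8]))           # src smask dst dmask
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            c["iface"][w[4]].add(w[2])
        elif w[:2] == ["crypto", "map"] and w[3:5] == ["client", "configuration"]:
            c["client_cfg"].add(w[2])
        elif w[:2] == ["crypto", "map"] and w[3].isdigit() and w[4] in ("match", "set"):
            e = c["maps"][(w[2], int(w[3]))]                 # entry keyed by map, seq
            e[w[5]] = w[6:] if w[5] == "transform-set" else w[6]
        elif w[:2] == ["isakmp", "key"]:
            c["keys"].append(w)                              # w[4] is the peer address
        elif w[:2] == ["isakmp", "policy"]:
            c["policies"][int(w[2])][w[3]] = w[4]
    return c


def check_one(c, side):
    """Problems visible from one peer's config alone."""
    out = []
    for seq, p in sorted(c["policies"].items()):
        if p.get("encryption") == "3des" and p.get("hash") == "md5":
            out.append(f"{side}: isakmp policy {seq} is 3des/md5 (reply above: use 3des/sha on 6.3)")
    for iface, names in c["iface"].items():
        if len(names) > 1:
            out.append(f"{side}: {sorted(names)} all bound to {iface}; only one crypto map is active")
    for (name, seq), e in sorted(c["maps"].items()):
        for t in e.get("transform-set", []):
            if t not in c["ts"]:
                out.append(f"{side}: crypto map {name} {seq} uses undefined transform-set {t}")
        for f in ("address", "peer"):
            if f not in e:
                out.append(f"{side}: crypto map {name} {seq} has no {f}")
        if "address" in e and e["address"] not in c["acls"]:
            out.append(f"{side}: crypto map {name} {seq} matches missing ACL {e['address']}")
    for k in c["keys"]:  # static peers get xauth/config-mode prompts unless told otherwise
        if c["client_cfg"] and k[4] != "0.0.0.0" and not {"no-xauth", "no-config-mode"} <= set(k):
            out.append(f"{side}: isakmp key for {k[4]} lacks 'no-xauth no-config-mode'")
    return out


def check_pair(a, a_name, b, b_name):
    """Each crypto ACL line on A aimed at B must appear src/dst-swapped on B."""
    theirs = {line for e in b["maps"].values() if e.get("peer") == a["wan"]
              for line in b["acls"].get(e.get("address"), [])}
    out = []
    for e in a["maps"].values():
        if e.get("peer") == b["wan"]:
            for s, sm, d, dm in a["acls"].get(e.get("address"), []):
                if (d, dm, s, sm) not in theirs:
                    out.append(f"{a_name}: {e['address']} {s} {sm} -> {d} {dm} has no mirror on {b_name}")
    return out


DL_CFG = """\
ip address outside 192.0.2.10 255.255.255.248
access-list DI permit ip 192.168.7.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list DI permit ip 192.168.198.16 255.255.255.240 10.20.30.0 255.255.255.0
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto map 1VPN 10 match address DI
crypto map 1VPN 10 set peer 198.51.100.20
crypto map 1VPN 10 set transform-set AES-256
crypto map 1VPN client configuration address respond
crypto map 1VPN interface outside
crypto map PIXRemote 25 set transform-set DE-DI
crypto map PIXRemote interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 198.51.100.20 netmask 255.255.255.255
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
"""
DI_CFG = """\
ip address outside 198.51.100.20 255.255.255.248
access-list DL permit ip 10.20.30.0 255.255.255.0 192.168.7.0 255.255.255.0
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto map DI-VPN 10 match address DL
crypto map DI-VPN 10 set peer 192.0.2.10
crypto map DI-VPN 10 set transform-set AES-256
crypto map DI-VPN interface outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
"""


def audit(dl_text, di_text):
    dl, di = parse(dl_text), parse(di_text)
    return (check_one(dl, "DL") + check_one(di, "DI")
            + check_pair(dl, "DL", di, "DI") + check_pair(di, "DI", dl, "DL"))


if __name__ == "__main__":
    print("\n".join(audit(DL_CFG, DI_CFG)))
```

On the constructed pair the DI side comes out clean and every finding is on DL: the 3DES/MD5 policy, two crypto maps fighting for the outside interface, the PIXRemote entry with no ACL, no peer and an undefined transform-set, the site-to-site key that will be prompted for xauth, and the Dale subnet that DL's crypto ACL claims for the DI tunnel but DI never mirrors. Run it against real 'show run' output by pasting each config into the two strings; the mirror check is what catches the far-side ACL mistakes that leave both 'show crypto isakmp sa' and 'show crypto ipsec sa' empty.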

Wow...Thank you Walter! I will take a look at your suggestions and work from there - these pointers are exactly what I needed.

Thanks again, I'll post and let you know how this turns out,

Reply to
Aaron Gitlin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.