PIX to PIX VPN Failing

Hi all,

I am trying to get a link online between a 501 and 515 Cisco Pix. I can't for the life of me figure out what is missing (I am sure I have been staring at the problem too long and am missing the typo). The 501 has two VPNs configured; the 144.223.39.94 endpoint works properly, the 66.124.194.94 endpoint does not.

This is the error on the 501 (configurations follow):

----------------------------------------------------------------------

pixfirewall# show crypto isakmp sa
Total     : 2
Embryonic : 0
        dst               src        state     pending     created
    66.124.194.4    65.200.10.132    QM_IDLE         0           1
   65.200.10.132    144.223.39.94    QM_IDLE         0          13
pixfirewall#
ISADB: reaper checking SA 0x809f4540, conn_id = 0
ISADB: reaper checking SA 0x809f4c68, conn_id = 0
ISAKMP (0): beginning Quick Mode exchange, M-ID of -646700378:d97422a6
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xd76ebb43(3614358339) for SA
        from 66.124.194.4 to 65.200.10.132 for prot 3
crypto_isakmp_process_block: src 66.124.194.4, dest 65.200.10.132
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3648266918

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 66.124.194.4, src= 65.200.10.132,
    dest_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 3648266918

ISAKMP (0): processing ID payload. message ID = 3648266918
ISAKMP (0): processing ID payload. message ID = 3648266918
map_alloc_entry: allocating entry 5
map_alloc_entry: allocating entry 6

ISAKMP (0): Creating IPSec SAs
        inbound SA from 66.124.194.4 to 65.200.10.132 (proxy 10.1.1.0 to 192.168.2.0)
        has spi 3614358339 and conn_id 5 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 65.200.10.132 to 66.124.194.4 (proxy 192.168.2.0 to 10.1.1.0)
        has spi 2827747088 and conn_id 6 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 65.200.10.132, src= 66.124.194.4,
    dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xd76ebb43(3614358339), conn_id= 5, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 65.200.10.132, dest= 66.124.194.4,
    src_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xa88bff10(2827747088), conn_id= 6, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:66.124.194.4 Ref cnt incremented to:2 Total VPN Peers:2
VPN Peer: IPSEC: Peer ip:66.124.194.4 Ref cnt incremented to:3 Total VPN Peers:2
return status is IKMP_NO_ERROR
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block: src 66.124.194.4, dest 65.200.10.132
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
        spi 0, message ID = 3940387878
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 66.124.194.4
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block: src 66.124.194.4, dest 65.200.10.132
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
        spi 0, message ID = 2816603626
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 66.124.194.4
return status is IKMP_NO_ERR_NO_TRANS

This is the 515 (remote) configuration:

------------------------------------------------------

access-list 80 permit ip host 10.1.1.10 192.168.1.0 255.255.255.0
access-list 80 permit ip host 10.1.1.10 192.168.2.0 255.255.255.0
access-list 81 permit ip host 10.1.1.10 192.168.1.0 255.255.255.0
access-list 100 permit ip host 10.1.1.10 host 192.168.1.15
access-list 100 permit ip host 10.1.1.3 host 192.168.2.2
access-list 100 permit ip host 10.1.1.10 host 192.168.1.16
access-list 110 permit ip host 10.1.1.3 host 192.168.1.3
access-list 110 permit ip host 10.1.1.3 host 192.168.2.3
access-list 120 permit ip host 10.1.1.10 host 192.168.1.15
access-list 120 permit ip host 10.1.1.10 30.1.1.0 255.255.255.0
access-list 120 permit ip host 10.1.1.3 host 192.168.1.3
access-list 120 permit ip host 10.1.1.3 host 192.168.2.3
access-list 120 permit ip host 10.1.1.3 192.168.1.32 255.255.255.252
access-list 120 permit ip host 10.1.1.3 host 192.168.2.2
access-list 120 permit ip host 10.1.1.10 host 192.168.1.16
access-list 120 permit ip host 10.1.1.3 host 192.168.2.1
access-list 130 permit ip host 10.1.1.3 192.168.1.32 255.255.255.252
access-list 140 permit ip host 10.1.1.3 host 192.168.2.1

nat (inside) 0 access-list 120

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map dynmap 90 set transform-set strong-des
crypto map remotes-map 30 ipsec-isakmp
crypto map remotes-map 30 match address 100
crypto map remotes-map 30 set peer 209.101.218.58
crypto map remotes-map 30 set transform-set strong-des
crypto map remotes-map 40 ipsec-isakmp
crypto map remotes-map 40 match address 110
crypto map remotes-map 40 set peer 65.200.10.132
crypto map remotes-map 40 set transform-set strong-des
crypto map remotes-map 50 ipsec-isakmp
crypto map remotes-map 50 match address 130
crypto map remotes-map 50 set peer 64.124.78.153
crypto map remotes-map 50 set transform-set strong-des
crypto map remotes-map 60 ipsec-isakmp
crypto map remotes-map 60 match address 140
crypto map remotes-map 60 set peer 144.223.11.70
crypto map remotes-map 60 set transform-set strong-des
crypto map remotes-map 90 ipsec-isakmp dynamic dynmap
crypto map remotes-map client configuration address initiate
crypto map remotes-map client configuration address respond
crypto map remotes-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 64.124.78.153 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 209.101.218.58 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 144.223.11.70 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 65.200.10.132 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local IP_POOL outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400

This is the 501 (local) configuration:

--------------------------------------------------

access-list 101 permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 103.0.0.0 255.255.255.0
access-list 102 permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 103 permit ip 192.168.2.0 255.255.255.0 103.0.0.0 255.255.255.0

sysopt connection permit-ipsec

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set strong-3des esp-3des esp-md5-hmac
crypto map remotes-map 40 ipsec-isakmp
crypto map remotes-map 40 match address 102
crypto map remotes-map 40 set peer 66.124.194.4
crypto map remotes-map 40 set transform-set strong-des
crypto map remotes-map 50 ipsec-isakmp
crypto map remotes-map 50 match address 103
crypto map remotes-map 50 set peer 144.223.39.94
crypto map remotes-map 50 set transform-set strong-3des
crypto map remotes-map interface outside
isakmp enable outside
isakmp key ******** address 144.223.39.94 netmask 255.255.255.255
isakmp key ******** address 66.124.194.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash md5
isakmp policy 7 group 1
isakmp policy 7 lifetime 86400
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 1000
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 1000

What am I missing?

Thanks in advance, Max

Max Clark

Well, which one is it?

66.124.194.94 (as you write) or 66.124.194.4 (as the config shows)?

Martin Bilgrav

crypto map remotes-map 40 match address 110
crypto map remotes-map 40 set peer 65.200.10.132

access-list 110 permit ip host 10.1.1.3 host 192.168.1.3
access-list 110 permit ip host 10.1.1.3 host 192.168.2.3

Conclusion is that your ACLs are non-reversible, i.e. they are different on both ends, where they should be alike, just reversed.

The same shows in the 501 config.

Martin Bilgrav
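As an added example (not code from the thread or from either poster), the rule Martin applies by eye can be checked mechanically: pull the crypto ACL each PIX binds to the other as a peer, normalise every permit line to a (source, destination) network pair, and report any pair whose exact reverse is missing on the far end. The two config fragments below are copied from the 501 and 515 configs posted above; PIX_515_MIRRORED is a hypothetical mirrored ACL 110 written for comparison, not the change Max actually made.

```python
"""Check that the crypto ACLs two Cisco PIX 6.x peers bind to each other
are exact mirror images (src/dst swapped), as IPsec proxy IDs require.
Added example; parses only 'access-list ... permit ip' lines and the
'crypto map <name> <seq> match address|set peer' lines."""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def _parse_addr(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one PIX address spec: 'host A', 'any', or 'A MASK'."""
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_config(text: str) -> Tuple[Dict[str, List[Pair]], Dict[str, str]]:
    """Return ({acl_id: [(src, dst), ...]}, {peer_ip: acl_id bound to it})."""
    acls: Dict[str, List[Pair]] = {}
    entries: Dict[Tuple[str, str], Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            src, rest = _parse_addr(m.group(2).split())
            dst, _ = _parse_addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
            continue
        m = MAP_RE.match(line)
        if m:
            entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
    peers = {e["set peer"]: e["match address"]
             for e in entries.values() if "set peer" in e and "match address" in e}
    return acls, peers


def mirror_diff(local_cfg: str, remote_cfg: str, local_ip: str, remote_ip: str):
    """Return (pairs only the local side permits, reversed pairs only the
    remote side permits). Both lists empty means the ACLs mirror exactly."""
    l_acls, l_peers = parse_config(local_cfg)
    r_acls, r_peers = parse_config(remote_cfg)
    local = set(l_acls.get(l_peers.get(remote_ip, ""), []))
    remote = set(r_acls.get(r_peers.get(local_ip, ""), []))
    remote_rev = {(dst, src) for src, dst in remote}   # what local should contain
    return sorted(local - remote_rev, key=str), sorted(remote_rev - local, key=str)


# Fragments copied from the thread: the 501 (65.200.10.132) and 515 (66.124.194.4).
PIX_501 = """\
access-list 102 permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map remotes-map 40 ipsec-isakmp
crypto map remotes-map 40 match address 102
crypto map remotes-map 40 set peer 66.124.194.4
"""
PIX_515 = """\
access-list 110 permit ip host 10.1.1.3 host 192.168.1.3
access-list 110 permit ip host 10.1.1.3 host 192.168.2.3
crypto map remotes-map 40 ipsec-isakmp
crypto map remotes-map 40 match address 110
crypto map remotes-map 40 set peer 65.200.10.132
"""
# Hypothetical: ACL 110 rewritten as the exact reverse of the 501's ACL 102.
PIX_515_MIRRORED = """\
access-list 110 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map remotes-map 40 ipsec-isakmp
crypto map remotes-map 40 match address 110
crypto map remotes-map 40 set peer 65.200.10.132
"""

if __name__ == "__main__":
    for label, remote in (("as posted", PIX_515), ("mirrored", PIX_515_MIRRORED)):
        only_local, only_remote = mirror_diff(PIX_501, remote, "65.200.10.132", "66.124.194.4")
        print(f"{label}: {'OK' if not (only_local or only_remote) else 'MISMATCH'}")
        for s, d in only_local:
            print(f"  local permits {s} -> {d}, remote has no {d} -> {s}")
        for s, d in only_remote:
            print(f"  remote permits {d} -> {s}, local has no {s} -> {d}")
```

Run against the posted configs it flags the 501's 192.168.2.0/24 -> 10.1.1.0/24 line as having no reverse on the 515, and the two host-to-host lines of ACL 110 as having no reverse on the 501; with the mirrored ACL it reports OK. The check is deliberately exact-match: a host/host line on one side and a /24 pair on the other overlap, but they are not the same proxy identities.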

And when you make changes, issue the config-mode command: clear crypto ipsec sa

HTH Martin Bilgrav

Martin Bilgrav

Martin,

Thank you - this is exactly what I needed. The VPN is online.

-Max

Max Clark

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.