hi, am trying to set up a pix 506 and 501 to make a site to site vpn, i am currently receiving this output on the syslog server:
a.a.a.a -outside address of pix 506e b.b.b.b - outside address of pix 501
%PIX-7-702303: sa_request, (key eng. msg.) src= b.b.b.b, dest= a.a.a.a, src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), dest_proxy= crayford/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi=
0x0(0), conn_id= 0, keysize= 0, flags= 0x4004 %PIX-7-702208: ISAKMP Phase 1 exchange started (local b.b.b.b (initiator), remote a.a.a.a)-702204: ISAKMP Phase 1 retransmission (local b.b.b.b (initiator), remote a.a.a.a) %PIX-7-702204: ISAKMP Phase 1 retransmission (local b.b.b.b (initiator), remote a.a.a.a) %PIX-7-702204: ISAKMP Phase 1 retransmission (local b.b.b.b (initiator), remote a.a.a.a) %PIX-6-602203: ISAKMP session disconnected (local b.b.b.b (initiator), remote a.a.a.a)
I think these debug messages point to a problem with the shared key but ive already checked this and ive also check the ip addresses are right.
here are the sho runs on both pix's
506ePIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password iXGnkrGXSVRGTY encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pixfirewall domain-name ciscopix.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list outside_access_in permit tcp any eq www any eq www access-list outside_access_in permit tcp any eq smtp any eq smtp access-list outside_access_in permit icmp any any access-list inside_outbound_nat0_acl permit ip 10.35.104.0
255.255.255.0 192.168.1.0 255.255.255.0 access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside a.a.a.a 255.255.255.240 ip address inside 10.35.104.100 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm location 192.168.1.0 255.255.255.0 outside pdm location 10.35.104.162 255.255.255.255 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 10.35.104.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer b.b.b.b crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside isakmp enable outside isakmp key ******** address b.b.b.b netmask 255.255.255.255 no-xauth no-co nfig-mode isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 10.35.104.170-10.35.104.185 inside dhcpd dns 10.35.104.106 194.72.6.57 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:d4b5e05e6762f1aaefe62a0a041bc015 : end pixfirewall#501
PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password iXGfgfgrGXSVdmq6xI encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pixfirewall domain-name ciscopix.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 10.35.104.0 crayford access-list outside_access_in permit icmp any any access-list outside_access_in permit tcp any eq www any eq www access-list inside_outbound_nat0_acl permit ip 192.168.1.0
255.255.255.0 crayfor d 255.255.255.0 access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 any access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 crayford 25 5.255.255.0 access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 any pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside b.b.b.b 255.255.255.248 ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm location crayford 255.255.255.0 outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 y.y.y.y 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer a.a.a.a crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside isakmp enable outside isakmp key ******** address a.a.a.a netmask 255.255.255.255 no-xauth no-c onfig-mode isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.1.2-192.168.1.129 inside dhcpd dns 194.72.0.98 194.72.9.38 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:b435c2f314a9ac08104da24fab6bd882 : endthanks
Alex