PIX501 IPSec Troubleshooting with ISAKMP Messages

Hello, all

Here I have a question about the IPSec VPN connection between two PIX501s. The details are listed as follows:

IOS: PIX-A 6.2(3) and PIX-B 6.3(5)

Topology:

  LAN-A ---------- PIX-A ---------- Intra-Router ---------- PIX-B ---------- LAN-2
   a1             a2   b1           b2       c1            c2   d1            d2

  a1: 10.6.2.201
  a2: 10.6.2.200
  b1: 139.24.179.27
  b2: 139.24.179.2
  c1: 140.231.179.97
  c2: 140.231.182.225
  d1: 10.6.4.200
  d2: 10.6.4.201

B1 can reach C1 (ping) since they are both in our intranet. A1 and D2 are both on private LANs which need to be connected over IPSec. Besides, A1 and D2 also need to reach the intranet through the PIX using NAT.

Here are the configurations of both devices:

PIX-A
PIX Version 6.3(5)
............
names
access-list 100 permit ip 10.6.2.0 255.255.255.0 10.6.4.0 255.255.255.0
ip address outside 139.24.179.27 255.255.255.0
ip address inside 10.6.2.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 2 139.24.179.40
nat (inside) 0 access-list 100
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 139.24.179.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map toNippon 20 ipsec-isakmp
crypto map toNippon 20 match address 100
crypto map toNippon 20 set peer 140.231.182.225
crypto map toNippon 20 set transform-set strong
crypto map toNippon interface outside
isakmp enable outside
isakmp key 123456 address 140.231.182.225 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
: end

PIX-B
PIX Version 6.2(3)101
....................
names
access-list 110 permit ip 10.6.4.0 255.255.255.0 10.6.2.0 255.255.255.0
ip address outside 140.231.182.225 255.255.255.0
ip address inside 10.6.4.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 140.231.182.226-140.231.182.228
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 140.231.179.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map toChina 10 ipsec-isakmp
crypto map toChina 10 match address 110
crypto map toChina 10 set peer 139.24.179.27
crypto map toChina 10 set transform-set strong
crypto map toChina interface outside
isakmp enable outside
isakmp key 123456 address 139.24.179.27 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet timeout 5
ssh timeout 5
: end

Test cases:

  1. Ping from a1 to c1, c2: okay
  2. Ping from b1 to c2: okay
  3. Ping from d2 to b1, b2: okay
     These three steps show that the SNX networking between PIX-A and PIX-B was okay, and also that the PIX NAT settings were fine.
  4. Ping from a1 to d2: not okay (and vice versa)

When step 4 was ongoing, I monitored the traces on PIX-A and there was a kind of "Peer Not Found" error. Here is the debug information:

debug crypto ipsec
debug crypto isakmp
debug crypto engine
======================================
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...

IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 139.24.179.27, remote= 140.231.182.225,
    local_proxy= 10.6.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.6.4.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 139.24.179.27, dst 140.231.182.225
ISADB: reaper checking SA 0xabecb4, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 140.231.182.225/500 not found - peers:0

IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 139.24.179.27, remote= 140.231.182.225,
    local_proxy= 10.6.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.6.4.0/255.255.255.0/0/0 (type=4)
==========================================
show ipsec sa
========
interface: outside
    Crypto map tag: toNippon, local addr. 139.24.179.27

   local  ident (addr/mask/prot/port): (10.6.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.6.4.0/255.255.255.0/0/0)
   current_peer: 140.231.182.225:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 270, #recv errors 0

     local crypto endpt.: 139.24.179.27, remote crypto endpt.: 140.231.182.225
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
==============================
Obviously, there was no SA being established.

I did some similar tests locally using another PIX (same IOS as PIX-A, and the same IP segment). The rest of the configuration was exactly the same, and the error never happened. I have no idea what was wrong with this process. Could it possibly be coming from the different IOS versions? Is there anybody who could give me a hand with that? Thanks a lot in advance.

Kurt
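A first triage step when Main Mode keeps retransmitting and nothing ever comes back is to confirm that the two peers' crypto configurations really are mirror images of each other: each side's set peer is the other side's outside address, the crypto ACLs are source/destination mirrors, the transform sets and pre-shared keys are identical, and at least one ISAKMP policy pair agrees on authentication, encryption, hash and group. The Python checker below is an added example, not part of Kurt's post or of any Cisco tool. It carries the crypto-relevant lines of the two PIX configs quoted above as its sample input (copied from the post, other lines omitted) and reports every asymmetry it finds; the function and field names are the example's own.

```python
from itertools import product

# Crypto-relevant lines of the two PIX configs quoted in the post above
# (sample input for this example; timeouts, aaa-server etc. are omitted).
PIX_A = """\
ip address outside 139.24.179.27 255.255.255.0
access-list 100 permit ip 10.6.2.0 255.255.255.0 10.6.4.0 255.255.255.0
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map toNippon 20 ipsec-isakmp
crypto map toNippon 20 match address 100
crypto map toNippon 20 set peer 140.231.182.225
crypto map toNippon 20 set transform-set strong
isakmp key 123456 address 140.231.182.225 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

PIX_B = """\
ip address outside 140.231.182.225 255.255.255.0
access-list 110 permit ip 10.6.4.0 255.255.255.0 10.6.2.0 255.255.255.0
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map toChina 10 ipsec-isakmp
crypto map toChina 10 match address 110
crypto map toChina 10 set peer 139.24.179.27
crypto map toChina 10 set transform-set strong
isakmp key 123456 address 139.24.179.27 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
"""

# ISAKMP policy attributes that must agree between the peers (lifetime may differ).
ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_pix(config):
    """Extract the parts of a PIX 6.x config that must agree between IPsec peers."""
    cfg = {"outside": None, "acl": {}, "tset": {}, "cmap": {}, "keys": {}, "policy": {}}
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = w[3]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(w[1], []).append(tuple(w[4:8]))  # src smask dst dmask
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tset"][w[3]] = tuple(sorted(w[4:]))
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            entry = cfg["cmap"].setdefault((w[2], w[3]), {})  # keyed by (map name, seq)
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                entry["peer"] = w[6]
            elif w[4:6] == ["set", "transform-set"]:
                entry["tset"] = w[6]
        elif w[:2] == ["isakmp", "key"]:
            cfg["keys"][w[4]] = w[2]  # pre-shared key indexed by peer address
        elif w[:2] == ["isakmp", "policy"] and w[3] in ISAKMP_ATTRS:
            cfg["policy"].setdefault(w[2], {})[w[3]] = w[4]
    return cfg


def mirror(acl_entries):
    """Swap source and destination of every ACL line: what the peer's ACL should be."""
    return sorted((d, dm, s, sm) for s, sm, d, dm in acl_entries)


def cross_check(cfg_a, cfg_b, name_a="PIX-A", name_b="PIX-B"):
    """Return a list of asymmetries; an empty list means the crypto config mirrors."""
    findings = []
    for local, peer, lname, pname in ((cfg_a, cfg_b, name_a, name_b),
                                      (cfg_b, cfg_a, name_b, name_a)):
        for (mname, seq), e in local["cmap"].items():
            tag = f"{lname} crypto map {mname} {seq}"
            if e.get("peer") != peer["outside"]:
                findings.append(f"{tag}: set peer {e.get('peer')} is not "
                                f"{pname}'s outside address {peer['outside']}")
            if e.get("peer") not in local["keys"]:
                findings.append(f"{tag}: no isakmp key for peer {e.get('peer')}")
            # The peer's crypto ACL must be the exact source/destination mirror of ours.
            ours = local["acl"].get(e.get("acl"), [])
            if mirror(ours) not in [sorted(a) for a in peer["acl"].values()]:
                findings.append(f"{tag}: ACL {e.get('acl')} has no mirrored ACL on {pname}")
            if local["tset"].get(e.get("tset")) not in peer["tset"].values():
                findings.append(f"{tag}: transform-set {e.get('tset')} has no equal "
                                f"transform-set on {pname}")
    if not set(cfg_a["keys"].values()) & set(cfg_b["keys"].values()):
        findings.append("isakmp pre-shared keys differ between the two peers")
    if not any(pa == pb for pa, pb in product(cfg_a["policy"].values(),
                                              cfg_b["policy"].values())):
        findings.append(f"no isakmp policy on {name_a} matches any policy on {name_b}")
    return findings


if __name__ == "__main__":
    problems = cross_check(parse_pix(PIX_A), parse_pix(PIX_B))
    print("\n".join(problems) if problems else "crypto configuration is symmetric")
```

Run against the two configs in the post, the checker reports no mismatches. That agrees with the debug output: five "retransmitting phase 1" lines with no notify in between mean PIX-A never received any ISAKMP reply at all, not that a proposal was rejected. The next thing to verify is therefore whether UDP/500 and ESP actually pass between 139.24.179.27 and 140.231.182.225 across the intranet router; a successful ICMP ping between those addresses does not prove that.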

