I have a central office PIX 501 that currently runs independent site-to-site VPNs for around 5 remote offices, and I'm trying to add a 6th VPN. I'm using pre-shared keys for authentication. Central office LAN is 172.16.1.0/16, remote office LAN is 172.20.6.0/24. When I try and pass interesting traffic over the VPN, the VPN LED on the PIX illuminates, so it seems like a connection is actually made. However, the packets never get through -- pings and telnet attempts time out. I have even added a static route on a target machine in the 172.16.1.0 network. What information could I please provide to help y'all debug this with me? Here is the important output from config term:
(central office)

ip address outside 64.sss.198.6 255.255.255.240
ip address inside 172.16.1.192 255.255.0.0
isakmp key ****** address 63.xxx.214.138 netmask 255.255.255.255
access-list nonat permit ip 172.16.1.0 255.255.255.0 172.20.6.0 255.255.255.0
access-list nonat permit ip 172.16.10.0 255.255.255.0 172.20.6.0 255.255.255.0
access-list nonat permit ip 172.16.11.0 255.255.255.0 172.20.6.0 255.255.255.0
access-list SPRINGVALE permit ip 172.16.1.0 255.255.255.0 172.20.6.0 255.255.255.0
access-list SPRINGVALE permit ip 172.16.10.0 255.255.255.0 172.20.6.0 255.255.255.0
access-list SPRINGVALE permit ip 172.16.11.0 255.255.255.0 172.20.6.0 255.255.255.0
crypto ipsec transform-set springvaleset esp-3des esp-md5-hmac
crypto map site-vpn 6 ipsec-isakmp
crypto map site-vpn 6 set peer 63.xxx.214.138
crypto map site-vpn 6 set transform-set springvaleset
crypto map site-vpn 6 match address SPRINGVALE
sysopt connection permit-ipsec
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 5000
route outside 0.0.0.0 0.0.0.0 64.sss.198.1 1

(remote office)

ip address outside 63.xxx.214.138 255.255.255.0
ip address inside 172.20.6.191 255.255.255.0
access-list rcd_pph permit ip 172.20.6.0 255.255.255.0 172.16.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list rcd_pph
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 63.xxx.214.129 1
sysopt connection permit-ipsec
crypto ipsec transform-set transrcd esp-3des esp-md5-hmac
crypto map rcdmap 1 ipsec-isakmp
crypto map rcdmap 1 match address rcd_pph
crypto map rcdmap 1 set peer 64.sss.198.6
crypto map rcdmap 1 set transform-set transrcd
crypto map rcdmap interface outside
isakmp enable outside
isakmp key q1w2e3r4 address 64.sss.198.6 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

Given that I have existing remote networks (e.g. 172.20.1.0/24, 172.20.2.0/24, etc.) connecting to the central office, I am quite baffled by what the problem is. When I try and ping across the VPN, here is the output from a combined "debug crypto {ipsec,isakmp,engine}" running on the remote office PIX:

ISAKMP (0): beginning Quick Mode exchange, M-ID of 1243172245:4a194d95
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x596bc730(1500235568) for SA from 64.sss.198.6 to 63.xxx.214.138 for prot 3
crypto_isakmp_process_block:src:64.sss.198.6, dest:63.xxx.214.138 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3 spi 1500235568, message ID = 1860390180
ISAKMP (0): deleting spi 818375513 message ID = 1243172245
return status is IKMP_NO_ERR_NO_TRANS
6: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=22784 length=40
7: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=23040 length=40
8: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=23296 length=40
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 63.xxx.214.138, remote= 64.sss.198.6,
  local_proxy= 172.20.6.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
ISAKMP (0): beginning Quick Mode exchange, M-ID of -31348343:fe21a989
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xa180df8c(2709577612) for SA from 64.sss.198.6 to 63.xxx.214.138 for prot 3
crypto_isakmp_process_block:src:64.sss.198.6, dest:63.xxx.214.138 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3 spi 2709577612, message ID = 1859416444
ISAKMP (0): deleting spi 2363457697 message ID = 4263618953
return status is IKMP_NO_ERR_NO_TRANS
9: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=23552 length=40
10: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=23808 length=40
11: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=24064 length=40
12: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=24320 length=40
13: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=24576 length=40
14: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=24832 length=40
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 63.xxx.214.138, remote= 64.sss.198.6,
  local_proxy= 172.20.6.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
15: ICMP echo-request from inside:172.20.6.1 to 172.16.1.30 ID=768 seq=25088 length=40

And so on and so on. It's interesting that I never see what is a "fatal" error; or perhaps I'm not interpreting the output correctly? TIA for any & all help!
Chris
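An added, constructed example that is not part of Chris's post and not Cisco's code: on PIX 6.x, IKE phase 2 (Quick Mode) only completes when the proxy identities carried in the crypto ACLs are exact mirror images on both peers, and an ISAKMP NOTIFY payload of type 14 is NO-PROPOSAL-CHOSEN (RFC 2408). The script below parses the two crypto ACLs quoted above (PIX access-lists use subnet masks, not wildcard masks), reports entries that have no mirror on the peer, generates the mirror-image lines a side would need, and decodes the NOTIFY type from the quoted debug line. The ACL names and sample text are copied from the post; the function names are my own.

```python
import re
import ipaddress
from typing import Dict, List, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample input: the crypto ACLs quoted in the post, one command
# per line. Only the lines that define the phase-2 proxy identities matter.
CENTRAL_ACL = """
access-list SPRINGVALE permit ip 172.16.1.0 255.255.255.0 172.20.6.0 255.255.255.0
access-list SPRINGVALE permit ip 172.16.10.0 255.255.255.0 172.20.6.0 255.255.255.0
access-list SPRINGVALE permit ip 172.16.11.0 255.255.255.0 172.20.6.0 255.255.255.0
"""

REMOTE_ACL = """
access-list rcd_pph permit ip 172.20.6.0 255.255.255.0 172.16.0.0 255.255.0.0
"""

# Constructed sample: one NOTIFY line copied from the quoted debug output.
DEBUG_SAMPLE = (
    "ISAKMP (0): processing NOTIFY payload 14 protocol 3 spi 1500235568, "
    "message ID = 1860390180\n"
)

# PIX 6.x syntax: access-list NAME permit ip SRC SRCMASK DST DSTMASK
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)

# ISAKMP notify message types from RFC 2408 section 3.14.1 (subset).
NOTIFY_TYPES: Dict[int, str] = {
    11: "INVALID-SPI",
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
}
NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")


def parse_acl(text: str, name: str) -> List[Pair]:
    """Return (local, remote) network pairs from the named PIX access-list."""
    pairs: List[Pair] = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group("name") != name:
            continue
        src = ipaddress.IPv4Network(f"{m.group('src')}/{m.group('smask')}", strict=False)
        dst = ipaddress.IPv4Network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
        pairs.append((src, dst))
    return pairs


def unmirrored(side_a: List[Pair], side_b: List[Pair]) -> List[Pair]:
    """Entries of side_a that side_b does not mirror exactly (src/dst swapped)."""
    mirrored_b = {(dst, src) for src, dst in side_b}
    return [p for p in side_a if p not in mirrored_b]


def mirror_lines(pairs: List[Pair], name: str) -> List[str]:
    """Render the mirror image of pairs as PIX access-list lines for the peer."""
    return [
        f"access-list {name} permit ip {dst.network_address} {dst.netmask} "
        f"{src.network_address} {src.netmask}"
        for src, dst in pairs
    ]


def decode_notifies(debug_text: str) -> List[Tuple[int, str]]:
    """Pull every 'processing NOTIFY payload N' from debug output and name N."""
    return [
        (int(n), NOTIFY_TYPES.get(int(n), "UNKNOWN"))
        for n, _proto in NOTIFY_RE.findall(debug_text)
    ]


def report() -> List[str]:
    """Summarise the mismatch between the two quoted crypto ACLs."""
    central = parse_acl(CENTRAL_ACL, "SPRINGVALE")
    remote = parse_acl(REMOTE_ACL, "rcd_pph")
    lines = []
    for src, dst in unmirrored(remote, central):
        lines.append(f"remote proposes {src} <-> {dst}: no mirror on central")
    for src, dst in unmirrored(central, remote):
        lines.append(f"central expects {src} <-> {dst}: no mirror on remote")
    for code, label in decode_notifies(DEBUG_SAMPLE):
        lines.append(f"peer sent NOTIFY {code} ({label})")
    lines.append("remote side would need:")
    lines.extend(mirror_lines(central, "rcd_pph"))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as-is to see the asymmetry: the remote side offers a single 172.20.6.0/24 <-> 172.16.0.0/16 proxy pair, the central side has three /24 pairs, and the peer answers each Quick Mode attempt with NO-PROPOSAL-CHOSEN, which is why the phase-1 tunnel (the VPN LED) comes up but no phase-2 SA ever carries the pings. The same check works for any two PIX 6.x configs if you substitute the ACL text and names.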