VPN tunnel problems with 1841 to PIX506

We're having problems connecting our 1841 router to a supplier's network using VPN.

In our network we have two machines (.40 and .41) that need to communicate with 4 different subnets on the supplier's network. To do so, we need to make a VPN tunnel to their PIX506 appliance.

We are getting a few problems.

1) For some reason we can only ping to the first subnet that appears in the 1841's ACL. If we change the order of the ACL, we can only ping to the subnet that is now on top.
2) If we start the tunnel from our .40 machine, we cannot ping the other side from the .41 machine. The same happens when we start the ping from the .41: we cannot ping from the .40.
3) The tunnel is very unstable. Most of the time it only connects for a few minutes.

We have seen the PIX config of the other side. They make use of object groups. Don't know if that makes a difference or not.

Hope somebody can help.

Vincent

Cisco1841 config:

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RT01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
enable secret
!
username privilege 15 secret
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
!
!
no ip bootp server
ip domain name cisco.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip ips po max-events 100
no ftp-server write-enable
isdn switch-type basic-net3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key address 194.78.144.208
!
!
crypto ipsec transform-set FJ esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to194.78.144.208
 set peer 194.78.144.208
 set security-association lifetime seconds 28800
 set transform-set FJ
 match address 100
!
!
!
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-FE 0$
 ip address 128.0.99.172 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
!
interface Dialer1
 ip address negotiated
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password
 ppp pap sent-username password
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool branch 214.48.132.65 214.48.132.65 netmask 255.255.255.252
!
!
logging trap debugging
logging 128.0.100.240
access-list 100 permit ip host 128.0.99.40 194.78.145.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 194.78.148.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 194.78.146.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 172.30.13.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 194.78.150.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.145.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.148.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.146.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 172.30.13.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.150.0 0.0.0.255
access-list 120 remark SDM_ACL Category=16
access-list 120 permit ip host 128.0.99.41 172.30.13.0 0.0.0.255
access-list 120 permit ip host 128.0.99.41 194.78.145.0 0.0.0.255
access-list 120 permit ip host 128.0.99.41 194.78.146.0 0.0.0.255
access-list 120 permit ip host 128.0.99.41 194.78.148.0 0.0.0.255
access-list 120 permit ip host 128.0.99.41 194.78.150.0 0.0.0.255
access-list 120 permit ip host 128.0.99.40 172.30.13.0 0.0.0.255
access-list 120 permit ip host 128.0.99.40 194.78.145.0 0.0.0.255
access-list 120 permit ip host 128.0.99.40 194.78.146.0 0.0.0.255
access-list 120 permit ip host 128.0.99.40 194.78.148.0 0.0.0.255
access-list 120 permit ip host 128.0.99.40 194.78.150.0 0.0.0.255
access-list 130 remark SDM_ACL Category=18
access-list 130 deny ip host 128.0.99.41 194.78.146.0 0.0.0.255
access-list 130 deny ip host 128.0.99.40 194.78.146.0 0.0.0.255
access-list 130 permit ip 128.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
 match ip address 130
!
control-plane
!
banner login Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
end

Syslog output (newest entries first, as shown by the syslog viewer):

04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5980: remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4)
04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5979: local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),
04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5978: (identity) local= 214.48.132.65, remote= 194.78.144.208,
04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5977: 001833: *Apr 4 17:14:09.391 Paris: IPSEC(key_engine): request timer fired: count = 2,
04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5976: 001832: *Apr 4 17:13:40.075 Paris: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 214.48.132.65
04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5975: spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5974: lifedur= 0s and 0kb,
04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5973: protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5972: remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4),
04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5971: local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),
04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5970: (key eng. msg.) INBOUND local= 214.48.132.65, remote= 194.78.144.208,
04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5969: 001831: *Apr 4 17:13:40.075 Paris: IPSEC(validate_proposal_request): proposal part #1,
04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5968: 001830: *Apr 4 17:13:39.419 Paris: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 214.48.132.65
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5967: spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5966: lifedur= 0s and 0kb,
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5965: protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5964: remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4),
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5963: local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5962: (key eng. msg.) INBOUND local= 214.48.132.65, remote= 194.78.144.208,
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5961: 001829: *Apr 4 17:13:39.419 Paris: IPSEC(validate_proposal_request): proposal part #1,
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5960: spi= 0x956A4F4B(2506772299), conn_id= 0, keysize= 0, flags= 0x400A
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5959: lifedur= 28800s and 4608000kb,
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5958: protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5957: ,
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5956: remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4)
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5955: local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5954: (key eng. msg.) OUTBOUND local= 214.48.132.65, remote= 194.78.144.208,
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5953: 001828: *Apr 4 17:13:39.391 Paris: IPSEC(sa_request): ,
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5952: remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4)
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5951: local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5950: (identity) local= 214.48.132.65, remote= 194.78.144.208,
04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5949: 001827: *Apr 4 17:13:39.391 Paris: IPSEC(key_engine): request timer fired: count = 1,
04-04-2005 17:12:59 Local7.Info 128.0.99.172 5948: 001826: *Apr 4 17:13:10.075 Paris: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 194.78.144.208
04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5947: 001825: *Apr 4 17:13:10.071 Paris: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 214.48.132.65
04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5946: spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5945: lifedur= 0s and 0kb,
04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5944: protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5943: remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4),
04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5942: local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),

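An added example, not part of Vincent's post and not a Cisco tool: a small Python checker for the one comparison the posted config and debug output allow. It finds the ACL that the crypto map's `match address` points at, converts each `host`/wildcard line into a prefix, pairs the `local_proxy`/`remote_proxy` lines from `debug crypto ipsec`, and reports for every pair whether it equals an ACL line, is narrower than one, or is covered by none. The config fragment and the first proxy pair are copied from the post; the second and third pairs are constructed (they do not appear in the post) to show the other two verdicts.

```python
"""Check proxy IDs from IOS 'debug crypto ipsec' against a crypto map's ACL. Added example, not code from the post."""
import ipaddress
import re

# Constructed sample: crypto map and crypto ACL lines copied from the posted 1841 config.
CONFIG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.78.144.208
 match address 100
access-list 100 permit ip host 128.0.99.40 194.78.145.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 194.78.148.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 194.78.146.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 172.30.13.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 194.78.150.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.145.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.148.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.146.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 172.30.13.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.150.0 0.0.0.255
"""

# Constructed sample: pair 1 is from the posted debug; pairs 2 and 3 are hypothetical (not in the post).
DEBUG = """
local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),
remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4),
local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),
remote_proxy= 194.78.145.10/255.255.255.255/0/0 (type=1),
local_proxy= 128.0.99.0/255.255.255.0/0/0 (type=4),
remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4),
"""

PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/")

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> prefix; only a contiguous wildcard maps to one prefix."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no single prefix")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def _operand(tokens):
    """Consume one extended-ACL address operand: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return wildcard_to_network(tok, tokens.pop(0))

def crypto_acl_number(config, map_name):
    """ACL named by 'match address' inside the given crypto map entry, or None."""
    block = re.search(rf"^crypto map {re.escape(map_name)} \d+ ipsec-isakmp\n((?: .*\n)*)", config, re.M)
    m = block and re.search(r"^ match address (\S+)", block.group(1), re.M)
    return m.group(1) if m else None

def parse_crypto_acl(config, acl):
    """Permit lines of a numbered extended ACL as (line_no, src, dst).
    Deny lines are skipped: in a crypto ACL they only exclude traffic from protection."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:4] != ["access-list", acl, "permit", "ip"]:
            continue
        rest = tokens[4:]
        src, dst = _operand(rest), _operand(rest)
        entries.append((len(entries) + 1, src, dst))
    return entries

def parse_proxy_pairs(debug):
    """Pair consecutive local_proxy/remote_proxy lines from the debug output."""
    pairs, pending = [], {}
    for side, addr, mask in PROXY_RE.findall(debug):
        pending[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if len(pending) == 2:
            pairs.append((pending.pop("local"), pending.pop("remote")))
    return pairs

def classify(entries, local, remote):
    """First covering ACL line wins, as on the router: 'exact' = equals a line,
    'subset' = narrower than a line, 'none' = uncovered, so Quick Mode is refused."""
    for line_no, src, dst in entries:
        if local == src and remote == dst:
            return "exact", line_no
        if local.subnet_of(src) and remote.subnet_of(dst):
            return "subset", line_no
    return "none", None

def report(config, debug, map_name):
    """One summary line for the ACL, then one verdict line per negotiated proxy pair."""
    acl = crypto_acl_number(config, map_name)
    entries = parse_crypto_acl(config, acl) if acl else []
    out = [f"crypto map {map_name} -> ACL {acl}: {len(entries)} permit lines, "
           f"so up to {len(entries)} separate IPsec SA pairs with the peer"]
    for local, remote in parse_proxy_pairs(debug):
        verdict, line_no = classify(entries, local, remote)
        out.append(f"{local} -> {remote}: {verdict}" + (f" (ACL line {line_no})" if line_no else ""))
    return out

if __name__ == "__main__":
    print("\n".join(report(CONFIG, DEBUG, "SDM_CMAP_1")))
```

Every permit line of a crypto ACL is negotiated as its own SA pair, so the ten host-to-subnet lines above ask the peer for ten separate pairs; a peer whose crypto ACL is written differently proposes different identities, and the verdict column shows which of them the router side could accept. Non-contiguous wildcards are rejected rather than guessed, and deny lines are skipped because in a crypto ACL they only remove traffic from protection. To run it on a real box, paste the full `show running-config` into CONFIG and the `debug crypto ipsec` lines into DEBUG.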

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.