Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Cisco (http://www.velocityreviews.com/forums/f27-cisco.html)
-   -   Issue with PIX to Route VPN (http://www.velocityreviews.com/forums/t379565-issue-with-pix-to-route-vpn.html)

VeeDub 11-05-2006 03:17 PM

Issue with PIX to Route VPN
 
Hi

I am setting up a test VPN between a PIX 515 and 1841 Router running
Firewall IOS. The Tunnel seems to come up fine and is encrypting
traffic on the router side but there seems to be an issue on the PIX
side as it does not seem to be encrypting/decrypting. I have checked
the ACL used in the crypto map on the PIX and it seems to be fine. Can
anyone help from the following configuration?

____________________________________________________________
PIX

PIX# sh run
: Saved
:
PIX Version 7.0(1)
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
ftp mode passive
access-list CRYPTO-ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip audit name INFOPOLICY info action alarm reset
ip audit interface inside INFOPOLICY
ip audit signature 4052 disable
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set TEST-TS esp-3des esp-sha-hmac
crypto map RTR 10 match address CRYPTO-ACL
crypto map RTR 10 set peer 192.168.2.2
crypto map RTR 10 set transform-set TEST-TS
crypto map RTR interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 192.168.2.2 type ipsec-l2l
tunnel-group 192.168.2.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d329d214da16974fe6a4972319bc7dc2
: end

____________________________________________________________
1841 Router

TR# sh run
Building configuration...

Current configuration : 1544 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
ip inspect name OUTBOUND icmp
ip inspect name OUTBOUND http
no ip ips deny-action ips-interface
!
crypto isakmp policy 110
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco address 192.168.1.2
!
crypto ipsec transform-set MINE esp-3des esp-sha-hmac
!
crypto map PIX-VPN 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set MINE
match address ENCR-ACL
!!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
crypto map PIX-VPN
!
interface FastEthernet0/1
ip address 10.0.2.1 255.255.255.0
ip inspect OUTBOUND in
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip http server
no ip http secure-server
!
ip access-list extended ACCESS-SRV
permit icmp any host 10.0.2.10
ip access-list extended ENCR-ACL
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended INBOUND-BLOCK
deny ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end

RTR#
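
The two configurations above can be cross-checked mechanically. The following is an added example written for this thread, not the poster's own tooling or anything shipped by Cisco: it parses the syntax shown in both dumps (PIX ACLs with subnet masks, IOS named ACLs with wildcard masks, flat "isakmp policy N attr value" lines on the PIX, indented "crypto isakmp policy" blocks on IOS), normalises the crypto ACLs so they can be compared as mirrors of each other, and walks both IKE policy lists in priority order to find the first phase-1 proposal the peers can agree on. The sample configs are constructed from the values posted above; the IOS default table is Cisco's documented one, and the PIX 7.x default row is an assumption (it never applies here, because the PIX prints every attribute).

```python
"""Consistency check for the PIX 7.x / IOS 12.4 LAN-to-LAN pair in the thread.
Added example, not from the thread or from Cisco: normalises the PIX subnet-mask
ACL and the router wildcard-mask ACL so the crypto ACLs can be compared as
mirrors, and checks whether an IKE phase-1 policy can be agreed."""
import ipaddress

# Constructed samples using the values posted in the thread.
PIX_CFG = """\
access-list CRYPTO-ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
"""
IOS_CFG = """\
crypto isakmp policy 110
 encr 3des
 authentication pre-share
 group 5
ip access-list extended ENCR-ACL
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
"""
# "show run" omits attributes left at their default. The IOS row is Cisco's documented
# default (des/sha/rsa-sig/group 1); the PIX 7.x row is an assumption, since the PIX
# prints every attribute explicitly. Lifetime is not a strict match key: Cisco peers
# settle on the shorter value rather than failing the negotiation.
IOS_IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
PIX_IKE_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"}
IKE_MATCH_KEYS = ("encryption", "hash", "authentication", "group")

def _network(addr, mask, wildcard):
    """IPv4Network from a dotted mask: IOS wildcard if wildcard=True, else PIX subnet mask."""
    bits = int(ipaddress.IPv4Address(mask)) ^ (0xFFFFFFFF if wildcard else 0)
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:  # legal ACL syntax, but not a prefix
        raise ValueError(f"non-contiguous mask {mask}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def _endpoint(toks, wildcard):
    """Consume one ACL endpoint ('any', 'host X' or 'X MASK'); return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    return _network(toks[0], toks[1], wildcard), toks[2:]

def pix_crypto_acl(cfg, name):
    """Set of (src, dst) networks from 'access-list NAME extended permit ip ...' lines."""
    pairs = set()
    for toks in (l.split() for l in cfg.splitlines()):
        if toks[:5] == ["access-list", name, "extended", "permit", "ip"]:
            src, rest = _endpoint(toks[5:], wildcard=False)
            pairs.add((src, _endpoint(rest, wildcard=False)[0]))
    return pairs

def ios_crypto_acl(cfg, name):
    """Set of (src, dst) networks from the indented body of 'ip access-list extended NAME'."""
    pairs, inside = set(), False
    for line in cfg.splitlines():
        toks = line.split()
        if not line.startswith(" "):
            inside = toks[:4] == ["ip", "access-list", "extended", name]
        elif inside and toks[:2] == ["permit", "ip"]:
            src, rest = _endpoint(toks[2:], wildcard=True)
            pairs.add((src, _endpoint(rest, wildcard=True)[0]))
    return pairs

def acls_mirror(local, remote):
    """Crypto ACLs must mirror exactly, or phase 2 fails with a proxy-identity mismatch."""
    return local == {(d, s) for s, d in remote}

def pix_ike_policies(cfg):
    """priority -> attributes, from flat 'isakmp policy <prio> <attr> <value>' lines."""
    pols = {}
    for toks in (l.split() for l in cfg.splitlines()):
        if toks[:2] == ["isakmp", "policy"] and len(toks) == 5:
            pols.setdefault(toks[2], dict(PIX_IKE_DEFAULTS))[toks[3]] = toks[4]
    return pols

def ios_ike_policies(cfg):
    """priority -> attributes, from indented 'crypto isakmp policy <prio>' blocks."""
    pols, cur = {}, None
    for line in cfg.splitlines():
        toks = line.split()
        if toks[:3] == ["crypto", "isakmp", "policy"]:
            cur = pols.setdefault(toks[3], dict(IOS_IKE_DEFAULTS))
        elif line.startswith(" ") and cur is not None and len(toks) == 2:
            cur["encryption" if toks[0] == "encr" else toks[0]] = toks[1]  # IOS abbreviates 'encr'
        else:
            cur = None
    return pols

def ike_agreement(local, remote):
    """First (local_prio, remote_prio) whose match keys all agree, in the priority order a responder uses."""
    for lp in sorted(local, key=int):
        for rp in sorted(remote, key=int):
            if all(local[lp][k] == remote[rp][k] for k in IKE_MATCH_KEYS):
                return lp, rp
    return None
```

Run against the posted values, `acls_mirror(pix_crypto_acl(PIX_CFG, "CRYPTO-ACL"), ios_crypto_acl(IOS_CFG, "ENCR-ACL"))` is true and `ike_agreement(pix_ike_policies(PIX_CFG), ios_ike_policies(IOS_CFG))` returns `("10", "110")`, because the router's omitted `hash` line falls back to the IOS default of SHA and therefore matches the PIX's explicit `hash sha`. A mismatch in either check is the first thing to rule out before suspecting a platform bug; the posted pair passes both, which is consistent with the tunnel coming up and leaves the PIX's 7.0(1) code as the remaining suspect.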


Walter Roberson 11-05-2006 05:19 PM

Re: Issue with PIX to Route VPN
 
In article <1162739824.656425.102890@k70g2000cwa.googlegroups.com>,
VeeDub <veedubius@hotmail.com> wrote:

>I am setting up a test VPN between a PIX 515 and 1841 Router running
>Firewall IOS. The Tunnel seems to come up fine and is encrypting
>traffic on the router side but there seems to be an issue on the PIX
>side as it does not seem to be encrypting/decrypting. I have checked
>the ACL used in the crypto map on the PIX and it seems to be fine. Can
>anyone help from the following configuration?


>PIX Version 7.0(1)


Hmmm, lots and lots of bugs associated with that version.


>isakmp policy 10 authentication pre-share
>isakmp policy 10 encryption 3des
>isakmp policy 10 hash sha
>isakmp policy 10 group 5


Try knocking the transmitter down to group 2 -- 3DES group 5 is
unusual enough that it might tickle one of the many bugs in 7.0(1).

VeeDub 11-06-2006 04:47 AM

Re: Issue with PIX to Route VPN
 
I will give that a shot Walter. Can you tell me though why you think
the 3DES/DH-5 is an unusual combination?

Thanks


Walter Roberson wrote:
> In article <1162739824.656425.102890@k70g2000cwa.googlegroups.com>,
> VeeDub <veedubius@hotmail.com> wrote:
>
> >I am setting up a test VPN between a PIX 515 and 1841 Router running
> >Firewall IOS. The Tunnel seems to come up fine and is encrypting
> >traffic on the router side but there seems to be an issue on the PIX
> >side as it does not seem to be encrypting/decrypting. I have checked
> >the ACL used in the crypto map on the PIX and it seems to be fine. Can
> >anyone help from the following configuration?

>
> >PIX Version 7.0(1)

>
> Hmmm, lots and lots of bugs associated with that version.
>
>
> >isakmp policy 10 authentication pre-share
> >isakmp policy 10 encryption 3des
> >isakmp policy 10 hash sha
> >isakmp policy 10 group 5

>
> Try knocking the transmitter down to group 2 -- 3DES group 5 is
> unusual enough that it might tickle one of the many bugs in 7.0(1).



Brian V 11-06-2006 04:59 AM

Re: Issue with PIX to Route VPN
 

"VeeDub" <veedubius@hotmail.com> wrote in message
news:1162788469.913538.104770@b28g2000cwb.googlegroups.com...
>I will give that a shot Walter. Can you tell me though why you think
> the 3DES/DH-5 is an unusual combination?
>
> Thanks
>
>
> Walter Roberson wrote:
>> In article <1162739824.656425.102890@k70g2000cwa.googlegroups.com>,
>> VeeDub <veedubius@hotmail.com> wrote:
>>
>> >I am setting up a test VPN between a PIX 515 and 1841 Router running
>> >Firewall IOS. The Tunnel seems to come up fine and is encrypting
>> >traffic on the router side but there seems to be an issue on the PIX
>> >side as it does not seem to be encrypting/decrypting. I have checked
>> >the ACL used in the crypto map on the PIX and it seems to be fine. Can
>> >anyone help from the following configuration?

>>
>> >PIX Version 7.0(1)

>>
>> Hmmm, lots and lots of bugs associated with that version.
>>
>>
>> >isakmp policy 10 authentication pre-share
>> >isakmp policy 10 encryption 3des
>> >isakmp policy 10 hash sha
>> >isakmp policy 10 group 5

>>
>> Try knocking the transmitter down to group 2 -- 3DES group 5 is
>> unusual enough that it might tickle one of the many bugs in 7.0(1).

>


Because the standard in our industry is group 1 or group 2, group 2 for
almost 99% of what we do.



