| Home | Forums | Reviews | Guides | Newsgroups | Register | Search |
 |
| Thread Tools |
|
Guest
Posts: n/a
|
Hi
I'm trying to create a lan-lan tunnel between a 3005 and a pix501. the pix has 3des license: VPN-DES: Enabled VPN-3DES-AES: Enabled i've been following the doc on cisco web: http://www.cisco.com/warp/public/471/ALTIGA_pix.html but i have no idea about what i'm doing wrong. the parameters on the 3005: authentication: esp/sha/hmac-128, preshared key encryption: aes-256 ike proposal: encr: aes-256, auth: sha/hmac/160, group 2 on the pix side: crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer x.x.x.8 crypto map outside_map 20 set transform-set ESP-AES-256-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp enable inside isakmp key ******** address x.x.x.8 netmask 255.255.255.255 isakmp identity address isakmp keepalive 60 10 isakmp log 100 isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 isakmp policy 40 authentication pre-share isakmp policy 40 encryption aes-256 isakmp policy 40 hash sha isakmp policy 40 group 2 isakmp policy 40 lifetime 86400 The vpn web log says: 23877 05/30/2006 17:15:31.390 SEV=4 AUTH/23 RPT=823 x.x.x.9 User [x.x.x.9] Group [x.x.x.9] disconnected: duration: 0:00:00 23876 05/30/2006 17:15:31.390 SEV=4 IKEDBG/97 RPT=278 x.x.x.9 Group [x.x.x.9] QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)! 23871 05/30/2006 17:15:31.390 SEV=5 IKE/34 RPT=5016 x.x.x.9 Group [x.x.x.9] Received local IP Proxy Subnet data in ID Payload: Address 10.10.141.0, Mask 255.255.255.0, Protocol 0, Port 0 23868 05/30/2006 17:15:31.390 SEV=5 IKE/35 RPT=2216 x.x.x.9 Group [x.x.x.9] Received remote IP Proxy Subnet data in ID Payload: Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0 23864 05/30/2006 17:15:31.340 SEV=4 IKE/119 RPT=16200 x.x.x.9 Group [x.x.x.9] PHASE 1 COMPLETED The PIX says: [...] VPN Peer: ISAKMP: Added new peer: ip  .x.x.8/500 Total VPN Peers:1VPN Peer: ISAKMP: Peer ip .x.x.8/500 Ref cnt incremented to:1 Total VPNPeers:1 crypto_isakmp_process_block:src .x.x.8, dest.x.x.9 spt:500 dpt:500ISAKMP (0): processing NOTIFY payload 24576 protocol 1 spi 0, message ID = 3863724126 ISAKMP (0): processing responder lifetime ISAKMP (0): phase 1 responder lifetime of 3600s return status is IKMP_NO_ERR_NO_TRANS crypto_isakmp_process_block:src .x.x.8, dest.x.x.9 spt:500 dpt:500ISAKMP (0): processing DELETE payload. message ID = 2461701839, spi size = 16 ISAKMP (0): deleting SA: src x.x.x.9, dst x.x.x.8 return status is IKMP_NO_ERR_NO_TRANS ISADB: reaper checking SA 0xb31854, conn_id = 0 DELETE IT! VPN Peer: ISAKMP: Peer ip .x.x.8/500 Ref cnt decremented to:0 Total VPNPeers:1 VPN Peer: ISAKMP: Deleted peer: ip .x.x.8/500 Total VPNpeers:0IPSEC(key_engine): got a queue event... IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.8 and i ran out of ideas. I've tried to config the pix with the no x-auth, changing ipsec nat-t, changing the transform sets... but no luck. Can anyone tell me what i'm doing wrong? The only error message what i see is the QM FSM error (P2 struct &0xcf5afb0, mess id 0x87223d2b)! from the concentrator webpage, but i don't know what that means. Thanks very much Adam |
|
|
|
|||
|
|
| |
|
Guest
Posts: n/a
|
|
|
|
|
||
|
|
| |
|
Guest
Posts: n/a
|
|
|
|
|
||
|
|
| |
|
| Thread Tools | |
|
|
