site-to-site VPN in different IOS for PIX device

 
 
bensonlei@yahoo.com.hk
07-16-2007
Hi, all,

We are going to upgrade the PIX515E IOS 6.3 to the IOS V7.2; however,
we found that there is no upgrade IOS for the PIX506E IOS V6.3.

Our network has one PIX515E and three PIX506E; they form a
site-to-site VPN in a hub-and-spoke structure.

We found today that we could not form the site-to-site VPN between the
PIX515E IOS v7.2 and the PIX506E IOS V6.3.

Any suggestions?

Thank you

 
Omadon
07-16-2007
On Mon, 16 Jul 2007 03:16:02 -0700, (E-Mail Removed) wrote:
> Hi, all,
>
>
> We are going to upgrade the PIX515E IOS 6.3 to the IOS V7.2; however
> we found that no upgrade IOS for PIX506E IOS V6.3.
>
> Our network has one PIX515E and three PIX506E, they are forming the
> site-to-site VPN as the hub-and-spoke structure.
>
> We found today, we could not form the site-to-site VPN between PIX515E
> IOS v7.2 & PIX506E IOS V6.3.
>


And why not, it should work....

--
Dee Dee: You need a character too.
Dexter: I want to be Gygex, the 27th level warrior mage with
a class 18 soul-sucking-sword and...
Dee Dee: Here you go, you can be this guy.
Valarian: Well, it seems Hodo the furry footed burrower has joined our quest.

bensonlei@yahoo.com.hk
07-17-2007
On 7 16 , 6 16 , (E-Mail Removed) wrote:
> Hi, all,
>
> We are going to upgrade the PIX515E IOS 6.3 to the IOS V7.2; however
> we found that no upgrade IOS for PIX506E IOS V6.3.
>
> Our network has one PIX515E and three PIX506E, they are forming the
> site-to-site VPN as the hub-and-spoke structure.
>
> We found today, we could not form the site-to-site VPN between PIX515E
> IOS v7.2 & PIX506E IOS V6.3.
>
> Any suggestion ?
>
> Thank you




Further debug result:

PI-Line(config)#
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_FQDN
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 25
ISAKMP (0): Total payload length: 29
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500

.............................
..............................
.....................................

VPN Peer:ISAKMP: Peer Info for JIL_FW/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= Local_FW, remote= JIL_FW,
local_proxy= 172.27.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.27.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_FQDN
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
ISAKMP: sa not found for ike msg
.................................
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 25
ISAKMP (0): Total payload length: 29
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
ISAKMP: error, msg not encrypted
PI-Line(config)# IPSEC(key_engine): request timer fired: count = 1,
(identity) local= Local_FW, remote= JIL_FW,
local_proxy= 172.27.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.27.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src Local_FW, dst JIL_FW
ISADB: reaper checking SA 0xfa77e4, conn_id = 0 DELETE IT!

 
John Rennie
07-17-2007
I'm fairly sure the 506e won't run v7.x software.

However there should be no problem with a normal LAN to LAN VPN between a 515E
running v7.x and a 506E running v6.3. It's not clear to me what's wrong from
the debug output, but it looks as though it's the security association that's
failing. Did you use the PDM wizard to create the VPN, or did you hand craft
it?

JR

On Tue, 17 Jul 2007 02:18:26 -0700, (E-Mail Removed) wrote:

>On 7 16 , 6 16 , (E-Mail Removed) wrote:
>> Hi, all,
>>
>> We are going to upgrade the PIX515E IOS 6.3 to the IOS V7.2; however
>> we found that no upgrade IOS for PIX506E IOS V6.3.
>>
>> Our network has one PIX515E and three PIX506E, they are forming the
>> site-to-site VPN as the hub-and-spoke structure.
>>
>> We found today, we could not form the site-to-site VPN between PIX515E
>> IOS v7.2 & PIX506E IOS V6.3.
>>
>> Any suggestion ?
>>
>> Thank you

>
>
>
>Further debug result :
>
>PI-Line(config)#
>ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
>ISAKMP (0): beginning Main Mode exchange
>crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
>OAK_MM exchange
>ISAKMP (0): processing SA payload. message ID = 0
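
An added example, not part of any post in this thread: a small triage helper that reads `debug crypto isakmp` output like the one posted above and reports, per Main Mode attempt, how far the initiator got and which error lines followed. The mapping of log lines to IKEv1 Main Mode messages (MM1 to MM5) and the function name `triage` are assumptions of this example.

```python
# Added example: triage of PIX 6.x "debug crypto isakmp" output, initiator side.
# Mapping log lines to IKEv1 Main Mode messages is an assumption of this example.
STAGES = [
    ("beginning Main Mode exchange", "MM1 sent (SA proposal)"),
    ("processing SA payload", "MM2 received (proposal accepted)"),
    ("processing KE payload", "MM4 received (KE and nonce)"),
    ("Total payload length", "MM5 built (ID payload)"),
]
ERRORS = ["sa not found for ike msg", "error, msg not encrypted",
          "request timer fired", "deleting SA"]

# Lines copied from the debug output posted in the thread, shortened.
SAMPLE = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): Total payload length: 29
IPSEC(key_engine): request timer fired: count = 2,
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP: sa not found for ike msg
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): Total payload length: 29
ISAKMP: error, msg not encrypted
PI-Line(config)# IPSEC(key_engine): request timer fired: count = 1,
ISAKMP (0): deleting SA: src Local_FW, dst JIL_FW
"""

def triage(debug_text):
    """Return one dict per Main Mode attempt: furthest stage and error lines seen."""
    attempts = []
    for line in debug_text.splitlines():
        if STAGES[0][0] in line:
            attempts.append({"stage": 0, "errors": []})
        if not attempts:
            continue  # ignore output before the first attempt starts
        cur = attempts[-1]
        for idx, (marker, _) in enumerate(STAGES):
            if marker in line:
                cur["stage"] = max(cur["stage"], idx)
        for marker in ERRORS:
            if marker in line and marker not in cur["errors"]:
                cur["errors"].append(marker)
    return [{"stage": STAGES[a["stage"]][1], "errors": a["errors"]} for a in attempts]

if __name__ == "__main__":
    for n, attempt in enumerate(triage(SAMPLE), 1):
        print(f"attempt {n}: reached {attempt['stage']}; errors: {attempt['errors']}")
```

On the sample lines both attempts reach the MM5 stage, after the log's `atts are acceptable`, so the ISAKMP policy proposal was accepted and the errors appear only once the exchange should be encrypted.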


 