pix501 easy vpn to pix515

Discussion in 'Cisco' started by lfnetworking, Sep 7, 2006.

  1. lfnetworking

    lfnetworking Guest

The goal is to create a tunnel from the LAN behind the 501 via an easy
vpn (vpnclient) connection originating on the 501 and terminating on a
515 running 7.2(1).

The 501 is behind another router which provides PAT. I have tried both
client and NEM mode, and NAT-T over UDP and TCP, and while I achieve L3
connectivity between the 501 and the remote LAN, there is no L3
connectivity between the two remote LANs.

What I see when I watch "sh crypto isakmp sa" from initiation is that the
501 seems to be attempting to bring up 2 or 3 tunnels (SAs), and, several
minutes after one or more forms, it dies and the renegotiation begins.

Here's the IPsec part of the cfg on the headend pix515.
llab is the tunnel group that's been working fine with the software
vpnclient negotiating NAT-T tcp and udp. llabevpn is an experimental
group set up to try to get the 501 vpnclient connection to work.
    ............
    group-policy llabevpn internal
    group-policy llabevpn attributes
    dns-server value 192.168.220.2
    vpn-idle-timeout none
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel721
    split-dns value llab.com
    nem enable
    group-policy llab internal
    group-policy llab attributes
    dns-server value 192.168.220.2
    vpn-idle-timeout none
    ipsec-udp enable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel721
    split-dns value llab.com
    ............
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set 3des-sha
    crypto map map1 10 ipsec-isakmp dynamic dynmap
    crypto map map1 interface pix-outside
    crypto isakmp identity address
    crypto isakmp enable pix-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    tunnel-group DefaultL2LGroup ipsec-attributes
    isakmp keepalive threshold 15
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 15
    tunnel-group llab type ipsec-ra
    tunnel-group llab general-attributes
    address-pool vpnclients
    authorization-server-group LOCAL
    default-group-policy llab
    tunnel-group llab ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15
    tunnel-group llabevpn type ipsec-ra
    tunnel-group llabevpn general-attributes
    address-pool vpnclients
    authorization-server-group LOCAL
    default-group-policy llabevpn
    tunnel-group llabevpn ipsec-attributes
    pre-shared-key *

.....here's a sample crypto ipsec sa on the 515. Note there are 4 SAs
formed. My expectation was that I'd only see one, with a remote ident of
192.168.57.0/24 (the LAN behind the pix501) and a local ident of
192.168.220.0 (the LAN behind the pix515).
192.168.56.104 is the outside address of the 501.

    ............................

    Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x

    local ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.56.104/255.255.255.255/0/0)
    current_peer: x.x.x.x, username: jj
    dynamic allocated peer ip: 0.0.0.0

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: C830E208

    inbound esp sas:
    spi: 0x13C4D5BE (331666878)
    transform: esp-3des esp-sha-hmac
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 2154, crypto-map: dynmap
    sa timing: remaining key lifetime (sec): 28639
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0xC830E208 (3358646792)
    transform: esp-3des esp-sha-hmac
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 2154, crypto-map: dynmap
    sa timing: remaining key lifetime (sec): 28639
    IV size: 8 bytes
    replay detection support: Y

    Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x

    local ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.57.0/255.255.255.0/0/0)
    current_peer: x.x.x.x, username: jj
    dynamic allocated peer ip: 0.0.0.0

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: 58DCD277

    inbound esp sas:
    spi: 0x595A6A5F (1499097695)
    transform: esp-3des esp-sha-hmac
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 2154, crypto-map: dynmap
    sa timing: remaining key lifetime (sec): 28706
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0x58DCD277 (1490866807)
    transform: esp-3des esp-sha-hmac
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 2154, crypto-map: dynmap
    sa timing: remaining key lifetime (sec): 28706
    IV size: 8 bytes
    replay detection support: Y

    Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x

    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.221.6/255.255.255.255/0/0)
    current_peer: x.x.x.x, username: jj
    dynamic allocated peer ip: 192.168.221.6

    #pkts encaps: 35175, #pkts encrypt: 35175, #pkts digest: 35175
    #pkts decaps: 24681, #pkts decrypt: 24681, #pkts verify: 24681
    #pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 35175, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

local crypto endpt.: x.x.x.x/10000, remote crypto endpt.: x.x.x.x/52869
    path mtu 1500, ipsec overhead 94, media mtu 1500
    current outbound spi: EA76D22B

    inbound esp sas:
    spi: 0x45756873 (1165322355)
    transform: esp-3des esp-sha-hmac
    in use settings ={RA, Tunnel, TCP-Encaps, }
    slot: 0, conn_id: 2149, crypto-map: dynmap
    sa timing: remaining key lifetime (sec): 27905
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0xEA76D22B (3933655595)
    transform: esp-3des esp-sha-hmac
    in use settings ={RA, Tunnel, TCP-Encaps, }
    slot: 0, conn_id: 2149, crypto-map: dynmap
    sa timing: remaining key lifetime (sec): 27905
    IV size: 8 bytes
    replay detection support: Y

    Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x

    local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.56.104/255.255.255.255/0/0)
    current_peer: x.x.x.x, username: jj
    dynamic allocated peer ip: 0.0.0.0

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: x.x.x.x, remote crypto endpt.:

    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: 06B31C7E

    inbound esp sas:
    spi: 0x8212EB42 (2182277954)
    transform: esp-3des esp-sha-hmac
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 2154, crypto-map: dynmap
    sa timing: remaining key lifetime (sec): 28610
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0x06B31C7E (112401534)
    transform: esp-3des esp-sha-hmac
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 2154, crypto-map: dynmap
    sa timing: remaining key lifetime (sec): 28610
    IV size: 8 bytes
    replay detection support: Y
     
    lfnetworking, Sep 7, 2006
    #1
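A small checker for the symptom in the post above, added here as an example and not part of the original post: it parses "show crypto ipsec sa" output (the SAMPLE is a constructed, condensed copy of two of the four SA blocks posted, with x.x.x.x kept as given) and reports whether the expected LAN-to-LAN selector pair exists and carries traffic in both directions. The function names and the status labels are my own.

```python
import re

# Constructed sample: a condensed copy of two of the four SA blocks from the
# post above (ident lines and packet counters only; x.x.x.x kept as posted).
SAMPLE = """\
Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x
  local ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port):
  (192.168.57.0/255.255.255.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.221.6/255.255.255.255/0/0)
  #pkts encaps: 35175, #pkts encrypt: 35175, #pkts digest: 35175
  #pkts decaps: 24681, #pkts decrypt: 24681, #pkts verify: 24681
"""

IDENT_RE = re.compile(r"^(local|remote) ident .*?:\s*(?:\((\S+)\))?$")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """One dict per 'Crypto map tag' block; tolerates an ident value that is
    wrapped onto the following line, as in the posted output."""
    entries, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Crypto map tag:"):
            entries.append({"local": "", "remote": "", "encaps": 0, "decaps": 0})
        elif not entries:
            continue                      # ignore text before the first block
        elif pending and line.startswith("("):
            entries[-1][pending], pending = line.strip("()"), None
        elif m := IDENT_RE.match(line):
            if m.group(2):
                entries[-1][m.group(1)] = m.group(2)
            else:
                pending = m.group(1)      # value continues on the next line
        elif m := PKTS_RE.search(line):
            entries[-1][m.group(1)] = int(m.group(2))
    return entries

def lan_to_lan_status(entries, local_net, remote_net):
    """Classify the selector pair the poster expected (LAN behind the 515 to
    LAN behind the 501). 'inbound-only' = decrypts, never encrypts back."""
    for e in entries:
        if e["local"] == local_net and e["remote"] == remote_net:
            if e["encaps"] and e["decaps"]:
                return "ok"
            return "inbound-only" if e["decaps"] else "no-traffic"
    return "missing"
```

On the posted counters the 192.168.220.0/24 to 192.168.57.0/24 SA comes back "inbound-only": the headend decrypted 3 packets from the 501's LAN but never encrypted anything back into that SA, which is where to look next (routing or NAT exemption for the return path on the 515).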