site-to-site VPN in different IOS for PIX device

Discussion in 'Cisco' started by bensonlei@yahoo.com.hk, Jul 16, 2007.

  1. Guest

    Hi, all,


    We are going to upgrade the PIX515E IOS 6.3 to the IOS V7.2; however,
    we found that there is no upgrade IOS for PIX506E IOS V6.3.

    Our network has one PIX515E and three PIX506E; they are forming the
    site-to-site VPN as the hub-and-spoke structure.

    We found today that we could not form the site-to-site VPN between PIX515E
    IOS v7.2 & PIX506E IOS V6.3.

    Any suggestions?


    Thank you
    , Jul 16, 2007
    #1

  2. Omadon Guest

    On Mon, 16 Jul 2007 03:16:02 -0700,
    <> wrote:
    > Hi, all,
    >
    >
    > We are going to upgrade the PIX515E IOS 6.3 to the IOS V7.2; however
    > we found that no upgrade IOS for PIX506E IOS V6.3.
    >
    > Our network has one PIX515E and three PIX506E, they are forming the
    > site-to-site VPN as the hub-and-spoke structure.
    >
    > We found today, we could not form the site-to-site VPN between PIX515E
    > IOS v7.2 & PIX506E IOS V6.3.
    >


    And why not, it should work....

    --
    Dee Dee: You need a character too.
    Dexter: I want to be Gygex, the 27th level warrior mage with
    a class 18 soul-sucking-sword and...
    Dee Dee: Here you go, you can be this guy.
    Valarian: Well, it seems Hodo the furry footed burrower has joined our quest.

    Omadon, Jul 16, 2007
    #2

  3. Guest

    On 7 16 , 6 16 , wrote:
    > Hi, all,
    >
    > We are going to upgrade the PIX515E IOS 6.3 to the IOS V7.2; however
    > we found that no upgrade IOS for PIX506E IOS V6.3.
    >
    > Our network has one PIX515E and three PIX506E, they are forming the
    > site-to-site VPN as the hub-and-spoke structure.
    >
    > We found today, we could not form the site-to-site VPN between PIX515E
    > IOS v7.2 & PIX506E IOS V6.3.
    >
    > Any suggestion ?
    >
    > Thank you




    Further debug result :

    PI-Line(config)#
    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    ISAKMP (0): beginning Main Mode exchange
    crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): SA is doing pre-shared key authentication using id type
    ID_FQDN
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    ISAKMP (0:0): Detected port floating
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): received xauth v6 vendor id

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a VPN3000 concentrator

    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match MINE hash
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match HIS hash
    ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 500
    length : 25
    ISAKMP (0): Total payload length: 29
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500

    .............................
    ..............................
    .....................................

    VPN Peer:ISAKMP: Peer Info for JIL_FW/500 not found - peers:0
    IPSEC(key_engine): request timer fired: count = 2,
    (identity) local= Local_FW, remote= JIL_FW,
    local_proxy= 172.27.30.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.27.1.0/255.255.255.0/0/0 (type=4)

    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    ISAKMP (0): beginning Main Mode exchange
    crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): SA is doing pre-shared key authentication using id type
    ID_FQDN
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    ISAKMP (0:0): Detected port floating
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
    ISAKMP: sa not found for ike msg
    .................................
    crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): received xauth v6 vendor id

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a VPN3000 concentrator

    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match MINE hash
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match HIS hash
    ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 500
    length : 25
    ISAKMP (0): Total payload length: 29
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
    ISAKMP: error, msg not encrypted
    PI-Line(config)# IPSEC(key_engine): request timer fired: count = 1,
    (identity) local= Local_FW, remote= JIL_FW,
    local_proxy= 172.27.30.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.27.1.0/255.255.255.0/0/0 (type=4)

    ISAKMP (0): deleting SA: src Local_FW, dst JIL_FW
    ISADB: reaper checking SA 0xfa77e4, conn_id = 0 DELETE IT!
    , Jul 17, 2007
    #3
  4. John Rennie Guest

    I'm fairly sure the 506e won't run v7.x software.

    However there should be no problem with a normal LAN to LAN VPN between a 515E
    running v7.x and a 506E running v6.3. It's not clear to me what's wrong from
    the debug output, but it looks as though it's the security association that's
    failing. Did you use the PDM wizard to create the VPN, or did you hand craft
    it?

    JR

    On Tue, 17 Jul 2007 02:18:26 -0700, wrote:

    >On 7 16 , 6 16 , wrote:
    >> Hi, all,
    >>
    >> We are going to upgrade the PIX515E IOS 6.3 to the IOS V7.2; however
    >> we found that no upgrade IOS for PIX506E IOS V6.3.
    >>
    >> Our network has one PIX515E and three PIX506E, they are forming the
    >> site-to-site VPN as the hub-and-spoke structure.
    >>
    >> We found today, we could not form the site-to-site VPN between PIX515E
    >> IOS v7.2 & PIX506E IOS V6.3.
    >>
    >> Any suggestion ?
    >>
    >> Thank you

    >
    >
    >
    >Further debug result :
    >
    >PI-Line(config)#
    >ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    >ISAKMP (0): beginning Main Mode exchange
    >crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
    >OAK_MM exchange
    >ISAKMP (0): processing SA payload. message ID = 0
    John Rennie, Jul 17, 2007
    #4
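
A small triage script for the ISAKMP debug text posted in this thread, added here as an illustration and not written by anyone in the thread: it extracts the Phase 1 proposal, decodes the lifetime bytes, and lists how far the exchange got before the error lines appear. The sample lines are copied from the posted output; the `triage` function, the stage names and the list of legacy algorithms are assumptions of this example.

```python
import re

# Lines copied from the debug output posted in the thread (trimmed).
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): ID payload
ISAKMP: sa not found for ike msg
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src Local_FW, dst JIL_FW
"""

ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
LIFE = re.compile(r"life duration \(VPI\) of((?:\s+0x[0-9a-fA-F]+)+)")
# Progress markers, in the order they appear in the posted Main Mode trace.
STAGES = [("atts are acceptable", "proposal accepted"),
          ("processing KE payload", "key exchange received"),
          ("ID payload", "identity payload built")]
TROUBLE = ("sa not found", "msg not encrypted", "deleting SA")
# Values generally treated as legacy today (assumption of this example).
LEGACY = {"3DES-CBC", "MD5", "2"}


def triage(text):
    """Summarise one negotiation attempt from PIX ISAKMP debug text."""
    out = {"proposal": {}, "lifetime_s": None, "stages": [], "failures": []}
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()  # tolerate quoted copies
        if m := ATTR.search(line):
            out["proposal"][m.group(1)] = m.group(2)
        elif m := LIFE.search(line):
            # The VPI value is printed as big-endian bytes: 0x0 0x1 0x51 0x80.
            raw = bytes(int(b, 16) for b in m.group(1).split())
            out["lifetime_s"] = int.from_bytes(raw, "big")
        for marker, name in STAGES:
            if marker in line and name not in out["stages"]:
                out["stages"].append(name)
        out["failures"] += [line for t in TROUBLE if t in line]
    out["legacy"] = sorted(k for k, v in out["proposal"].items() if v in LEGACY)
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the posted trace this reports a lifetime of 86400 seconds and an accepted proposal, with the error lines appearing only after the key exchange and identity payloads.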