PIX501 IPSec Troubleshooting with ISAKMP Messages

Discussion in 'Cisco' started by KurtLue, Jan 2, 2007.

    KurtLue (Guest)

    Hello, all,

    Here I have a question about the IPSec VPN connection between two
    PIX501s. The details are listed below:

    IOS: PIX-A 6.2(3) and PIX-B 6.3(5)
    Topology:
    LAN-A --------- PIX-A ------------ Intra-Router ---------- PIX-B ------------ LAN-2
           a1     a2     b1          b2           c1          c2     d1      d2

    a1: 10.6.2.201      a2: 10.6.2.200
    b1: 139.24.179.27   b2: 139.24.179.2
    c1: 140.231.179.97  c2: 140.231.182.225
    d1: 10.6.4.200      d2: 10.6.4.201

    B1 can reach C1 (ping) since they are both in our intranet. A1 and
    D2 are both on private LANs, which need to establish the IPSec connection.
    Besides, A1 and D2 also need to reach the intranet through the PIX by
    using NAT.

    Here are the configurations of both devices:
    PIX-A
    PIX Version 6.3(5)
    .............
    names
    access-list 100 permit ip 10.6.2.0 255.255.255.0 10.6.4.0 255.255.255.0
    ip address outside 139.24.179.27 255.255.255.0
    ip address inside 10.6.2.200 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 2 139.24.179.40
    nat (inside) 0 access-list 100
    nat (inside) 2 0.0.0.0 0.0.0.0 0 0
    conduit permit icmp any any
    route outside 0.0.0.0 0.0.0.0 139.24.179.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-des esp-md5-hmac
    crypto map toNippon 20 ipsec-isakmp
    crypto map toNippon 20 match address 100
    crypto map toNippon 20 set peer 140.231.182.225
    crypto map toNippon 20 set transform-set strong
    crypto map toNippon interface outside
    isakmp enable outside
    isakmp key 123456 address 140.231.182.225 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    : end

    PIX-B
    PIX Version 6.2(3)101
    .....................
    names
    access-list 110 permit ip 10.6.4.0 255.255.255.0 10.6.2.0 255.255.255.0
    ip address outside 140.231.182.225 255.255.255.0
    ip address inside 10.6.4.200 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 140.231.182.226-140.231.182.228
    nat (inside) 0 access-list 110
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    conduit permit icmp any any
    route outside 0.0.0.0 0.0.0.0 140.231.179.97 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set strong esp-des esp-md5-hmac
    crypto map toChina 10 ipsec-isakmp
    crypto map toChina 10 match address 110
    crypto map toChina 10 set peer 139.24.179.27
    crypto map toChina 10 set transform-set strong
    crypto map toChina interface outside
    isakmp enable outside
    isakmp key 123456 address 139.24.179.27 netmask 255.255.255.255
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption des
    isakmp policy 8 hash md5
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    :end

    Test cases:
    1. Ping from a1 to c1, c2: OK
    2. Ping from b1 to c2: OK
    3. Ping from d2 to b1, b2: OK
    These three steps meant the SNX networking between PIX-A and PIX-B was
    OK, and also that the PIX NAT settings were fine.
    4. Ping from a1 to d2: not OK (and vice versa)

    While step 4 was ongoing, I monitored the traces from PIX-A; there
    was a kind of "Peer Not Found" error.
    Here is the debug information:
    debug crypto ipsec
    debug crypto isakmp
    debug crypto engine
    ======================================
    ISAKMP (0): beginning Main Mode exchange
    ISAKMP (0): retransmitting phase 1 (0)...
    ISAKMP (0): retransmitting phase 1 (1)...
    ISAKMP (0): retransmitting phase 1 (2)...
    ISAKMP (0): retransmitting phase 1 (3)...
    ISAKMP (0): retransmitting phase 1 (4)...

    IPSEC(key_engine): request timer fired: count = 1,
    (identity) local= 139.24.179.27, remote= 140.231.182.225,
    local_proxy= 10.6.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.6.4.0/255.255.255.0/0/0 (type=4)

    ISAKMP (0): deleting SA: src 139.24.179.27, dst 140.231.182.225
    ISADB: reaper checking SA 0xabecb4, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 140.231.182.225/500 not found - peers:0

    IPSEC(key_engine): request timer fired: count = 2,
    (identity) local= 139.24.179.27, remote= 140.231.182.225,
    local_proxy= 10.6.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.6.4.0/255.255.255.0/0/0 (type=4)
    ==========================================
    show ipsec sa
    ========
    interface: outside
    Crypto map tag: toNippon, local addr. 139.24.179.27

    local ident (addr/mask/prot/port): (10.6.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.6.4.0/255.255.255.0/0/0)
    current_peer: 140.231.182.225:0
    PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 270, #recv errors 0

    local crypto endpt.: 139.24.179.27, remote crypto endpt.: 140.231.182.225
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
    ==============================
    Obviously, no SA was being established.

    I did some similar tests locally using another PIX (same IOS as
    PIX-A, and same IP segment). The rest of the configuration was totally the
    same, and the error never happened. I have no idea what was wrong with
    this process. Could it possibly come from the different IOS versions?
    Is there anybody who could give me a hand with that?

    Thanks a lot in advance.

    Kurt
    KurtLue, Jan 2, 2007
    #1
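The negotiation failure in the post, as an added example that is not part of the original thread and is not Cisco code: a small Python checker that reads the two posted PIX 6.x configurations side by side and reports every mismatch that would keep IKE from negotiating (peer address, pre-shared key, ISAKMP policy, transform set, mirrored crypto ACL, and whether isakmp is enabled on the interface the crypto map is bound to), then classifies the posted debug trace. The config excerpts and debug lines embedded below are constructed from the text of the post; the "processing" pattern used to detect a responder's reply is an assumption about PIX debug wording, not something the post shows. On these two configs every check passes, which is the useful result: five phase 1 retransmits with nothing coming back means the initiator's UDP/500 packets are not being answered, so the next thing to verify is the path between the two outside addresses (UDP/500 for IKE and IP protocol 50 for ESP through the intra-router), not the crypto settings. Separately, the DES/MD5/DH group 1 proposal both ends share is weak by any current standard and should be replaced once the tunnel is up.

```python
"""Added example, not code from the thread: mirror-check a PIX 6.x IPsec pair.
Parses the two posted configs (embedded as constructed excerpts of the posted
text), lists anything that would break IKE phase 1 or 2, and reads the trace."""

PIX_A = """\
access-list 100 permit ip 10.6.2.0 255.255.255.0 10.6.4.0 255.255.255.0
ip address outside 139.24.179.27 255.255.255.0
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map toNippon 20 match address 100
crypto map toNippon 20 set peer 140.231.182.225
crypto map toNippon 20 set transform-set strong
crypto map toNippon interface outside
isakmp enable outside
isakmp key 123456 address 140.231.182.225 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""
PIX_B = """\
access-list 110 permit ip 10.6.4.0 255.255.255.0 10.6.2.0 255.255.255.0
ip address outside 140.231.182.225 255.255.255.0
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map toChina 10 match address 110
crypto map toChina 10 set peer 139.24.179.27
crypto map toChina 10 set transform-set strong
crypto map toChina interface outside
isakmp enable outside
isakmp key 123456 address 139.24.179.27 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
"""
DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 139.24.179.27, dst 140.231.182.225
VPN Peer:ISAKMP: Peer Info for 140.231.182.225/500 not found - peers:0
"""
IKE_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_pix(text):
    """Keep only the PIX 6.x statements that decide whether two peers can negotiate."""
    c = {"acl": {}, "ip": {}, "tset": {}, "map": {}, "map_if": {}, "ike_if": set(), "key": {}, "policy": {}}
    for t in (line.split() for line in text.splitlines()):
        if len(t) > 7 and t[0] == "access-list" and t[2] == "permit":
            c["acl"].setdefault(t[1], []).append(tuple(t[4:8]))  # (src, smask, dst, dmask)
        elif t[:2] == ["ip", "address"]:
            c["ip"][t[2]] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tset"][t[3]] = tuple(sorted(t[4:]))
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            c["map_if"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[4] in ("match", "set"):
            c["map"].setdefault((t[2], int(t[3])), {})[t[5]] = t[6]  # address / peer / transform-set
        elif t[:2] == ["isakmp", "enable"]:
            c["ike_if"].add(t[2])
        elif t[:2] == ["isakmp", "key"]:
            c["key"][t[4]] = t[2]  # pre-shared key indexed by peer address
        elif t[:2] == ["isakmp", "policy"]:
            c["policy"].setdefault(t[2], {})[t[3]] = " ".join(t[4:])
    return c


def proposals(c):
    return {tuple(p.get(k) for k in IKE_ATTRS) for p in c["policy"].values()}


def check_pair(a, b):
    """Findings that stop a negotiating with b; an empty list means the configs mirror."""
    out = []
    for (name, seq), e in a["map"].items():
        iface, peer = a["map_if"].get(name), e.get("peer")
        local = a["ip"].get(iface)
        far = next((f for f in b["map"].values() if f.get("peer") == local), None)
        mirror = {(d, dm, s, sm) for s, sm, d, dm in b["acl"].get((far or {}).get("address"), [])}
        checks = (
            (iface not in a["ike_if"], f"isakmp not enabled on {iface}"),
            (peer not in a["key"], f"no isakmp key for peer {peer}"),
            (peer not in b["ip"].values(), f"peer {peer} is not an interface address on the far side"),
            (far is None, f"far side has no crypto map entry with peer {local}"),
            (far and a["key"].get(peer) != b["key"].get(local), "pre-shared keys differ"),
            (far and a["tset"].get(e.get("transform-set")) != b["tset"].get(far.get("transform-set")),
             "transform sets differ"),
            (far and set(a["acl"].get(e.get("address"), [])) != mirror,
             "crypto ACLs are not mirror images (phase 2 proxy-ID mismatch)"),
        )
        out += [f"{name} {seq}: {msg}" for bad, msg in checks if bad]
    if not proposals(a) & proposals(b):
        out.append("no ISAKMP policy in common (phase 1 rejected even if the peer answered)")
    return out


def classify_isakmp_debug(lines):
    # Assumption: a responder's reply surfaces as "processing ..." payload lines.
    retrans = sum("retransmitting phase 1" in l for l in lines)
    replied = any("processing" in l for l in lines)
    if retrans and not replied:
        return "no IKE reply: nothing answered UDP/500 (path, filtering, or peer not listening)"
    return "peer answered; look for policy or proposal errors later in the trace" if replied else "inconclusive"


if __name__ == "__main__":
    a, b = parse_pix(PIX_A), parse_pix(PIX_B)
    print(check_pair(a, b) + check_pair(b, a) or "configs mirror each other")
    print(classify_isakmp_debug(DEBUG.splitlines()))
```

Run it as-is and both directions come back clean, so the trace is the only evidence left and it says the peer never answered. Change one side's key, peer address or DH group in the embedded text and the corresponding finding appears, which is the quickest way to tell a configuration mismatch (the peer replies, then rejects) from a reachability problem (the peer never replies).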