site to site vpn with pix 506

Discussion in 'Cisco' started by Christian Pelster, Jul 20, 2005.

  1. hi,

    at first my setup:

    we have a local net, a pix, a default router for internet (yyy.yyy.yyy.yyy)
    and a remote vpn gateway (zzz.zzz.zzz.zzz) from which we know that there
    are already about 5 pix sucessfully connecting to it, except for mine.

    local net (192.168.1.0/24) <-> pix (internal: 192.168.1.1, external
    xxx.xxx.xxx.xxx) <-> internet router (yyy.yyy.yyy.yyy) < -~ internet ~->
    remote vpn gateway (zzz.zzz.zzz.zzz) <-> remote host (10.10.11.1)


    pix config:

    *snip*
    -----------------------------------------------------------------------------
    Building configuration...
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    domain-name xxxx.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.0 local_net
    name zzz.zzz.zzz.zzz remote_gateway
    name 10.10.11.1 remote_host
    access-list inside_outbound_nat0_acl permit ip local_net 255.255.255.0 host
    remote_host
    access-list inside_access_in permit tcp local_net 255.255.255.0 any
    access-list inside_access_in permit icmp any any
    access-list outside_cryptomap_60 permit ip local_net 255.255.255.0 host
    remote_host
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.2.2 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 yyyy.yyy.yyy.yyy
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address outside_cryptomap_60
    crypto map outside_map 60 set peer zzz.zzz.zzz.zzz
    crypto map outside_map 60 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address zzz.zzz.zzz.zzz netmask 255.255.255.255 no-xauth
    no-config-mode
    isakmp identity address
    isakmp policy 60 authentication pre-share
    isakmp policy 60 encryption 3des
    isakmp policy 60 hash sha
    isakmp policy 60 group 2
    isakmp policy 60 lifetime 86400
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    -----------------------------------------------------------------------------


    so when i try to connect to the remote host from an internal one, (let's say
    the internal host knows that he has to go over the pix to reach the host)
    the pix gibes me the following:

    *snip*
    -----------------------------------------------------------------------------
    ISAKMP (0): beginning Main Mode exchange

    crypto_isakmp_process_block:src:zzz.zzz.zzz.zzz, dest:xxx.xxx.xxx.xxx
    spt:500 dpt:5
    00
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 60 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): SA is doing pre-shared key authentication using id type
    ID_IPV4_ADDR

    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:zzz.zzz.zzz.zzz, dest:xxx.xxx.xxx.xxx
    spt:500 dpt:5
    00
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 500
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:zzz.zzz.zzz.zzz, dest:xxx.xxx.xxx.xxx
    spt:500 dpt:5
    00
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 0
    ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue
    even
    t...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with zzz.zzz.zzz.zzz

    ISAKMP (0): SA has been authenticated

    ISAKMP (0): beginning Quick Mode exchange, M-ID of
    -1718807659:998d1395IPSEC(key
    _engine): got a queue event...
    IPSEC(spi_response): getting spi 0xa20042e1(2717926113) for SA
    from zzz.zzz.zzz.zzz to xxx.xxx.xxx.xxx for prot 3

    return status is IKMP_NO_ERROR
    VPN Peer: ISAKMP: Added new peer: ip:zzz.zzz.zzz.zzz/500 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:zzz.zzz.zzz.zzz/500 Ref cnt incremented to:1 Total
    VPN
    Peers:1
    crypto_isakmp_process_block:src:zzz.zzz.zzz.zzz, dest:xxx.xxx.xxx.xxx
    spt:500 dpt:5
    00
    ISAKMP (0): processing NOTIFY payload 18 protocol 3
    spi 2717926113, message ID = 1820250745
    ISAKMP (0): deleting spi 3779199138 message ID = 2576159637
    return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired:
    cou
    nt = 1,
    (identity) local= xxx.xxx.xxx.xxx, remote= zzz.zzz.zzz.zzz,
    local_proxy= local_host/255.255.255.255/0/0 (type=1),
    remote_proxy= remote_host/255.255.255.255/0/0 (type=1)

    ISAKMP (0): beginning Quick Mode exchange, M-ID of
    -1875695860:9033270cIPSEC(key
    _engine): got a queue event...
    IPSEC(spi_response): getting spi 0xfbb3c5ac(4222862764) for SA
    from zzz.zzz.zzz.zzz to xxx.xxx.xxx.xxx for prot 3

    crypto_isakmp_process_block:src:zzz.zzz.zzz.zzz, dest:xxx.xxx.xxx.xxx
    spt:500 dpt:5
    00
    ISAKMP (0): processing NOTIFY payload 18 protocol 3
    spi 4222862764, message ID = 3422322526
    ISAKMP (0): deleting spi 2898637819 message ID = 2419271436
    return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired:
    cou
    nt = 2,
    (identity) local= xxx.xxx.xxx.xxx, remote= zzz.zzz.zzz.zzz,
    local_proxy= local_host/255.255.255.255/0/0 (type=1),
    remote_proxy= remote_host/255.255.255.255/0/0 (type=1)

    ISAKMP (0): beginning Quick Mode exchange, M-ID of
    -1987399972:898aaedcIPSEC(key
    _engine): got a queue event...
    IPSEC(spi_response): getting spi 0x44afbb14(1152367380) for SA
    from zzz.zzz.zzz.zzz to xxx.xxx.xxx.xxx for prot 3

    crypto_isakmp_process_block:src:zzz.zzz.zzz.zzz, dest:xxx.xxx.xxx.xxx
    spt:500 dpt:5
    00
    ISAKMP (0): processing NOTIFY payload 18 protocol 3
    spi 1152367380, message ID = 3628068065
    ISAKMP (0): deleting spi 347844420 message ID = 2307567324
    return status is IKMP_NO_ERR_NO_TRANS
    -----------------------------------------------------------------------------


    i can see a sucessfull vpn (or was ist called isakmp tunnel? i can't
    renember i'm not in the office at the moment) but no ipsec tunnel
    whatsoever?

    kann anyone explain me from the logs why not ipsec tunnel gets established?


    thanks,

    christian
     
    Christian Pelster, Jul 20, 2005
    #1
    1. Advertisements

  2. Christian Pelster

    rave Guest

    I guess this can be something to do with crypto acl not matching or
    pahse 2 policies not matching on both the sides.
    Please open a TAC case as we would require the full config from both
    the sides and maybe look into more detail
     
    rave, Jul 22, 2005
    #2
    1. Advertisements

  3. thanks for your repley but when i came to work yesterday it worked.
    don't ask me why, currently we try to fiddle out where the problem was.

    greetings,


    pelle
     
    Christian Pelster, Jul 23, 2005
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.