Site-to-site VPN with PPPoE connection

Unanswered Question
Feb 5th, 2007

We have 2 PIXes (a 515 and a 506e) doing a VPN between the two. The tunnel is up, but the 506e side cannot connect to anything. I do see the tunnel between the two is up.

Config of the 515 PIX:

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 172.16.10.0 255.255.255.0 11.1.1.0 255.255.255.0
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 172.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 11.1.1.1-11.1.1.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-cache src_dst 128KB
http server enable
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server platt_dc
vpngroup vpn3000 default-domain company.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vpngroup idle-time 1800
ssh Cisco 255.255.255.255 outside
ssh timeout 5
terminal width 80

Config of the 506e PIX:

PIX Version 6.2(2)
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.51 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
telnet x.x.x.x 255.255.255.255 outside
telnet 172.16.10.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoegroup request dialout pppoe
vpdn group pppoegroup localname [email protected]
vpdn group pppoegroup ppp authentication pap
vpdn username [email protected] password ********
dhcpd address 192.168.0.50-192.168.0.100 inside
dhcpd dns 198.235.216.134 172.16.10.2
dhcpd lease 504000
dhcpd ping_timeout 750
dhcpd domain company.com
dhcpd enable inside
vpnclient vpngroup vpn3000 password ********
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient enable
terminal width 80

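As an added example, not part of the original thread and not either poster's configuration, the Python script below encodes the first check a reviewer would run over the two configs above. For a LAN-to-LAN IPsec tunnel on PIX 6.x, each side needs a `nat (inside) 0 access-list` exemption for its own LAN to the peer LAN with protocol `ip`, and the two exemptions should be mirror images of each other; an access-list that is defined but referenced by no `nat 0` or `access-group` statement does nothing. The script parses only the address/mask form of extended ACL entries (no `host`/`any` shorthand), and the two excerpts it runs on are the relevant lines lifted from the configs posted above. Whether the plain site-to-site rule applies unchanged to the 506e's `vpnclient mode network-extension-mode` setup is not something this thread establishes; the script only reports what the configs say.

```python
import re
from typing import Dict, List, Set, Tuple

# Excerpts of the two PIX 6.x configs posted in this thread: only the lines
# the check looks at, with interface names and addresses as posted.
PIX515_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 101 permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 172.16.10.0 255.255.255.0 11.1.1.0 255.255.255.0
ip address inside 172.16.10.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
"""

PIX506E_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 101 permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
"""

Net = Tuple[str, str]            # (network, mask) exactly as PIX 6.x writes them
AclEntry = Tuple[str, Net, Net]  # (protocol, source, destination)

# Address/mask form of an extended ACL entry; 'host' and 'any' forms are skipped.
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
NAME_RE = re.compile(r"^access-list (\S+) ")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_config(text: str):
    """Collect ACL names, parsable ACL entries, nat 0 bindings per interface,
    and the set of ACL names that some nat 0 or access-group line uses."""
    acls: Dict[str, List[AclEntry]] = {}
    names: Set[str] = set()
    nat0: Dict[str, str] = {}
    referenced: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            names.add(m.group(1))
            m = ACL_RE.match(line)
            if m:
                name, proto, src, smask, dst, dmask = m.groups()
                acls.setdefault(name, []).append((proto, (src, smask), (dst, dmask)))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
            referenced.add(m.group(2))
            continue
        m = GROUP_RE.match(line)
        if m:
            referenced.add(m.group(1))
    return acls, names, nat0, referenced


def check_side(side: str, text: str, inside_if: str, lan: Net, peer_lan: Net) -> List[str]:
    """Findings for one firewall: unreferenced ACLs, then the NAT exemption
    for lan -> peer_lan (missing, or not covering protocol ip)."""
    acls, names, nat0, referenced = parse_config(text)
    findings: List[str] = []
    for name in sorted(names - referenced):
        findings.append(f"{side}: access-list {name} is defined but no nat 0 "
                        f"or access-group statement uses it")
    acl = nat0.get(inside_if)
    if acl is None:
        findings.append(f"{side}: no 'nat ({inside_if}) 0 access-list' statement; "
                        f"traffic from {lan[0]} to {peer_lan[0]} is not exempt from "
                        f"the other nat ({inside_if}) rules")
        return findings
    entries = [e for e in acls.get(acl, []) if e[1] == lan and e[2] == peer_lan]
    if not entries:
        findings.append(f"{side}: {acl} has no entry exempting "
                        f"{lan[0]}/{lan[1]} -> {peer_lan[0]}/{peer_lan[1]}")
    elif all(e[0] != "ip" for e in entries):
        protos = ",".join(sorted({e[0] for e in entries}))
        findings.append(f"{side}: exemption {lan[0]} -> {peer_lan[0]} covers {protos} "
                        f"only; other protocols (ICMP ping included) are still NATed")
    return findings


def check_pair(a, b) -> Dict[str, List[str]]:
    """Each side is (name, config text, inside interface, inside LAN). Both
    directions are checked so the exemptions come out mirror-image."""
    a_name, a_cfg, a_if, a_lan = a
    b_name, b_cfg, b_if, b_lan = b
    return {a_name: check_side(a_name, a_cfg, a_if, a_lan, b_lan),
            b_name: check_side(b_name, b_cfg, b_if, b_lan, a_lan)}


if __name__ == "__main__":
    result = check_pair(("515", PIX515_CONFIG, "inside", ("172.16.10.0", "255.255.255.0")),
                        ("506e", PIX506E_CONFIG, "inside", ("192.168.0.0", "255.255.255.0")))
    for side, findings in result.items():
        print(side, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On the posted excerpts the 515 comes back clean, while the 506e gets two findings: its access-list 101 (a `tcp`-only entry) is never referenced, and there is no `nat (inside) 0` statement at all, so nothing on that side is exempted from the `nat (inside) 1` rule.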
ggilbert Mon, 02/05/2007 - 13:42

Can you send me the output of "sh cry ipsec sa" from the PIX 506 and PIX 515 side, please.

Thanks

gilbert

slashman26 Mon, 02/05/2007 - 13:50

From the 515:

interface: outside
Crypto map tag: mymap, local addr. x.x.x.x

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: y.y.y.y
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 578894, #pkts encrypt: 578894, #pkts digest 578894
#pkts decaps: 510403, #pkts decrypt: 510403, #pkts verify 510403
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 6cb5050f
inbound esp sas:
spi: 0xc3e68cb8(3286666424)
transform: esp-3des esp-md5-hmac ,
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4554513/4548)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6cb5050f(1823802639)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4427269/4518)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (y.y.y.y/255.255.255.255/0/0)
current_peer: y.y.y.y
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 755, #pkts encrypt: 755, #pkts digest 755
#pkts decaps: 1031, #pkts decrypt: 1031, #pkts verify 1031
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 72df43d3
inbound esp sas:
spi: 0xf2df4b77(4074720119)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607906/3246)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x72df43d3(1927234515)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607969/3237)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

ggilbert Mon, 02/05/2007 - 14:07

According to this output, it seems like the packets are getting encrypted and decrypted.

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (y.y.y.y/255.255.255.255/0/0)
current_peer: y.y.y.y
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 755, #pkts encrypt: 755, #pkts digest 755
#pkts decaps: 1031, #pkts decrypt: 1031, #pkts verify 1031

Can you explain to me what you meant by the term "connected" in your original problem description?

Are you able to ping from the client side to the remote network (PC to PC)?

Thanks

gilbert
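As an added example rather than anything from the thread, here is a small Python parser for the `show crypto ipsec sa` output quoted above. It pulls each SA's local and remote identities, peer, and encaps/decaps and error counters, and classifies the SA as bidirectional, one-way, or idle, which is the reading gilbert applies by hand in the reply above. The sample input is a condensed copy of the 515's output from this thread plus one constructed SA (the 10.0.0.0/24 to 10.0.1.0/24 pair, peer z.z.z.z) added to show how a one-way tunnel is flagged; both are labelled in the code.

```python
import re
from typing import Dict, List, Tuple

# Sample input: a condensed copy of the 515's "sh cry ipsec sa" output from
# this thread, followed by one constructed SA (10.0.0.0/24 -> 10.0.1.0/24,
# peer z.z.z.z) that carries traffic in one direction only.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: mymap, local addr. x.x.x.x

   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer: y.y.y.y
   dynamic allocated peer ip: 0.0.0.0
     PERMIT, flags={}
    #pkts encaps: 578894, #pkts encrypt: 578894, #pkts digest 578894
    #pkts decaps: 510403, #pkts decrypt: 510403, #pkts verify 510403
    #send errors 0, #recv errors 0
     local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
     current outbound spi: 6cb5050f

   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (y.y.y.y/255.255.255.255/0/0)
   current_peer: y.y.y.y
    #pkts encaps: 755, #pkts encrypt: 755, #pkts digest 755
    #pkts decaps: 1031, #pkts decrypt: 1031, #pkts verify 1031
    #send errors 0, #recv errors 0
     current outbound spi: 72df43d3

   local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   current_peer: z.z.z.z
    #pkts encaps: 4120, #pkts encrypt: 4120, #pkts digest 4120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """One record per SA pair. A record starts at each 'local ident' line;
    the remote ident, peer and counters that follow belong to it."""
    sas: List[Dict[str, object]] = []
    cur = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":
                cur = {"local": m.group(2), "remote": "", "peer": "",
                       "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
                sas.append(cur)
            elif cur is not None:
                cur["remote"] = m.group(2)
            continue
        if cur is None:
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = PKTS_RE.search(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
            continue
        m = ERRS_RE.search(line)
        if m:
            cur["send_errors"] = int(m.group(1))
            cur["recv_errors"] = int(m.group(2))
    return sas


def classify(sa: Dict[str, object]) -> str:
    """bidirectional / outbound-only / inbound-only / idle, with '+errors'
    appended when the send or receive error counter is non-zero."""
    enc, dec = int(sa["encaps"]), int(sa["decaps"])
    if enc and dec:
        state = "bidirectional"
    elif enc:
        state = "outbound-only"
    elif dec:
        state = "inbound-only"
    else:
        state = "idle"
    if sa["send_errors"] or sa["recv_errors"]:
        state += "+errors"
    return state


def report(text: str) -> List[Tuple[str, str, str, str]]:
    """(local ident, remote ident, peer, classification) for every SA."""
    return [(str(sa["local"]), str(sa["remote"]), str(sa["peer"]), classify(sa))
            for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for local, remote, peer, state in report(SAMPLE_OUTPUT):
        print(f"{local} -> {remote} via {peer}: {state}")
```

A bidirectional SA says only that the peer is encrypting and decrypting for that identity pair. As this thread shows, both counters can climb while host-to-host pings still fail, which points the search at what happens before encryption or after decryption (NAT, access-lists, routing) rather than at IKE or the SAs themselves; an outbound-only SA, like the constructed third one, is the pattern to look for when the far side is dropping or never returning traffic.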

slashman26 Tue, 02/06/2007 - 05:24

Doing a sh cry isakmp sa shows a dst IP and src IP, state of QM_IDLE and created of 2 on both sides. Pinging from either PIX to the outside interface of the other PIX works. Pinging the inside interface of one PIX from the other PIX does not work. The 506e is a PPPoE DSL connection, so its public IP is always changing (we have a static IP and more bandwidth on order, just waiting for the confirmation on it).
