Solved: PIX Site to Site VPN problems

itfwsteel · ‎02-06-2007

Hi, I currently have a site to site vpn up and running and it's working fine. I'm trying to bring two more online and just can't get them working. I used the same config from the working one but I can't get the tunnel to come up. I've seen various errors while debugging isakmp and ipsec and they are at the end of my configs. Anybody have any ideas? Thanks

Main site - has vpn clients connecting too it and pt to pt vpn's to 3 endpoints

Cisco PIX Firewall Version 6.3(3)

** Main Site Config **

access-list client_vpn permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0

access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list client_vpn

sysopt connection permit-ipsec

crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac

crypto map outside_map 60 ipsec-isakmp

crypto map outside_map 60 match address VPN_to_Site2

crypto map outside_map 60 set peer 64.X.X.19

crypto map outside_map 60 set transform-set fws_encry_set

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 64.X.X.19 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Site 2 config

** only because pt to pt doesn't work i have it setup to allow vpn clients to pass through it to connect to the main site.

Cisco PIX Firewall Version 6.3(5) **

access-list VPN_to_Main permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0

nat (inside) 0 access-list VPN_to_Main

sysopt connection permit-ipsec

crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac

crypto map outside_map 10 ipsec-isakmp

crypto map outside_map 10 match address VPN_to_Main

crypto map outside_map 10 set peer 207.X.X.13

crypto map outside_map 10 set transform-set fws_encry_set

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 207.X.X.13 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Errors

PIX(config)# IPSEC(sa_initiate): ACL = deny; no sa created

authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address

I have an existing link that works fine. I copied the config from there, changed the ip info and it won't work. The only diffences in the configs are no sysopt route dnat and it's on Version 6.2(2)

Ajit Singh · ‎02-27-2007

IPSEC(sa_initiate): ACL = deny; no sa created

I believe you configured a VPN tunnel without removing the crypto map from the outside interface. The above message is the error we get under such situation.

I would suggest you the following workaround:

- remove the crypto map from the outside interface ( Both pix)

- Clear cry isa sa and clear cry ipsec sa ( both pix)

- Re-apply the crypto map on the outside interfaces.

If this do not resolve the issue, reboot the devices.

Regards,

Ajit

View solution in original post

sachinraja · ‎02-06-2007

Hello,

Did you also copy/paste the pre-shared keys ? can you manually enter on both the sides and try ? Can you give us some more debug outputs ?? I hope you tried the ACL VPN_t-Site2 on your nat 0 statement before ? Are there any other ACL's on the inside interface ?

Raj

itfwsteel · ‎02-07-2007

Hi,

Yes I did try entering the pre-shared keys again , that was one of the first things I suspected. The debug only gives me

IPSEC(sa_initiate): ACL = deny; no sa created

As for ACL's, I do have the standard, inside acl for all outbound traffic. My nat 0 is for ACL client_vpn which handles both the point to point vpn's and the client. As you can see on the crypto statements the VPN_to_Main is the ACL that handles the 'interesting' traffic for that network to be encrypted.

Like I said, as it is now it's working with one site just fine and this new site I setup exactly the same, no go and I don't see why?

Thanks for the help

Jon Marshall · ‎02-07-2007

Hi

This is the official response on the error message from Cisco:-

"%PIX-3-302302: ACL = deny; no sa created

Explanation IPSec proxy mismatches. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.

Action Check the access-list command statement in the configuration. Contact the administrator for the peer."

Having said that i have come across this quite a few times before when setting up VPN's. Always on the device initiating the tunnel. Sad to say that rebooting the device more often than not sorted the problem out. Yes it's not a very good solution but the Pix seems to get itself into a bit of mess sometimes.

HTH

Jon

sachinraja · ‎02-13-2007

Hello brian,

do you still have issues with this ? If so please let us know....

Raj

Ajit Singh · ‎02-27-2007

IPSEC(sa_initiate): ACL = deny; no sa created

I believe you configured a VPN tunnel without removing the crypto map from the outside interface. The above message is the error we get under such situation.

I would suggest you the following workaround:

- remove the crypto map from the outside interface ( Both pix)

- Clear cry isa sa and clear cry ipsec sa ( both pix)

- Re-apply the crypto map on the outside interfaces.

If this do not resolve the issue, reboot the devices.

Regards,

Ajit