Urgent problem: vpn with multiple lans

Unanswered Question
Feb 19th, 2007

Hello!!

I cannot resolve this problem. I have a Cisco PIX 515E with ios 7.1 - I want to configure a VPN to another peer (Linux firewall), which wants to access all 3 LANs behind the PIX (eth2, eth3, eth4). The other peer can access ONE LAN ONLY at each access, but the other 2 LANs are not accessible. Do I have to configure something special to make it work?

The error on the logs is: "%PIX-3-713042: IKE INITIATOR unable to find policy: Intf 1, Src 172.16.222.18 - Dst: 192.168.10.14".

Many thanks!!!

Daniela

Jon Marshall Mon, 02/19/2007 - 09:11

Hi Daniela

From the Cisco Pix 7.1 error message doc:

==============================================

713042

Error Message %PIX|ASA-3-713042: IKE Initiator unable to find policy: Intf interface_number, Src: source_address, Dst: dest_address

Explanation This message indicates that the IPSec fast path processed a packet that triggered IKE, but IKE's policy lookup failed. This error could be timing related. The ACLs that triggered IKE might have been deleted before IKE processed the initiation request. This problem will most likely correct itself.

Recommended Action If the condition persists, check the L2L configuration, paying special attention to the ACLs associated with crypto maps.

==============================================

The first thing to check is your ACLs that define interesting traffic on your crypto maps.

Could you post the crypto map access-lists from both ends?

HTH

Jon

Kamal Malhotra Mon, 02/19/2007 - 09:27

Hi Daniela,

I'm not sure about how the Linux firewall works, but I have seen on some non-Cisco devices that you need to create a new tunnel for each set of proxy identities. I would suggest you confirm whether we need to do the same on the Linux firewall.

Regards,

Kamal

danibyte27 Wed, 02/21/2007 - 06:17

Hello,

I cannot get this configuration to work.. :-((

Please help me!!

Here are the VPN configurations from the 2 peers..

One is a Cisco PIX 515E and the other is a Linux box with racoon ipsec-tools (openvpn).

THANKSSSSSS Dany

1) PIX 515E

access-list 110 extended permit ip 172.16.220.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.221.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.221.0 255.255.255.0
access-list nonat-FE extended permit ip 172.16.220.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat-BE extended permit ip 172.16.221.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat-TERA extended permit ip 172.16.222.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (FE) 0 access-list 110
nat (BE) 0 access-list 110
nat (TERA) 0 access-list 110
crypto ipsec transform-set VPN-YTECH esp-3des esp-sha-hmac
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 84.253.169.58
crypto map mymap 10 set transform-set VPN-YTECH
crypto map mymap 10 set security-association lifetime seconds 86400
crypto map mymap 10 set security-association lifetime kilobytes 4800000
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp ipsec-over-tcp port 10000
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group 84.253.169.58 type ipsec-l2l
tunnel-group 84.253.169.58 ipsec-attributes
 pre-shared-key *

2) LINUX RACOON IPSEC

# racoon.conf (block braces and statement terminators restored; the posted text had lost them)
remote 151.1.220.64 {
    exchange_mode main;
    proposal_check claim;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 192.168.10.0/24 any address 172.16.220.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.10.0/24 any address 172.16.222.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

# Security policies (setkey)
spdadd 192.168.10.0/24 172.16.220.0/24 any -P out ipsec esp/tunnel/84.253.169.58-151.1.220.64/require;
spdadd 172.16.220.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/151.1.220.64-84.253.169.58/require;
spdadd 192.168.10.0/24 172.16.221.0/24 any -P out ipsec esp/tunnel/84.253.169.58-151.1.220.64/require;
spdadd 172.16.221.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/151.1.220.64-84.253.169.58/require;
spdadd 192.168.10.0/24 172.16.222.0/24 any -P out ipsec esp/tunnel/84.253.169.58-151.1.220.64/require;
spdadd 172.16.222.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/151.1.220.64-84.253.169.58/require;

Kamal Malhotra Wed, 02/21/2007 - 08:25

Hi,

Since I don't have the complete information about your setup and about the Linux firewall, I can't say for sure, but it seems that the crypto ACLs don't match. Please notice:

access-list 110 extended permit ip 172.16.220.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.221.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.221.0 255.255.255.0

The first 3 statements look good, but the rest of them seem unnecessary. Please look into it.

HTH,

Please rate if it helps.

Regards,

Kamal
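The check Jon and Kamal are both pointing at (does every crypto ACL entry on the PIX have a mirrored proxy identity on the peer, and vice versa?) can be done mechanically. The following Python script is an added example, not part of the thread and not Cisco or racoon tooling: it parses the `access-list 110` entries and the racoon `sainfo` lines exactly as posted above (embedded here as constructed input), normalises both into (local network, remote network) selector pairs, and reports each selector that the other end does not mirror. It assumes the PIX ACE source is the PIX-local side and the first `sainfo address` is the Linux-local side, and it only understands `permit ip` entries with dotted netmasks and `sainfo address ... any address ... any` selectors.

```python
import ipaddress
import re

# Constructed input: the PIX crypto ACL and the racoon sainfo lines as posted in
# the thread. Nothing else from the two configs is needed for the selector check.
PIX_ACL = """
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.221.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.221.0 255.255.255.0
"""

RACOON_SAINFO = """
sainfo address 192.168.10.0/24 any address 172.16.220.0/24 any
sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any
sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any
sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any
sainfo address 192.168.10.0/24 any address 172.16.222.0/24 any
"""

# Only the "permit ip <net> <mask> <net> <mask>" form used in the thread is parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)
# "sainfo address <local> <proto> address <remote> <proto>" (trailing "{" tolerated).
SAINFO_RE = re.compile(
    r"^sainfo\s+address\s+(?P<local>\S+)\s+\S+\s+address\s+(?P<remote>\S+)\s+\S+"
)


def pix_selectors(text, acl_name):
    """(local, remote) network pairs protected by one PIX crypto ACL.
    Assumption: the source of each ACE is the PIX-local side of the tunnel."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["acl"] == acl_name:
            local = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            remote = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            pairs.add((local, remote))
    return pairs


def racoon_selectors(text):
    """(local, remote) pairs from racoon sainfo lines, seen from the Linux side.
    Duplicate sainfo blocks (three copies of 172.16.221.0/24 above) collapse to one."""
    pairs = set()
    for line in text.splitlines():
        m = SAINFO_RE.match(line.strip())
        if m:
            pairs.add((ipaddress.ip_network(m["local"], strict=False),
                       ipaddress.ip_network(m["remote"], strict=False)))
    return pairs


def mirror_check(pix_pairs, linux_pairs):
    """A PIX selector (A, B) is only usable if the peer carries (B, A).
    Returns (PIX selectors with no peer counterpart, peer selectors with no PIX ACE),
    both expressed in PIX orientation (pix_side, linux_side)."""
    linux_seen_from_pix = {(remote, local) for (local, remote) in linux_pairs}
    return pix_pairs - linux_seen_from_pix, linux_seen_from_pix - pix_pairs


def report(pix_text, racoon_text, acl_name="110"):
    """Human-readable summary of the mismatch between the two ends."""
    pix = pix_selectors(pix_text, acl_name)
    linux = racoon_selectors(racoon_text)
    no_peer, no_pix = mirror_check(pix, linux)
    lines = [f"PIX acl {acl_name}: {len(pix)} selector(s); racoon: {len(linux)} selector(s)"]
    for pix_side, linux_side in sorted(no_peer, key=str):
        lines.append(f"PIX ACE {pix_side} -> {linux_side} has no matching sainfo on the Linux peer")
    for pix_side, linux_side in sorted(no_pix, key=str):
        lines.append(f"racoon selector {linux_side} -> {pix_side} has no matching ACE on the PIX")
    if not no_peer and not no_pix:
        lines.append("crypto selectors are mirrored on both ends")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PIX_ACL, RACOON_SAINFO))
```

Run against the posted configs, the three LAN-to-192.168.10.0/24 entries match and the six inter-LAN entries (172.16.220.0/24, 172.16.221.0/24 and 172.16.222.0/24 to each other) come out with no counterpart on the Linux side, which is exactly the set Kamal calls unnecessary; any packet between two PIX-local LANs that hits those ACEs triggers IKE with proxy identities the peer can never agree to. The same script is worth re-running after every crypto ACL change on either end, since a one-sided edit is the usual way the 713042 "unable to find policy" condition gets reintroduced.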
