Urgent problem: vpn with multiple lans

danibyte27
Level 1

Hello!!

I cannot resolve this problem. I have a Cisco PIX 515e with ios 7.1. I want to configure a VPN from another peer (Linux firewall) which wants to access all 3 LANs behind the PIX (eth2, eth3, eth4). The other peer can access ONE LAN ONLY on each connection, but the other 2 LANs are not accessible. Do I have to configure something special to make it work?

The error on the logs is: "%PIX-3-713042: IKE INITIATOR unable to find policy: Intf 1, Src 172.16.222.18 - Dst: 192.168.10.14".

Many thanks!!!

Daniela

4 Replies

Jon Marshall
Hall of Fame

Hi Daniela

From the Cisco Pix 7.1 error message doc:

==============================================

713042

Error Message %PIX|ASA-3-713042: IKE Initiator unable to find policy: Intf interface_number, Src: source_address, Dst: dest_address

Explanation This message indicates that the IPSec fast path processed a packet that triggered IKE, but IKE's policy lookup failed. This error could be timing related. The ACLs that triggered IKE might have been deleted before IKE processed the initiation request. This problem will most likely correct itself.

Recommended Action If the condition persists, check the L2L configuration, paying special attention to the ACLs associated with crypto maps.

==============================================

The first thing to check is the ACLs that define interesting traffic on your crypto maps.

Could you post the crypto map access-lists from both ends?

HTH

Jon

Kamal Malhotra
Cisco Employee

Hi Daniela,

I'm not sure how the Linux firewall works, but I have seen on some non-Cisco devices that you need to create a new tunnel for each set of proxy identities. I would suggest you confirm whether the same is needed on the Linux firewall.

Regards,

Kamal

Hello,

I cannot get this configuration to work. :-((

Please help me!!

Here are the VPN configurations from the 2 peers.

One is a Cisco PIX 515e and the other is a Linux box with racoon ipsec-tools (openvpn).

THANKSSSSSS Dany

1) PIX 515E

access-list 110 extended permit ip 172.16.220.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.221.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.221.0 255.255.255.0
access-list nonat-FE extended permit ip 172.16.220.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat-BE extended permit ip 172.16.221.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat-TERA extended permit ip 172.16.222.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (FE) 0 access-list 110
nat (BE) 0 access-list 110
nat (TERA) 0 access-list 110
crypto ipsec transform-set VPN-YTECH esp-3des esp-sha-hmac
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 84.253.169.58
crypto map mymap 10 set transform-set VPN-YTECH
crypto map mymap 10 set security-association lifetime seconds 86400
crypto map mymap 10 set security-association lifetime kilobytes 4800000
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp ipsec-over-tcp port 10000
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group 84.253.169.58 type ipsec-l2l
tunnel-group 84.253.169.58 ipsec-attributes
 pre-shared-key *

2) LINUX RACOON IPSEC

# racoon.conf: phase 1 (ISAKMP) settings for the PIX peer
remote 151.1.220.64 {
    exchange_mode main;
    proposal_check claim;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

# racoon.conf: phase 2 (IPsec SA) selectors, one sainfo block per pair of networks
sainfo address 192.168.10.0/24 any address 172.16.220.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.10.0/24 any address 172.16.222.0/24 any {
    encryption_algorithm des, 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

# setkey: security policies
# outbound policies: local LAN -> remote LANs, tunnel from this box to the PIX
spdadd 192.168.10.0/24 172.16.220.0/24 any -P out ipsec esp/tunnel/84.253.169.58-151.1.220.64/require;
spdadd 192.168.10.0/24 172.16.221.0/24 any -P out ipsec esp/tunnel/84.253.169.58-151.1.220.64/require;
spdadd 192.168.10.0/24 172.16.222.0/24 any -P out ipsec esp/tunnel/84.253.169.58-151.1.220.64/require;
# inbound policies: remote LANs -> local LAN, tunnel from the PIX to this box (direction must be "in")
spdadd 172.16.220.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/151.1.220.64-84.253.169.58/require;
spdadd 172.16.221.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/151.1.220.64-84.253.169.58/require;
spdadd 172.16.222.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/151.1.220.64-84.253.169.58/require;

Hi,

Since I don't have the complete information about your setup and about the Linux firewall, I can't say for sure, but it seems that the crypto ACLs don't match. Please notice:

access-list 110 extended permit ip 172.16.220.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.221.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.221.0 255.255.255.0

The first 3 statements look good, but the rest seem unnecessary. Please look into it.

HTH,

Please rate if it helps.

Regards,

Kamal
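Jon's advice to compare the crypto ACLs from both ends, and Kamal's point that a racoon-style peer needs one sainfo block per set of proxy identities, can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the thread, from Cisco or from the ipsec-tools project. It assumes only the two syntaxes visible in the posted configs ("access-list NAME extended permit ip NET MASK NET MASK" on the PIX, "sainfo address NET/LEN any address NET/LEN any" in racoon.conf); the embedded sample text is a constructed copy of the lines posted above, including the 172.16.221.0/24 sainfo block that appears three times.

```python
"""Compare the phase-2 selectors (proxy IDs) a PIX crypto ACL will propose
against the sainfo selectors a racoon peer will accept, and report
mismatches and duplicates.

Added example, not code from Cisco or from ipsec-tools.  Only the two
syntaxes seen in the posted configs are parsed.
"""
import ipaddress
import re

# Constructed sample: the PIX crypto ACL as posted in the thread (9 ACEs).
PIX_ACL = """\
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.221.0 255.255.255.0
access-list 110 extended permit ip 172.16.220.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.221.0 255.255.255.0 172.16.222.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.220.0 255.255.255.0
access-list 110 extended permit ip 172.16.222.0 255.255.255.0 172.16.221.0 255.255.255.0
"""

# Constructed sample: the racoon sainfo headers as posted (the
# 172.16.221.0/24 block is present three times, as in the thread).
RACOON_CONF = """\
sainfo address 192.168.10.0/24 any address 172.16.220.0/24 any {
sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any {
sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any {
sainfo address 192.168.10.0/24 any address 172.16.221.0/24 any {
sainfo address 192.168.10.0/24 any address 172.16.222.0/24 any {
"""

PIX_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SAINFO_RE = re.compile(
    r"^sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+")


def pair(local, remote):
    """(local, remote) selector pair as network objects; accepts /len or /mask."""
    return (ipaddress.ip_network(local, strict=False),
            ipaddress.ip_network(remote, strict=False))


def parse_pix_acl(text, acl_name="110"):
    """Selector pairs the PIX will propose: one per ACE of the crypto ACL."""
    pairs = set()
    for line in text.splitlines():
        m = PIX_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.add(pair(f"{m.group(2)}/{m.group(3)}",
                           f"{m.group(4)}/{m.group(5)}"))
    return pairs


def parse_racoon_sainfo(text):
    """Selector pairs racoon will accept: one per sainfo block.
    Returned as a list so that duplicated blocks stay visible."""
    out = []
    for line in text.splitlines():
        m = SAINFO_RE.match(line.strip())
        if m:
            out.append(pair(m.group(1), m.group(2)))
    return out


def compare_selectors(pix_pairs, racoon_pairs):
    """Each PIX (local, remote) pair must exist on the peer as (remote, local)."""
    racoon_set = set(racoon_pairs)
    mirrored = {(remote, local) for (local, remote) in racoon_set}

    def key(p):
        return (str(p[0]), str(p[1]))

    return {
        # PIX would initiate these, but racoon has no matching sainfo
        "pix_only": sorted(pix_pairs - mirrored, key=key),
        # racoon accepts these, but the PIX crypto ACL never proposes them
        "peer_only": sorted(mirrored - pix_pairs, key=key),
        # the same selector configured more than once on the peer
        "peer_duplicates": sorted(
            {p for p in racoon_set if racoon_pairs.count(p) > 1}, key=key),
    }


def main():
    report = compare_selectors(parse_pix_acl(PIX_ACL),
                               parse_racoon_sainfo(RACOON_CONF))
    for section, pairs in report.items():
        print(f"{section}: {len(pairs)}")
        for a, b in pairs:
            print(f"  {a} <-> {b}")


if __name__ == "__main__":
    main()
```

Run against the configs posted in this thread it reports six PIX-only pairs (the LAN-to-LAN entries 172.16.22x to 172.16.22y, which have no counterpart on the Linux side), no peer-only pairs, and one duplicated sainfo selector on the peer. That matches Kamal's reading that only the first three ACEs correspond to the tunnel; trimming or mirroring the remaining entries is the first thing to settle before looking elsewhere for the cause of the 713042 message.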
