VPN L2L

Unanswered Question

I'm having trouble setting up a PIX to PIX VPN connection... I'm running a PIX 515 v7.0 on one end and a PIX 515E 6.3 on the other end. Here are the VPN configs (I starred out the public IPs). The tunnel I'm working on is vpntunnel 21 and europe:


europe:

access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list 101 extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0

nat-control

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set RTS esp-3des esp-sha-hmac

crypto ipsec transform-set london esp-3des esp-md5-hmac

crypto map RTS 1 set peer *******

crypto map RTS 1 set transform-set RTS

crypto map vpntunnel 21 match address 101

crypto map vpntunnel 21 set peer ******

crypto map vpntunnel 21 set transform-set london

crypto map vpntunnel interface outside

isakmp identity address

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 10000

tunnel-group RTS type ipsec-l2l

tunnel-group ****** type ipsec-l2l

tunnel-group ****** ipsec-attributes

pre-shared-key *

tunnel-group ****** type ipsec-l2l

tunnel-group ****** ipsec-attributes

pre-shared-key *


London:

access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.55.0 255.255.255.0

access-list 101 permit ip 172.16.70.0 255.255.255.0 172.17.5.0 255.255.255.0

access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list 101 permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0

access-list hk permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list hk permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set ny esp-des esp-md5-hmac

crypto ipsec transform-set europe esp-3des esp-md5-hmac

crypto map vpntunnel 1 ipsec-isakmp

crypto map vpntunnel 1 match address 102

crypto map vpntunnel 1 set peer ******

crypto map vpntunnel 1 set transform-set ny

crypto map europe 5 ipsec-isakmp

crypto map europe 5 match address hk

crypto map europe 5 set peer ******

crypto map europe 5 set transform-set london

crypto map europe interface outside

isakmp enable outside

isakmp key ******** address ****** netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 10000

isakmp policy 6 authentication pre-share

isakmp policy 6 encryption 3des

isakmp policy 6 hash md5

isakmp policy 6 group 2

isakmp policy 6 lifetime 86400


The tunnel seems to come up normally when I initiate it from the london side, but not from the europe side. Also, even though the tunnel is up, no traffic seems to be going through; I'm not able to connect to any devices on the other side:


Europe:


Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1


1 IKE Peer: *******

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE



London:

Total : 1

Embryonic : 0

dst src state pending created

****** 172.16.70.100 QM_IDLE 0 1


Any ideas what I'm doing wrong here?

acomiskey Wed, 05/09/2007 - 05:42
User Badges:
  • Green, 3000 points or more

I would start by getting rid of

access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

as it is not needed, and the ACLs should be mirrors of each other on the two FWs.

acomiskey Wed, 05/09/2007 - 05:52
User Badges:
  • Green, 3000 points or more

Try making 2 separate ACLs for your europe FW, one for NAT exemption and one for crypto; don't use 101 for both.

Yup, tried that also... the only reason I tried the same one for both was because it wasn't working. Anyway, I just switched it back to separate ACLs, still the same problem:


access-list london-nat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list london-nat extended permit ip 10.24.1.0 255.255.255.0 192.168.70.0 255.255.255.0

nat (inside) 0 access-list london-nat

acomiskey Wed, 05/09/2007 - 06:00
User Badges:
  • Green, 3000 points or more

Do you mean 10.20.1.0?
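The three replies above all come down to keeping the crypto ACL and the NAT-exemption ACL straight on both firewalls: every crypto ACE needs a mirror image on the far side, the NAT-exemption ACL must cover everything the crypto ACL selects, and a mistyped subnet silently breaks that coverage. The Python script below is an added example written for this page, not code from the thread or from Cisco. It parses the subnet-pair ACEs exactly as pasted in the first post (both the 6.3 `permit` and the 7.0 `extended permit` syntax) and runs both checks; the `london-nat` lines with 10.24.1.0 are the ones pasted two replies up, so the second run shows what the typo looks like to the checker.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network

# Matches PIX 6.3 ("permit ip ...") and 7.x ("extended permit ip ...") ACEs
# written as a source/destination subnet pair. Other ACE forms are ignored.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)


@dataclass(frozen=True)
class Ace:
    proto: str
    src: IPv4Network
    dst: IPv4Network

    def mirror(self) -> "Ace":
        """The ACE the far firewall needs: same protocol, src and dst swapped."""
        return Ace(self.proto, self.dst, self.src)


def parse_acl(lines, name):
    """Return the set of subnet-pair permit ACEs that belong to ACL `name`."""
    aces = set()
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == name:
            aces.add(Ace(m.group("proto"),
                         IPv4Network((m.group("src"), m.group("smask"))),
                         IPv4Network((m.group("dst"), m.group("dmask")))))
    return aces


def unmirrored(local, remote):
    """Crypto ACEs with no mirror image on the other firewall: (local_only, remote_only).

    A non-empty set means one side proposes a proxy identity the other side
    does not have, so phase 2 fails or only one direction of traffic matches.
    """
    local_only = {a for a in local if a.mirror() not in remote}
    remote_only = {a for a in remote if a.mirror() not in local}
    return local_only, remote_only


def not_exempt(crypto, nonat):
    """Crypto ACEs whose traffic is not covered by the NAT-exemption ACL.

    Such traffic is PAT'd to the outside address before the crypto map is
    consulted, no longer matches the crypto ACL, and never enters the tunnel.
    """
    return {c for c in crypto
            if not any(n.proto in ("ip", c.proto)
                       and c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst)
                       for n in nonat)}


# Lines as pasted in the thread: europe is PIX 7.0, London is PIX 6.3.
EUROPE = [
    "access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0",
    "access-list 101 extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0",
    "nat (inside) 0 access-list 101",
]
LONDON = [
    "access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0",
    "access-list 101 permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0",
    "access-list hk permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0",
    "access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0",
    "access-list hk permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0",
    "nat (inside) 0 access-list 101",
]
# The separate NAT-exemption ACL from the reply above, with the 10.24.1.0 typo.
EUROPE_NONAT_TYPO = [
    "access-list london-nat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0",
    "access-list london-nat extended permit ip 10.24.1.0 255.255.255.0 192.168.70.0 255.255.255.0",
]


def check(local_lines, local_crypto, local_nonat, remote_lines, remote_crypto, remote_nonat):
    """Run both checks on a pair of firewalls and return findings as strings."""
    lc, ln = parse_acl(local_lines, local_crypto), parse_acl(local_lines, local_nonat)
    rc, rn = parse_acl(remote_lines, remote_crypto), parse_acl(remote_lines, remote_nonat)
    fmt = lambda a: f"{a.proto} {a.src} -> {a.dst}"
    lo, ro = unmirrored(lc, rc)
    findings = [f"local crypto ACE has no mirror on remote: {fmt(a)}" for a in sorted(lo, key=str)]
    findings += [f"remote crypto ACE has no mirror on local: {fmt(a)}" for a in sorted(ro, key=str)]
    findings += [f"local crypto traffic not NAT-exempt: {fmt(a)}" for a in sorted(not_exempt(lc, ln), key=str)]
    findings += [f"remote crypto traffic not NAT-exempt: {fmt(a)}" for a in sorted(not_exempt(rc, rn), key=str)]
    return findings


if __name__ == "__main__":
    for f in check(EUROPE, "101", "101", LONDON, "hk", "101"):
        print("first post:", f)
    for f in check(EUROPE + EUROPE_NONAT_TYPO, "101", "london-nat", LONDON, "hk", "101"):
        print("with london-nat typo:", f)
```

On the first post's ACLs the only finding is the extra `icmp` ACE in `hk`, which is exactly the line the reply above says to remove. With the `london-nat` ACL substituted as the europe NAT-exemption list, the checker adds that `10.20.1.0/24 -> 192.168.70.0/24` is selected by the crypto ACL but no longer NAT-exempt.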

Yea, typo :) Been working on this too many hours :) Fixed it, but still the same problem... I'm getting these messages in syslog when trying to connect, though:


when initiated from europe:

10.20.1.254,May 08 2007 14:05:57: %PIX-6-609001: Built local-host inside:10.20.1.250

10.20.1.254,May 08 2007 14:05:57: %PIX-6-305011: Built dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381

10.20.1.254,May 08 2007 14:05:57: %PIX-6-302013: Built outbound TCP connection 591 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/50498 (172.16.71.100/1381)


when initiated from london:

192.168.70.100,%PIX-6-302013: Built outbound TCP connection 19183 for outside:10.20.1.250/23 (10.20.1.250/23) to inside:192.168.70.253/63170 (192.168.70.253/63170)

10.20.1.254,May 08 2007 14:06:27: %PIX-6-302014: Teardown TCP connection 591 for outside:192.168.70.253/23 to inside:10.20.1.250/50498 duration 0:00:30 bytes 0 SYN Timeout

10.20.1.254,May 08 2007 14:06:57: %PIX-6-305012: Teardown dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381 duration 0:01:00

10.20.1.254,May 08 2007 14:06:57: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:01:00




Doesn't look like the traffic is actually crossing the tunnel.
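The syslog excerpt above can be read mechanically, and the same two symptoms show up in every later capture in this thread. The script below is an added example written for this page, not code from the thread or from Cisco. It parses PIX 302013/302014 messages, pairs each Built with its Teardown by connection id, and flags two things: a connection toward the far subnet that ended with `bytes 0 SYN Timeout` (the SYN was never answered), and an inside host whose mapped address in the Built message differs from its real address (it was translated before the crypto map was consulted, so it cannot match the crypto ACL). The first three sample lines are the ones pasted above; the last two are constructed to show the same timeout for a host that was not translated. The remote subnet 192.168.70.0/24 is taken from the crypto ACL in the first post.

```python
import re
from ipaddress import IPv4Network, ip_address

# Syslog lines: the first three as pasted above (syslog-server prefix kept),
# the last two constructed with connection id 700 and no translation.
SAMPLE = [
    "10.20.1.254,May 08 2007 14:05:57: %PIX-6-305011: Built dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381",
    "10.20.1.254,May 08 2007 14:05:57: %PIX-6-302013: Built outbound TCP connection 591 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/50498 (172.16.71.100/1381)",
    "10.20.1.254,May 08 2007 14:06:27: %PIX-6-302014: Teardown TCP connection 591 for outside:192.168.70.253/23 to inside:10.20.1.250/50498 duration 0:00:30 bytes 0 SYN Timeout",
    "10.20.1.254,May 08 2007 14:10:00: %PIX-6-302013: Built outbound TCP connection 700 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/46402 (10.20.1.250/46402)",
    "10.20.1.254,May 08 2007 14:10:30: %PIX-6-302014: Teardown TCP connection 700 for outside:192.168.70.253/23 to inside:10.20.1.250/46402 duration 0:00:30 bytes 0 SYN Timeout",
]

# Subnets on the far side of the tunnel, from the crypto ACL.
REMOTE_NETS = [IPv4Network("192.168.70.0/24")]

MSG_RE = re.compile(r"%PIX-\d-(?P<id>\d{6}): (?P<body>.*)$")
# 302013: "Built outbound TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>)
#          to <if>:<real>/<port> (<mapped>/<port>)"
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<fif>\w+):(?P<faddr>[\d.]+)/(?P<fport>\d+) \([\d.]+/\d+\) to "
    r"(?P<lif>\w+):(?P<laddr>[\d.]+)/(?P<lport>\d+) \((?P<gaddr>[\d.]+)/(?P<gport>\d+)\)"
)
# 302014: "... duration h:mm:ss bytes <n> [<reason>]"
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) for .* duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


def toward_tunnel(addr, nets):
    """True if `addr` lies in one of the far-side subnets."""
    return any(ip_address(addr) in net for net in nets)


def analyze(lines, remote_nets):
    """Return findings for TCP connections that should have used the tunnel.

    ("translated", cid, real, mapped): the inside host was NAT'd on the way out.
    ("no_reply", cid, src, dst/port, duration): SYN sent, nothing ever came back.
    """
    open_conns = {}
    findings = []
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, body = m.group("id"), m.group("body")
        if msg_id == "302013":
            b = BUILT_RE.match(body)
            if not b or not toward_tunnel(b.group("faddr"), remote_nets):
                continue
            open_conns[b.group("cid")] = b.groupdict()
            # Mapped address differs from real address: NAT exemption did not apply.
            if b.group("gaddr") != b.group("laddr"):
                findings.append(("translated", b.group("cid"), b.group("laddr"), b.group("gaddr")))
        elif msg_id == "302014":
            t = TEARDOWN_RE.match(body)
            if not t or t.group("cid") not in open_conns:
                continue
            c = open_conns.pop(t.group("cid"))
            if t.group("bytes") == "0" and (t.group("reason") or "").startswith("SYN Timeout"):
                findings.append(("no_reply", c["cid"], c["laddr"],
                                 f'{c["faddr"]}/{c["fport"]}', t.group("dur")))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE, REMOTE_NETS):
        print(*finding)
```

Connection 591 produces both findings: its mapped address is the DMZ-side address 172.16.71.100, and it times out with zero bytes. Connection 700 was not translated and still times out, which is the pattern of the later captures in this thread: once the mapped and real addresses agree, a remaining `SYN Timeout` points away from NAT exemption and toward the tunnel or the path between the peers.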

acomiskey Wed, 05/09/2007 - 06:42
User Badges:
  • Green, 3000 points or more

What is 172.16.71.100, a PAT address? It seems like NAT exemption is not working at the europe FW.

That's the DMZ side of the FW in europe... I just tried from another host that definitely doesn't attempt any DMZ connections, to see if I see any translations created:



europeSW-01's IP is 192.168.71.200



europeSW-01#telnet 192.168.70.200

Trying 192.168.70.200 ...

% Connection timed out; remote host not responding


EUROPE-FW-01# sh log | i 70.200

May 08 2007 14:46:21: %PIX-6-609001: Built local-host outside:192.168.70.200

May 08 2007 14:46:21: %PIX-6-609002: Teardown local-host outside:192.168.70.200 duration 0:00:00

May 08 2007 14:46:25: %PIX-6-609001: Built local-host outside:192.168.70.200

May 08 2007 14:46:25: %PIX-6-609002: Teardown local-host outside:192.168.70.200 duration 0:00:00

EUROPE-FW-01# sh log | i 71.200

May 08 2007 14:46:33: %PIX-6-609001: Built local-host inside:192.168.71.200

May 08 2007 14:46:33: %PIX-6-609002: Teardown local-host inside:192.168.71.200 duration 0:00:00

EUROPE-FW-01# sh xlate | i 71.200

EUROPE-FW-01#

acomiskey Wed, 05/09/2007 - 06:59
User Badges:
  • Green, 3000 points or more

Doesn't this mean that 10.20.1.250 is being translated to 172.16.71.100?


Built dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381


Yea, that was before I corrected the 10.24 ACL... here are the new syslogs:


2007-05-09 11:10:36,Local4.Info,10.20.1.254,May 08 2007 15:10:57: %PIX-6-609001: Built local-host inside:10.20.1.250

2007-05-09 11:10:36,Local4.Info,10.20.1.254,May 08 2007 15:10:57: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:00

2007-05-09 11:10:38,Local4.Info,10.20.1.254,May 08 2007 15:10:59: %PIX-6-609001: Built local-host inside:10.20.1.250

2007-05-09 11:10:38,Local4.Info,10.20.1.254,May 08 2007 15:10:59: %PIX-6-302020: Built ICMP connection for faddr 192.168.70.253/0 gaddr 10.20.1.250/28 laddr 10.20.1.250/28

2007-05-09 11:10:46,Local4.Info,10.20.1.254,May 08 2007 15:11:07: %PIX-6-302021: Teardown ICMP connection for faddr 192.168.70.253/0 gaddr 10.20.1.250/28 laddr 10.20.1.250/28

2007-05-09 11:10:46,Local4.Info,10.20.1.254,May 08 2007 15:11:07: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:08

2007-05-09 11:10:52,Local4.Info,10.20.1.254,May 08 2007 15:11:12: %PIX-6-609001: Built local-host inside:10.20.1.250

2007-05-09 11:10:52,Local4.Info,10.20.1.254,May 08 2007 15:11:12: %PIX-6-302013: Built outbound TCP connection 1202 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/46402 (10.20.1.250/46402)

2007-05-09 11:11:22,Local4.Info,10.20.1.254,May 08 2007 15:11:42: %PIX-6-302014: Teardown TCP connection 1202 for outside:192.168.70.253/23 to inside:10.20.1.250/46402 duration 0:00:30 bytes 0 SYN Timeout

2007-05-09 11:11:22,Local4.Info,10.20.1.254,May 08 2007 15:11:42: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:30

2007-05-09 11:12:28,Local4.Info,10.20.1.254,May 08 2007 15:12:49: %PIX-6-609001: Built local-host inside:10.20.1.250

2007-05-09 11:12:28,Local4.Info,10.20.1.254,May 08 2007 15:12:49: %PIX-6-302013: Built outbound TCP connection 1223 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/28994 (10.20.1.250/28994)

2007-05-09 11:12:58,Local4.Info,10.20.1.254,May 08 2007 15:13:19: %PIX-6-302014: Teardown TCP connection 1223 for outside:192.168.70.253/23 to inside:10.20.1.250/28994 duration 0:00:30 bytes 0 SYN Timeout

2007-05-09 11:12:58,Local4.Info,10.20.1.254,May 08 2007 15:13:19: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:30


I'm starting to think the problem is on the DMZ router... here's the setup:


londonfw - dmzrouter - internet - europerouter - europefw



I'm getting these messages on the london router (the source and dest addresses are correct):



ip nat inside source static tcp 172.16.70.100 500 ***** 500 extendable


.May 9 15:35:11.019: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=*****, prot=50, spi=0x35B97736(901347126), srcaddr=*****

I just found this config left out by the previous engineer on the london router...I'm guessing this is conflicting. I'll try to remove the crypto map later on tonight and see if it works:


interface FastEthernet0

ip address ****** 255.255.255.248

ip access-group 130 in

ip nat outside

ip route-cache flow

speed auto

crypto map vpntunnel

Ok I got a new problem...now the tunnel gets created fine no matter where I initiate traffic from...however, if I initiate the traffic from london, after the tunnel gets created no traffic is able to pass through the tunnel. As soon as I send any kind of traffic out from europe everything works fine both ways. Any ideas why that would happen?

Ok this is starting to drive me crazy I think. It looks like I have to initiate interesting traffic from both ends before the connection actually works. On the London router (not the FW) I'm getting these messages:

May 10 17:16:42.170: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=*.*.*.*, prot=50, spi=0x354F6836(894396470), srcaddr=*.*.*.*


I'm using a static nat on that router for the fw (the public IP is the same as the outside interface):


ip nat inside source static tcp 172.16.70.100 500 217.196.246.234 500 extendable



hoogen_82 Thu, 05/10/2007 - 10:10
User Badges:
  • Silver, 250 points or more

Okay, I will try to rebuild your configuration. Also, for your case, do try clear crypto ipsec sa and clear crypto isakmp sa, then try setting up the tunnel and see if traffic is flowing through.


!


hostname europe


enable password 2KFQnbNIdI.2KYOU encrypted


names


!

access-list 100 extended permit ip any any

access-list nonat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list nonat extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0

icmp permit any outside

icmp permit any inside

nat-control


global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface inside

route outside 0.0.0.0 0.0.0.0 xx.x.x.x 1 (Make sure your routing is good)

!

crypto ipsec transform-set RTS esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec df-bit clear-df outside

crypto map forsberg 21 match address nonat

crypto map forsberg 21 set peer

crypto map forsberg 21 set transform-set RTS

crypto map forsberg interface outside

!

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

!

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

!


$$$$$$$$


!


hostname europe


enable password 2KFQnbNIdI.2KYOU encrypted


names


!

access-list 100 extended permit ip any any

access-list nonat extended permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list nonat extended permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0

icmp permit any outside

icmp permit any inside

nat-control


global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface inside

route outside 0.0.0.0 0.0.0.0 xx.x.x.x 1 (Make sure your routing is good)

!

crypto ipsec transform-set RTS esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec df-bit clear-df outside

crypto map forsberg 21 match address nonat

crypto map forsberg 21 set peer

crypto map forsberg 21 set transform-set RTS

crypto map forsberg interface outside

!

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

!

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

!


###########################################


One thing to notice: the extra interesting traffic from London to the europe PIX. If you notice, in Europe you don't have it marked as interesting.


HTH

Hoogen

hoogen_82 Thu, 05/10/2007 - 10:13
User Badges:
  • Silver, 250 points or more

Oops, lots of changes before I could post mine. Well, do you have a diagram, and what are you trying to achieve?


-Hoogen

hoogen_82 Thu, 05/10/2007 - 11:16
User Badges:
  • Silver, 250 points or more

Okay, this should be your config:


!


hostname europe


enable password xxx


names


!

access-list 100 extended permit ip any any

access-list nonat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list nonat extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0

icmp permit any outside

icmp permit any inside

nat-control


global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface inside

route outside 0.0.0.0 0.0.0.0 xx.x.x.x 1 (Make sure your routing is good)

!

crypto ipsec transform-set RTS esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec df-bit clear-df outside

crypto map forsberg 21 match address nonat

crypto map forsberg 21 set peer 172.16.70.100

crypto map forsberg 21 set transform-set RTS

crypto map forsberg interface outside

!

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

!

tunnel-group 172.16.70.100 type ipsec-l2l

tunnel-group 172.16.70.100 ipsec-attributes

pre-shared-key *

!


$$$$$$$$


!


hostname europe


enable password xxx


names


!

access-list 100 extended permit ip any any

access-list nonat extended permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list nonat extended permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0

icmp permit any outside

icmp permit any inside

nat-control


global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface inside

route outside 0.0.0.0 0.0.0.0 172.16.71.253

!

crypto ipsec transform-set RTS esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec df-bit clear-df outside

crypto map forsberg 21 match address nonat

crypto map forsberg 21 set peer 172.16.71.100

crypto map forsberg 21 set transform-set RTS

crypto map forsberg interface outside

!

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

!

tunnel-group 172.16.71.100 type ipsec-l2l

tunnel-group 172.16.71.100 ipsec-attributes

pre-shared-key *

!


###########################################


The above config should work good. Just confused about the IPs on your routers, though; let your routers only do routing, and leave the firewall port-forwarding tunnel stuff to the PIX.


HTH

Hoogen

Yea, the tunnel is created on the PIX... the only relevant lines in the routers are:


London:

ip nat inside source static tcp 172.16.70.100 500 *.*.*.* 500 extendable


Europe:

ip nat inside source static udp 172.16.71.100 500 *.*.*.* 500 extendable


Because the target public IP for the tunnel is the same as the public IP of the outside (which it's overloading).


I'll compare my configs with yours and see what's missing.

Nope, I still got the same issue... here are my configs:


Europe:


nat (inside) 0 access-list london-nat

access-list london-nat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0


access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0


crypto ipsec transform-set RTS esp-3des esp-sha-hmac

crypto ipsec transform-set london esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto map RTS 1 set peer ******

crypto map RTS 1 set transform-set RTS

crypto map RTS 1 set security-association lifetime seconds 28800

crypto map vpntunnel 21 match address 101

crypto map vpntunnel 21 set peer ***public ip of london router****

crypto map vpntunnel 21 set transform-set london

crypto map vpntunnel 21 set security-association lifetime seconds 28800

crypto map vpntunnel interface outside

isakmp identity address

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

tunnel-group RTS type ipsec-l2l

tunnel-group ****** type ipsec-l2l

tunnel-group ****** ipsec-attributes

pre-shared-key *

tunnel-group ***** type ipsec-l2l

tunnel-group ***** ipsec-attributes

pre-shared-key *



London:


nat (inside) 0 access-list 101

access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0



access-list london permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0


sysopt connection permit-ipsec

crypto ipsec transform-set london esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto map hongkongvpn 5 ipsec-isakmp

crypto map hongkongvpn 5 match address hk

crypto map hongkongvpn 5 set peer ***public ip of europe router***

crypto map hongkongvpn 5 set transform-set london

crypto map hongkongvpn 5 set security-association lifetime seconds 28800 kilobytes 4608000

crypto map hongkongvpn interface outside

isakmp enable outside

isakmp key ******** address ***** netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400




When I initiate from Europe...I get this on the europe fw:



Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1


1 IKE Peer: ******

Type : user Role : initiator

Rekey : no State : MM_WAIT_MSG2


but nothing on the london FW, and vice versa. I need to initiate both connections before the tunnel times out to get any connectivity going.
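The two configs pasted above can be checked mechanically for a usable phase 1 and phase 2 proposal, which is the other thing (besides ACLs and NAT) that stops a tunnel from forming. The script below is an added example written for this page, not code from the thread or from Cisco. It reads the `isakmp policy`, `crypto ipsec transform-set` and `crypto map ... set transform-set` lines exactly as pasted above (peer addresses and keys left out, since the checks do not need them), walks the policies in priority order the way the responder does, and compares the transform-sets each crypto map entry proposes. A constructed variant with London's hash changed to `sha` shows what a mismatch looks like. Unset attributes compare as unset; the script does not fill in platform defaults.

```python
import re
from collections import defaultdict

# Final europe (PIX 7.0) and London (PIX 6.3) lines as pasted above.
EUROPE = [
    "crypto ipsec transform-set RTS esp-3des esp-sha-hmac",
    "crypto ipsec transform-set london esp-3des esp-md5-hmac",
    "crypto map RTS 1 set transform-set RTS",
    "crypto map vpntunnel 21 match address 101",
    "crypto map vpntunnel 21 set transform-set london",
    "isakmp policy 1 authentication pre-share",
    "isakmp policy 1 encryption 3des",
    "isakmp policy 1 hash md5",
    "isakmp policy 1 group 2",
    "isakmp policy 1 lifetime 86400",
]
LONDON = [
    "crypto ipsec transform-set london esp-3des esp-md5-hmac",
    "crypto map hongkongvpn 5 ipsec-isakmp",
    "crypto map hongkongvpn 5 match address hk",
    "crypto map hongkongvpn 5 set transform-set london",
    "isakmp policy 1 authentication pre-share",
    "isakmp policy 1 encryption 3des",
    "isakmp policy 1 hash md5",
    "isakmp policy 1 group 2",
    "isakmp policy 1 lifetime 86400",
]
# Constructed variant: London's phase 1 hash changed to sha.
LONDON_SHA = [line.replace("hash md5", "hash sha") for line in LONDON]

POLICY_RE = re.compile(r"^isakmp policy (?P<n>\d+) (?P<attr>\w+) (?P<val>\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set (?P<name>\S+) (?P<transforms>.+)$")
MAPSET_RE = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) set transform-set (?P<names>.+)$")

# Attributes that must agree for phase 1. Lifetime is deliberately left out:
# the peers accept a mismatch and use the shorter value.
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")


def isakmp_policies(lines):
    """Priority -> attributes, e.g. {1: {"encryption": "3des", ...}}."""
    pols = defaultdict(dict)
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if m:
            pols[int(m.group("n"))][m.group("attr")] = m.group("val")
    return dict(pols)


def phase1_match(local, remote):
    """First (local_priority, remote_priority) whose phase 1 attributes agree, else None."""
    for lp in sorted(local):
        for rp in sorted(remote):
            if all(local[lp].get(a) == remote[rp].get(a) for a in PHASE1_ATTRS):
                return lp, rp
    return None


def transform_sets(lines):
    """Name -> frozenset of transforms, e.g. {"london": {"esp-3des", "esp-md5-hmac"}}."""
    return {m.group("name"): frozenset(m.group("transforms").split())
            for m in (TSET_RE.match(line.strip()) for line in lines) if m}


def map_transform_sets(lines, crypto_map, seq):
    """Transform-set names a crypto map entry proposes, in configured order."""
    for line in lines:
        m = MAPSET_RE.match(line.strip())
        if m and m.group("map") == crypto_map and int(m.group("seq")) == seq:
            return m.group("names").split()
    return []


def phase2_match(local_lines, local_map, local_seq, remote_lines, remote_map, remote_seq):
    """((local_set, remote_set) or None, unresolved_names).

    The pair is the first transform-set on each side with identical transforms.
    Names a crypto map references but the given lines do not define are listed
    separately so an incomplete paste is not mistaken for a mismatch.
    """
    lsets, rsets = transform_sets(local_lines), transform_sets(remote_lines)
    lnames = map_transform_sets(local_lines, local_map, local_seq)
    rnames = map_transform_sets(remote_lines, remote_map, remote_seq)
    unresolved = [n for n in lnames if n not in lsets] + [n for n in rnames if n not in rsets]
    for ln in lnames:
        for rn in rnames:
            if ln in lsets and rn in rsets and lsets[ln] == rsets[rn]:
                return (ln, rn), unresolved
    return None, unresolved


if __name__ == "__main__":
    print("phase 1:", phase1_match(isakmp_policies(EUROPE), isakmp_policies(LONDON)))
    print("phase 1 (sha variant):", phase1_match(isakmp_policies(EUROPE), isakmp_policies(LONDON_SHA)))
    print("phase 2:", phase2_match(EUROPE, "vpntunnel", 21, LONDON, "hongkongvpn", 5))
```

On the lines as pasted, policy 1 matches policy 1 and transform-set `london` matches `london` on both sides, so a proposal mismatch is ruled out for these configs; the constructed `sha` variant returns no phase 1 match, which is the case that would leave the initiator stuck waiting for the responder's first reply.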
