
VPN L2L

niro
Level 1

I'm having trouble setting up a PIX-to-PIX VPN connection... I'm running a PIX 515 v7.0 on one end and a PIX 515E 6.3 on the other end. Here are the VPN configs (I starred out the public IPs). The tunnel I'm working on is vpntunnel 21 and europe:

europe:

access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0
nat-control
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set RTS esp-3des esp-sha-hmac
crypto ipsec transform-set london esp-3des esp-md5-hmac
crypto map RTS 1 set peer *******
crypto map RTS 1 set transform-set RTS
crypto map vpntunnel 21 match address 101
crypto map vpntunnel 21 set peer ******
crypto map vpntunnel 21 set transform-set london
crypto map vpntunnel interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 10000
tunnel-group RTS type ipsec-l2l
tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
pre-shared-key *
tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
pre-shared-key *

London:

access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 172.16.70.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list 101 permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list hk permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list hk permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ny esp-des esp-md5-hmac
crypto ipsec transform-set europe esp-3des esp-md5-hmac
crypto map vpntunnel 1 ipsec-isakmp
crypto map vpntunnel 1 match address 102
crypto map vpntunnel 1 set peer ******
crypto map vpntunnel 1 set transform-set ny
crypto map europe 5 ipsec-isakmp
crypto map europe 5 match address hk
crypto map europe 5 set peer ******
crypto map europe 5 set transform-set london
crypto map europe interface outside
isakmp enable outside
isakmp key ******** address ****** netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 10000
isakmp policy 6 authentication pre-share
isakmp policy 6 encryption 3des
isakmp policy 6 hash md5
isakmp policy 6 group 2
isakmp policy 6 lifetime 86400

The tunnel seems to come up normally when I initiate it from the London side, but not from the Europe side. Also, even though the tunnel is up, no traffic seems to be going through; I'm not able to connect to any devices on the other side:

Europe:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: *******
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

London:

Total : 1
Embryonic : 0
dst src state pending created
****** 172.16.70.100 QM_IDLE 0 1

Any ideas what I'm doing wrong here?

22 Replies

acomiskey
Level 10

I would start by getting rid of

access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

as it is not needed, and the ACLs should be mirrors of each other on the two firewalls.
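The mirror condition acomiskey describes can be checked mechanically. The following is an added example, not code from the thread: it parses the crypto ACL lines quoted above in both PIX syntaxes (7.0 `extended` and 6.3 without it) and reports entries that have no src/dst-swapped counterpart on the other side.

```python
import ipaddress
import re

# Sample ACLs copied from the two firewall configs posted in the thread.
EUROPE_ACL = """
access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0
"""
LONDON_ACL = """
access-list hk permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list hk permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0
"""

# name, optional "extended", permit, proto, src, src-mask, dst, dst-mask
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+(?:extended\s+)?permit\s+(\S+)\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_aces(text):
    """Return a set of (proto, src_net, dst_net) from PIX access-list lines."""
    aces = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # not a permit ACE (deny, remark, blank): ignore
        proto, src, smask, dst, dmask = m.groups()
        # ip_network accepts dotted netmasks, so "x.x.x.0/255.255.255.0" works
        aces.add((proto,
                  ipaddress.ip_network(f"{src}/{smask}"),
                  ipaddress.ip_network(f"{dst}/{dmask}")))
    return aces


def mirror_mismatches(local_text, peer_text):
    """Return (local ACEs with no mirror on the peer, peer ACEs with no mirror locally)."""
    local = parse_aces(local_text)
    peer_mirrored = {(p, d, s) for (p, s, d) in parse_aces(peer_text)}
    missing_on_peer = sorted(local - peer_mirrored, key=str)
    missing_on_local = sorted(peer_mirrored - local, key=str)
    return missing_on_peer, missing_on_local


if __name__ == "__main__":
    for side, entries in zip(("missing on London", "missing on Europe"),
                             mirror_mismatches(EUROPE_ACL, LONDON_ACL)):
        for proto, src, dst in entries:
            print(f"{side}: {proto} {src} -> {dst}")
```

Run against the posted ACLs it flags only the extra `icmp` line on the London side, which is exactly the entry acomiskey suggests removing.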

Yeah, I did that, same problem. I only put it in there to test something and forgot to take it out. Still not working though. :/

Try making two separate ACLs for your Europe firewall, one for NAT exemption and one for crypto; don't use 101 for both.

Yup, tried that also... the only reason I tried the same one for both was because it wasn't working. Anyway, I just switched it back to separate ACLs, still the same problem:

access-list london-nat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list london-nat extended permit ip 10.24.1.0 255.255.255.0 192.168.70.0 255.255.255.0
nat (inside) 0 access-list london-nat

Do you mean 10.20.1.0?

Yeah, typo :) Been working on this too many hours :) Fixed it, but still the same problem... I'm getting these messages in syslog when trying to connect though:

when initiated from europe:

10.20.1.254,May 08 2007 14:05:57: %PIX-6-609001: Built local-host inside:10.20.1.250
10.20.1.254,May 08 2007 14:05:57: %PIX-6-305011: Built dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381
10.20.1.254,May 08 2007 14:05:57: %PIX-6-302013: Built outbound TCP connection 591 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/50498 (172.16.71.100/1381)

when initiated from london:

192.168.70.100,%PIX-6-302013: Built outbound TCP connection 19183 for outside:10.20.1.250/23 (10.20.1.250/23) to inside:192.168.70.253/63170 (192.168.70.253/63170)
10.20.1.254,May 08 2007 14:06:27: %PIX-6-302014: Teardown TCP connection 591 for outside:192.168.70.253/23 to inside:10.20.1.250/50498 duration 0:00:30 bytes 0 SYN Timeout
10.20.1.254,May 08 2007 14:06:57: %PIX-6-305012: Teardown dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381 duration 0:01:00
10.20.1.254,May 08 2007 14:06:57: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:01:00

Doesn't look like the traffic is actually crossing the tunnel.

What is 172.16.71.100, a PAT address? It seems like NAT exemption is not working at the Europe firewall.

That's the DMZ side of the firewall in Europe... I just tried from another host that definitely doesn't attempt any DMZ connections, to see if I see any translations created:

europeSW-01's IP is 192.168.71.200

europeSW-01#telnet 192.168.70.200
Trying 192.168.70.200 ...
% Connection timed out; remote host not responding

EUROPE-FW-01# sh log | i 70.200
May 08 2007 14:46:21: %PIX-6-609001: Built local-host outside:192.168.70.200
May 08 2007 14:46:21: %PIX-6-609002: Teardown local-host outside:192.168.70.200 duration 0:00:00
May 08 2007 14:46:25: %PIX-6-609001: Built local-host outside:192.168.70.200
May 08 2007 14:46:25: %PIX-6-609002: Teardown local-host outside:192.168.70.200 duration 0:00:00

EUROPE-FW-01# sh log | i 71.200
May 08 2007 14:46:33: %PIX-6-609001: Built local-host inside:192.168.71.200
May 08 2007 14:46:33: %PIX-6-609002: Teardown local-host inside:192.168.71.200 duration 0:00:00

EUROPE-FW-01# sh xlate | i 71.200
EUROPE-FW-01#

Doesn't this mean that 10.20.1.250 is being translated to 172.16.71.100?

Built dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381
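The reasoning in this exchange, that a mapped address different from the real address in a 302013 line means NAT exemption missed, and that a 302014 teardown with "bytes 0 SYN Timeout" means the peer never answered, can be turned into a small syslog check. This is an added example, not code from the thread; the log lines are constructed from the messages quoted above with the syslog-relay prefix dropped, and EXEMPT_PAIRS is assumed to hold the nat 0 / crypto ACL network pairs.

```python
import ipaddress
import re

# Constructed sample: connection 591 was PAT'ed to 172.16.71.100 (exemption missed);
# connection 1202 kept its real address but still timed out with 0 bytes.
SAMPLE_LOG = """
May 08 2007 14:05:57: %PIX-6-302013: Built outbound TCP connection 591 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/50498 (172.16.71.100/1381)
May 08 2007 14:06:27: %PIX-6-302014: Teardown TCP connection 591 for outside:192.168.70.253/23 to inside:10.20.1.250/50498 duration 0:00:30 bytes 0 SYN Timeout
May 08 2007 15:11:12: %PIX-6-302013: Built outbound TCP connection 1202 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/46402 (10.20.1.250/46402)
May 08 2007 15:11:42: %PIX-6-302014: Teardown TCP connection 1202 for outside:192.168.70.253/23 to inside:10.20.1.250/46402 duration 0:00:30 bytes 0 SYN Timeout
"""

# (inside source net, remote destination net) pairs that must cross the tunnel untranslated
EXEMPT_PAIRS = [
    (ipaddress.ip_network("10.20.1.0/24"), ipaddress.ip_network("192.168.70.0/24")),
    (ipaddress.ip_network("192.168.71.0/24"), ipaddress.ip_network("192.168.70.0/24")),
]

# 302013: "... connection <id> for outside:<dst>/p (<dst>/p) to inside:<real>/p (<mapped>/p)"
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built outbound TCP connection (\d+) for "
    r"\w+:([\d.]+)/\d+ \([\d.]+/\d+\) to \w+:([\d.]+)/\d+ \(([\d.]+)/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (\d+) .* bytes (\d+) SYN Timeout"
)


def analyse(log_text, exempt_pairs):
    """Map connection id -> findings, for flows that should have used the tunnel."""
    findings = {}
    for line in log_text.strip().splitlines():
        m = BUILT_RE.search(line)
        if m:
            conn, dst, real_src, mapped_src = m.groups()
            real, dst_ip = ipaddress.ip_address(real_src), ipaddress.ip_address(dst)
            if not any(real in s and dst_ip in d for s, d in exempt_pairs):
                continue  # not tunnel traffic, translation is expected here
            findings.setdefault(conn, [])
            if mapped_src != real_src:
                findings[conn].append(f"translated to {mapped_src}: nat exemption missed")
            continue
        m = TEARDOWN_RE.search(line)
        if m and m.group(1) in findings and m.group(2) == "0":
            findings[m.group(1)].append("SYN timeout with 0 bytes: no reply from peer")
    return findings


if __name__ == "__main__":
    for conn, notes in analyse(SAMPLE_LOG, EXEMPT_PAIRS).items():
        print(conn, "; ".join(notes))
```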

Yeah, that was before I corrected the 10.24 ACL... here are the new syslogs:

2007-05-09 11:10:36,Local4.Info,10.20.1.254,May 08 2007 15:10:57: %PIX-6-609001: Built local-host inside:10.20.1.250
2007-05-09 11:10:36,Local4.Info,10.20.1.254,May 08 2007 15:10:57: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:00
2007-05-09 11:10:38,Local4.Info,10.20.1.254,May 08 2007 15:10:59: %PIX-6-609001: Built local-host inside:10.20.1.250
2007-05-09 11:10:38,Local4.Info,10.20.1.254,May 08 2007 15:10:59: %PIX-6-302020: Built ICMP connection for faddr 192.168.70.253/0 gaddr 10.20.1.250/28 laddr 10.20.1.250/28
2007-05-09 11:10:46,Local4.Info,10.20.1.254,May 08 2007 15:11:07: %PIX-6-302021: Teardown ICMP connection for faddr 192.168.70.253/0 gaddr 10.20.1.250/28 laddr 10.20.1.250/28
2007-05-09 11:10:46,Local4.Info,10.20.1.254,May 08 2007 15:11:07: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:08
2007-05-09 11:10:52,Local4.Info,10.20.1.254,May 08 2007 15:11:12: %PIX-6-609001: Built local-host inside:10.20.1.250
2007-05-09 11:10:52,Local4.Info,10.20.1.254,May 08 2007 15:11:12: %PIX-6-302013: Built outbound TCP connection 1202 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/46402 (10.20.1.250/46402)
2007-05-09 11:11:22,Local4.Info,10.20.1.254,May 08 2007 15:11:42: %PIX-6-302014: Teardown TCP connection 1202 for outside:192.168.70.253/23 to inside:10.20.1.250/46402 duration 0:00:30 bytes 0 SYN Timeout
2007-05-09 11:11:22,Local4.Info,10.20.1.254,May 08 2007 15:11:42: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:30
2007-05-09 11:12:28,Local4.Info,10.20.1.254,May 08 2007 15:12:49: %PIX-6-609001: Built local-host inside:10.20.1.250
2007-05-09 11:12:28,Local4.Info,10.20.1.254,May 08 2007 15:12:49: %PIX-6-302013: Built outbound TCP connection 1223 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/28994 (10.20.1.250/28994)
2007-05-09 11:12:58,Local4.Info,10.20.1.254,May 08 2007 15:13:19: %PIX-6-302014: Teardown TCP connection 1223 for outside:192.168.70.253/23 to inside:10.20.1.250/28994 duration 0:00:30 bytes 0 SYN Timeout
2007-05-09 11:12:58,Local4.Info,10.20.1.254,May 08 2007 15:13:19: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:30

I'm starting to think the problem is on the DMZ router... here's the setup:

londonfw - dmzrouter - internet - europerouter - europefw

I'm getting these messages on the London router (the source and dest addresses are correct):

ip nat inside source static tcp 172.16.70.100 500 ***** 500 extendable

.May 9 15:35:11.019: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=*****, prot=50, spi=0x35B97736(901347126), srcaddr=*****

I just found this config left behind by the previous engineer on the London router... I'm guessing this is conflicting. I'll try to remove the crypto map later tonight and see if it works:

interface FastEthernet0
 ip address ****** 255.255.255.248
 ip access-group 130 in
 ip nat outside
 ip route-cache flow
 speed auto
 crypto map vpntunnel

Yup, that's what it was.. gotta love old leftover configs from ages ago that never get removed.

OK, I've got a new problem... now the tunnel gets created fine no matter where I initiate traffic from; however, if I initiate the traffic from London, after the tunnel gets created no traffic is able to pass through the tunnel. As soon as I send any kind of traffic out from Europe, everything works fine both ways. Any ideas why that would happen?
