IPSec tunnel not coming up between 515E and 1841

Unanswered Question
May 12th, 2007

Hi,

I used the config from the Cisco site to setup the IPSec tunnel between my PiX and a 1841 router. It does not seem to work. Please help.

I have attached my configs of 515E and 1841. Going forward the 1841 and 515E will have remote users connecting to them using Cisco VPN client software.

Thanks,

Rasheed

Jon Marshall Sat, 05/12/2007 - 16:05

Hi

Looking at the pix config your crypto map references an access-list called testing eg.

crypto map valuable 21 match address testing

This access-list is not defined anywhere in your config.

HTH

Jon

syedharoonrasheed Sun, 05/13/2007 - 03:42

Hi,

Thank you, I have changed that to access-list nonat which is defined. I still do not see the IPSec tunnel coming up.

Please help, it is urgent.

Rasheed

froggy3132000 Sun, 05/13/2007 - 06:07

Your encryption domains do not match.

on the pix you have:

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

on the router you have

access-list 120 permit ip 10.10.200.0 0.0.0.255 10.10.100.0 0.0.0.255
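
As an added example (not from the thread or from Cisco), here is a small Python check of the point made above: it parses the PIX entry (subnet masks) and the IOS entry (wildcard masks) and reports whether the two encryption domains mirror each other. The two sample lines are the ones quoted in this reply; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACL entries quoted in the thread.
PIX_ACL = "access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0"
IOS_ACL = "access-list 120 permit ip 10.10.200.0 0.0.0.255 10.10.100.0 0.0.0.255"

# Matches a simple "permit ip <src> <mask> <dst> <mask>" entry.
# The host/any keywords are deliberately not handled to keep the example short.
_ENTRY = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def wildcard_to_netmask(wildcard):
    """IOS ACLs use wildcard masks, the bitwise inverse of a PIX subnet mask."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def parse_entry(line, style):
    """Return (src_network, dst_network) for one ACL line.
    style is 'pix' (subnet masks) or 'ios' (wildcard masks)."""
    m = _ENTRY.search(line)
    if m is None:
        raise ValueError("not a simple 'permit ip' entry: " + line)
    src, smask, dst, dmask = m.groups()
    if style == "ios":
        smask, dmask = wildcard_to_netmask(smask), wildcard_to_netmask(dmask)
    # strict=False tolerates host bits set in the address field.
    return (ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False))


def check_mirror(pix_line, ios_line):
    """Return (ok, detail). ok is True only when the PIX source/destination
    pair is exactly the reverse of the router's, i.e. the domains mirror."""
    pix_src, pix_dst = parse_entry(pix_line, "pix")
    ios_src, ios_dst = parse_entry(ios_line, "ios")
    if pix_src == ios_dst and pix_dst == ios_src:
        return True, f"mirrored: {pix_src} <-> {pix_dst}"
    return False, (f"mismatch: PIX encrypts {pix_src} -> {pix_dst}, "
                   f"router encrypts {ios_src} -> {ios_dst}")


if __name__ == "__main__":
    print(check_mirror(PIX_ACL, IOS_ACL)[1])
```

Run against the two lines above it reports a mismatch; swapping the router's entry to 10.10.20.0/24 -> 10.10.10.0/24 (or the PIX's to match the router) makes it report mirrored.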

syedharoonrasheed Sun, 05/13/2007 - 08:32

Here are my new configs with the VPN configuration for Cisco VPN clients, which is working, but the IPSec tunnel still does not work.

My network looks like this

Site A router----DSL Router---Internet---DSL Router----PiX.

Router and PiX are on static public IP's.

froggy3132000 Sun, 05/13/2007 - 18:59

Have you debugged the traffic?

I also would add crypto map valuable 21 ipsec-isakmp.

syedharoonrasheed Mon, 05/14/2007 - 02:45

I have added the crypto ipsec-isakmp on the PIX and the router, but it does not help. Debug does not give me any output, though I have enabled logging. My remote users are able to do VPN to the router as well as to the PIX using the Cisco VPN client, but the IPSec tunnel between my router and the PIX still does not come up.

When I do a ping to the router from the PIX, this is all I get:

LarnacaPIX# ping 192.168.107.190
Sending 5, 100-byte ICMP Echos to 192.168.107.190, timeout is 2 seconds:
%PIX-7-609001: Built local-host NP Identity Ifc:xx.xxx.xxx.19 (pix outside IP)
%PIX-7-609001: Built local-host outside:192.168.107.190
%PIX-6-302020: Built ICMP connection for faddr 192.168.107.190/0 gaddr xx.xxx.xxx.19/4388 laddr xx.xxx.xxx.19/4388
????%PIX-7-710005: UDP request discarded from 10.10.2.4/138 to inside:10.10.2.255/138
?
Success rate is 0 percent (0/5)
LarnacaPIX# %PIX-5-111008: User 'haroon' executed the 'ping 192.168.107.190' command.
%PIX-6-302021: Teardown ICMP connection for faddr 192.168.107.190/0 gaddr xx.xxx.xxx.19/4388 laddr xx.xxx.xxx.19/4388
%PIX-7-609002: Teardown local-host NP Identity Ifc:xx.xxx.xxx.19 duration 0:00:10
%PIX-7-609002: Teardown local-host outside:192.168.107.190 duration 0:00:10

syedharoonrasheed Mon, 05/14/2007 - 05:00

Debug info

        protocol : 17
        port : 500
        length : 12
*May 14 11:20:23.634: ISAKMP:(0:4:SW:1):Total payload length: 12
*May 14 11:20:23.634: CryptoEngine0: generate hmac context for conn id 4
*May 14 11:20:23.634: ISAKMP:(0:4:SW:1): sending packet to xx.xxx.xxx.19 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*May 14 11:20:23.634: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 14 11:20:23.634: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 14 11:20:24.118: ISAKMP (0:134217732): received packet from xx.xxx.xxx.19 dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): processing ID payload. message ID = 0
*May 14 11:20:24.122: ISAKMP (0:134217732): ID payload
        next-payload : 8
        type : 1
        address : xx.xxx.xxx.19
        protocol : 17
        port : 500
        length : 12
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):: peer matches *none* of the profiles
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 0
*May 14 11:20:24.122: CryptoEngine0: generate hmac context for conn id 4
*May 14 11:20:24.122: ISAKMP:received payload type 17
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): processing vendor id payload
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): vendor ID is DPD
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):SA authentication status:
        authenticated
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):SA has been authenticated with xx.xxx.xxx.19
*May 14 11:20:24.122: ISAKMP: Trying to insert a peer xx.xxx.xx.62/xx.xxx.xxx.19/500/, and inserted successfully 6423A1E0.
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
