05-12-2007 01:13 PM - edited 02-21-2020 03:03 PM
Hi,
I used the config from the Cisco site to set up the IPSec tunnel between my PIX and a 1841 router. It does not seem to work. Please help.
I have attached my configs of 515E and 1841. Going forward the 1841 and 515E will have remote users connecting to them using Cisco VPN client software.
Thanks,
Rasheed
05-12-2007 04:05 PM
Hi
Looking at the PIX config, your crypto map references an access-list called testing, e.g.
crypto map valuable 21 match address testing
This access-list is not defined anywhere in your config.
HTH
Jon
05-13-2007 03:42 AM
Hi,
Thank you, I have changed that to access-list nonat which is defined. I still do not see the IPSec tunnel coming up.
Please help, it is urgent.
Rasheed
05-13-2007 06:07 AM
Your encryption domains do not match.
On the PIX you have:
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
On the router you have:
access-list 120 permit ip 10.10.200.0 0.0.0.255 10.10.100.0 0.0.0.255
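Added example, not part of the original thread and not Cisco tooling: a short Python check that two crypto ACL entries are mirror images of each other, converting the router's wildcard mask to a subnet mask before comparing. It only handles the `permit ip <net> <mask> <net> <mask>` form quoted above (no `host` or `any` keywords), and the `IOS_MIRRORED` line is constructed for illustration on the assumption that the PIX entry is the intended one.

```python
import ipaddress
import re


def parse_crypto_acl(line, platform):
    """Return (source_network, destination_network) from one 'permit ip' ACL line.

    platform 'pix': masks are subnet masks (255.255.255.0).
    platform 'ios': masks are wildcard masks (0.0.0.255).
    """
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)\s*$", line.strip())
    if not m:
        raise ValueError(f"not a 'permit ip net mask net mask' entry: {line!r}")
    src, src_mask, dst, dst_mask = m.groups()

    def network(addr, mask):
        if platform == "ios":
            # Invert the wildcard mask to get the equivalent subnet mask.
            inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
            mask = str(ipaddress.IPv4Address(inverted))
        # Raises ValueError on host bits set or a non-contiguous mask.
        return ipaddress.ip_network(f"{addr}/{mask}")

    return network(src, src_mask), network(dst, dst_mask)


def is_mirror(pix_line, ios_line):
    """True when the router entry is the exact mirror image of the PIX entry."""
    pix_src, pix_dst = parse_crypto_acl(pix_line, "pix")
    ios_src, ios_dst = parse_crypto_acl(ios_line, "ios")
    return pix_src == ios_dst and pix_dst == ios_src


# The two entries quoted in the post above.
PIX_ACL = "access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0"
IOS_ACL = "access-list 120 permit ip 10.10.200.0 0.0.0.255 10.10.100.0 0.0.0.255"
# Constructed router entry that mirrors the PIX entry (assumption, see lead-in).
IOS_MIRRORED = "access-list 120 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255"

if __name__ == "__main__":
    print("as posted:", is_mirror(PIX_ACL, IOS_ACL))
    print("mirrored :", is_mirror(PIX_ACL, IOS_MIRRORED))
```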
05-13-2007 08:00 AM
Thanks, I have corrected my ACL but it still does not work.
05-13-2007 08:32 AM
05-13-2007 06:59 PM
Have you debugged the traffic?
I also would add crypto map valuable 21 ipsec-isakmp.
05-14-2007 02:45 AM
I have added the crypto ipsec-isakmp on the PIX and the router but it does not help. Debug does not give me any output though I have enabled logging. My remote users are able to do VPN to the router as well as to the PIX using Cisco VPN client, but the IPSec tunnel between my router and the PIX still does not come up.
When I do a ping to the router from the PIX, this is all I get:
LarnacaPIX# ping 192.168.107.190
Sending 5, 100-byte ICMP Echos to 192.168.107.190, timeout is 2 seconds:
%PIX-7-609001: Built local-host NP Identity Ifc:xx.xxx.xxx.19 (pix outside IP)
%PIX-7-609001: Built local-host outside:192.168.107.190
%PIX-6-302020: Built ICMP connection for faddr 192.168.107.190/0 gaddr xx.xxx.xxx.19/4388 laddr xx.xxx.xxx.19/4388
????%PIX-7-710005: UDP request discarded from 10.10.2.4/138 to inside:10.10.2.255/138
?
Success rate is 0 percent (0/5)
LarnacaPIX# %PIX-5-111008: User 'haroon' executed the 'ping 192.168.107.190' command.
%PIX-6-302021: Teardown ICMP connection for faddr 192.168.107.190/0 gaddr xx.xxx.xxx.19/4388 laddr xx.xxx.xxx.19/4388
%PIX-7-609002: Teardown local-host NP Identity Ifc:xx.xxx.xxx.19 duration 0:00:10
%PIX-7-609002: Teardown local-host outside:192.168.107.190 duration 0:00:10
05-14-2007 05:00 AM
Debug info
protocol : 17
port : 500
length : 12
*May 14 11:20:23.634: ISAKMP:(0:4:SW:1):Total payload length: 12
*May 14 11:20:23.634: CryptoEngine0: generate hmac context for conn id 4
*May 14 11:20:23.634: ISAKMP:(0:4:SW:1): sending packet to xx.xxx.xxx.19 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*May 14 11:20:23.634: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 14 11:20:23.634: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 14 11:20:24.118: ISAKMP (0:134217732): received packet from xx.xxx.xxx.19 dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): processing ID payload. message ID = 0
*May 14 11:20:24.122: ISAKMP (0:134217732): ID payload
next-payload : 8
type : 1
address : xx.xxx.xxx.19
protocol : 17
port : 500
length : 12
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):: peer matches *none* of the profiles
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 0
*May 14 11:20:24.122: CryptoEngine0: generate hmac context for conn id 4
*May 14 11:20:24.122: ISAKMP:received payload type 17
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): processing vendor id payload
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): vendor ID is DPD
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):SA authentication status:
authenticated
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):SA has been authenticated with xx.xxx.xxx.19
*May 14 11:20:24.122: ISAKMP: Trying to insert a peer xx.xxx.xx.62/xx.xxx.xxx.19/500/, and inserted successfully 6423A1E0.
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6