IPSec VPN problem

Unanswered Question
Aug 17th, 2007

Hi all

I am having a problem bringing up the VPN link between a PIX firewall and a 3825 router. It was working fine but all of a sudden it stopped. The debug of the 3825 is attached for reference. Any workarounds??

Sheeraz

royalblues Sun, 08/19/2007 - 11:58

The error is at phase 1 itself.

Are you sure you have the same properties at both ends in terms of ISAKMP policies: encryption, hash, authentication and group?

Narayan

dradhika Sun, 08/19/2007 - 22:24

Hi Sheeraz,

On router can you replace,

crypto isakmp key 6 cisco123 address 203.82.55.106 255.255.255.252

with

crypto isakmp key cisco123 address 203.82.55.106 255.255.255.252

and check.

Also, if you can, remove the netmask on both devices in the crypto isakmp key CLI if you are establishing the tunnel just between these two devices.

The CLI will look as below without the mask:

On router -

crypto isakmp key cisco123 address 203.82.55.106

on pix -

isakmp key cisco123 address 203.130.2.164

HTH,

Radhika

sheerazkhatri Mon, 08/20/2007 - 05:39

Thank you Radhika for the advice... I did what you suggested but it didn't work... Any more ideas??

Sheeraz

dradhika Mon, 08/20/2007 - 09:39

Have you deleted access-list 104 on the router by any chance? Or did you just not include it in the attachment?

Thanks,

Radhika

sheerazkhatri Tue, 08/21/2007 - 05:17

Sorry for that... ACL 104 is not in the attachment. Following is ACL 104.

access-list 104 permit ip 10.0.0.0 0.0.255.255 190.190.0.0 0.0.255.255

access-list 104 permit ip 172.16.0.0 0.0.255.255 190.190.0.0 0.0.255.255

access-list 104 permit ip 10.3.1.224 0.0.0.31 190.190.0.0 0.0.255.255

access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.21.0 0.0.0.255

access-list 104 permit ip 10.3.1.224 0.0.0.31 172.16.21.0 0.0.0.255

access-list 104 permit ip 172.16.0.0 0.0.255.255 172.16.21.0 0.0.0.255

Hope this works.

Sheeraz

dradhika Tue, 08/21/2007 - 09:10

From the attached config files:

The crypto access list on the PIX (101) seems to contain different ACEs from the one on the router (104).

Otherwise all the VPN CLI seems to be OK.

Can you check that NAT is not done for the traffic on both devices?

2.

ip route 190.190.0.0 255.255.0.0 203.82.55.106

Here I do not see any interface with an IP on the subnet of 203.82.55.106.

If 190.190.0.0 is the inside network of the PIX, then doesn't the next-hop IP in this route need to be 203.130.2.161 instead of 203.82.55.106?

Thanks,

Radhika
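The mismatch Radhika points at (PIX crypto ACL 101 versus router ACL 104) is easy to miss by eye because IOS ACEs use wildcard masks while PIX ACEs use subnet masks. The script below is an added example, not from the thread or either device: it normalises both ACL styles into (source, destination) network pairs and reports every ACE that has no exact mirror on the other side. The router text is ACL 104 as posted; the PIX ACL 101 is constructed here (the real one is only in the attachment) with one mirrored ACE deliberately left out.

```python
import ipaddress

# Router-side crypto ACL 104 as posted in the thread (IOS wildcard masks).
ROUTER_ACL = """
access-list 104 permit ip 10.0.0.0 0.0.255.255 190.190.0.0 0.0.255.255
access-list 104 permit ip 172.16.0.0 0.0.255.255 190.190.0.0 0.0.255.255
access-list 104 permit ip 10.3.1.224 0.0.0.31 190.190.0.0 0.0.255.255
access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.21.0 0.0.0.255
access-list 104 permit ip 10.3.1.224 0.0.0.31 172.16.21.0 0.0.0.255
access-list 104 permit ip 172.16.0.0 0.0.255.255 172.16.21.0 0.0.0.255
"""

# Constructed PIX-side ACL 101 (subnet masks); the mirror of the last
# router ACE (172.16.0.0/16 -> 172.16.21.0/24) is intentionally missing.
PIX_ACL = """
access-list 101 permit ip 190.190.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 101 permit ip 190.190.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 101 permit ip 190.190.0.0 255.255.0.0 10.3.1.224 255.255.255.224
access-list 101 permit ip 172.16.21.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 101 permit ip 172.16.21.0 255.255.255.0 10.3.1.224 255.255.255.224
"""

def _net(addr, mask, wildcard):
    """Build a network from address + mask. IOS wildcard masks are inverted
    explicitly: 0.0.0.0 must become a /32 host, not a /0 default."""
    m = ipaddress.IPv4Address(mask)
    if wildcard:
        m = ipaddress.IPv4Address(int(m) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(m)), strict=False)

def parse_aces(text, wildcard):
    """Return the set of (src_net, dst_net) pairs from 'permit ip' ACEs."""
    pairs = set()
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            pairs.add((_net(f[4], f[5], wildcard), _net(f[6], f[7], wildcard)))
    return pairs

def mirror_mismatch(router_text, pix_text):
    """ACEs on each side that lack an exact mirror (src/dst swapped) on the
    other side, reported from the router's point of view."""
    router = parse_aces(router_text, wildcard=True)
    pix_flipped = {(d, s) for s, d in parse_aces(pix_text, wildcard=False)}
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return {"missing_on_pix": fmt(router - pix_flipped),
            "missing_on_router": fmt(pix_flipped - router)}
```

An ACE listed under either key means one side will propose a proxy identity the peer never matches, which shows up as phase 2 failing only for that subnet pair.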

dradhika Tue, 08/21/2007 - 09:15

Also, if possible, can you disable IPsec on both devices and check if you are able to ping the peer IP address and the inside network of the remote device from the router (both the outside interface and the inside interface)?

Thanks,

Radhika
