IPSec VPN problem

sheerazkhatri
Level 1

Hi all

I am having a problem bringing up the VPN link between a PIX firewall and a 3825 router. It was working fine but all of a sudden it stopped. The debug from the 3825 is attached for reference. Any workarounds??

Sheeraz


DfyAnt
Level 1

Please post your configs.

The error is at phase 1 itself.

Are you sure you have the same properties at both ends in terms of ISAKMP policies: encryption, hash, authentication and group?

Narayan

Again, please post your configs.

One side of the VPN is the 3825 router and the other is the PIX. Configurations are attached. Please, any help.

Sheeraz

Hi Sheeraz,

On the router, can you replace

crypto isakmp key 6 cisco123 address 203.82.55.106 255.255.255.252

with

crypto isakmp key cisco123 address 203.82.55.106 255.255.255.252

and check.

Also, if you can, remove the netmask on both devices in the crypto isakmp key CLI if you are establishing the tunnel just between these two devices.

The CLI will look as below w/o mask:

On router -

crypto isakmp key cisco123 address 203.82.55.106

On PIX -

isakmp key cisco123 address 203.130.2.164

HTH,

Radhika

Thank you Radhika for the advice... I did what you suggested but it didn't work... Any more ideas??

Sheeraz

Have you deleted access-list 104 on the router by any chance? Or just did not include it in the attachment?

Thanks,

Radhika

Sorry for that... ACL 104 is not in the attachment. Following is ACL 104.

access-list 104 permit ip 10.0.0.0 0.0.255.255 190.190.0.0 0.0.255.255

access-list 104 permit ip 172.16.0.0 0.0.255.255 190.190.0.0 0.0.255.255

access-list 104 permit ip 10.3.1.224 0.0.0.31 190.190.0.0 0.0.255.255

access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.21.0 0.0.0.255

access-list 104 permit ip 10.3.1.224 0.0.0.31 172.16.21.0 0.0.0.255

access-list 104 permit ip 172.16.0.0 0.0.255.255 172.16.21.0 0.0.0.255

Hope this works.

Sheeraz

From the attached config files:

1. The crypto access list on the PIX (101) seems to contain different ACEs from that on the router (104).

Otherwise all the VPN CLI seems to be OK.

Can you check that NAT is not done for the traffic on both devices?

2.

ip route 190.190.0.0 255.255.0.0 203.82.55.106

Here I do not see any interface with an IP on this subnet (203.82.55.106).

If 190.190.0.0 is the inside network of the PIX, then doesn't the next-hop IP in this route need to be 203.130.2.161 instead of 203.82.55.106?

Thanks,

Radhika
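The mirror-image check that the reply above is asking for, as an added example that is not part of the original thread or of any Cisco tool: a Python script that parses the router's ACL 104 exactly as Sheeraz posted it (IOS wildcard-mask syntax) and a PIX-side ACL 101 (subnet-mask syntax) and reports which proxy identities the PIX would have no matching ACE for in phase 2, plus any PIX ACEs the router cannot match. The thread never shows the real PIX ACL, so the one embedded here is a constructed sample that deliberately omits the two 10.3.1.224/27 entries; the function and variable names are the example's own.

```python
import ipaddress
import re

# Router ACL 104 as posted in the thread (IOS wildcard-mask syntax).
ROUTER_ACL_104 = """
access-list 104 permit ip 10.0.0.0 0.0.255.255 190.190.0.0 0.0.255.255
access-list 104 permit ip 172.16.0.0 0.0.255.255 190.190.0.0 0.0.255.255
access-list 104 permit ip 10.3.1.224 0.0.0.31 190.190.0.0 0.0.255.255
access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.21.0 0.0.0.255
access-list 104 permit ip 10.3.1.224 0.0.0.31 172.16.21.0 0.0.0.255
access-list 104 permit ip 172.16.0.0 0.0.255.255 172.16.21.0 0.0.0.255
"""

# Constructed PIX-side ACL 101. The thread never shows the real one, only that it
# differs from ACL 104; PIX syntax uses subnet masks, and this sample leaves out
# the two 10.3.1.224/27 entries on purpose so the report has something to say.
PIX_ACL_101 = """
access-list 101 permit ip 190.190.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 101 permit ip 190.190.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 101 permit ip 172.16.21.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 101 permit ip 172.16.21.0 255.255.255.0 172.16.0.0 255.255.0.0
"""

# Only "permit ip <src> <mask> <dst> <mask>" ACEs are handled; anything else
# (host/any keywords, port matches, deny lines) is reported as unsupported.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def _network(addr, mask, wildcard):
    """Build an IPv4Network from an address plus either a wildcard or a subnet mask."""
    if wildcard:
        # IOS wildcard bits: 0 = must match, 1 = don't care. Invert to a netmask
        # explicitly instead of relying on ipaddress' hostmask guessing, which
        # would read a 0.0.0.0 wildcard (a single host) as a /0.
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text, wildcard):
    """Return the set of (src_net, dst_net) pairs a crypto ACL selects for encryption."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line.strip()}")
        src, src_mask, dst, dst_mask = m.groups()
        pairs.add((_network(src, src_mask, wildcard), _network(dst, dst_mask, wildcard)))
    return pairs


def mirror_check(local_pairs, remote_pairs):
    """Compare a local crypto ACL with the remote one, which must be its exact mirror.

    Returns (missing_on_remote, extra_on_remote): proxy identities the remote
    peer would reject in phase 2 because it has no matching ACE, and remote
    ACEs that the local ACL cannot match.
    """
    expected_remote = {(dst, src) for src, dst in local_pairs}
    missing = sorted(expected_remote - remote_pairs, key=str)
    extra = sorted(remote_pairs - expected_remote, key=str)
    return missing, extra


def report(router_text, pix_text):
    """Human-readable summary for the router (wildcard) vs. PIX (netmask) case."""
    missing, extra = mirror_check(
        parse_crypto_acl(router_text, wildcard=True),
        parse_crypto_acl(pix_text, wildcard=False),
    )
    lines = []
    for src, dst in missing:
        lines.append(f"PIX is missing: permit ip {src} {dst}")
    for src, dst in extra:
        lines.append(f"PIX has an ACE the router cannot match: permit ip {src} {dst}")
    return lines or ["crypto ACLs are exact mirrors"]


if __name__ == "__main__":
    print("\n".join(report(ROUTER_ACL_104, PIX_ACL_101)))
```

Run against the real PIX `show access-list 101` output instead of the constructed sample; an empty report is the condition the thread is looking for, while any "PIX is missing" line names a subnet pair whose phase 2 negotiation will fail even when phase 1 is healthy.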

Also, if possible, can you disable IPsec on both devices and check if you are able to ping the peer IP address and the inside network of the remote device from the router (from both the outside interface and the inside interface)?

Thanks,

Radhika
