PIX 515e Site to Site VPN

donald.williams · ‎01-15-2008

I am attempting to set up a site to site VPN with a Checkpoint firewall without much success. My end is a failover pair of PIX 515e firewalls running 6.3(5). Both have a 3DES license. My understanding of failover is the primary has an outside address (nnn.mmm.206.130) and the failover PIX has a different outside address (nnn.mmm.206.136) but assumes the primary address (nnn.mmm.206.130) when it acts as primary. For the VPN peer I would use the primary address nnn.mmm.206.130, correct? After failover the tunnel would come back up on the failover box using the primary address nnn.mmm.206.130 as the peer? Thanks.

Don Williams

ajagadee · ‎01-15-2008

Yes, your understanding is correct. Can you post your configuration along with the outputs of "deb cry is" and "deb cry ipsec". The debugs should point us in some direction to troubleshoot and identify the issue.

Regards,

Arul

donald.williams · ‎01-15-2008

Thank you. I have uploaded the config. The debug produces no output that I can see.

Don Williams

ajagadee · ‎01-15-2008

Thanks! I assume that 10.170.16.0 255.255.252.0, 10.170.20.128 255.255.255.128 and 10.170.21.0 255.255.255.192 know that they need to route the traffic to the pix in order to reach 10.204.128.16 and 89.0.x.x addresses.

Also, is this pix the primary pix. If so, can you do a "clear xlate" and then try bringing up the tunnel and look for debugs.

Regards,

Arul

donald.williams · ‎01-15-2008

Thanks. Yes. All the 10.170 networks are legs of our core router. I have verified the static routes to the 10.200.0.0 and 10.204.0.0, etc. networks. I am telnneting to the "primary" inside address so I assume that I am connected to the device that is currently acting as primary. I have performed a clear xlat and tried to open the tunnel again. Does it matter if the crypto map uses 10 as the identifier and the debug references 1? Deb cry ip 10 gives periodic REAPER statements. Neither 1 nor 10 give the expected IPSEC / ISAKMP debug statements. Perhaps I am not directing them correctly?Thanks.

Don Williams

ajagadee · ‎01-15-2008

Don,

Interesting you are not seeing any debugs. Couple of things I would do.

1. Can you console into the pix and look for debugs.

2. If you telnet to the pix, make sure that you are the only one logged on to the pix. Because crypto debugs can only be logged on to one terminal, so if there is someone else also telnetted or SSHed into the pix, you most likely will not see the debugs.

3. Dont forget to enable term mon to look at debugs.

4. Also, just type in "deb cry is" and "deb crypto ipsec" for debugs.

5. If you still do not see any debugs, can you remove the crypto map from the outside interface and reapply it.

Regards,

Arul

donald.williams · ‎01-16-2008

Thank you for your persistence. I do appreciate it. I removed the crypto map and isakmp statements with clear crypto map and clear isakmp. I then rebuilt the the statements and attempted to debug again. Unfortunately no luck. I'm guessing there is something terribly obvious that I am missing but I can not see what it is. Thanks.

Don Williams

ajagadee · ‎01-16-2008

Don,

What is the source and destination IP Addresses and port that you are using to initiate the tunnel. I hope that you know that you cannot initiate the tunnel from the pix.

Also, make sure that the traffic that you are using to initiate the tunnel falls within one of the ACL Entry configured under the crypto ACL.

Regards,

Arul

donald.williams · ‎01-16-2008

Telnet on port 80 to 10.204.118.35 and

telnet on port 80 to 10.204.118.45 and

both from my workstation which has address 10.170.16.46.

e.g., telnet 10.204.118.35 80

Thanks.

Don Williams