VPN IPSec site-to-site tunnel

Unanswered Question

I recently setup a VPN IPsec tunnel between two PIX devices. I ran into a problem with the remote PIX device when trying to route anything for a 10.x.x.x across the VPN tunnel. Here is the sample config that I was using.

interface Ethernet0

speed 10

duplex full

nameif outside

security-level 0

ip address 213.x.x.1 255.255.255.224

no shut

!

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.43.1.1 255.255.255.0

no shut

!

access-list inside extended permit icmp any any

access-list inside extended permit ip 10.43.1.0 255.255.255.0 any

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0

!

nat-control

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 10.43.1.0 255.255.255.0

access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 216.1.1.30 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map Outside_map 20 match address Outside_cryptomap_20

crypto map Outside_map 20 set peer A.B.C.D

crypto map Outside_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 28800

!

management-access inside

dhcpd address 10.43.1.20-10.43.1.199 inside

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd option 3 ip 10.43.1.1

dhcpd enable inside

!

tunnel-group A.B.C.D type ipsec-l2l

tunnel-group A.B.C.D ipsec-attributes

pre-shared-key test

The only way I could get it to work was to replace the following commands

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0

with specific routes for 10.x.x.x

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.11.0.0 255.255.0.0

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.21.0.0 255.255.0.0

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.51.0.0 255.255.0.0

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.53.0.0 255.255.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.11.0.0 255.255.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.21.0.0 255.255.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.51.0.0 255.255.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.53.0.0 255.255.0.0

Can anyone explain why I couldn't use the permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0 route instead of putting specific routes for 10 dot?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ajagadee Mon, 01/28/2008 - 11:25

One of the reason could be, that the remote side was configured with 4 ACL Entries for the IPSEC Traffic. Keep in mind, the Crypto ACL have to be mirror images of each other for the tunnel to come up and work properly.

Do you have a copy of the remote pix.

Let me know if it helps.

Regards,

Arul

** Please rate if it helps **

Here is the VPN device that the remote side communicates with.

!

PIX Version 7.2(2)

interface Ethernet0

speed 100

duplex full

nameif Outside

security-level 0

ip address 212.1.1.1 255.255.255.0

!

interface Ethernet1

speed 100

duplex full

nameif Inside

security-level 100

ip address 10.11.75.12 255.255.255.0

!

access-list Outside_cryptomap_20 extended permit ip 10.0.0.0 255.0.0.0 10.43.1.0 255.255.255.0

access-list Inside extended permit ip any any

access-list Inside extended permit tcp any any

access-list Inside extended permit udp any any

access-list Inside extended permit icmp any any

access-list Inside extended permit tcp any any eq telnet

access-list Inside extended permit tcp any any eq ssh

access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.43.1.0 255.255.255.0

!

nat (Inside) 0 access-list NONAT

nat (Inside) 0 0.0.0.0 0.0.0.0

access-group Inside in interface Inside

route Outside 213.1.1.1 255.255.255.255 212.1.1.30 1

route Outside 10.43.1.0 255.255.255.0 212.1.1.30 1

route Inside 0.0.0.0 0.0.0.0 10.11.75.1 1

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map Outside_map 20 match address Outside_cryptomap_20

crypto map Outside_map 20 set peer E.F.G.H

crypto map Outside_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

tunnel-group E.F.G.H type ipsec-l2l

tunnel-group E.F.G.H ipsec-attributes

pre-shared-key test

ajagadee Mon, 01/28/2008 - 14:35

I see couple of things, Default Route on the Pix pointing to the inside interface and the ISAKMP Lifetime not matching but that should not affect your tunnel from working with ACL of 10.0.0.0 255.0.0.0.

Is it possible for you to go back to the ACL with single entry, try to bring up the tunnel and post the outputs of:

1. Deb cry is

2. Deb cry ips

3. Sh cry is sa

4. Sh cry ips sa

5. Sh run from the pix after you make the changes

6. Sh route

Regards,

Arul

** Please rate all helpful posts **

Actions

This Discussion