2 VPN Tunnels on a single Pix Firewall

Unanswered Question
Feb 5th, 2008

I currently have a site-to-site VPN tunnel (VPN1) between HK (Pix ver 6.1(2)) & Leeds (ASA version 7.2(2)). I am in the process of migrating the VPN tunnel to a newly deployed 10 Mb internet link in Leeds which has a Pix 506E Ver 7.0(2). I have decided to create a 2nd VPN tunnel to HK (VPN2) and will shut down VPN1 when VPN2 is up.


On the HK PIX I am using the same isakmp policy and transform-set, and have created another crypto map entry for the new VPN (VPN2).


On passing interesting traffic to establish the new tunnel from the Leeds end, I am getting the following debugging errors.


Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!

Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!

Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!

Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!


sh crypto isakmp sa


Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1


1 IKE Peer: 192.168.0.1

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE



Site HK - PIX1(192.168.0.1)

crypto ipsec transform-set chevvie esp-des esp-md5-hmac

(crypto map for existing VPN (VPN1))

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 192.168.0.2

crypto map transam 1 set transform-set chevvie


(new crypto map for new VPN (VPN2))

crypto map transam 2 ipsec-isakmp

crypto map transam 2 match address 101

crypto map transam 2 set peer 192.168.0.3

crypto map transam 2 set transform-set chevvie


crypto map transam interface outside

isakmp enable outside

isakmp key ****** address 192.168.0.2 netmask 255.255.255.255

isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp am-disable

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat


Site - Leeds PIX2 (192.168.0.3)


crypto ipsec transform-set ford esp-des esp-md5-hmac

crypto map VPNHK 2 match address outside_crypto_acl

crypto map VPNHK 2 set peer 192.168.0.1

crypto map VPNHK 2 set transform-set ford

crypto map VPNHK interface outside

isakmp identity address

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp am-disable

tunnel-group 192.168.0.1 type ipsec-l2l

tunnel-group 192.168.0.1 ipsec-attributes

pre-shared-key ev0lut10n

sysopt connection permit-ipsec


Your assistance will be greatly appreciated.


dasgill Wed, 02/06/2008 - 05:08

The preshared key is fine. I have changed it but the error persists.



husycisco Wed, 02/06/2008 - 07:08

Hi Donald


tunnel-group 192.168.0.1 ipsec-attributes

pre-shared-key ev0lut10n


isakmp key ****** address 192.168.0.2 netmask 255.255.255.255


Try changing the PSK in the above lines so that they are the same, and try again.


Regards

dasgill Wed, 02/06/2008 - 09:52
PSK passwords set to the same. No joy. Same error message.



husycisco Wed, 02/06/2008 - 11:13

In this case, I suggest upgrading PIX IOS 6.1(2) to 6.3(5)

Also, your match ACLs for the tunnels to 192.168.0.2 and 192.168.0.3 are the same (101). Use different match ACLs for different tunnels.



pavlosd Tue, 02/19/2008 - 21:49

If I understand correctly, your new VPN tunnel "protects" exactly the same traffic (same access-list). How is your firewall going to know which crypto map entry to follow? I guess if they are the same it will use the map sequence number.


Have you tried adding two crypto map peers under the same crypto map entry and seeing if it works?



crypto ipsec transform-set chevvie esp-des esp-md5-hmac

(crypto map for existing VPN (VPN1))

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 192.168.0.2

crypto map transam 1 set peer 192.168.0.3

crypto map transam 1 set transform-set chevvie
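The behaviour husycisco and pavlosd are pointing at (the original post's two `transam` entries share ACL 101, so the second entry is never selected) can be checked with a small model of how a PIX/ASA walks a crypto map: entries are evaluated in ascending sequence-number order and the first entry whose match ACL permits the packet supplies the peer and transform set. The following is an added example written for this page, not code from Cisco or from the thread; the LAN subnets (10.1.0.0/24 for HK, 10.2.0.0/24 and 10.3.0.0/24 for the two Leeds links) are assumptions, since the post does not show the ACL contents. It models the original map, the "different ACL per tunnel" fix, and the "two peers in one entry" alternative, and includes a shadowed-entry check a practitioner would want before applying a multi-entry map.

```python
"""
Model of PIX/ASA crypto map entry selection (added example, not Cisco code).

Outbound traffic on an interface with a crypto map applied is compared
against the map's entries in ascending sequence-number order; the FIRST
entry whose match ACL permits the packet wins and supplies the peer and
transform set. Later entries with an identical ACL are never reached.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One permit line of a crypto ACL: source network -> destination network."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


@dataclass
class CryptoMapEntry:
    seq: int            # "crypto map transam <seq> ..."
    match_acl: str      # "match address <acl>"
    peers: list         # "set peer ..." in configured order
    transform_set: str  # "set transform-set ..."


# Assumed LANs (the post does not show the ACL 101 contents).
HK_LAN = ipaddress.ip_network("10.1.0.0/24")          # assumed
LEEDS_LAN = ipaddress.ip_network("10.2.0.0/24")       # assumed, behind 192.168.0.2
LEEDS_NEW_LAN = ipaddress.ip_network("10.3.0.0/24")   # assumed, behind 192.168.0.3


def select_entry(crypto_map, acls, src_ip, dst_ip):
    """Return the first entry (by seq) whose ACL permits src->dst, else None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if any(ace.matches(src, dst) for ace in acls[entry.match_acl]):
            return entry
    return None


def shadowed_entries(crypto_map, acls):
    """Entries whose ACL is identical to an earlier entry's ACL: unreachable.

    Returns a list of (shadowed_seq, shadowing_seq) pairs.
    """
    seen = {}
    shadowed = []
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        key = tuple(acls[entry.match_acl])
        if key in seen:
            shadowed.append((entry.seq, seen[key]))
        else:
            seen[key] = entry.seq
    return shadowed


def choose_peer(entry, reachable):
    """Multiple peers in one entry are tried in configured order; first responsive wins."""
    for peer in entry.peers:
        if peer in reachable:
            return peer
    return None


def build_original_map():
    """HK config as posted: two entries, same ACL 101, different peers."""
    acls = {"101": [Ace(HK_LAN, LEEDS_LAN)]}
    cmap = [
        CryptoMapEntry(1, "101", ["192.168.0.2"], "chevvie"),
        CryptoMapEntry(2, "101", ["192.168.0.3"], "chevvie"),
    ]
    return cmap, acls


def build_split_acl_map():
    """husycisco's suggestion: a distinct match ACL per tunnel (ACL 102 is assumed)."""
    acls = {
        "101": [Ace(HK_LAN, LEEDS_LAN)],
        "102": [Ace(HK_LAN, LEEDS_NEW_LAN)],
    }
    cmap = [
        CryptoMapEntry(1, "101", ["192.168.0.2"], "chevvie"),
        CryptoMapEntry(2, "102", ["192.168.0.3"], "chevvie"),
    ]
    return cmap, acls


def build_multi_peer_map():
    """pavlosd's suggestion: one entry, both peers listed in order."""
    acls = {"101": [Ace(HK_LAN, LEEDS_LAN)]}
    cmap = [CryptoMapEntry(1, "101", ["192.168.0.2", "192.168.0.3"], "chevvie")]
    return cmap, acls


if __name__ == "__main__":
    cmap, acls = build_original_map()
    hit = select_entry(cmap, acls, "10.1.0.5", "10.2.0.7")
    print("original map: seq", hit.seq, "peer", hit.peers, "shadowed", shadowed_entries(cmap, acls))
    cmap, acls = build_split_acl_map()
    print("split ACLs: to 10.3.0.7 -> seq", select_entry(cmap, acls, "10.1.0.5", "10.3.0.7").seq)
```

With the map as posted, every packet matching ACL 101 selects sequence 1 and peer 192.168.0.2; sequence 2 is reported as shadowed and the tunnel to 192.168.0.3 is never built from the HK side. Giving each entry its own ACL makes the second entry reachable for its own subnet, while listing both peers under one entry makes the second peer a fallback rather than a parallel tunnel.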


