03-20-2008 08:16 AM
We are trying to configure an 851 to work with a Firebox and are not able to bring the tunnel up.
We don't have access to the firebox, but the vendor gave us the following information to configure our 851:
___________________________________
Phase 1, Main Mode, falls back to Aggressive
3DES/SHA1, DH Group 1, SA Life 8 hours.
Phase 2, ESP, 3DES, SHA1, NO PFS
local LAN (192.168.27.0/24)
We're passing ALL traffic between the two networks (all TCP/UDP).
YOUR SIDE - CISCO
LAN 10.10.10.0/24
___________________________________
When I go through the VPN setup wizard on my router I get the following for "Generate Mirror config"
*******************************
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 1
lifetime 28800
exit
crypto isakmp key (preshare key) address (public ip address of my 851)
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_1
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 192.168.27.0 0.0.0.255 10.10.10.0 0.0.0.255
exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address (public ip address of the remote firewall) that connects to this router.
set transform-set ESP-3DES-SHA
set peer (public ip address of my 851)
match address SDM_1
exit
******************************************************************
I am attaching the 851 config.
The only issue which might impact this is that I can't ping the private side of the Firebox interface, but I didn't think that would cause the tunnel not to come up.
I have also set this same config up locally using an 871 as the remote and a 3825 as the central interface, working fine.
Thanks,
03-20-2008 01:03 PM
Can you post the outputs of "deb cry is" and "deb cry ips" when you try to bring up the tunnel?
Regards,
Arul
03-20-2008 01:48 PM
I have included the attachment.
55.55.55.55 is the side with the 851.
77.77.77.77 is the side with the firebox.
This debug was captured while I was doing the test tunnel interface in SDM.
The SDM message showed
Failure Reason
The peer 55.55.55.55 is responding but the VPN tunnel is not established. IPSec policies of this router are not matching with the IPSec policies of the peer device.
Recommended Action
If the IPSec policy parameters of the peer device is known then go to 'Configure->VPN->VPN Components->IPSec->IPSec Policies', select this IPSec policy, click on 'Edit' and ensure that policy parameters are correct. 2) Generate the mirror configuration from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer device's IPSec policy.
Failure Reason:
03-20-2008 07:53 PM
Based on the debugs, there are a couple of things I would check on the remote site:
1. Transform set
2. IPSEC ACLs
Also, make sure that your routing is configured correctly. Meaning, there is a 130.177.117.56 address as local and your default gateway is pointing to 208.180.11.1.
Regards,
Arul
** Please rate all helpful posts **
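The two things this reply says to check (transform set and IPsec ACLs) plus the Phase 1 parameters the vendor quoted in the first post are exactly what SDM's "IPSec policies ... are not matching" message is about. As an added example that is not code from this thread or from Cisco, the script below parses a Cisco IOS-style fragment (isakmp policy, transform-set, extended ACL, crypto map) and compares it against the Firebox parameters stated by the vendor. Both configs in it are constructed samples based on the values quoted above; the Cisco sample deliberately carries a wrong DH group and a non-mirrored crypto ACL so the report has something to flag. The parser only understands the handful of lines shown and assumes the `network wildcard` form of the ACL.

```python
"""Compare one IPsec peer's proposal and crypto ACL against the other side's.

Added example, not from the thread. The configs are constructed samples
patterned on the values the vendor quoted (3DES/SHA1, DH group 1,
28800 s, ESP 3DES/SHA1, no PFS, 192.168.27.0/24 <-> 10.10.10.0/24).
"""
import ipaddress

# Constructed: what the vendor said the Firebox side uses.
FIREBOX = {
    "encr": "3des", "hash": "sha", "group": "1", "lifetime": "28800",
    "esp": {"esp-3des", "esp-sha-hmac"}, "pfs": None,
    "local": "192.168.27.0/24", "remote": "10.10.10.0/24",
}

# Constructed Cisco-side fragment with two deliberate faults: DH group 2
# instead of 1, and a crypto ACL that is not the mirror of the peer's.
CISCO_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 28800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
ip access-list extended SDM_1
 remark IPSec Rule
 permit ip 192.168.27.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 match address SDM_1
"""


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'network wildcard' pair into a CIDR network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_cisco(config):
    """Extract Phase 1 settings, ESP transforms, PFS and crypto ACL entries."""
    p1, esp, acl, pfs = {}, set(), [], None
    section = None
    for line in config.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            section = "p1"
        elif line.startswith("crypto ipsec transform-set"):
            section = None
            esp = set(line.split()[4:])  # transforms follow the set name
        elif line.startswith("ip access-list extended"):
            section = "acl"
        elif line.startswith("crypto map"):
            section = "map"
        elif section == "p1":
            key, _, value = line.partition(" ")
            p1[key] = value
        elif section == "acl" and line.startswith("permit ip"):
            _, _, src, swc, dst, dwc = line.split()
            acl.append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
        elif section == "map" and line.startswith("set pfs"):
            pfs = line.split()[2]
    return {"p1": p1, "esp": esp, "acl": acl, "pfs": pfs}


def compare(cisco, peer):
    """Return human-readable mismatches; an empty list means the proposals agree."""
    problems = []
    for key in ("encr", "hash", "group", "lifetime"):
        if cisco["p1"].get(key) != peer[key]:
            problems.append(f"phase1 {key}: local={cisco['p1'].get(key)} peer={peer[key]}")
    if cisco["esp"] != peer["esp"]:
        problems.append(f"phase2 transforms: local={sorted(cisco['esp'])} peer={sorted(peer['esp'])}")
    if cisco["pfs"] != peer["pfs"]:
        problems.append(f"pfs: local={cisco['pfs']} peer={peer['pfs']}")
    # The crypto ACL must be the exact mirror of the peer's: our source is
    # their destination and our destination is their source.
    expected = (ipaddress.ip_network(peer["remote"]), ipaddress.ip_network(peer["local"]))
    if expected not in cisco["acl"]:
        have = ", ".join(f"{s} -> {d}" for s, d in cisco["acl"]) or "(none)"
        problems.append(f"crypto ACL: expected permit {expected[0]} -> {expected[1]}, have {have}")
    return problems


if __name__ == "__main__":
    for problem in compare(parse_cisco(CISCO_CONFIG), FIREBOX) or ["no mismatches"]:
        print(problem)
```

Run it as-is and it reports the DH group and the reversed ACL; swap `group 2` for `group 1` and reverse the `permit ip` line and it reports nothing. The point of mirroring the ACL is that each side's "interesting traffic" selector must be the inverse of the other's; a selector copied verbatim from the peer's mirror output onto the wrong box is one of the quickest ways to get Phase 1 up and Phase 2 refused.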
03-20-2008 10:11 PM
Okay I had not noticed that address and have no idea where it would be coming from.
10.10.10.x is my remote LAN and 192.168.27.x is my central LAN. It is not one of my public networks either. Maybe coming from the firebox?
----------------------------------------
If I did need to put a route statement for this network, wouldn't I need to add it to the access list and not make an actual route statement? Please correct me if I'm wrong.
Thanks,