Site-to-Site VPN with MS CA

May 1st, 2008

Hi,


I am trying to configure a site-to-site VPN tunnel between PIX and 2811 router. The authentication is thru MS CA where both the PIX and the router have already got their certificates.


However, the vpn tunnel is not establishing and I get the following debug error on the PIX FW:


May 01 14:27:43 [IKEv1]: Error: Unable to remove PeerTblEntry

May 01 14:27:45 [IKEv1]: Removing peer from peer table failed, no match!


Please find attached both my PIX and router configs.


Any idea on what the problem could be related to?


R/ Haitham



kwillacey Fri, 05/02/2008 - 11:53

It seems to me that you have not specified that it is a site to site VPN, the tunnel group that you have specifies only remote access. It also does not seem there is a problem with the certificates based on the error.


Try adding the following:


tunnel-group 10.1.1.254 type ipsec-l2l
tunnel-group 10.1.1.254 ipsec-attributes
 pre-shared-key *


**Also, the isakmp policy on the router has no encryption, whereas the PIX has des; that could also cause a problem.**

haithamnofal Fri, 05/02/2008 - 14:44

Hi,


Thanks for your reply... I applied what you suggested but I am still having the same problem.


Please find attached the debug output as well as the updated PIX & Router configs.


R/ Haitham



kwillacey Mon, 05/05/2008 - 06:01

Your phase 1 attributes still don't match.


The router has:


crypto isakmp policy 20
 encr 3des
 hash md5
 group 2


The PIX has:


crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash md5
 group 5
 lifetime 86400


Don't worry about the lifetime (86400) and the authentication (rsa-sig) on the router; that is the default. The encryption and the DH group have to be the same on both devices, so you need to go with group 2 or 5 on both and des or 3des on both. It doesn't seem to be getting past phase 1, but if you fix this it should.
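The two checks kwillacey walks through in this thread (is the PIX tunnel-group for the peer of type ipsec-l2l, and do the router's and the PIX's ISAKMP phase 1 policies agree on encryption, hash, authentication and DH group once platform defaults are filled in) are mechanical enough to script. The following is an added example and not code from the thread or from Cisco: the two sample configs are constructed from the policy lines quoted above (the peer address 10.1.1.254 is taken from the suggested tunnel-group commands), and the platform defaults for attributes a policy leaves unset are an assumption drawn from the IOS and PIX/ASA 7.x documentation (the thread itself confirms rsa-sig and 86400 as IOS defaults).

```python
"""Diagnose an IKEv1 phase 1 mismatch between an IOS router and a PIX.

Added example; sample configs are constructed from the policies quoted in
the thread, not the posters' actual attachments.
"""
import re

# Attributes a policy must state explicitly or inherit from platform defaults.
# ASSUMPTION: defaults per platform documentation (IOS: des/sha/rsa-sig/group 1;
# PIX/ASA 7.x: 3des/sha/pre-share/group 2); both use a 86400 s lifetime.
DEFAULTS = {
    "ios": {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"},
    "pix": {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
            "group": "2", "lifetime": "86400"},
}

# The four attributes that must be identical for an IKEv1 proposal to match.
# Lifetime is deliberately excluded: the shorter of the two values is used.
MUST_MATCH = ("encryption", "hash", "authentication", "group")

# Constructed sample configs, taken from the policy lines quoted in the thread.
ROUTER_CFG = """\
crypto isakmp policy 20
 encr 3des
 hash md5
 group 2
"""

PIX_CFG = """\
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash md5
 group 5
 lifetime 86400
tunnel-group 10.1.1.254 type ipsec-l2l
tunnel-group 10.1.1.254 ipsec-attributes
"""


def parse_isakmp_policies(cfg, platform):
    """Return {priority: {attribute: value}} with platform defaults filled in."""
    policies = {}
    current = None
    for line in cfg.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(DEFAULTS[platform])
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the policy block
            continue
        kw, _, val = line.strip().partition(" ")
        if kw in ("encr", "encryption"):  # IOS abbreviates the keyword
            policies[current]["encryption"] = val
        elif kw in ("hash", "authentication", "group", "lifetime"):
            policies[current][kw] = val
    return policies


def l2l_tunnel_group(cfg, peer):
    """Return the tunnel-group type configured for the peer address, or None."""
    m = re.search(rf"^tunnel-group {re.escape(peer)} type (\S+)", cfg, re.M)
    return m.group(1) if m else None


def find_phase1_match(initiator, responder):
    """Walk both policy lists in priority order like an IKEv1 responder would.

    Returns (initiator_prio, responder_prio, mismatched_attrs); the list is
    empty on the first exact match, otherwise it names the closest pair.
    """
    best = None
    for ip, ipol in sorted(initiator.items()):
        for rp, rpol in sorted(responder.items()):
            diffs = [a for a in MUST_MATCH if ipol[a] != rpol[a]]
            if not diffs:
                return ip, rp, []
            if best is None or len(diffs) < len(best[2]):
                best = (ip, rp, diffs)
    return best


def diagnose(router_cfg, pix_cfg, peer):
    """Return a list of human-readable problems; empty means phase 1 should agree."""
    router = parse_isakmp_policies(router_cfg, "ios")
    pix = parse_isakmp_policies(pix_cfg, "pix")
    problems = []
    tg = l2l_tunnel_group(pix_cfg, peer)
    if tg != "ipsec-l2l":
        problems.append(f"PIX tunnel-group for {peer} is {tg!r}, expected 'ipsec-l2l'")
    if not router or not pix:
        problems.append("one side has no crypto isakmp policy at all")
        return problems
    ip, rp, diffs = find_phase1_match(router, pix)
    for attr in diffs:
        problems.append(f"phase 1 mismatch: router policy {ip} {attr}="
                        f"{router[ip][attr]} vs PIX policy {rp} {attr}={pix[rp][attr]}")
    return problems


if __name__ == "__main__":
    for p in diagnose(ROUTER_CFG, PIX_CFG, "10.1.1.254"):
        print(p)
```

Run against the quoted policies it reports the two disagreements from the thread (encryption 3des vs des, group 2 vs 5) and nothing about the tunnel-group; aligning the PIX policy to 3des and group 2 (or the router to des and group 5) makes the list empty. Because the router inherits rsa-sig as its default authentication method, that attribute is not flagged, which matches the advice above.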



