Site-to-Site VPN with MS CA

haithamnofal · ‎05-01-2008

Hi,

I am trying to configure a site-to-site VPN tunnel between PIX and 2811 router. The authentication is thru MS CA where both the PIX and the router have already got their certificates.

However, the vpn tunnel is not establishing and I get the following debug error on the PIX FW:

May 01 14:27:43 [IKEv1]: Error: Unable to remove PeerTblEntry

May 01 14:27:45 [IKEv1]: Removing peer from peer table failed, no match!

Please find attached both my PIX and router configs.

Any idea on what could the problme be related to?

R/ Haitham

kwillacey · ‎05-02-2008

It seems to me that you have not specified that it is a site to site VPN, the tunnel group that you have specifies only remote access. It also does not seem there is a problem with the certificates based on the error.

Try adding the following:

tunnel-group 10.1.1.254 type ipsec-l2l

tunnel-group 10.1.1.254 ipsec-attributes

pre-shared-key *

**Also the isakmp policy on the touter has no encryption where as the PIX has des, that could also cause a problem.**

haithamnofal · ‎05-02-2008

Hi,

Thanks for your reply... I applied what you suggested but I am still having the same problem.

Please find attached the debug output as well as the updated PIX & Router configs.

R/ Haitham

kwillacey · ‎05-05-2008

Your phase 1 attributes still dont match.

The router has:

crypto isakmp policy 20

encr 3des

hash md5

group 2

The PIX has:

crypto isakmp policy 10

authentication rsa-sig

encryption des

hash md5

group 5

lifetime 86400

Dont worry about the lifetime (86400) and the authentication (rsa-sig) on the router that is the default. The encryption and the dh group has to be the same on both devices, so you need to go with group 2 or 5 on both and des or 3des on both. It doesnt seem to be getting pass phase 1 but if you fix this it should.