Farrukh Haroon Mon, 06/09/2008 - 06:05
User Badges:
  • Red, 2250 points or more

Can you be more specific as to exactly what is not working?


If possible provide the following from both:

show crypto isakmp sa

show crypto ipsec sa


Also debug outputs:

debug crypto isakmp

debug crypto ipsec


Regards


Farrukh

Carsten Radke Mon, 06/09/2008 - 07:40

Hi Farrukh,


Here are the outputs:


router#sh crypto isa sa
dst src state conn-id slot status

router#sh crypto ipsec sa

interface: Dialer0
Crypto map tag: vpnmap, local addr 9.23.111.155

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.7.10/255.255.255.255/0/0)
current_peer 8.24.131.96 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 9.23.111.155, remote crypto endpt.: 8.24.131.96
path mtu 1452, ip mtu 1452
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Virtual-Access1
Crypto map tag: vpnmap, local addr 9.23.111.155

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.7.10/255.255.255.255/0/0)
current_peer 8.24.131.96 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 9.23.111.155, remote crypto endpt.: 8.24.131.96
path mtu 1452, ip mtu 1452
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

____________________________________________

Firewall# sh crypto ipsec trans
Transform set myset: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },

Firewall# sh crypto isakmp
isakmp enable outside
isakmp key ******** address 9.23.111.155 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Firewall# sh crypto isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
Firewall#


Carsten

singhsaju Mon, 06/09/2008 - 06:40
User Badges:
  • Silver, 250 points or more

In the router config as follows:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
lifetime 1000

What is the group value? It should be 1, matching the PIX isakmp policy.

Carsten Radke Mon, 06/09/2008 - 06:59

The group is 1:


836 router#sh crypto isakmp pol

Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 1000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
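The phase 1 check that singhsaju asked for by hand (does some router policy line up with some PIX policy?) can be automated. The following is an added example written for this page, not code from the thread or from Cisco: it parses the PIX `show crypto isakmp` policy lines and the verbose IOS `show crypto isakmp policy` output above into one normalized form and then looks for a matching pair in priority order. It assumes the documented IKEv1 rule that encryption, hash, authentication method and DH group must be identical while the lifetime is negotiated (the responder accepts an initiator lifetime that does not exceed its own, and the shorter value is used), and it records the IOS default suite under priority 65535 because IOS tries it last. The sample outputs embedded below are copied from the posts in this thread.

```python
"""Normalize ISAKMP policies from PIX and IOS show output and find a phase 1 match.
Added example for this page; not from the thread or from Cisco."""
import re

# Verbose IOS wording mapped to the short keywords the PIX configuration uses.
_IOS_VALUES = {
    "Three key triple DES": "3des",
    "DES - Data Encryption Standard (56 bit keys).": "des",
    "Message Digest 5": "md5",
    "Secure Hash Standard": "sha",
    "Pre-Shared Key": "pre-share",
    "Rivest-Shamir-Adleman Signature": "rsa-sig",
}
_IOS_ATTRS = {
    "encryption algorithm": "encryption",
    "hash algorithm": "hash",
    "authentication method": "authentication",
}
_MUST_MATCH = ("encryption", "hash", "authentication", "group")


def parse_pix_isakmp(lines):
    """'isakmp policy <prio> <attr> <value>' lines -> {prio: {attr: value}}.
    Other 'isakmp ...' lines (enable, key, nat-traversal) are ignored."""
    policies = {}
    for line in lines:
        t = line.split()
        if len(t) == 5 and t[:2] == ["isakmp", "policy"]:
            value = int(t[4]) if t[3] in ("group", "lifetime") else t[4]
            policies.setdefault(int(t[2]), {})[t[3]] = value
    return policies


def parse_ios_isakmp_policy(lines):
    """Verbose 'show crypto isakmp policy' output -> {prio: {attr: value}}.
    The default suite is stored under 65535 (assumed: IOS evaluates it last)."""
    policies, cur = {}, None
    for raw in lines:
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), {})
            continue
        if line.startswith("Default protection suite"):
            cur = policies.setdefault(65535, {})
            continue
        if cur is None or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key in _IOS_ATTRS:
            cur[_IOS_ATTRS[key]] = _IOS_VALUES[value]
        elif key == "Diffie-Hellman group":
            cur["group"] = int(re.match(r"#(\d+)", value).group(1))
        elif key == "lifetime":
            cur["lifetime"] = int(value.split()[0])
    return policies


def find_phase1_match(initiator, responder):
    """Try policies in priority order on both sides and return
    (initiator_prio, responder_prio, negotiated_lifetime) for the first pair whose
    four fixed attributes agree and whose initiator lifetime does not exceed the
    responder's; None when no pair matches (phase 1 would fail)."""
    for ip in sorted(initiator):
        for rp in sorted(responder):
            a, b = initiator[ip], responder[rp]
            if all(a.get(k) == b.get(k) for k in _MUST_MATCH) and a["lifetime"] <= b["lifetime"]:
                return ip, rp, a["lifetime"]
    return None


# Show output as posted in the thread (PIX side).
PIX_SHOW_ISAKMP = """isakmp enable outside
isakmp key ******** address 9.23.111.155 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400""".splitlines()

# Show output as posted in the thread (router side).
IOS_SHOW_ISAKMP_POLICY = """Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 1000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit""".splitlines()

if __name__ == "__main__":
    pix = parse_pix_isakmp(PIX_SHOW_ISAKMP)
    ios = parse_ios_isakmp_policy(IOS_SHOW_ISAKMP_POLICY)
    print("router initiates:", find_phase1_match(ios, pix))
    print("PIX initiates:   ", find_phase1_match(pix, ios))
```

Running it with the thread's outputs reports policy 10 on both sides as the match, which is why the empty `show crypto isakmp sa` points at something other than a phase 1 proposal mismatch. Changing the router's group to 2 in the parsed data makes the function return None, which is the failure singhsaju was checking for.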

Farrukh Haroon Mon, 06/09/2008 - 08:48
User Badges:
  • Red, 2250 points or more

Hello


Thank you for providing the show output. But assuming you captured these commands after generating interesting traffic, it seems nothing is happening. Please check your crypto ACLs and then generate some interesting traffic for VPN. Then attach the debug output requested earlier.


debug outputs:

debug crypto isakmp

debug crypto ipsec

debug crypto engine


Thanks


Farrukh

Carsten Radke Mon, 06/09/2008 - 09:41

Here is an output from the PIX:

IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created


Carsten

Farrukh Haroon Mon, 06/09/2008 - 11:01
User Badges:
  • Red, 2250 points or more

Firstly, on the router, you have this ACL:

access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255

Change this to:

access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit ip 192.168.8.0 0.0.0.255 any

Else the VPN traffic will never match line three (it will always match the second line) and therefore will not be exempted from NAT.

Secondly, what are you using to 'generate' interesting traffic for the VPN? From your ACL applied to the inside interface on the Firewall, it seems only UDP and TCP traffic is allowed. I hope you are not testing using ICMP?


Regards


Farrukh
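To make the ordering point above concrete, here is an added example (written for this page, not code from the thread or from Cisco): a first-match evaluator for Cisco extended ACLs that replays both versions of access-list 102 against a few flows and also flags any entry that can never match because an earlier entry already covers it. It goes a little beyond the thread by accepting the `host` and `any` address forms as well as address/wildcard pairs. The reading that a `permit` match means the packet is translated and a `deny` (explicit or the implicit one at the end) means it is exempt from NAT is taken from the post; the hosts 192.168.8.20, 10.10.10.5 and 198.51.100.7 are constructed sample flows.

```python
"""First-match evaluator for Cisco extended ACLs, used to show why the order of the
NAT-exemption ACL in the thread matters. Added example; not from the thread or Cisco."""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr_spec(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns ((base, wildcard) as 32-bit ints, index of the next token)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_to_int(tokens[i + 1]), 0), i + 2
    return (_to_int(tokens[i]), _to_int(tokens[i + 1])), i + 2


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' lines (the only form used in
    the thread) into (action, src_spec, dst_spec) tuples in evaluation order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_addr_spec(t, 4)
        dst, _ = _parse_addr_spec(t, i)
        entries.append((t[2], src, dst))
    return entries


def _match(addr, spec):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    base, wc = spec
    care = ~wc & 0xFFFFFFFF
    return addr & care == base & care


def evaluate(entries, src_ip, dst_ip):
    """Return (action, 1-based line number) of the first matching ACE, or ('deny', None)
    when the packet falls through to the implicit deny at the end of the list."""
    s, d = _to_int(src_ip), _to_int(dst_ip)
    for n, (action, src, dst) in enumerate(entries, 1):
        if _match(s, src) and _match(d, dst):
            return action, n
    return "deny", None


def nat_applied(entries, src_ip, dst_ip):
    """NAT-ACL reading from the thread (assumed): a permit match means the packet is
    translated; a deny, explicit or implicit, means it stays untranslated for the VPN."""
    return evaluate(entries, src_ip, dst_ip)[0] == "permit"


def _covers(outer, inner):
    """True if address spec `outer` matches every address that `inner` matches."""
    ob, ow = outer
    ib, iw = inner
    care = ~ow & 0xFFFFFFFF
    return (ow | iw) == ow and ib & care == ob & care


def shadowed_lines(entries):
    """1-based numbers of ACEs that can never match because an earlier ACE covers both
    their source and destination; a non-empty result is the ordering bug in the thread."""
    result = []
    for n, (_, src, dst) in enumerate(entries, 1):
        if any(_covers(es, src) and _covers(ed, dst) for _, es, ed in entries[:n - 1]):
            result.append(n)
    return result


# The two ACL versions from the post, as written.
ORIGINAL_ACL = [
    "access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255",
    "access-list 102 permit ip 192.168.8.0 0.0.0.255 any",
    "access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255",
]
CORRECTED_ACL = [
    "access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255",
    "access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255",
    "access-list 102 permit ip 192.168.8.0 0.0.0.255 any",
]

if __name__ == "__main__":
    # Constructed sample flows: inside host to the VPN peer's host (the remote ident in
    # the crypto ACL), to the other excluded subnet, and to an Internet address.
    flows = [("192.168.8.20", "192.168.7.10"), ("192.168.8.20", "10.10.10.5"),
             ("192.168.8.20", "198.51.100.7")]
    for name, lines in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        acl = parse_acl(lines)
        print(f"{name}: shadowed lines = {shadowed_lines(acl)}")
        for s, d in flows:
            action, n = evaluate(acl, s, d)
            print(f"  {s} -> {d}: line {n} {action}, NAT applied = {nat_applied(acl, s, d)}")
```

With the original list the VPN flow hits line 2 and is translated, and `shadowed_lines` reports line 3 as dead; with the corrected list the same flow hits line 2 (now the deny), Internet-bound traffic still reaches the permit on line 3, and nothing is shadowed. The shadow check is worth running on any NAT or crypto ACL after an edit, since the router accepts an unreachable line without complaint.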



Farrukh Haroon Tue, 06/10/2008 - 11:55
User Badges:
  • Red, 2250 points or more

Hello, did you manage to get this working?
