Can't get site-to-site VPN working

Answered Question
Sep 3rd, 2008

Hi. I'm trying to get a site-to-site VPN to work between a Pix 515 (running 7.2) and a Cisco 1801 integrated services router (configs attached). Basically the tunnel will not come up. The 1801 was not configured by myself and I'm unfamiliar with its functions, though I have remote access to it.

1801 network is - WAN 86.47.179.237/30, LAN 128.70.0.0/24.

Pix n/w is - WAN - 194.159.238.98, LAN - 10.10.29.0/24.

I suspect a config issue on the 1801 as I've configured the Pix many times before without issue.

If it helps, the only syslog messages I can find relating to the 1801 are

2008-09-03 09:38:42	Local4.Info	10.10.29.1	%PIX-6-302020: Built ICMP connection for faddr 86.47.179.237/0 gaddr 194.159.238.98/0 laddr 194.159.238.98/0

2008-09-03 09:38:42	Local4.Info	10.10.29.1	%PIX-6-302021: Teardown ICMP connection for faddr 86.47.179.237/0 gaddr 194.159.238.98/0 laddr 194.159.238.98/0

Any help would be greatly appreciated.

Rex

Correct Answer by jpoplawski, Thu, 09/04/2008 - 06:04

On the PIX remove the PFS statement:

no crypto map crypto_mdc_outside 100 set pfs

On the Router remove the PFS statement:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 no set pfs group2

write mem, reload both and see if that prevails.

Check some debugs:

PIX
debug crypto isakmp 255
show crypto isakmp sa
debug crypto ipsec 255
show crypto ipsec sa

RTR
debug crypto isakmp
show crypto isakmp sa
debug crypto ipsec
show crypto ipsec sa

Also a helpful guide I've used previously would be http://cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#pfs

That covers the pfs reference mentioned earlier as well.

HTH,

JB
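The answer above boils down to making phase 2 identical on both ends and then reading the debugs. Since the thread posts both configs, the parameters can also be checked mechanically before touching either box. The script below is an added example, not code from the thread or from Cisco: it parses the PIX crypto map entry (seq 100) and the router's SDM_CMAP_1 entry (seq 1) from excerpts copied out of the posted configs, then compares transform-set algorithms, PFS group and whether the crypto ACLs mirror each other. It assumes that a bare `set pfs` on PIX 7.x means group2 (stated in the code as an assumption). On the thread's excerpts the visible phase-2 parameters line up, so the check returns nothing, which is exactly the situation in which the debug output is the next place to look; the two constructed variants at the bottom show what a real mismatch reports.

```python
"""Cross-check the phase-2 parameters of a PIX crypto map entry against the
peer IOS router's crypto map: transform set, PFS group and mirrored crypto ACLs.
Added example, not code from the thread; the excerpts below are copied from
the configs posted in the thread, trimmed to the lines this check reads."""
import ipaddress

PIX_DEFAULT_PFS = "group2"  # assumption: bare "set pfs" on PIX 7.x means group2

PIX_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map crypto_mdc_outside 100 match address outside_100_cryptomap
crypto map crypto_mdc_outside 100 set pfs
crypto map crypto_mdc_outside 100 set peer 86.47.179.237
crypto map crypto_mdc_outside 100 set transform-set ESP-3DES-SHA
access-list outside_100_cryptomap extended permit ip 10.10.29.0 255.255.255.0 128.70.0.0 255.255.255.0
"""

IOS_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.159.238.98
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 103
access-list 103 remark IPSec Rule
access-list 103 permit ip 128.70.0.0 0.0.0.255 10.10.29.0 0.0.0.255
"""


def _net(addr, mask):
    # ipaddress accepts a netmask (PIX style) as well as a wildcard mask (IOS style).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _transform_sets(lines):
    """transform-set name -> frozenset of its algorithms."""
    return {w[3]: frozenset(w[4:]) for w in map(str.split, lines)
            if w[:3] == ["crypto", "ipsec", "transform-set"]}


def _acl_pairs(lines, acl_name):
    """(src_net, dst_net) of every permit entry in the named crypto ACL."""
    pairs = []
    for w in map(str.split, lines):
        if w[:2] == ["access-list", acl_name] and "permit" in w[2:4]:
            i = w.index("permit") + 2  # skip "permit ip"
            pairs.append((_net(w[i], w[i + 1]), _net(w[i + 2], w[i + 3])))
    return pairs


def _apply(entry, words, tsets):
    """Record one map sub-command (same keywords on PIX and IOS) into entry."""
    if words[:2] == ["match", "address"]:
        entry["acl_name"] = words[2]
    elif words[:2] == ["set", "pfs"]:
        entry["pfs"] = words[2] if len(words) > 2 else PIX_DEFAULT_PFS
    elif words[:2] == ["set", "transform-set"]:
        entry["transform"] = tsets.get(words[2])


def parse_pix(cfg, map_name, seq):
    """PIX syntax: every attribute is a full 'crypto map NAME SEQ ...' line."""
    lines, entry = cfg.splitlines(), dict(pfs=None, transform=None, acl_name=None)
    tsets = _transform_sets(lines)
    for w in map(str.split, lines):
        if w[:4] == ["crypto", "map", map_name, str(seq)]:
            _apply(entry, w[4:], tsets)
    entry["acl"] = _acl_pairs(lines, entry["acl_name"])
    return entry


def parse_ios(cfg, map_name, seq):
    """IOS syntax: attributes are indented sub-commands under the map header."""
    lines, entry = cfg.splitlines(), dict(pfs=None, transform=None, acl_name=None)
    tsets, inside = _transform_sets(lines), False
    for line in lines:
        w = line.split()
        if not w or not line[0].isspace():  # any top-level or blank line ends the block
            inside = w[:4] == ["crypto", "map", map_name, str(seq)]
        elif inside:
            _apply(entry, w, tsets)
    entry["acl"] = _acl_pairs(lines, entry["acl_name"])
    return entry


def compare(local, remote):
    """Phase-2 mismatches between the two ends; an empty list means consistent."""
    findings = []
    if local["transform"] != remote["transform"]:
        findings.append(f"transform-set mismatch: {sorted(local['transform'] or ())} "
                        f"vs {sorted(remote['transform'] or ())}")
    if local["pfs"] != remote["pfs"]:
        findings.append(f"PFS mismatch: {local['pfs']} vs {remote['pfs']}")
    # Every crypto ACL entry must exist on the peer with source and destination swapped.
    for side, a, b in (("local", local, remote), ("remote", remote, local)):
        for src, dst in a["acl"]:
            if (dst, src) not in b["acl"]:
                findings.append(f"{side} crypto ACL entry {src} -> {dst} is not mirrored on the peer")
    return findings


def check(pix_cfg, ios_cfg):
    return compare(parse_pix(pix_cfg, "crypto_mdc_outside", 100),
                   parse_ios(ios_cfg, "SDM_CMAP_1", 1))


if __name__ == "__main__":
    print("thread configs:", check(PIX_CFG, IOS_CFG) or "consistent")
    # Constructed variants, to show the kind of finding a real mismatch produces.
    print("router on group5:", check(PIX_CFG, IOS_CFG.replace("pfs group2", "pfs group5")))
    print("ACL not mirrored:", check(PIX_CFG, IOS_CFG.replace("10.10.29.0 0.0.0.255", "10.10.30.0 0.0.0.255")))
```

The check deliberately covers phase 2 only (the part the answer's `set pfs` change touches); phase-1 policy matching, pre-shared keys per tunnel-group and NAT exemption are separate checks and are what `debug crypto isakmp` will surface if they are wrong.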

grant.maynard Wed, 09/03/2008 - 03:14

A Tomcat error is preventing me from downloading the configs. Could you post the following parts:

isakmp ...

ipsec ....

crypto ...

plus any vpn ACLs

Rex Biesty Wed, 09/03/2008 - 05:25

Thanks for the reply. Config from the Pix is

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cryptod_mdc_outside 5 set transform-set ESP-3DES-MD5
crypto map crypto_mdc_outside 20 match address outside_20_cryptomap
crypto map crypto_mdc_outside 20 set peer Metalogic_Warwick_Public
crypto map crypto_mdc_outside 20 set transform-set ESP-3DES-MD5
crypto map crypto_mdc_outside 20 set security-association lifetime seconds 86400
crypto map crypto_mdc_outside 40 match address outside_40_cryptomap
crypto map crypto_mdc_outside 40 set peer 217.155.130.97
crypto map crypto_mdc_outside 40 set transform-set ESP-3DES-MD5
crypto map crypto_mdc_outside 60 match address outside_60_cryptomap
crypto map crypto_mdc_outside 60 set pfs
crypto map crypto_mdc_outside 60 set peer 81.144.184.37
crypto map crypto_mdc_outside 60 set transform-set ESP-3DES-SHA
crypto map crypto_mdc_outside 80 match address outside_80_cryptomap
crypto map crypto_mdc_outside 80 set pfs
crypto map crypto_mdc_outside 80 set peer 217.41.116.53
crypto map crypto_mdc_outside 80 set transform-set ESP-3DES-SHA
crypto map crypto_mdc_outside 100 match address outside_100_cryptomap
crypto map crypto_mdc_outside 100 set pfs
crypto map crypto_mdc_outside 100 set peer 86.47.179.237
crypto map crypto_mdc_outside 100 set transform-set ESP-3DES-SHA
crypto map crypto_mdc_outside 65535 ipsec-isakmp dynamic cryptod_mdc_outside
crypto map crypto_mdc_outside interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group mih-remote type ipsec-ra
tunnel-group mih-remote general-attributes
 address-pool VPN_Pool
 default-group-policy mih-remote
tunnel-group mih-remote ipsec-attributes
 pre-shared-key *
tunnel-group 62.69.58.233 type ipsec-l2l
tunnel-group 62.69.58.233 ipsec-attributes
 pre-shared-key *
tunnel-group 217.155.130.97 type ipsec-l2l
tunnel-group 217.155.130.97 ipsec-attributes
 pre-shared-key *
tunnel-group 81.144.184.37 type ipsec-l2l
tunnel-group 81.144.184.37 ipsec-attributes
 pre-shared-key *
tunnel-group 217.41.116.53 type ipsec-l2l
tunnel-group 217.41.116.53 ipsec-attributes
 pre-shared-key *
tunnel-group Northgate-Support type ipsec-ra
tunnel-group Northgate-Support general-attributes
 address-pool Northgate_Pool
 default-group-policy mih-remote
tunnel-group Northgate-Support ipsec-attributes
 pre-shared-key *
tunnel-group Epicore_Support type ipsec-ra
tunnel-group Epicore_Support general-attributes
 address-pool Epicor_Pool
 default-group-policy mih-remote
tunnel-group Epicore_Support ipsec-attributes
 pre-shared-key *
tunnel-group Pulsion_Support type ipsec-ra
tunnel-group Pulsion_Support general-attributes
 address-pool Pulsion_Pool
tunnel-group Pulsion_Support ipsec-attributes
 pre-shared-key *
tunnel-group 86.47.179.237 type ipsec-l2l
tunnel-group 86.47.179.237 ipsec-attributes
 pre-shared-key *
tunnel-group Hytemp_Support type ipsec-ra
tunnel-group Hytemp_Support general-attributes
 address-pool Hytemp_Pool
tunnel-group Hytemp_Support ipsec-attributes
 pre-shared-key *

Rex Biesty Wed, 09/03/2008 - 05:31

Thanks. I'm not sure what you mean by pfs. Could you elaborate please?

Rex Biesty Wed, 09/03/2008 - 05:26

ACLs from the Pix are

access-list outside_100_cryptomap extended permit ip 10.10.29.0 255.255.255.0 128.70.0.0 255.255.255.0
access-list acl_mdc_inside_nat0 extended permit ip 10.10.29.0 255.255.255.0 128.70.0.0 255.255.255.0

Rex Biesty Wed, 09/03/2008 - 05:28

Config from the 1801

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cybert00l address 194.159.238.98 no-xauth
!
!
crypto ipsec transform-set atg ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to194.159.238.98
 set peer 194.159.238.98
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 103
!
archive
 log config
  hidekeys
!
!
!
track 1 rtr 1 reachability
!
!
!
interface FastEthernet0
 description $ES_LAN$
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 description $BACKUP_INTF_ATM0.1_TRACK_1$
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 2
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 128.70.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address 159.134.114.180 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer string 1893252525
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname austin09
 ppp chap password 0 eircom1
!
interface Dialer1
 ip address 86.47.179.237 255.255.255.252
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 crypto map SDM_CMAP_1
!
ip local policy route-map SDM_BACKUP_RMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 2
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer1 overload
!
ip sla 1
 icmp-echo 194.159.238.98 source-interface Dialer1
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
access-list 100 remark SDM Backup Route-Map ACL
access-list 100 remark SDM_ACL Category=1
access-list 100 permit icmp any host 194.159.238.98 echo
access-list 101 remark SDM_ACL Category=16
access-list 101 permit ip 128.70.0.0 0.0.0.255 10.10.29.0 0.0.0.255
access-list 102 remark SDM_ACL Category=18
access-list 102 remark IPSec Rule
access-list 102 deny ip 128.70.0.0 0.0.0.255 10.10.29.0 0.0.0.255
access-list 102 permit ip 128.70.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 128.70.0.0 0.0.0.255 10.10.29.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run


Rex Biesty Thu, 09/04/2008 - 07:39

Thanks for the reply. Removing pfs resolved the issue and all working fine now.
