PIX Lan2Lan VPN strange Problem!

Answered Question
Sep 30th, 2008

Hi, I have configured my two PIX firewalls for a LAN-to-LAN VPN (IPsec). The two firewalls connect directly via Ethernet 0, and each has a local LAN on Ethernet 1. When I try to ping station2 from station1, after one timeout and once the IKE phases are complete, the ping comes up with replies, but when I try to ping station1 from station2 I don't get any reply. Why does my VPN connection come up in one direction and not from the other side??

(pix1)
ethernet0 (outside): 20.20.20.1
ethernet1 (inside): 10.10.10.1
station1 on inside: 10.10.10.20

(pix2)
ethernet0 (outside): 20.20.20.2
ethernet1 (inside): 15.15.15.1
station2 on inside: 15.15.15.20

pix1 config:

interface Ethernet0
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
access-list ping extended permit icmp any any
access-list ping extended permit tcp any host 10.10.10.15 eq ftp
access-list traffic extended permit ip 10.10.10.0 255.255.255.0 15.15.15.0 255.255.255.0
nat (inside) 0 access-list traffic
access-group ping in interface outside
route outside 15.15.15.0 255.255.255.0 20.20.20.2 1
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1000
tunnel-group 20.20.20.2 type ipsec-l2l
tunnel-group 20.20.20.2 ipsec-attributes
 pre-shared-key *

pix2 config:

interface Ethernet0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 15.15.15.1 255.255.255.0
!
access-list ping extended permit icmp any any
access-list ping extended permit tcp any host 15.15.15.20 eq ftp
access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
access-group ping in interface outside
route outside 10.10.10.0 255.255.255.0 20.20.20.1 1
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1000
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
 pre-shared-key *

When I run show crypto isakmp sa everything looks fine, but only right after I ping station 2 from ST1. After that, if I clear the isakmp sa and then try to ping station 1 from ST2, show crypto isakmp sa returns "no active SA". Why?!!



singhsaju Tue, 09/30/2008 - 07:42

On PIX 2

crypto map crymap 1 set peer 20.20.20.2

---------------------------------------

It should be the IP address of the remote end, as shown in the following.


crypto map crymap 1 set peer 20.20.20.1


HTH

Saju

blackhat2020 Tue, 09/30/2008 - 11:10

"crypto map crymap 1 set peer 20.20.20.2": in my configuration it is right, it's the next peer's IP address. "crypto map crymap 1 set peer 20.20.20.1" was a copy-paste mistake. Sorry! OK, now what can cause my one-way ping problem??

singhsaju Tue, 09/30/2008 - 14:33

Other than that your config looks OK. What are the source and destination when you ping?

When you have this problem, can you enable the debugs

debug crypto isakmp
debug crypto ipsec

and post the results.

blackhat2020 Wed, 10/01/2008 - 11:51

OK, here are the debug outputs.

When I ping station 1 (10.10.10.20) (on PIX 1) from station 2 (15.15.15.20) (on PIX 2), everything is fine and this is the sh crypto isakmp sa output:

PIX1# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 20.20.20.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE


PIX2# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 20.20.20.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE


But if I clear the isakmp sa and then try to ping station 2 (15.15.15.20) from station 1 (10.10.10.20), the ping doesn't work and these are the debug crypto isakmp and ipsec outputs:


PIX1# Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:45 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:45 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:49 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:49 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:52 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:52 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!




PIX2# Oct 01 19:27:40 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988630, mess id 0xa54f21b0)!
Oct 01 19:27:40 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:43 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0xb1221bf2)!
Oct 01 19:27:43 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:46 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0x925a2fc8)!
Oct 01 19:27:46 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:50 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0x9224a705)!
Oct 01 19:27:50 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!



What is the problem??? Where is the problem??? Please help me find it.



Correct Answer
singhsaju Wed, 10/01/2008 - 12:01

Do 2 things:

1. The lifetime configured under the IKE policy is 1000. Increase it to 86400, as the ISAKMP SA lifetime should be greater than the IPsec SA lifetime.

2. Make separate access lists for the crypto ACL and the NAT 0 ACL. You are using the same access-list "traffic" for both. Create another identical access list and use it separately as the crypto ACL on both sides.

For example on PIX2:

access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPNACL extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list traffic
crypto map crymap 1 match address VPNACL



Then check and post results.


HTH

Saju

Pls rate helpful posts
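As an added illustration of the two points in this answer (not the poster's configs verbatim, nor any Cisco tool), here is a small Python lint that parses excerpts constructed from the posted PIX configs and flags the peer that does not match the other side's outside address, the NAT 0 and crypto map sharing one ACL, and an ISAKMP lifetime that is not above the IPsec SA lifetime, then shows the findings clear once the fix is applied. It assumes the PIX default IPsec SA lifetime of 28800 seconds, since neither posted config sets one.

```python
# Constructed excerpts of the two PIX configs as posted in the thread (only the lines these checks read).
PIX1 = """interface Ethernet0
 nameif outside
 ip address 20.20.20.1 255.255.255.0
access-list traffic extended permit ip 10.10.10.0 255.255.255.0 15.15.15.0 255.255.255.0
nat (inside) 0 access-list traffic
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto isakmp policy 1
 lifetime 1000"""
# PIX2 as posted: mirrored addresses but the same "set peer 20.20.20.2" line (the copy-paste slip).
PIX2 = PIX1.replace("20.20.20.1 255", "20.20.20.2 255").replace(
    "ip 10.10.10.0 255.255.255.0 15.15.15.0", "ip 15.15.15.0 255.255.255.0 10.10.10.0")
IPSEC_SA_LIFETIME = 28800  # assumed PIX default; neither posted config sets an IPsec SA lifetime

def parse(cfg):
    # Pull out just what the checks need: outside IP, ACL entries, NAT 0 ACL, crypto ACL, peer, IKE lifetime.
    f, nameif = {"acls": {}}, None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "nameif": nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif == "outside": f["outside_ip"] = w[2]
        elif w[0] == "access-list" and "permit" in w and "ip" in w:
            i = w.index("ip")  # "... permit ip SRC MASK DST MASK"
            f["acls"].setdefault(w[1], set()).add(tuple(w[i + 1:i + 5]))
        elif w[:3] == ["nat", "(inside)", "0"]: f["nat0_acl"] = w[-1]
        elif "match" in w: f["crypto_acl"] = w[-1]
        elif "peer" in w: f["peer"] = w[-1]
        elif w[0] == "lifetime": f["ike_lifetime"] = int(w[1])
    return f

def check_pair(a, b):
    # Findings for one L2L pair; an empty list means both sides are consistent with the advice above.
    out = []
    for name, me, other in (("pix1", a, b), ("pix2", b, a)):
        if me.get("peer") != other.get("outside_ip"):
            out.append(f"{name}: set peer {me.get('peer')} is not the remote outside address {other.get('outside_ip')}")
        if me.get("nat0_acl") == me.get("crypto_acl"):
            out.append(f"{name}: NAT 0 and the crypto map share access-list {me.get('nat0_acl')}")
        if me.get("ike_lifetime", 0) <= IPSEC_SA_LIFETIME:
            out.append(f"{name}: ISAKMP lifetime {me.get('ike_lifetime')} is not above the IPsec SA lifetime {IPSEC_SA_LIFETIME}")
    mine = a["acls"].get(a.get("crypto_acl"), set())
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in b["acls"].get(b.get("crypto_acl"), set())}
    if mine != mirrored:
        out.append("crypto ACLs are not mirror images of each other")
    return out

def apply_fix(cfg):
    # The fix from this answer: a second identical ACL for the crypto map and an ISAKMP lifetime of 86400.
    acl = next(ln for ln in cfg.splitlines() if ln.startswith("access-list traffic"))
    return (cfg.replace("match address traffic", "match address VPNACL")
               .replace("lifetime 1000", "lifetime 86400") + "\n" + acl.replace("traffic", "VPNACL"))
```

Run check_pair on the as-posted pair to see the five findings, then on apply_fix of both sides (with the PIX2 peer corrected to 20.20.20.1) to see them clear.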





blackhat2020 Wed, 10/01/2008 - 23:39

Thanks. Now it's working :). I separated the access lists for the crypto map and for NAT 0, and now everything works fine. Thank you.
