09-30-2008 02:25 AM
Hi, I have configured my two PIX firewalls for a LAN-to-LAN VPN (IPsec). These two firewalls connect directly via ethernet 0, and each has a local LAN on ethernet 1. When I try to ping station2 from station1, after one timeout, and once the IKE phases are complete, the ping comes up with a reply. But when I try to ping station 1 from station 2 I don't get any reply. Why does my VPN connection come up in one direction and not from the other side??
(pix1)
ethernet0(outside):20.20.20.1
ethernet1(inside):10.10.10.1
station1 on inside:10.10.10.20
(pix2)
ethernet0(outside):20.20.20.2
ethernet1(inside):15.15.15.1
station2 on inside:15.15.15.20
pix1 config:
interface Ethernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
access-list ping extended permit icmp any any
access-list ping extended permit tcp any host 10.10.10.15 eq ftp
access-list traffic extended permit ip 10.10.10.0 255.255.255.0 15.15.15.0 255.255.255.0
nat (inside) 0 access-list traffic
access-group ping in interface outside
route outside 15.15.15.0 255.255.255.0 20.20.20.2 1
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 1000
tunnel-group 20.20.20.2 type ipsec-l2l
tunnel-group 20.20.20.2 ipsec-attributes
pre-shared-key *
pix2 config:
interface Ethernet0
nameif outside
security-level 0
ip address 20.20.20.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 15.15.15.1 255.255.255.0
!
access-list ping extended permit icmp any any
access-list ping extended permit tcp any host 15.15.15.20 eq ftp
access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
access-group ping in interface outside
route outside 10.10.10.0 255.255.255.0 20.20.20.1 1
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 1000
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
pre-shared-key *
When I run show crypto isakmp sa everything looks fine, but only when I ping station 2 from ST1. After that, if I clear the isakmp sa and then try to ping station 1 from ST2, show crypto isakmp sa returns "no active SA". Why?!!
09-30-2008 07:42 AM
On PiX 2
crypto map crymap 1 set peer 20.20.20.2
---------------------------------------
It should be the IP address of the remote end, as shown following.
crypto map crymap 1 set peer 20.20.20.1
HTH
Saju
09-30-2008 11:10 AM
"crypto map crymap 1 set peer 20.20.20.2": in my configuration it is right, it's the next peer's IP address: "crypto map crymap 1 set peer 20.20.20.1". This was a copy-paste mistake. Sorry! OK, now what can cause my one-way ping problem??
09-30-2008 02:33 PM
Other than that your config looks OK. What are the source and destination when you ping?
When you have this problem, can you enable the debugs
debug crypto isakmp
debug crypto ipsec
and post results.
10-01-2008 11:51 AM
OK, here are the debug outputs.
When I ping station 1 (10.10.10.20) (on pix 1) from station2 (15.15.15.20) (on pix 2) everything is fine, and this is the sh crypto isakmp sa output:
PIX1# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 20.20.20.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
PIX2# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 20.20.20.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
But if I clear the isakmp sa and then try to ping station 2 (15.15.15.20) from station 1 (10.10.10.20), the ping doesn't work, and these are the debug crypto isakmp and ipsec outputs:
PIX1# Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:45 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:45 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:49 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:49 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:52 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:52 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
PIX2# Oct 01 19:27:40 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988630, mess id 0xa54f21b0)!
Oct 01 19:27:40 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:43 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0xb1221bf2)!
Oct 01 19:27:43 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:46 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0x925a2fc8)!
Oct 01 19:27:46 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:50 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0x9224a705)!
Oct 01 19:27:50 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
What is the problem??? Where is the problem??? Please help me find out???
10-01-2008 12:01 PM
Do 2 things:
1. The lifetime configured under the IKE policy is 1000. Increase it to 86400, as the ISAKMP SA lifetime should be greater than the IPsec SA lifetime.
2. Make separate access lists for the crypto ACL and the NAT 0 ACL. You are using the same access-list "traffic". Create another identical access list and use it separately as the crypto ACL on both sides.
For example on PIX2:
access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPNACL extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
crypto map crymap 1 match address VPNACL
Then check and post results.
HTH
Saju
Pls rate helpful posts
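As an added example (not code from this thread or from Cisco), the checks Saju's answer relies on can be automated before a tunnel is ever brought up. The script below embeds the crypto-relevant lines of both posted configs as constructed samples and flags, for each side, a crypto map peer that is not the other side's outside address, a missing ipsec-l2l tunnel-group for that peer, a crypto ACL that is the same object as the nat 0 ACL, a crypto ACL that is not the mirror image of the far end's, and an ISAKMP lifetime no larger than the IPsec SA lifetime. The 28800-second IPsec SA lifetime is an assumed PIX default (the thread never sets one), and `apply_answer` is a hypothetical helper that rewrites a config the way the accepted answer says (clone the nat 0 ACL as VPNACL for the crypto map, lifetime 86400).

```python
"""Pair-check two PIX LAN-to-LAN IPsec configs for the mismatches raised in
this thread. Hypothetical helper written for this page, not Cisco's code."""
import re

# Constructed samples: the crypto-relevant lines of the two configs posted in
# the thread. PIX2_AS_POSTED still carries the copy-paste peer mistake.
PIX1 = """
interface Ethernet0
nameif outside
ip address 20.20.20.1 255.255.255.0
access-list traffic extended permit ip 10.10.10.0 255.255.255.0 15.15.15.0 255.255.255.0
nat (inside) 0 access-list traffic
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto isakmp policy 1
lifetime 1000
tunnel-group 20.20.20.2 type ipsec-l2l
"""
PIX2_AS_POSTED = """
interface Ethernet0
nameif outside
ip address 20.20.20.2 255.255.255.0
access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto isakmp policy 1
lifetime 1000
tunnel-group 20.20.20.1 type ipsec-l2l
"""
IPSEC_SA_LIFETIME = 28800  # assumed PIX default (seconds) when none is configured


def apply_answer(cfg):
    """Hypothetical helper: apply the accepted answer to a config text. Clone
    the nat 0 ACL under the name VPNACL, point the crypto map at the clone,
    and raise the ISAKMP policy lifetime to 86400."""
    acl = re.search(r"nat \(inside\) 0 access-list (\S+)", cfg).group(1)
    entries = re.findall(rf"^access-list {acl} .*$", cfg, re.M)
    clone = "\n".join(e.replace(f"access-list {acl}", "access-list VPNACL", 1) for e in entries)
    cfg = cfg.replace(f"match address {acl}", "match address VPNACL")
    cfg = re.sub(r"^lifetime \d+$", "lifetime 86400", cfg, flags=re.M)
    return cfg.replace("nat (inside) 0", clone + "\nnat (inside) 0", 1)


def parse(name, cfg):
    """Pull out the fields the checks need. A bare 'lifetime N' line is the
    ISAKMP policy lifetime (the IPsec one would start with 'crypto ipsec')."""
    info = {"name": name, "outside_ip": None, "acls": {}, "nat0_acl": None,
            "crypto_acl": None, "peer": None, "isakmp_lifetime": None, "tunnel_groups": set()}
    nameif = None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+$", line)) and nameif == "outside":
            info["outside_ip"] = m.group(1)
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            info["acls"].setdefault(m.group(1), set()).add(m.group(2, 3, 4, 5))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            info["nat0_acl"] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            info["crypto_acl"] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"lifetime (\d+)$", line):
            info["isakmp_lifetime"] = int(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            info["tunnel_groups"].add(m.group(1))
    return info


def check_pair(cfg_a, cfg_b, name_a="PIX1", name_b="PIX2"):
    """Return a list of findings for the pair; an empty list means it passes."""
    a, b = parse(name_a, cfg_a), parse(name_b, cfg_b)
    findings = []
    for me, other in ((a, b), (b, a)):
        n = me["name"]
        if me["peer"] != other["outside_ip"]:
            findings.append(f"{n}: crypto map peer {me['peer']} is not {other['name']}'s outside address {other['outside_ip']}")
        if me["peer"] not in me["tunnel_groups"]:
            findings.append(f"{n}: no ipsec-l2l tunnel-group named after peer {me['peer']}")
        if me["crypto_acl"] == me["nat0_acl"]:
            findings.append(f"{n}: crypto map and nat 0 share access-list {me['crypto_acl']}")
        mine = me["acls"].get(me["crypto_acl"], set())
        # The far end's crypto ACL with source and destination swapped must equal ours.
        mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in other["acls"].get(other["crypto_acl"], set())}
        if mine != mirrored:
            findings.append(f"{n}: crypto ACL is not the mirror image of {other['name']}'s")
        if me["isakmp_lifetime"] is not None and me["isakmp_lifetime"] <= IPSEC_SA_LIFETIME:
            findings.append(f"{n}: ISAKMP lifetime {me['isakmp_lifetime']} is not above the IPsec SA lifetime {IPSEC_SA_LIFETIME}")
    return findings


PIX2_FIXED = apply_answer(PIX2_AS_POSTED.replace("set peer 20.20.20.2", "set peer 20.20.20.1"))

if __name__ == "__main__":
    for label, pair in (("as posted", (PIX1, PIX2_AS_POSTED)),
                        ("after the fix", (apply_answer(PIX1), PIX2_FIXED))):
        print(f"{label}: {check_pair(*pair) or ['no findings']}")
```

Run as posted, the pair yields six findings (the shared ACL and short lifetime on both sides, plus the wrong peer and the tunnel-group that no longer matches it on PIX2); with the peer corrected and the accepted answer applied on both sides it yields none. The mirror check is the one the thread never states explicitly but that the QM FSM errors on PIX2 would also produce if the two crypto ACLs did not match.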
10-01-2008 11:39 PM
Thanks. Now it's working :). I separated the access list for the crypto map from the one for NAT 0, and then everything works fine. Thank you.