IPSec VPN between PIX and Cisco Router

Unanswered Question
Nov 16th, 2008

We have an issue with bringing up an IPSec connection. IKE phase 1 and 2 are up, but we only see packets being decrypted and no encryption.

This VPN is between a PIX on our end and a Cisco Router.

The config and "sh ver" are shown below:

static (webNT,outside) 203.20.238.115 203.20.238.115 netmask 255.255.255.255 0 0
route outside 10.45.206.0 255.255.255.0 203.20.238.1 1

TFSDC001-RYF01# sh cryp isa sa
Total : 1
Embryonic : 0
dst src state pending created
124.6.200.4 203.20.238.2 QM_IDLE 0 0

TFSDC001-RYF01# sh cryp ipsec sa | begin 114
TFSDC001-RYF01# sh cryp ipsec sa | begin 124
current_peer: 124.6.200.4:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 203, #recv errors 0
local crypto endpt.: 203.20.238.2, remote crypto endpt.: 124.6.200.4
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

---

Here is the config that I have on pix.

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0

crypto IPSec transform-set xfire-vodafone esp-3des esp-md5-hmac

crypto map tyco-3rdparty 10 IPSec-isakmp
crypto map tyco-3rdparty 10 match address xfire-vodafone
crypto map tyco-3rdparty 10 set peer 124.6.200.4
crypto map tyco-3rdparty 10 set transform-set xfire

sh ver
======
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Thu 04-Aug-05 21:40 by morlee
TFSDC001-RYF01 up 2 days 20 hours

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: ethernet0: address is 0009.43a4.df0c, irq 10
1: ethernet1: address is 0009.43a4.df0d, irq 11
2: ethernet2: address is 00e0.b605.2f17, irq 11
3: ethernet3: address is 00e0.b605.2f16, irq 10
4: ethernet4: address is 00e0.b605.2f15, irq 9
5: ethernet5: address is 00e0.b605.2f14, irq 5

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.
Serial Number: xxx
Running Activation Key: xxx
Configuration last modified by pixuser at 17:26:59.676 AEDT Mon Nov 17 2008

Debug output was not very helpful. Hope someone can shed some light as to what the cause of this issue would be.

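What the counters in this kind of output mean, as an added example that is not part of the original thread: a small Python parser for one peer block of "show crypto ipsec sa". It reads the #pkts and error counters, counts the ESP SAs actually listed, and classifies the tunnel. Both sample strings are constructed: the first reproduces the counters the PIX shows in the question (zero encaps and decaps, 203 send errors, empty SA lists), the second is a healthy tunnel on documentation addresses, for contrast.

```python
import re

# Constructed sample modelled on the PIX output quoted in the question:
# all packet counters zero, 203 send errors, every SA list empty.
PIX_SAMPLE = """\
current_peer: 124.6.200.4:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 203, #recv errors 0
local crypto endpt.: 203.20.238.2, remote crypto endpt.: 124.6.200.4
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
"""

# Constructed sample of a healthy tunnel, for contrast (documentation
# addresses, not from the thread).
HEALTHY_SAMPLE = """\
current_peer: 198.51.100.7:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
#pkts decaps: 98, #pkts decrypt: 98, #pkts verify 98
#send errors 0, #recv errors 0
current outbound spi: a1b2c3d4
inbound esp sas:
spi: 0x1122aabb(287419067)
outbound esp sas:
spi: 0xa1b2c3d4(2712847316)
"""

# PIX 6.x writes "#pkts encaps: N" but "#send errors N"; accept both spellings.
COUNTER_RE = re.compile(r"#(?:pkts )?(encaps|decaps|send errors|recv errors)[: ]+(\d+)")
SECTION_RE = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:")


def parse_ipsec_sa(text):
    """Return (counters, esp_sa_counts) for one peer block of 'show crypto ipsec sa'."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    sas = {"inbound": 0, "outbound": 0}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            # only ESP carries the tunnel here; AH and PCP sections are ignored
            section = m.group(1) if m.group(2) == "esp" else None
        elif section and line.startswith("spi:"):
            sas[section] += 1
    return counters, sas


def classify(counters, sas):
    """Map counters and SA presence to a coarse tunnel state."""
    encaps = counters.get("encaps", 0)
    decaps = counters.get("decaps", 0)
    send_err = counters.get("send errors", 0)
    if sas["inbound"] and sas["outbound"]:
        if encaps and decaps:
            return "UP"
        if encaps and not decaps:
            return "ONE_WAY"   # we encrypt, nothing comes back to decrypt
        return "UP_IDLE"       # SAs exist, nothing has matched the crypto ACL yet
    if send_err and not encaps:
        # packets matched the crypto map but no IPsec SA existed to encrypt
        # them, so they were dropped: phase 2 never completed for this peer
        return "NO_SA_TRAFFIC_DROPPED"
    return "NO_SA_NO_TRAFFIC"


def diagnose(text):
    counters, sas = parse_ipsec_sa(text)
    return classify(counters, sas)


if __name__ == "__main__":
    for label, sample in (("pix (question)", PIX_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        counters, sas = parse_ipsec_sa(sample)
        print(f"{label}: {classify(counters, sas)} counters={counters} esp_sas={sas}")
```

On the PIX sample this returns NO_SA_TRAFFIC_DROPPED: the send errors are packets that matched the crypto map and were dropped because no IPsec SA existed to carry them. That is a different picture from a tunnel that is up and only encrypting in one direction (ONE_WAY), so it is worth separating the two before reading debugs.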
John Blakley Mon, 11/17/2008 - 14:37

Can you post your router side? The crypto map and the isakmp policy. Also your transform set. Can you also do a sh crypt session and post the results?

Thanks,

--John

k.ramalingam Mon, 11/17/2008 - 18:33

router#sh crypto ipsec sa vrf xfire.tyco.co.nz
interface: GigabitEthernet0/3
Crypto map tag: cm-iavp02-g0-2, local addr 124.6.200.4
protected vrf: xfire.tyco.co.nz
local ident (addr/mask/prot/port): (10.45.206.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (203.20.238.115/255.255.255.255/0/0)
current_peer 203.20.238.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 50, #recv errors 0
local crypto endpt.: 124.6.200.4, remote crypto endpt.: 203.20.238.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/3
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

show crypto session
Interface: GigabitEthernet0/3
Session status: DOWN
Peer: 203.20.238.2 port 500
IPSEC FLOW: permit ip 10.45.206.0/255.255.255.0 host 203.20.238.115
Active SAs: 0, origin: crypto map

Show crypto isakmp sa detail
dv#show crypto isakmp sa vrf xfire.tyco.co.nz
dst src state conn-id slot status
203.20.238.2 124.6.200.4 MM_NO_STATE 1290 0 ACTIVE (deleted)

Config
!
crypto keyring cc-customers
 pre-shared-key address 203.20.238.4 key xf1r3tyc0vfn3!
!
crypto isakmp profile xfire.tyco.co.nz
 vrf xfire.tyco.co.nz
 keyring cc-customers
 match identity address 203.20.238.2 255.255.255.255
!
crypto map cm-iavp02-g0-2 93 ipsec-isakmp
 description Tyco New Zealand Ltd IPsec
 set peer 203.20.238.2
 set transform-set tranf-set-esp-3des-md5-hmac
 set isakmp-profile xfire.tyco.co.nz
 match address xfire.tyco.co.nz
!
ip access-list extended xfire.tyco.co.nz
 permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115
ip route vrf xfire.tyco.co.nz 0.0.0.0 0.0.0.0 124.6.200.1 global
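As a cross-check of the two configs quoted so far, an added example that is not from the thread: the PIX fragment from the question and the IOS fragment from this post (pre-shared key replaced by a placeholder) are parsed into one common shape and compared. It flags a crypto map that references a transform-set not defined in the same fragment, a keyring with no pre-shared-key entry covering the peer, and crypto ACLs that are not mirror images of each other. On the fragments exactly as posted it reports three things: the PIX map sets transform-set xfire while only xfire-vodafone is defined, the IOS keyring entry is for 203.20.238.4 while the peer is 203.20.238.2, and the IOS transform-set tranf-set-esp-3des-md5-hmac is not in the posted fragment (it may simply not have been pasted). The crypto ACLs do mirror. Whether the first two reflect the running configs or were mistyped while posting is something only the posters can verify.

```python
import ipaddress

# Crypto-relevant lines of the PIX config quoted in the question (verbatim).
PIX_CONFIG = """\
access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0
crypto IPSec transform-set xfire-vodafone esp-3des esp-md5-hmac
crypto map tyco-3rdparty 10 IPSec-isakmp
crypto map tyco-3rdparty 10 match address xfire-vodafone
crypto map tyco-3rdparty 10 set peer 124.6.200.4
crypto map tyco-3rdparty 10 set transform-set xfire
"""

# Crypto-relevant lines of the IOS config quoted by k.ramalingam, with the
# pre-shared key replaced by a placeholder.
IOS_CONFIG = """\
crypto keyring cc-customers
 pre-shared-key address 203.20.238.4 key PSK_PLACEHOLDER
crypto isakmp profile xfire.tyco.co.nz
 keyring cc-customers
 match identity address 203.20.238.2 255.255.255.255
crypto map cm-iavp02-g0-2 93 ipsec-isakmp
 set peer 203.20.238.2
 set transform-set tranf-set-esp-3des-md5-hmac
 set isakmp-profile xfire.tyco.co.nz
 match address xfire.tyco.co.nz
ip access-list extended xfire.tyco.co.nz
 permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115
"""


def _net(addr, mask="255.255.255.255"):
    # ipaddress accepts a netmask (PIX style) or a wildcard mask (IOS style) after '/'
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_pair(tokens):
    """Tokens after 'permit ip' -> (src, dst) networks; handles 'host X' and 'ADDR MASK'."""
    nets = []
    while len(nets) < 2:
        nets.append(_net(tokens[1]) if tokens[0] == "host" else _net(tokens[0], tokens[1]))
        tokens = tokens[2:]
    return tuple(nets)


def parse(text):
    """Parse the crypto parts of a PIX 6.x or IOS config into one common shape."""
    cfg = {"acls": {}, "transform_sets": set(), "maps": {}, "keyrings": {}}
    ctx = None  # IOS sub-mode object (list or dict) that indented lines belong to
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        low = [x.lower() for x in t[:5]]
        if low[:1] == ["access-list"] and low[2:4] == ["permit", "ip"]:  # PIX ACL
            cfg["acls"].setdefault(t[1], []).append(_acl_pair(t[4:]))
        elif low[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(t[3])
        elif low[:2] == ["crypto", "map"] and len(t) > 5:  # PIX flat map entry
            cfg["maps"].setdefault((t[2], t[3]), {})[t[5].replace("-", "_")] = t[6]
        elif not line.startswith(" "):  # top-level IOS command opens (or ends) a sub-mode
            if low[:2] == ["crypto", "keyring"]:
                ctx = cfg["keyrings"].setdefault(t[2], [])
            elif low[:2] == ["crypto", "map"]:
                ctx = cfg["maps"].setdefault((t[2], t[3]), {})
            elif low[:3] == ["ip", "access-list", "extended"]:
                ctx = cfg["acls"].setdefault(t[3], [])
            else:
                ctx = None
        elif ctx is None:
            continue
        elif t[:2] == ["pre-shared-key", "address"]:
            ctx.append(_net(t[2]) if t[3] == "key" else _net(t[2], t[3]))
        elif t[:2] == ["permit", "ip"]:
            ctx.append(_acl_pair(t[2:]))
        elif isinstance(ctx, dict) and t[0] in ("set", "match"):
            ctx[t[1].replace("-", "_")] = t[2]  # 'set peer X', 'set transform-set X', 'match address X'
    return cfg


def check(pix, ios):
    """Return (code, detail) findings; an empty list means nothing inconsistent was found."""
    findings = []
    for side, cfg in (("PIX", pix), ("IOS", ios)):
        keys = [n for ring in cfg["keyrings"].values() for n in ring]
        for (name, seq), m in cfg["maps"].items():
            ts = m.get("transform_set")
            if ts and ts not in cfg["transform_sets"]:
                findings.append((side + "_TS_UNDEFINED", f"map {name} {seq} uses '{ts}', defined: {sorted(cfg['transform_sets'])}"))
            peer = ipaddress.ip_address(m["peer"]) if "peer" in m else None
            if peer is not None and keys and not any(peer in n for n in keys):
                findings.append((side + "_KEYRING_NO_MATCH", f"no pre-shared key covers peer {peer}; entries: {[str(n) for n in keys]}"))
    # phase 2 proxy identities must mirror each other: PIX (src, dst) == IOS (dst, src)
    pix_flows = {f for acl in pix["acls"].values() for f in acl}
    ios_flows = {(d, s) for acl in ios["acls"].values() for s, d in acl}
    if pix_flows != ios_flows:
        findings.append(("ACL_NOT_MIRRORED", f"PIX {pix_flows} vs IOS reversed {ios_flows}"))
    return findings
```

Run it with `for code, detail in check(parse(PIX_CONFIG), parse(IOS_CONFIG)): print(code, detail)`. The ISAKMP policy itself is not compared because only the PIX side's policy appears in the thread; once the router's `crypto isakmp policy` is posted, that is the next thing to line up against the PIX `isakmp policy 1` lines.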

sdoremus33 Mon, 11/17/2008 - 20:48

I believe your problem is that on the router side under isakmp config you have isakmp policy 1 group 2, but no matching on the PIX, causing SAs to malform. You can also try to set a PFS group for both router and PIX.

sdoremus33 Tue, 11/18/2008 - 10:26

If it's no trouble, to verify my assessment could you please provide the configs for both the PIX device and the router, specifically the ISAKMP (management connection profile) and all crypto maps. Thanks
