IPSec VPN between PIX and Cisco Router

Unanswered Question
Nov 16th, 2008

We have an issue with bringing up an IPSec connection. IKE phase 1 and 2 are up, but we only see packets being decrypted and no encryption.

This VPN is between a PIX on our end and a Cisco Router.


The config and "sh ver" are shown below:


static (webNT,outside) 203.20.238.115 203.20.238.115 netmask 255.255.255.255 0 0
route outside 10.45.206.0 255.255.255.0 203.20.238.1 1

TFSDC001-RYF01# sh cryp isa sa
Total : 1
Embryonic : 0
dst             src             state     pending  created
124.6.200.4     203.20.238.2    QM_IDLE   0        0

TFSDC001-RYF01# sh cryp ipsec sa | begin 114
TFSDC001-RYF01# sh cryp ipsec sa | begin 124
current_peer: 124.6.200.4:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 203, #recv errors 0

local crypto endpt.: 203.20.238.2, remote crypto endpt.: 124.6.200.4
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

---




Here is the config that I have on pix.



isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0

crypto IPSec transform-set xfire-vodafone esp-3des esp-md5-hmac
crypto map tyco-3rdparty 10 IPSec-isakmp
crypto map tyco-3rdparty 10 match address xfire-vodafone
crypto map tyco-3rdparty 10 set peer 124.6.200.4
crypto map tyco-3rdparty 10 set transform-set xfire




sh ver
======
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Thu 04-Aug-05 21:40 by morlee

TFSDC001-RYF01 up 2 days 20 hours

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: ethernet0: address is 0009.43a4.df0c, irq 10
1: ethernet1: address is 0009.43a4.df0d, irq 11
2: ethernet2: address is 00e0.b605.2f17, irq 11
3: ethernet3: address is 00e0.b605.2f16, irq 10
4: ethernet4: address is 00e0.b605.2f15, irq 9
5: ethernet5: address is 00e0.b605.2f14, irq 5

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: xxx
Running Activation Key: xxx

Configuration last modified by pixuser at 17:26:59.676 AEDT Mon Nov 17 2008


Debug output was not very helpful. Hope someone can shed some light on what the cause of this issue could be.

John Blakley Mon, 11/17/2008 - 14:37
User Badges:
  • Purple, 4500 points or more

Can you post your router side? The crypto map and the isakmp policy. Also your transform set. Can you also do a sh crypt session and post the results?


Thanks,


--John

k.ramalingam Mon, 11/17/2008 - 18:33

router#sh crypto ipsec sa vrf xfire.tyco.co.nz

interface: GigabitEthernet0/3
Crypto map tag: cm-iavp02-g0-2, local addr 124.6.200.4

protected vrf: xfire.tyco.co.nz
local ident (addr/mask/prot/port): (10.45.206.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (203.20.238.115/255.255.255.255/0/0)
current_peer 203.20.238.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 50, #recv errors 0

local crypto endpt.: 124.6.200.4, remote crypto endpt.: 203.20.238.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/3
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

show crypto session

Interface: GigabitEthernet0/3
Session status: DOWN
Peer: 203.20.238.2 port 500
IPSEC FLOW: permit ip 10.45.206.0/255.255.255.0 host 203.20.238.115
Active SAs: 0, origin: crypto map

Show crypto isakmp sa detail

dv#show crypto isakmp sa vrf xfire.tyco.co.nz
dst             src             state         conn-id  slot  status
203.20.238.2    124.6.200.4     MM_NO_STATE   1290     0     ACTIVE (deleted)

Config

!
crypto keyring cc-customers
 pre-shared-key address 203.20.238.4 key xf1r3tyc0vfn3!
!
crypto isakmp profile xfire.tyco.co.nz
 vrf xfire.tyco.co.nz
 keyring cc-customers
 match identity address 203.20.238.2 255.255.255.255
!
crypto map cm-iavp02-g0-2 93 ipsec-isakmp
 description Tyco New Zealand Ltd IPsec
 set peer 203.20.238.2
 set transform-set tranf-set-esp-3des-md5-hmac
 set isakmp-profile xfire.tyco.co.nz
 match address xfire.tyco.co.nz
!
ip access-list extended xfire.tyco.co.nz
 permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115

ip route vrf xfire.tyco.co.nz 0.0.0.0 0.0.0.0 124.6.200.1 global
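With both ends of the tunnel now posted, these are the cross-checks a practitioner would run before touching either box, as an added example that is not part of this thread or of any Cisco tool: it parses the crypto lines from the PIX and the router (copied into the script as a constructed sample, with the router's pre-shared key replaced by a placeholder) and reports transform-set references that are never defined, crypto-map peers that the keyring holds no key for, and proxy identities that are not exact mirrors of each other. All function names are my own.

```python
import ipaddress
import re

# Constructed sample: crypto lines copied from the two posts (router PSK replaced).
PIX_CONFIG = """\
access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0
crypto IPSec transform-set xfire-vodafone esp-3des esp-md5-hmac
crypto map tyco-3rdparty 10 match address xfire-vodafone
crypto map tyco-3rdparty 10 set peer 124.6.200.4
crypto map tyco-3rdparty 10 set transform-set xfire
"""
IOS_CONFIG = """\
crypto keyring cc-customers
 pre-shared-key address 203.20.238.4 key PSK-REDACTED
crypto map cm-iavp02-g0-2 93 ipsec-isakmp
 set peer 203.20.238.2
 set transform-set tranf-set-esp-3des-md5-hmac
 match address xfire.tyco.co.nz
ip access-list extended xfire.tyco.co.nz
 permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115
"""

def _prefix(tok, wildcard):
    """'host A' or 'A MASK' -> ip_network; IOS ACLs carry inverted (wildcard) masks."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1])
    mask = int(ipaddress.ip_address(tok[1])) ^ (0xFFFFFFFF if wildcard else 0)
    return ipaddress.ip_network(f"{tok[0]}/{ipaddress.ip_address(mask)}", strict=False)

def proxy_ids(config, wildcard):
    """(local, remote) network pair from every 'permit ip' line of the crypto ACL."""
    return [(_prefix(t[:2], wildcard), _prefix(t[2:4], wildcard))
            for t in (l.split() for l in re.findall(r"permit ip (.+)", config))]

def undefined_transform_sets(config):
    """Crypto-map entries that name a transform set never defined on that box."""
    defined = set(re.findall(r"transform-set (\S+) esp", config, re.I))
    return set(re.findall(r"set transform-set (\S+)", config)) - defined

def unkeyed_peers(ios):
    """Crypto-map peers not covered by any pre-shared-key address entry (default /32)."""
    keyed = [ipaddress.ip_network(f"{a}/{m or '255.255.255.255'}", strict=False)
             for a, m in re.findall(r"pre-shared-key address (\S+)(?: (\d[\d.]*))?", ios)]
    return [p for p in re.findall(r"set peer (\S+)", ios)
            if not any(ipaddress.ip_address(p) in k for k in keyed)]

def unmirrored_ids(pix, ios):
    """PIX proxy identities with no exact (remote, local) mirror on the router."""
    return [p for p in proxy_ids(pix, False) if p[::-1] not in proxy_ids(ios, True)]
```

On the sample as posted, the proxy identities mirror each other, while the PIX's reference to transform set xfire and the router's keyring entry for 203.20.238.4 (rather than the peer 203.20.238.2) are both reported for confirmation on the devices.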




sdoremus33 Mon, 11/17/2008 - 20:48
User Badges:
  • Bronze, 100 points or more

I believe your problem is that on the router side under isakmp config you have isakmp policy 1 group 2, but no matching on the Pix, causing SAs to malform. You can also try to set a PFS group for both router and Pix.


sdoremus33 Tue, 11/18/2008 - 10:26
User Badges:
  • Bronze, 100 points or more

If it's no trouble, to verify my assessment, could you please provide the configs for both the Pix device and the Router, specifically the ISAKMP (Management connection profile) and all crypto maps. Thanks
