01-15-2010 07:50 AM
I must be missing something in the config, but what I am not sure.
Trying to get a PIX 506e (6.3) to an ASA 5505 (7.2). The PIX is dynamic IP and the ASA is static IP. This is a second site-to-site VPN; the other is from the PIX to another PIX that has a static IP.
I have tried everything that I can think of. I believe it is on the ASA side, but not sure. I have reset the pre-shared-key several times. I have tried the sysopt connection permit-vpn on the ASA. It took the command, but it didn't show up in the running-config. Put in both ipsec-ra and ipsec-l2l tunnels as well as other things. Anyway I have attached my configs.
Almost forgot, I used this link as a guide. http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
Thanks for your help --- Keith
01-18-2010 03:37 AM
You are missing config; see the config example below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
HTH
01-19-2010 06:21 AM
Hi Andrew,
I have been following that example, but for some reason the link is not working in my post. I did update my post by adding a debug output. I checked my debug against Tiger's on the link and only posted where it was different. It seems the isakmp attributes and the pre-shared-key were OK, but after that something is wrong.
If you have any idea let me know please.
Keith
01-19-2010 06:53 AM
Hi Keith
Ensure your "head end" (the end with the static IP) has the config below:
crypto ipsec transform-set <
crypto dynamic-map <
crypto map <
crypto map <
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
01-19-2010 07:38 AM
Hi Andrew,
Yes, it has the crypto map and isakmp policy 20 that matches my dynamic PIX, but I don't have the 65536 policy (will add). The tunnel-group general-attributes command is not an option in version 7.2. For the ipsec pre-shared key I used the pre-shared-key that matches the isakmp key on the dynamic PIX. Should I have used isakmp key ******** address 0.0.0.0 netmask 0.0.0.0?
Thanks --- Keith
01-19-2010 07:55 AM
Keith,
Changes should be made to the ASA.
The URL I posted is for config revs 7.x and later, so everything should work.
Your posted ASA config - which has the static IP address is missing
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
Before any config changes are made, let me be clear.
The PIX with the dynamic IP only needs basic config to create the VPN.
The ASA with the static IP needs this config, and you need to tell it to accept ANY L2L VPN requests.
I really suggest you read the URL I sent again; in the example Lion is your ASA and Tiger is your PIX.
HTH
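The hub/spoke pairing described in the post above, written out as an added example (not the thread's attached configs and not Cisco's example page): an ASA 7.2 hub with a static address accepting any L2L peer through a dynamic crypto map and the DefaultL2LGroup PSK, and a PIX 6.3 spoke on a dynamic address that initiates the tunnel. The addresses (hub outside 203.0.113.1, hub LAN 192.168.1.0/24, spoke LAN 192.168.2.0/24), object names and the pre-shared key test1234 are assumptions for illustration. The thread's `isakmp ...` lines are the pre-7.2 spelling of the `crypto isakmp ...` commands used here.

```cisco
! ===== ASA 5505 (7.2), static IP hub ("Lion" in the linked example) =====
! Assumed addressing (not from the thread): outside 203.0.113.1,
! hub LAN 192.168.1.0/24, spoke LAN 192.168.2.0/24, PSK test1234.
!
! Hub-to-spoke traffic must bypass NAT, or it never matches the far side's crypto ACL.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Phase 1: this policy must match what the spoke proposes.
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Phase 2: a dynamic crypto map has no "set peer", so any peer whose IKE
! proposal and PSK match can build the tunnel. Give it the highest sequence
! number so static entries in the same map are evaluated first.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! A peer with no tunnel-group of its own falls back to DefaultL2LGroup,
! so this PSK is the one the dynamic spoke must send.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key test1234
!
! Default in 7.2, hence absent from the running-config: decrypted VPN
! traffic bypasses the outside interface ACL.
sysopt connection permit-vpn

! ===== PIX 506E (6.3), dynamic IP spoke ("Tiger" in the linked example) =====
access-list VPN-TO-HUB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list VPN-TO-HUB
sysopt connection permit-ipsec
!
! The spoke knows the hub's address, so bind the key to it rather than to 0.0.0.0.
isakmp enable outside
isakmp key test1234 address 203.0.113.1 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
!
! Static map on the spoke: it names the hub as peer and initiates on interesting traffic.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SPOKE-MAP 10 ipsec-isakmp
crypto map SPOKE-MAP 10 match address VPN-TO-HUB
crypto map SPOKE-MAP 10 set peer 203.0.113.1
crypto map SPOKE-MAP 10 set transform-set ESP-3DES-SHA
crypto map SPOKE-MAP interface outside
```

Because the hub has no peer address for the spoke, only the spoke can bring the tunnel up; generate traffic from the spoke LAN toward 192.168.1.0/24 and then check `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA (`show isakmp sa` and `show crypto ipsec sa` on the PIX). If the SAs exist but nothing flows, the encaps/decaps counters in `show crypto ipsec sa` tell you which direction is failing; the usual causes are a missing `nat (inside) 0` exemption or crypto ACLs that are not exact mirror images of each other. 3DES, SHA-1 and DH group 2 are the strongest options the PIX 6.3 side offers; on newer pairs you would choose AES and a larger DH group.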
01-19-2010 10:45 AM
Andrew,
The tunnel-group DefaultL2LGroup would not take, but would take DefaultL2Lgroup. Why I don't know. Also there is no option for tunnel_ ... general-attributes authentication-server-group. Only accounting-server-group or default-group-policy. Let me ask should the pre-shared-key in the DefaultL2Lgroup match the isakmp key on the dynamic PIX or should I add isakmp key **** address 0.0.0.0 netmask 0.0.0.0 that matches the PIX key?
Keith
01-19-2010 12:11 PM
Andrew,
authen-server-group none has been deprecated and replaced with isakmp ikev1-user-authentication none under ipsec-attributes.
Keith
01-20-2010 08:12 AM
Andrew,
I got a fresh start this morning. Let me start by telling you that I am using an ASA5505 with version 7.2(4). I tried to enter the config you have suggested and it won't take it.
On the tunnel-group DefaultL2LGroup type ipsec-l2l, it gives me an error at type. If I change the name to DefaultL2Lgroup type ipsec-l2l, it will take it. Under the general-attributes, there is no authentication-server-group option. It gives me an error to use isakmp ikev1-user-authentication none. It will take this command, but it does not show up in the running config. Under tunnel-group DefaultRAGroup general-attributes, it did take the isakmp ikev1 command and it did show up in the running-config. I used a default psk for this group. The l2l group matches my dynamic PIX. All this to say that I am getting a tunnel to come up, but it is connecting to the DefaultRAGroup (see error message).
[IKEv1]: Group = DefaultRAGroup, IP = 71.29.x.x, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
This tunnel doesn't stay up, nor am I able to ping the other LAN. I did use the ASDM to configure the DefaultL2LGroup tunnel, if that helps any.
any thoughts?
Thanks for your help --- Keith
01-20-2010 08:27 AM
Keith,
OK, if a command does not show up in the config, it's a default command.
I suggest you post your current ASA config (remove any sensitive information); I will try and get some lab time to test your config.
01-20-2010 09:17 AM
Andrew,
Wow that was fast. Should I get rid of the tunnel-group configurations in the ASA then and what about the psk?
Keith
01-20-2010 09:20 AM
Keith,
I think you should compare your ASA to the static-IP config and the PIX to the dynamic-IP config and see what's different (apart from the names of things).
The pre-shared key I used was test1234 at both ends.
01-20-2010 11:04 AM
Andrew,
The tunnel came up after I deleted the DefaultRAGroup tunnel. The problem now is no traffic is going across. I double-checked my ACLs and they are fine. I rechecked the configs you sent me and mine are the same. I have attached my show crypto ipsec and isakmp sa. I have studied your configs and mine for the last hour to see what I may be missing, but no luck. Sorry I keep asking you questions, but it's been 4 years since my firewall class and I am the only IT person here at a small non-profit.
Again, thanks for your help --- Keith