Multiple VPN issue, can't get second VPN up.

dsingleterry, Level 1

I have 3 firewalls in 3 locations. The 515e is the main one that all the other locations need to connect to via VPN. I have one VPN working between a 501 and the 515e, and need to get the next one running as well.

So here's my current VPN config; the complication is that this is my first multiple-VPN setup.

515e:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
names
name x.x.71.8 ConstOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
icmp permit any outside
icmp permit any inside
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer x.x.81.11
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet x.x.81.11 255.255.255.255 outside
telnet 192.168.50.201 255.255.255.255 inside
telnet 192.168.50.202 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80

501e:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any
access-list acl_inbound permit ip host x.x.71.7 any
interface ethernet0 10baset
interface ethernet1 10full
ip address outside x.x.81.11 255.0.0.0
ip address inside 192.168.52.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.52.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 9 ipsec-isakmp
crypto map vpn1 9 match address inside_nat0_outbound
crypto map vpn1 9 set pfs group2
crypto map vpn1 9 set peer x.x.71.7
crypto map vpn1 9 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.50.0 255.255.255.0 outside
telnet x.x.71.7 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f4e78a76793783478f6e56f567e1f9cd
: end

So I must be missing something to get multiple VPNs up.

My debug info from the 515 is as follows:

ISAKMP (0): beginning Quick Mode exchange, M-ID of 299217336:11d5b1b8
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 299217336
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
ISAKMP (0): processing DELETE payload. message ID = 2059037963
ISAKMP (0): deleting SA: src x.x.71.7, dst x.x.81.11
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x813d3688, conn_id = 0
ISADB: reaper checking SA 0x813d65c8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.81.11 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:x.x.81.11 Total VPN peers:1
ISADB: reaper checking SA 0x813d3688, conn_id = 0

Thx,

Dave

31 Replies

mike-greene, Level 4

Dave,

The most obvious thing I see is this in your 501 config...

crypto map vpn1 9 set peer x.x.71.7

isakmp key ******** address x.x.81.11 netmask 255.255.255.255

Either the crypto map peer address is wrong, or the isakmp key address is wrong.

Also, if you use SSH instead of telnetting through the VPN tunnel, you can cut down on some of the access list statements you have in your configs. (Just a helpful hint.)

Hope that helps...

Oh my goodness... thank you. I had overlooked that line I don't know how many times now and didn't even notice that.

SSH: this is my first time setting up PIXes. How do I set up SSH on them?

thanks,

Dave

Dave,

Here's a link on how to set it up on the pix.....

http://www.cisco.com/warp/public/110/authtopix.shtml#localSSH

You're going to have to use an SSH client like PuTTY or TeraTerm Pro... here's a link to TeraTerm....

http://www.zip.com.au/~roca/ttssh.html

hope that helps....

Ahh, durn it, that didn't fix the problem.

I'm still getting

ISAKMP (0): beginning Quick Mode exchange, M-ID of 801661563:2fc8627b
crypto_isakmp_process_block: src BftOffice, dest MainOffice
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 801661563
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!

Is it possible it's checking against the isakmp key for the first VPN that's still running? Or the line that says "IPSec policy invalidated proposal": what does that mean? I have the same IPSec line for both VPNs.

Also, for some reason I can't seem to ping the x.x.81.11 firewall from this location, but I can ping everything else. I can also ping the x.x.81.11 firewall from other locations, so I know it's up, and I know they are hitting the web from that location as well.

Dave,

Try changing the DH group from 1 to 2 on the 501. Looks like the PFS on your 515 wants to use group 2....

isakmp policy 9 group 2

The reason you probably cannot ping is because you're not NATing the traffic from behind the 515 to the outside interface of the 501. If you remove the line "access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11" you probably will be able to ping. The tunnel is not up, so I think that line is causing problems. It's hard to believe you can ping that from other locations, seeing as though you have no access list permitting ICMP or ICMP echo replies....

Also make sure your access lists on both sides mirror each other...

I would agree with the last post. Look into your ACLs. It seems that there might be some differences.

Here is a link that might get you on your way:

http://www.cisco.com/en/US/customer/tech/tk648/tk367/technologies_tech_note09186a00800949c5.shtml

Hope this helps!

Hi Dave

You may want to try rebooting your PIX if you haven't already. I can't count the number of times I have sat in front of a perfectly useful config that just won't work after I have tweaked it by, say, changing a target IP address. Before you change these things you have to turn off stuff like the sysopt permit-ipsec, isakmp enable outside, and crypto map enable outside statements, or it just won't happen. I'd be sat there staring at it and getting cross, then after a reboot it would be like hey-presto (TM), instant vpnage! Anyway, worth a mention :)

Regards

Kev

PS Nice one on the x-over cable!

Dave-

I was concentrating on the question that you asked: "or the line that says IPSec policy invalidated proposal, what does that mean?". I searched on that, and that is when I came up with the troubleshooting URL I posted earlier. I believe that your SAs are not matching up. It seems that a possibility for this error could be that the ACLs you are using are not 100% matching from both ends, and it did seem that there were some differences.

The next thing I might suggest, if rebooting and looking at the ACLs don't work, is to delete everything to do with this tunnel and start afresh. Since you have been making a bunch of changes over and over, you might want to start clean....just a thought :)

Good luck.

Not sure if you have seen something like this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml#diag

However, it is the same premise as what you are doing. Maybe this will help clear the ACL situation up??!!!

Really hope this helps!

Hello again

Just to throw something else into the mix (as if you didn't need anything else!), whilst you are taking the fine adjustment spanner/lump hammer to your config, it may be a good idea to separate your ACLs on the hub PIX a bit more, to allow more granular control, i.e.

- acl1 for connections to site a (for site a crypto map)

- acl2 for connections to site b (for site b crypto map)

- acl3 for no NAT

- acl4 for outbound connections

acl3 would at least have to include all statements in acl1 and acl2.

acl4 would at least have to include all statements in acl3.

More typing I know, but it makes it a hell of a lot easier to drive it.

Rgdzzz [time 4 bed:-)]

Kev

Wow, thanks guys, that was some serious response...

I was sick for a couple of days and came back to see all of them just now.

I will be banging on this problem and let y'all know what happens. I greatly appreciate all the suggestions; it helps a lot.

Dave

Well, I tried some things and still have no luck, but I do have some more info.

1. I re-entered the VPN info for the second VPN store on both firewalls.

2. My ACLs are matched now; no differences between the existing VPN remote store's and the new one's ACLs.

3. I played with the isakmp policy, changed group numbers, changed policy numbers, and even took down the existing VPN to see if pointing the 'match address' to the same ACL would even work.

4. I ran debug on both PIXes, and on the 515e that has an existing VPN already I was getting the same output, "SA not acceptable!", along with a bunch of other stuff. And on the 515e when running 'sho crypto ipsec sa' I get the following:

interface: outside
Crypto map tag: vpn1, local addr. MainOffice

local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.51.0/255.255.255.0/0/0)
current_peer: ConstOffice
PERMIT, flags={origin_is_acl,}
#pkts encaps: 55367, #pkts encrypt: 55367, #pkts digest 55367
#pkts decaps: 59927, #pkts decrypt: 59927, #pkts verify 59927
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: MainOffice, remote crypto endpt.: ConstOffice
path mtu 1492, ipsec overhead 56, media mtu 1492
current outbound spi: 34e2c28d
inbound esp sas:
spi: 0x9686469a(2525382298)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: vpn1
outbound pcp sas:

local ident (addr/mask/prot/port): (192.168.52.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
current_peer: ConstOffice
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: MainOffice, remote crypto endpt.: ConstOffice
path mtu 1492, ipsec overhead 0, media mtu 1492
current outbound spi: 0
outbound pcp sas:

local crypto endpt.: MainOffice, remote crypto endpt.: BftOffice (x.x.81.11)
path mtu 1492, ipsec overhead 0, media mtu 1492
current outbound spi: 0

Office 50.0 is the 515e, 51.0 is the existing VPN, 52.0 is the new one that won't work.

On the new one running a 501e (52.0) I get this:

interface: outside
Crypto map tag: vpn1, local addr. x.x.81.11

local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.52.0/255.255.255.0/0/0)
current_peer: 64.53.71.7
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.81.11, remote crypto endpt.: x.x.71.7 (MainOffice)
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

On this remote site's 501e, when running debug crypto isakmp I get (I may not spell this right, it's from memory) ISAK_NO_ERR_NO_TRANS

When checking hitcnts on the ACLs, the remote 501e shows that it's sending data to the 515e via the VPN tunnel that it's trying to establish. The 515e doesn't seem to want to accept that data.

So it seems that the 501 is set up right, but that here on the 515e, it doesn't want to allow more than one VPN; it won't accept the 52.0 network. At the bottom here I will attach my current 515e config. Thanks for all your help guys, sorry to keep beating this horse, but I can't seem to get this problem resolved.

names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip host MainOffice 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host BftOffice
access-list inside_nat0_outbound permit ip host MainOffice 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

Thanks,

Dave

Alright, let's see if this helps out a little more....don't worry, we will get this working!!!

Also, about your statement "2. My acl's are matched now, no differences between the existing vpn remote store and the new one's acl's.": make sure that they ARE NOT truly the same, only the concept of them. You will need to change IPs and such.

*************************************************************************************
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any

****Seems that you just want all IP to access both remote locations....therefore, just put IP****
****BftOffice ACL should be different than ConstOffice ACL****
****These Crypto ACLs are your "interesting traffic" that defines when to engage the use of the IPSec tunnel****

****BftOffice ACL****
access-list permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
****ConstOffice ACL****
access-list permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
****The ACL needed for NO NATing to both BftOffice and ConstOffice****
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

global (outside) 2 interface
nat (inside) 0 access-list 101
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac

****ConstOffice IPSec Phase 2 SA****
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
****BftOffice IPSec Phase 2 SA****
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
*************************************************************************************

I tried to separate each piece so you can see it a little easier. I believe I got all your addressing and everything correct???...Hopefully. That URL I posted a couple back is truly a very good helper.

Hope this helps! I will keep checking back. Good luck...

your statement "2. My acl's are matched now, no differences between the existing vpn remote store and the new one's acl's. " make sure that there ARE NOT truly the same, however, just the concept of them. You will need to change IPs and such.

*************************************************************************************

>>>Um, I know, I'm not that dense. :)

names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any

****Seems that you just want all IP to access both remote locations....therefore, just put IP****

>>> Just put IP what? I'm sorry, I don't get what you are saying.

****BftOffice ACL should be different than ConstOffice ACL****

****These Crypto ACLs are your "interesting traffic" that defines when to engage the use of the IPSec tunnel****

>>> I have a separate ACL for Bft and Const as it is. Now, what I do have that may be a problem (I am not sure) is that my Const ACL is also the one that is pointed directly to NAT 0. My Bft ACL is the ACL named 101; my Const ACL is named inside_nat0_outbound, and it also includes the same entries that the Bft ACL has. Is this gonna cause problems? I could set up a 101 ACL for Const, and make say a 100 ACL as the one that includes all the VPN ACL commands and is connected to NAT 0.

****ConstOffice IPSec Phase 2 SA****
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
****BftOffice IPSec Phase 2 SA****
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

>>> So the only thing I see different here from my existing config is possibly the match address ACL list names, which at the moment are pointing:

crypto map vpn1 10 match address inside_nat0_outbound (const and bft access lines included)
crypto map vpn1 20 match address 101 (bft access lines only)

So instead you're saying I should have:

crypto map vpn1 10 match address 101 (const access lines only)
crypto map vpn1 20 match address 102 (bft access lines only)

and further up have:

nat (inside) 0 access-list 100 (ACL including both const and bft access entries)

Is this correct or am I missing what you're saying I need to try?

Thanks,

Dave
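The thread's advice boils down to a few checks that can be automated: mike's first observation that the 501's isakmp key was bound to an address that is not its crypto map peer, the "mirror each other" requirement for the crypto ACLs on both ends, and Kev's layout of one crypto ACL per site with a separate no-NAT ACL that is a superset of all of them. The layout matters because a PIX walks crypto map entries in sequence order and the first entry whose ACL matches a flow binds that flow to that entry's peer; when entry 10 matches the nat 0 list, which contains both sites' flows, the 192.168.52.0 traffic is claimed for ConstOffice, which is consistent with the hub's 'sho crypto ipsec sa' output above (the 192.168.52.0 identity appears under current_peer ConstOffice). The following Python checker is an added example, not code from this thread or from Cisco. It parses the crypto-relevant lines of PIX 6.x configs and reports those four problems. The sample configs are constructed, modelled on the configs posted here, with 192.0.2.x standing in for the redacted x.x.71.x / x.x.81.x addresses; all function names are this example's own.

```python
"""Consistency checks for a PIX 6.x hub-and-spoke IPsec layout (added example, not from the thread).
Reports: a crypto map peer with no isakmp key, a lower-sequence crypto map entry whose ACL also
lists a later entry's traffic, interesting traffic missing from the nat 0 ACL, and spoke crypto
ACLs that do not mirror the hub's."""
import ipaddress
from collections import defaultdict

def _net(tok, names):
    """Consume one ACL address term (host X | any | addr mask); return (network, remaining tokens)."""
    if tok[0] == "host":
        return ipaddress.ip_network(names.get(tok[1], tok[1]) + "/32"), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{names.get(tok[0], tok[0])}/{tok[1]}", strict=False), tok[2:]

def parse_pix(text):
    """Extract name aliases, permit-ip ACL flows, crypto map entries, isakmp key addresses, nat 0 ACL."""
    names, acls, maps, keys, nat0 = {}, defaultdict(list), defaultdict(dict), set(), None
    for tok in filter(None, map(str.split, text.splitlines())):   # tokenised non-blank lines
        if tok[0] == "name":                                       # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, rest = _net(tok[4:], names)
            acls[tok[1]].append((src, _net(rest, names)[0]))
        elif tok[:2] == ["crypto", "map"] and tok[3].isdigit():    # skips "crypto map X interface"
            entry = maps[(tok[2], int(tok[3]))]
            if tok[4:6] == ["match", "address"]:
                entry["acl"] = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                entry["peer"] = names.get(tok[6], tok[6])
        elif tok[:2] == ["isakmp", "key"]:                         # isakmp key <k> address <ip> ...
            keys.add(names.get(tok[4], tok[4]))
        elif tok[:3] == ["nat", "(inside)", "0"]:                   # nat (inside) 0 access-list <acl>
            nat0 = tok[4]
    return {"acls": acls, "maps": maps, "keys": keys, "nat0": nat0}

def local_findings(cfg, label):
    """Checks that need only one box's config."""
    out, fl = [], lambda acl: cfg["acls"].get(acl, [])
    entries = sorted(cfg["maps"].items())                          # PIX walks entries by sequence number
    for i, ((m, seq), e) in enumerate(entries):
        if e.get("peer") not in cfg["keys"]:
            out.append(f"{label}: {m} {seq} peers with {e.get('peer')} but no isakmp key is set for it")
        for s, d in fl(e.get("acl")):
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in fl(cfg["nat0"])):
                out.append(f"{label}: {m} {seq} flow {s}->{d} is not exempted from NAT")
            # the first entry whose ACL matches a flow binds it to that entry's peer
            for (m2, seq2), e2 in entries[i + 1:]:
                if e2.get("peer") != e.get("peer") and (s, d) in fl(e2.get("acl")):
                    out.append(f"{label}: {m} {seq} ({e.get('peer')}) captures {s}->{d} "
                               f"before {m2} {seq2} ({e2.get('peer')}) is consulted")
    return out

def mirror_findings(hub, spoke, peer_ip):
    """Spoke crypto ACLs must equal the hub's ACLs for that peer with src/dst swapped."""
    want = {(d, s) for e in hub["maps"].values() if e.get("peer") == peer_ip
            for s, d in hub["acls"].get(e.get("acl"), [])}
    have = {f for e in spoke["maps"].values() for f in spoke["acls"].get(e.get("acl"), [])}
    return [f"hub and spoke {peer_ip} crypto ACLs disagree on flow {s}->{d}" for s, d in want ^ have]

def audit(hub_text, spokes):
    """spokes maps peer address -> spoke config text. An empty result means the layout is consistent."""
    hub = parse_pix(hub_text)
    out = local_findings(hub, "hub")
    for ip, text in spokes.items():
        spoke = parse_pix(text)
        out += local_findings(spoke, f"spoke {ip}") + mirror_findings(hub, spoke, ip)
    return out

# Constructed samples shaped like the thread's configs; 192.0.2.x replaces the redacted addresses.
# HUB_ORIGINAL points crypto map entry 10 at the nat 0 ACL, which also lists the 192.168.52.0 flow.
HUB_ORIGINAL = """
name 192.0.2.8 ConstOffice
name 192.0.2.11 BftOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 20 match address 101
crypto map vpn1 20 set peer BftOffice
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
"""
# Spoke as first posted: the isakmp key is bound to its own outside address, not the hub's.
SPOKE_ORIGINAL = """
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map vpn1 9 match address inside_nat0_outbound
crypto map vpn1 9 set peer 192.0.2.7
isakmp key ******** address 192.0.2.11 netmask 255.255.255.255
"""
# The layout proposed at the end of the thread: one crypto ACL per site, nat 0 keeps the superset ACL.
HUB_FIXED = HUB_ORIGINAL.replace("10 match address inside_nat0_outbound", "10 match address 102").replace(
    "access-list 101", "access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0\naccess-list 101")
SPOKE_FIXED = SPOKE_ORIGINAL.replace("address 192.0.2.11 netmask", "address 192.0.2.7 netmask")

if __name__ == "__main__":
    for name, hub, spoke in (("original", HUB_ORIGINAL, SPOKE_ORIGINAL), ("fixed", HUB_FIXED, SPOKE_FIXED)):
        print(name, audit(hub, {"192.0.2.11": spoke}) or ["ok"])
```

Run as-is, the "original" pair yields two findings (the key/peer mismatch on the spoke and the hub's entry 10 capturing the 192.168.50.0 to 192.168.52.0 flow ahead of entry 20) and the "fixed" pair yields none. To use it on real configs, paste the relevant `name`, `access-list`, `nat (inside) 0`, `crypto map` and `isakmp key` lines of each box into the strings; the parser ignores everything else.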
