Ipsec tunnel pix - vpn3005 not working

Apr 3rd, 2003

Attempting to set up a LAN 2 LAN Ipsec tunnel between PIX and VPN 3005 concentrator. I have followed the instructions as in http://www.cisco.com/warp/public/471/ALTIGA_pix.html.


The tunnel can be initiated from the VPN concentrator, but cannot be initiated from the PIX end. I am receiving the following error messages. IP addresses replaced. I have tried both 3des and des encryption (PIX does have a licence for 3des) and I get the same anomalies. All help appreciated.


Mike


From PIX

pix# debug crypto ipsec
pix# IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc4ab8e0d(3299577357) for SA
from <pix public address> to <vpn public address> for prot 3
IPSEC(ipsec_encap): crypto map check deny
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with <VPN Public address>
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny


and from the VPN log

12 04/01/2003 10:15:57.580 SEV=5 IKE/35 RPT=821 <Pix public address>
Group [<Pix public address>]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.102.0, Mask 255.255.255.0, Protocol 0, Port 0

15 04/01/2003 10:15:57.580 SEV=5 IKE/34 RPT=1133 <Pix public address>
Group [<Pix public address>]
Received local IP Proxy Subnet data in ID Payload:
Address 10.31.131.0, Mask 255.255.255.0, Protocol 0, Port 0

18 04/01/2003 10:15:57.580 SEV=5 IKE/66 RPT=1278 <Pix public address>
Group [<Pix public address>]
IKE Remote Peer configured for SA: L2L: To_Pix

19 04/01/2003 10:15:57.580 SEV=4 IKE/0 RPT=2276 <Pix public address>
Group [<Pix public address>]
All IPSec SA proposals found unacceptable!

20 04/01/2003 10:15:57.580 SEV=4 IKEDBG/0 RPT=1648
QM FSM error (P2 struct &0x1c7aaac, mess id 0x321b5f40)!

21 04/01/2003 10:15:57.580 SEV=4 IKEDBG/0 RPT=1649
QM FSM history (P2 struct &0x1c7aaac):
[13, 52], [3, 32], [3, 44], [3, 31]

22 04/01/2003 10:15:57.580 SEV=6 IKE/0 RPT=2277 <Pix public address>
Group [<Pix public address>]
Removing peer from correlator table failed, no match!

23 04/01/2003 10:15:57.580 SEV=4 AUTH/23 RPT=627 <Pix public address>
User <Pix public address> disconnected: duration: 0:00:28

gfullage (Cisco Employee) Thu, 04/03/2003 - 18:45

This is your problem:

19 04/01/2003 10:15:57.580 SEV=4 IKE/0 RPT=2276
Group []
All IPSec SA proposals found unacceptable!

On the 3000, go under Config - Policy Mgmt - Traffic Mgmt - SAs and modify the L2L SA for this PIX connection. Check that the parameters match what you've got on the PIX; you'll possibly find that PFS is on at one end and not the other. Check what IKE Proposal it's using also and verify that that matches up with what's in the PIX.

m.ware Wed, 04/23/2003 - 07:02

Thanks to gfullage.

The PIX needed a PFS line in the config to solve the problem.

Rgds

Mike
