03-26-2004 05:34 AM
Hello,
I'm trying to configure a Cisco PIX to connect with SAP in Germany. I received some information from SAP (VPN public IP address, subnets on their side, encryption method and pre-shared key).
I configured the PIX according to these settings, but it doesn't work. This is the output from the debug crypto:
1.2.3.4 = SAP VPN IP address
2.3.4.5 = Our internet address
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:1.2.3.4, dest:2.3.4.5 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 7200
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:1.2.3.4, dest:2.3.4.5 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:1.2.3.4, dest:2.3.4.5 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 232105854:dd5a77e
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x83a88cce(2208861390) for SA
from 1.2.3.4 to 2.3.4.5 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:1.2.3.4/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:1.2.3.4/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:1.2.3.4, dest:2.3.4.5 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 2208861390, message ID = 1582637077
ISAKMP (0): deleting spi 3465324675 message ID = 232105854
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:1.x.x.4, dest:2.3.4.5 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 2050053745, message ID = 4294618543
ISAKMP (0): deleting spi 1901474170 message ID = 1990441194
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 2.3.4.5, remote= 1.2.3.4,
local_proxy= 2.x5.x/x.x.255.0/0/0 (type=4),
remote_proxy= 1.2.x.x/x.x.x.252/0/0 (type=4)
The output of show crypto sa (here I see only send errors):
interface: outside
Crypto map tag: sap_vpn, local addr. x.x.x.5
local ident (addr/mask/prot/port): (2.x.x.0/255.x.255.0/0/0)
remote ident (addr/mask/prot/port): (1.x.x.x/255.x.255.252/0/0)
current_peer: 194.x.x.x:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 16, #recv errors 0
local crypto endpt.: 2.x.4.5, remote crypto endpt.: 1.x.x.x
path mtu 1500, ipsec overhead 0, media mtu 1500
Is there anybody who can tell me what's going wrong here, or is there maybe someone who had to set up a VPN connection with SAP who can share some information with me?
Best regards,
Mark Derckx
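The debug above is easier to read once the ISAKMP numbers are decoded: Phase 1 (Main Mode) reaches "SA has been authenticated", Quick Mode starts, and the peer answers with "NOTIFY payload 14 protocol 3", which in RFC 2408/2407 terms is NO-PROPOSAL-CHOSEN for ESP. The following triage script is an added example, not code from the post or from Cisco; it runs over a constructed sample modelled on the post's output, with RFC 5737 documentation addresses in place of the masked real ones.

```python
"""Triage a Cisco PIX "debug crypto isakmp" capture like the one in the post above.

Added example, not code from the post or from Cisco. It confirms whether Phase 1
(Main Mode) completed, decodes received NOTIFY payloads with the RFC 2408/2407
numbers, and pulls out the IPsec proxy identities, so a "NOTIFY payload 14
protocol 3" reads as NO-PROPOSAL-CHOSEN for ESP instead of two bare integers."""
import re

# ISAKMP notify message types, RFC 2408 section 3.14.1 (only the ones worth
# recognising in a Phase 1/Phase 2 triage are listed).
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE",
    14: "NO-PROPOSAL-CHOSEN",
    18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
    24578: "INITIAL-CONTACT",   # Cisco-private value printed by PIX/IOS debugs
}
# IPsec DOI protocol IDs, RFC 2407 section 4.4.1.
PROTOCOL_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")

# Constructed sample modelled on the post's debug, with documentation addresses
# (RFC 5737) in place of the masked real ones.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 232105854:dd5a77e
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 14 protocol 3
ISAKMP (0): deleting spi 3465324675 message ID = 232105854
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 203.0.113.5, remote= 198.51.100.4,
  local_proxy= 203.0.113.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 198.51.100.0/255.255.255.252/0/0 (type=4)
"""


def triage(debug_text):
    """Return a dict summarising what the debug says about each IKE phase."""
    result = {
        "phase1_ok": False,       # Main Mode reached "SA has been authenticated"
        "phase2_started": False,  # Quick Mode exchange was begun
        "notifies": [],           # (type name, protocol name) for received NOTIFYs
        "proxies": {},            # local/remote proxy identity (the crypto ACL view)
        "verdict": "",
    }
    for line in debug_text.splitlines():
        if "SA has been authenticated" in line:
            result["phase1_ok"] = True
        elif "beginning Quick Mode exchange" in line:
            result["phase2_started"] = True
        m = NOTIFY_RE.search(line)
        if m:
            ntype, proto = int(m.group(1)), int(m.group(2))
            result["notifies"].append((NOTIFY_TYPES.get(ntype, f"type-{ntype}"),
                                       PROTOCOL_IDS.get(proto, f"proto-{proto}")))
        m = PROXY_RE.search(line)
        if m:
            side, net, mask, proto, port = m.groups()
            result["proxies"][side] = {"net": net, "mask": mask,
                                       "proto": int(proto), "port": int(port)}

    esp_rejected = ("NO-PROPOSAL-CHOSEN", "ESP") in result["notifies"]
    if not result["phase1_ok"]:
        result["verdict"] = ("Phase 1 never authenticated: check the ISAKMP policy "
                             "(encryption/hash/DH group/lifetime) and the pre-shared key.")
    elif esp_rejected:
        result["verdict"] = ("Phase 1 is up but the peer answered Quick Mode with "
                             "NO-PROPOSAL-CHOSEN for ESP: the IPsec transform set, "
                             "PFS setting or proxy identities (crypto ACL) do not match "
                             "the peer's configuration.")
    elif result["phase2_started"]:
        result["verdict"] = "Quick Mode started and no rejection was seen; look at the IPsec SA counters."
    else:
        result["verdict"] = "Phase 1 is up; Quick Mode was never attempted."
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run it against a real capture by passing the pasted debug text to `triage()`. The proxy identities it extracts (a /24 on the local side, a /30 on the remote side in the sample) are exactly what the peer compares against its own crypto ACL, which is why the "#send errors" counter climbs while encaps stays at zero: traffic matches the local crypto map, but no IPsec SA ever comes up to carry it.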
03-30-2004 11:25 PM
It looks as if the SA is established, but there may be a problem with the access lists related to encryption, i.e. they may not be in sync. If you or your peer encrypts traffic and your access list says the traffic should not be encrypted, that may be the problem here.
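"In sync" here means the two crypto ACLs must be exact mirror images, masks included: what one side lists as source/destination the other lists as destination/source. The checker below is an added example, not from the thread or from Cisco; it takes both sides' entries in PIX `permit ip` syntax and reports any entry without an exact mirror, flagging the common case where the networks overlap but the masks differ. Addresses are RFC 5737 documentation ranges standing in for the masked ones in the post.

```python
"""Check that two peers' crypto ACLs (IPsec proxy identities) are mirror images.

Added example, not from the thread. Each side lists its crypto ACL in PIX syntax
("permit ip <src> <mask> <dst> <mask>"); the peer's entry must be the exact swap,
same masks included, or Quick Mode is rejected. Documentation addresses (RFC 5737)
stand in for the masked ones in the post."""
import ipaddress


def parse_entry(entry):
    """'permit ip A Amask B Bmask' -> (A network, B network)."""
    parts = entry.split()
    if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported crypto ACL entry: {entry!r}")
    src = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    dst = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
    return src, dst


def check_mirror(local_acl, remote_acl):
    """Return which local entries have no exact mirror on the remote side, and vice versa."""
    local = {parse_entry(e) for e in local_acl}
    remote = {parse_entry(e) for e in remote_acl}
    # Remote entries rewritten as our side would see them (src/dst swapped).
    mirrored_remote = {(dst, src) for src, dst in remote}

    unmatched_local, unmatched_remote = [], []
    for src, dst in sorted(local - mirrored_remote, key=str):
        msg = f"local {src} -> {dst} has no mirror on the peer"
        # An overlapping-but-unequal peer entry is the classic mask mismatch.
        for rsrc, rdst in remote:
            if rsrc.overlaps(dst) and rdst.overlaps(src):
                msg += f" (peer has {rsrc} -> {rdst}; masks differ)"
                break
        unmatched_local.append(msg)
    for src, dst in sorted(mirrored_remote - local, key=str):
        # (src, dst) is the swapped view; the peer wrote it as dst -> src.
        unmatched_remote.append(f"peer {dst} -> {src} has no mirror on our side")

    return {"ok": not unmatched_local and not unmatched_remote,
            "unmatched_local": unmatched_local,
            "unmatched_remote": unmatched_remote}


# Constructed sample: our side is a /24, SAP's side a /30, as in the post's proxy IDs.
LOCAL_ACL = ["permit ip 203.0.113.0 255.255.255.0 198.51.100.0 255.255.255.252"]
GOOD_REMOTE_ACL = ["permit ip 198.51.100.0 255.255.255.252 203.0.113.0 255.255.255.0"]
BAD_REMOTE_ACL = ["permit ip 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0"]

if __name__ == "__main__":
    print(check_mirror(LOCAL_ACL, GOOD_REMOTE_ACL))
    print(check_mirror(LOCAL_ACL, BAD_REMOTE_ACL))
```

The "bad" remote ACL differs from the good one only in the mask of SAP's own network (/24 instead of /30); that single bit of mismatch is enough for the responder to reject the Quick Mode proposal, so it is worth asking the peer to read their ACL back verbatim rather than describing it.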
04-14-2004 11:33 PM
Hello Mark,
I am also trying to set up a VPN with SAP and I can say it's a real struggle for me as well, so the first thing to help you: "you are not alone!".
My VPN with SAP somehow works OK, although it's hard to know and get good feedback from SAP...
One piece of information that might be helpful for you is that SAP has a policy of never mounting the VPN to the customer's network themselves; they say the VPN tunnel can be initiated from the customer network only, so if you have a VPN with SAP you must tune your network devices to keep the tunnel up... One thing I have done to achieve that is to set up a script on my (bloody) saprouter box that pings SAP every hour.
Also, when I received the doc with IKE/IPsec parameters from SAP, it said "rekey timeout 2 hours"... I don't know if it's the same for you, but I chased up SAP to make sure and it turned out that the IKE SA lifetime is 86400 secs and the IPsec SA lifetime 7200 secs...
Hope this helps; I will keep you posted (let me know your email if you want) if I get some more helpful tips.
Aurelien