Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
819
Views
0
Helpful
2
Replies

PIX VPN connection to SAP

admin_2
Level 3
Level 3

‎03-26-2004 05:34 AM

Hello,

I'm trying to configure a Cisco PIX to connect with SAP in Germany. I received some information from SAP (VPN Public IP adres, subnets on their side, encryption methode and pre-shared key).

I configured the PIX according these settings, but it doesn't work. This is the output from the debug crypto:

1.2.3.4 = SAP VPN IP adress

2.3.4.5 = Our internet address

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:1.2.3.4, dest:2.3.4.5 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 7200

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:1.2.3.4, dest:2.3.4.5 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:1.2.3.4, dest:2.3.4.5 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 232105854:dd5a77eIPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x83a88cce(2208861390) for SA

from 1.2.3.4 to 2.3.4.5 for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:1.2.3.4/500 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:1.2.3.4/500 Ref cnt incremented to:1 Total VPN Peers:1

crypto_isakmp_process_block:src:1.2.3.4, dest:2.3.4.5 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 2208861390, message ID = 1582637077

ISAKMP (0): deleting spi 3465324675 message ID = 232105854

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:1.x.x.4, dest:2.3.4.5 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 2050053745, message ID = 4294618543

ISAKMP (0): deleting spi 1901474170 message ID = 1990441194

return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired: count = 2,

(identity) local= 2.3.4.5, remote= 1.2.3.4,

local_proxy= 2.x5.x/x.x.255.0/0/0 (type=4),

remote_proxy= 1.2.x.x/x.x.x.252/0/0 (type=4)

The output of show crypto sa (here I see only send errors):

interface: outside

Crypto map tag: sap_vpn, local addr. x.x.x.5

local ident (addr/mask/prot/port): (2.x.x.0/255.x.255.0/0/0)

remote ident (addr/mask/prot/port): (1.x.x.x/255.x.255.252/0/0)

current_peer: 194.x.x.x:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 16, #recv errors 0

local crypto endpt.: 2.x.4.5, remote crypto endpt.: 1.x.x.x

path mtu 1500, ipsec overhead 0, media mtu 1500

Is there anybody who can tell me what's going wrong here or is there maybe someone who had to setup a VPN connection with SAP who can share some information with me ?

Best regards,

Mark Derckx

Labels:
0 Helpful
2 Replies 2

p.dimitrije
Level 1
Level 1

‎03-30-2004 11:25 PM

It Looks as if sa is astablished, but there may be a problem with access lists related to encryption, ie. they may not be in sync. If you or your peer encrypts traffic and your access list says the traffic should not be encrypted, that may be a problem here.

0 Helpful

augeiss
Level 1
Level 1

‎04-14-2004 11:33 PM

Hello Mark,

I am also trying to set up a VPN with SAP and i can say it's a real struggle for me as well, so 1st thing to help you : "you are not alone !".

My VPN with SAP somehow works ok despite it's hard to know and get some good feedback from SAP...

One information that might be helpful for you is that SAP has a policy of never mounting VPN to customer's network themselves, they say VPN tunnel can be initiated from customer network only, if you have a VPN with SAP you must tune up your network devices to keep the tunnel up... One thing i have done to achieve that is that i have set a script on my (bloody) saprouter box that pings to SAP every hour.

Also, when I received the doc with IKE/IPSec parameters from SAP, it said "rekey timeout 2hours"... Don't know if it's the same for you but indeed I have chased up SAP to make sure and it turned out the IKE SA lifetime to be 86400 secs and the IPsec SA lifetime 7200 secs...

hope this helps, will keep you posted (let me know your email if you want) if i get some more helpful tips.

Aurelien

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents