Lan to Lan (Pix-VPN3000) Fails at IKE QM

Dec 14th, 2005

Hi all,


I am really having problems when trying to establish a site-to-site VPN between a PIX 6.3(5) and a VPN 3000.


IKE Phase 1 finishes OK, but when beginning IKE Phase 2 (QM) it suddenly fails without beginning to negotiate the IPsec SAs; please check the logs below:

ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1233180032:b67f2a80
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc83f0a84(3359574660) for SA
from 193.149.246.8 to 217.130.212.207 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:193.149.246.8/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:193.149.246.8/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:193.149.246.8, dest:217.130.212.207 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3949233630, spi size = 16
ISAKMP (0): deleting SA: src 217.130.212.207, dst 193.149.246.8
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x1024c24, conn_id = 0 DELETE IT!



The relevant configuration for the PIX is posted below; just note that it is also working as a VPN Remote Server.

In all the tests, the traffic was originated on the PIX side, destined for the VPN side.


crypto ipsec transform-set nuevo esp-3des esp-md5-hmac
crypto ipsec transform-set nuevo2 esp-3des esp-sha-hmac
crypto dynamic-map pick_dynmap 11 set transform-set pick_ts
crypto map rpick 10 ipsec-isakmp dynamic pick_dynmap
crypto map rpick client authentication LOCAL
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address VPN3
crypto map VPN 10 set peer 193.149.246.8
crypto map VPN 10 set transform-set nuevo
crypto map VPN 20 ipsec-isakmp dynamic pick_dynmap
crypto map VPN client authentication LOCAL
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 193.149.246.8 netmask 255.255.255.255 no-xauth
isakmp peer ip 193.149.246.8 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup default-domain idle-time 1800
vpngroup ppack address-pool poolPick
vpngroup ppack split-tunnel splitPick3
vpngroup ppack idle-time 1800
vpngroup ppack password ********



Any tip for fixing this or about what is failing?


Thanks a lot in advance.

Sam.


IP addresses have been altered to save the innocents.
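For anyone triaging debug output like the excerpt in the post above, here is an added example (not code from the original post or from Cisco) that reads the posted lines in order and reports the stage at which the negotiation stopped. The one thing it encodes that the raw log does not spell out is the meaning of "spi size = 16" in the DELETE payload: 16 bytes is the ISAKMP cookie pair, so the peer is tearing down the Phase 1 SA it just authenticated rather than rejecting one IPsec SA. The string it watches for to mark an installed IPsec SA is an assumption, since nothing of the kind occurs in the excerpt.

```python
"""Triage a PIX 'debug crypto isakmp' excerpt to find where IKE stopped.

Added example for this thread; it is not code from the original post or
from Cisco. It walks the debug lines in order, records the milestones
reached (Phase 1 authenticated, Quick Mode started, IPsec SA installed,
DELETE received) and names the stage at which the negotiation ended.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The debug lines from the question (IP addresses as altered by the poster).
SAMPLE_DEBUG = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1233180032:b67f2a80
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc83f0a84(3359574660) for SA
from 193.149.246.8 to 217.130.212.207 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:193.149.246.8/500 Total VPN Peers:1
crypto_isakmp_process_block:src:193.149.246.8, dest:217.130.212.207 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3949233630, spi size = 16
ISAKMP (0): deleting SA: src 217.130.212.207, dst 193.149.246.8
return status is IKMP_NO_ERR_NO_TRANS
"""

# In an ISAKMP DELETE payload the SPI size tells you which SA is being torn
# down: 16 bytes = the initiator/responder cookie pair of the ISAKMP (Phase 1)
# SA, 4 bytes = an ESP/AH SPI of an IPsec (Phase 2) SA.
ISAKMP_SA_SPI_LEN = 16
IPSEC_SA_SPI_LEN = 4

DELETE_RE = re.compile(r"processing DELETE payload.*spi size = (\d+)")
PEER_RE = re.compile(r"crypto_isakmp_process_block:src:([\d.]+)")


@dataclass
class IkeTrace:
    phase1_authenticated: bool = False
    quick_mode_started: bool = False
    ipsec_sa_installed: bool = False
    delete_spi_size: Optional[int] = None
    delete_from: Optional[str] = None      # peer whose packet carried the DELETE
    events: List[str] = field(default_factory=list)


def analyse(debug_text: str) -> IkeTrace:
    """Scan the debug output line by line and record what happened, in order."""
    t = IkeTrace()
    last_src = None
    for line in debug_text.splitlines():
        if "SA has been authenticated" in line:
            t.phase1_authenticated = True
            t.events.append("phase1_authenticated")
        elif "beginning Quick Mode exchange" in line:
            t.quick_mode_started = True
            t.events.append("quick_mode_started")
        elif m := PEER_RE.search(line):
            last_src = m.group(1)            # source of the packet processed next
        elif m := DELETE_RE.search(line):
            t.delete_spi_size = int(m.group(1))
            t.delete_from = last_src
            t.events.append("delete_received")
        elif "IPSEC(initialize_sas)" in line:
            # Assumption: marker printed by 'debug crypto ipsec' when the IPsec
            # SA pair is installed; it does not occur in the posted excerpt.
            t.ipsec_sa_installed = True
            t.events.append("ipsec_sa_installed")
    return t


def diagnose(t: IkeTrace) -> str:
    """Name the stage at which the negotiation stopped."""
    if not t.phase1_authenticated:
        return "phase1_not_completed"
    if t.ipsec_sa_installed:
        return "tunnel_established"
    if t.delete_spi_size == ISAKMP_SA_SPI_LEN and t.quick_mode_started:
        return "peer_deleted_isakmp_sa_during_quick_mode"
    if t.delete_spi_size == IPSEC_SA_SPI_LEN:
        return "peer_deleted_ipsec_sa"
    if t.quick_mode_started:
        return "quick_mode_no_response"
    return "phase1_only"


if __name__ == "__main__":
    trace = analyse(SAMPLE_DEBUG)
    print(" -> ".join(trace.events))
    print(diagnose(trace), "from", trace.delete_from)
```

Because the initiator only ever sees the DELETE and not the reason for it, the classification tells you which box to debug next: when the result is the Phase 1 SA being deleted by the peer right after the first Quick Mode message, the reason for the rejection is logged on the responding side, not in the PIX output.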

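A second added example, again not the poster's or Cisco's code: a small consistency checker for the crypto map and isakmp lines as posted. Run on that text it confirms that the static LAN-to-LAN entry (VPN 10) has its peer, match address and transform-set and that an isakmp key exists for the peer; the findings it raises concern only lines the post does not include (the transform-set pick_ts used by the remote-access dynamic map, and the rpick map that is not bound to an interface in the text), which is why every finding is worded "not in the text" rather than "missing from the device".

```python
"""Consistency checks for PIX 6.3 crypto map / isakmp configuration text.

Added example for this thread (not Cisco code, not the poster's). It parses
crypto map, dynamic-map, transform-set and isakmp key lines and reports
anything a static LAN-to-LAN entry needs that is absent from the text it
was given. A finding means "not in this text", nothing more.
"""
import re
from collections import defaultdict

# The crypto/isakmp lines exactly as posted in the question.
POSTED_CONFIG = """\
crypto ipsec transform-set nuevo esp-3des esp-md5-hmac
crypto ipsec transform-set nuevo2 esp-3des esp-sha-hmac
crypto dynamic-map pick_dynmap 11 set transform-set pick_ts
crypto map rpick 10 ipsec-isakmp dynamic pick_dynmap
crypto map rpick client authentication LOCAL
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address VPN3
crypto map VPN 10 set peer 193.149.246.8
crypto map VPN 10 set transform-set nuevo
crypto map VPN 20 ipsec-isakmp dynamic pick_dynmap
crypto map VPN client authentication LOCAL
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 193.149.246.8 netmask 255.255.255.255 no-xauth
isakmp peer ip 193.149.246.8 no-xauth
isakmp identity address
"""

# One regex per statement type we care about; anything else is ignored.
RULES = [
    ("ts_def",  re.compile(r"^crypto ipsec transform-set (\S+)")),
    ("dyn_ts",  re.compile(r"^crypto dynamic-map (\S+) \d+ set transform-set (.+)$")),
    ("dyn_ref", re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")),
    ("static",  re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")),
    ("acl",     re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")),
    ("peer",    re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")),
    ("ts_ref",  re.compile(r"^crypto map (\S+) (\d+) set transform-set (.+)$")),
    ("bind",    re.compile(r"^crypto map (\S+) interface (\S+)")),
    ("key",     re.compile(r"^isakmp key \S+ address (\S+)")),
]

# What a static (LAN-to-LAN) crypto map entry must carry, with the CLI words.
STATIC_FIELDS = [("peer", "set peer"), ("acl", "match address"), ("ts", "set transform-set")]


def parse(config: str) -> dict:
    """Build a small model: transform-sets, dynamic maps, map entries, bindings, keys."""
    model = {"ts": set(), "dyn": {}, "entries": defaultdict(dict), "bound": {}, "keys": set()}
    for raw in config.splitlines():
        line = raw.strip()
        for kind, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            g = m.groups()
            if kind == "ts_def":
                model["ts"].add(g[0])
            elif kind == "dyn_ts":
                model["dyn"][g[0]] = g[1].split()
            elif kind == "dyn_ref":
                model["entries"][(g[0], int(g[1]))]["dynamic"] = g[2]
            elif kind == "static":
                model["entries"][(g[0], int(g[1]))]["static"] = True
            elif kind in ("acl", "peer"):
                model["entries"][(g[0], int(g[1]))][kind] = g[2]
            elif kind == "ts_ref":
                model["entries"][(g[0], int(g[1]))]["ts"] = g[2].split()
            elif kind == "bind":
                model["bound"][g[0]] = g[1]
            elif kind == "key":
                model["keys"].add(g[0])
            break
    return model


def lint(config: str) -> list:
    """Return human-readable findings; an empty list means nothing is absent from the text."""
    m = parse(config)
    findings = []
    for (name, seq), e in sorted(m["entries"].items()):
        tag = f"crypto map {name} {seq}"
        if e.get("static"):
            for key, words in STATIC_FIELDS:
                if key not in e:
                    findings.append(f"{tag}: static entry lacks '{words}'")
            if "peer" in e and e["peer"] not in m["keys"]:
                findings.append(f"{tag}: no isakmp key for peer {e['peer']} in text")
            for ts in e.get("ts", []):
                if ts not in m["ts"]:
                    findings.append(f"{tag}: transform-set {ts} not defined in text")
        if "dynamic" in e:
            dyn = e["dynamic"]
            if dyn not in m["dyn"]:
                findings.append(f"{tag}: dynamic map {dyn} not defined in text")
            for ts in m["dyn"].get(dyn, []):
                if ts not in m["ts"]:
                    findings.append(f"{tag}: dynamic map {dyn} uses transform-set {ts} not defined in text")
    for name in sorted({n for n, _ in m["entries"]}):
        if name not in m["bound"]:
            findings.append(f"crypto map {name}: has entries but is not bound to an interface in text")
    return findings


if __name__ == "__main__":
    for line in lint(POSTED_CONFIG) or ["no findings"]:
        print(line)
```

The checker cannot say anything about the access list VPN3 or the peer's proxy identities, because neither is in the post; comparing the two sides' local/remote networks is the next manual step once the map entry itself checks out.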
a-vazquez Tue, 12/20/2005 - 14:05

This document gives an overview of the configuration required to allow a Cisco Secure PIX Firewall and a Cisco VPN 500x Concentrator to open an IPSec LAN-to-LAN tunnel. For information about how to establish basic connectivity, or for reference on configuration syntax, consult the VPN 5000 Concentrator documentation and the PIX documentation.


http://www.cisco.com/warp/public/110/pixto5000.html
