12-14-2005 10:38 PM - edited 03-10-2019 01:33 PM
Hi all,
I am really having problems when trying to establish a site-to-site VPN between a PIX 6.3(5) and a VPN 3000.
IKE Phase 1 finishes OK, but when IKE Phase 2 (QM) begins it suddenly fails without beginning to negotiate the IPsec SAs; please check the logs below:
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1233180032:b67f2a80
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc83f0a84(3359574660) for SA
from 193.149.246.8 to 217.130.212.207 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:193.149.246.8/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:193.149.246.8/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:193.149.246.8, dest:217.130.212.207 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3949233630, spi size = 16
ISAKMP (0): deleting SA: src 217.130.212.207, dst 193.149.246.8
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x1024c24, conn_id = 0 DELETE IT!
The relevant configuration for the PIX is posted below; just note that it is also working as a VPN remote-access server.
In all the tests, the traffic was originated on the PIX side, destined for the VPN side.
crypto ipsec transform-set nuevo esp-3des esp-md5-hmac
crypto ipsec transform-set nuevo2 esp-3des esp-sha-hmac
crypto dynamic-map pick_dynmap 11 set transform-set pick_ts
crypto map rpick 10 ipsec-isakmp dynamic pick_dynmap
crypto map rpick client authentication LOCAL
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address VPN3
crypto map VPN 10 set peer 193.149.246.8
crypto map VPN 10 set transform-set nuevo
crypto map VPN 20 ipsec-isakmp dynamic pick_dynmap
crypto map VPN client authentication LOCAL
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 193.149.246.8 netmask 255.255.255.255 no-xauth
isakmp peer ip 193.149.246.8 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup default-domain idle-time 1800
vpngroup ppack address-pool poolPick
vpngroup ppack split-tunnel splitPick3
vpngroup ppack idle-time 1800
vpngroup ppack password ********
Any tip for fixing this or about what is failing?
Thanks a lot in advance.
Sam.
IP addresses have been altered to protect the innocent.
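Reading that debug output mechanically, as an added example that is not part of the original thread and not a Cisco tool: the script below walks PIX 6.3 "debug crypto isakmp" / "debug crypto ipsec" lines, records how far the IKEv1 negotiation got, decodes the DELETE payload's SPI size (16 bytes means the ISAKMP SA itself was deleted, 4 bytes an ESP/AH SA) and names the NOTIFY types it sees. The sample input is the excerpt quoted in the post with its one run-together line split; the stage markers (in particular treating IPSEC(initialize_sas) as the "Phase 2 completed" marker) and the verdict wording are my assumptions about the PIX debug format, not something the post confirms.

```python
import re

# Constructed sample input: the "debug crypto isakmp"/"debug crypto ipsec"
# excerpt quoted in the post above, with the one run-together line split.
SAMPLE_LOG = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1233180032:b67f2a80
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc83f0a84(3359574660) for SA
from 193.149.246.8 to 217.130.212.207 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
crypto_isakmp_process_block:src:193.149.246.8, dest:217.130.212.207 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3949233630, spi size = 16
ISAKMP (0): deleting SA: src 217.130.212.207, dst 193.149.246.8
return status is IKMP_NO_ERR_NO_TRANS
"""

# Markers in the order a successful IKEv1 negotiation emits them on PIX 6.3.
# The last one is assumed here to be what "debug crypto ipsec" prints once
# Quick Mode completes and the IPsec SAs are installed; it is absent above.
STAGE_MARKERS = [
    ("phase1_authenticated", "SA has been authenticated"),
    ("quick_mode_started", "beginning Quick Mode exchange"),
    ("ipsec_spi_allocated", "IPSEC(spi_response): getting spi"),
    ("ipsec_sa_installed", "IPSEC(initialize_sas)"),
]

DELETE_RE = re.compile(r"processing DELETE payload\..*?spi size = (\d+)")
NOTIFY_RE = re.compile(r"sending NOTIFY message (\d+) protocol (\d+)")

# ISAKMP notify types (RFC 2407/2408) worth naming when they show up.
NOTIFY_NAMES = {
    14: "NO-PROPOSAL-CHOSEN",
    18: "INVALID-ID-INFORMATION",
    24578: "INITIAL-CONTACT",
}


def analyze_ike_debug(text: str) -> dict:
    """Report how far the negotiation got and why it stopped."""
    seen = {name: False for name, _ in STAGE_MARKERS}
    result = {"stage_reached": None, "delete_spi_size": None,
              "delete_target": None, "notifies": [], "verdict": ""}

    for line in text.splitlines():
        for name, marker in STAGE_MARKERS:
            if marker in line:
                seen[name] = True
        m = DELETE_RE.search(line)
        if m:
            size = int(m.group(1))
            result["delete_spi_size"] = size
            # RFC 2408: an ISAKMP-SA delete carries the 16-byte cookie pair as
            # its SPI; ESP/AH deletes carry 4-byte SPIs.
            result["delete_target"] = ("isakmp" if size == 16
                                       else "ipsec" if size == 4 else "unknown")
        m = NOTIFY_RE.search(line)
        if m:
            code = int(m.group(1))
            result["notifies"].append(NOTIFY_NAMES.get(code, f"type {code}"))

    # The furthest marker seen, in negotiation order.
    for name, _ in STAGE_MARKERS:
        if seen[name]:
            result["stage_reached"] = name

    if seen["ipsec_sa_installed"]:
        result["verdict"] = "Phase 2 completed; IPsec SAs installed."
    elif seen["quick_mode_started"] and result["delete_target"] == "isakmp":
        result["verdict"] = (
            "Phase 1 succeeded but the peer tore down the ISAKMP SA during Quick "
            "Mode before any IPsec SA was built. Compare the Phase 2 proposal "
            "(transform set, PFS, lifetimes) and the proxy IDs (crypto ACL vs. the "
            "peer's local/remote networks) on both ends.")
    elif seen["phase1_authenticated"]:
        result["verdict"] = "Phase 1 succeeded; Phase 2 did not start or did not finish."
    else:
        result["verdict"] = ("Phase 1 never authenticated; check pre-shared key, "
                             "identity and ISAKMP policy.")
    return result


if __name__ == "__main__":
    for key, value in analyze_ike_debug(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a pasted debug capture; on the post's excerpt it reports that the furthest stage reached was SPI allocation, that the DELETE targeted the ISAKMP SA (SPI size 16) and that the only NOTIFY sent was INITIAL-CONTACT, i.e. the peer rejected the Quick Mode exchange rather than the PIX giving up on its own.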
12-20-2005 02:05 PM
This document gives an overview of the configuration required to allow a Cisco Secure PIX Firewall and a Cisco VPN 500x Concentrator to open an IPSec LAN-to-LAN tunnel. For information about how to establish basic connectivity, or for reference on configuration syntax, consult the VPN 5000 Concentrator documentation and the PIX documentation.