Lan to Lan (Pix-VPN3000) Fails at IKE QM

samuel.satec
Level 1

Hi all,

I am really having problems trying to establish a site-to-site VPN between a PIX 6.3(5) and a VPN 3000.

IKE Phase 1 finishes OK, but when IKE Phase 2 (QM) begins it suddenly fails without starting to negotiate the IPsec SAs; please check the logs below:

ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1233180032:b67f2a80
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc83f0a84(3359574660) for SA
    from 193.149.246.8 to 217.130.212.207 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:193.149.246.8/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:193.149.246.8/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:193.149.246.8, dest:217.130.212.207 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3949233630, spi size = 16
ISAKMP (0): deleting SA: src 217.130.212.207, dst 193.149.246.8
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x1024c24, conn_id = 0 DELETE IT!

The relevant configuration for the PIX is posted below; just note that it is also working as a VPN remote access server.

In all the tests, the traffic originated at the PIX side and was destined for the VPN side.

crypto ipsec transform-set nuevo esp-3des esp-md5-hmac
crypto ipsec transform-set nuevo2 esp-3des esp-sha-hmac
crypto dynamic-map pick_dynmap 11 set transform-set pick_ts
crypto map rpick 10 ipsec-isakmp dynamic pick_dynmap
crypto map rpick client authentication LOCAL
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address VPN3
crypto map VPN 10 set peer 193.149.246.8
crypto map VPN 10 set transform-set nuevo
crypto map VPN 20 ipsec-isakmp dynamic pick_dynmap
crypto map VPN client authentication LOCAL
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 193.149.246.8 netmask 255.255.255.255 no-xauth
isakmp peer ip 193.149.246.8 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup default-domain idle-time 1800
vpngroup ppack address-pool poolPick
vpngroup ppack split-tunnel splitPick3
vpngroup ppack idle-time 1800
vpngroup ppack password ********

Any tips for fixing this, or about what is failing?

Thanks a lot in advance.

Sam.

IP addresses have been altered to save the innocents.
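As an added example that is not part of the original thread, the following Python script triages a PIX `debug crypto isakmp` / `debug crypto ipsec` capture like the one above: it records how far the negotiation got (Phase 1 authenticated, Quick Mode started, IPsec SA installed) and whether a received DELETE tore down the ISAKMP SA or an IPsec SA, using the SPI size in the DELETE payload (16 bytes is the ISAKMP cookie pair, 4 bytes is an ESP/AH SPI, per RFC 2408). The sample input is constructed from the log lines in the post; the `IPSEC(initialize_sas)` marker used to detect a successfully installed Phase 2 SA is an assumption about the debug format, since the post never gets that far.

```python
"""Triage a PIX ISAKMP/IPsec debug capture: where did the negotiation stop, and who tore it down?"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the debug lines from the post above, one event per line.
SAMPLE_DEBUG = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1233180032:b67f2a80
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc83f0a84(3359574660) for SA
    from 193.149.246.8 to 217.130.212.207 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
crypto_isakmp_process_block:src:193.149.246.8, dest:217.130.212.207 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3949233630, spi size = 16
ISAKMP (0): deleting SA: src 217.130.212.207, dst 193.149.246.8
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x1024c24, conn_id = 0 DELETE IT!
"""

DELETE_RE = re.compile(r"processing DELETE payload\..*spi size = (\d+)")
DELSA_RE = re.compile(r"deleting SA: src (\S+), dst (\S+)")


@dataclass
class IkeTriage:
    phase1_authenticated: bool = False
    quick_mode_started: bool = False
    ipsec_sa_installed: bool = False          # assumption: 'IPSEC(initialize_sas)' marks success
    delete_received: bool = False
    delete_target: Optional[str] = None       # "ISAKMP", "IPsec" or "unknown(<size>)"
    deleted_sa: Optional[Tuple[str, str]] = None  # (src, dst) from the 'deleting SA' line
    lines_seen: int = 0

    @property
    def stage(self) -> str:
        """Coarse classification of how far the exchange got."""
        if self.ipsec_sa_installed:
            return "phase2-complete"
        if self.quick_mode_started and self.delete_received:
            return "phase2-aborted-by-peer"   # 'processing DELETE' = a DELETE we received
        if self.quick_mode_started:
            return "phase2-in-progress"
        if self.phase1_authenticated:
            return "phase1-complete"
        return "phase1-incomplete"


def triage(text: str) -> IkeTriage:
    """Scan debug output line by line and fill in the triage record."""
    t = IkeTriage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        t.lines_seen += 1
        if "SA has been authenticated" in line:
            t.phase1_authenticated = True
        elif "beginning Quick Mode exchange" in line:
            t.quick_mode_started = True
        elif "IPSEC(initialize_sas)" in line:
            t.ipsec_sa_installed = True
        elif (m := DELETE_RE.search(line)):
            t.delete_received = True
            size = int(m.group(1))
            # RFC 2408: an ISAKMP-protocol DELETE carries the 16-byte cookie pair as its SPI;
            # ESP/AH DELETEs carry a 4-byte IPsec SPI.
            if size == 16:
                t.delete_target = "ISAKMP"
            elif size == 4:
                t.delete_target = "IPsec"
            else:
                t.delete_target = f"unknown({size})"
        elif (m := DELSA_RE.search(line)):
            t.deleted_sa = (m.group(1), m.group(2))
    return t


def summary(t: IkeTriage) -> str:
    """One-line human-readable verdict."""
    who = f" (peer deleted the {t.delete_target} SA)" if t.delete_received else ""
    sa = f", local SA {t.deleted_sa[0]} -> {t.deleted_sa[1]} removed" if t.deleted_sa else ""
    return f"{t.stage}{who}{sa}; {t.lines_seen} debug lines scanned"


if __name__ == "__main__":
    print(summary(triage(SAMPLE_DEBUG)))
```

Run against the post's capture, the verdict is `phase2-aborted-by-peer (peer deleted the ISAKMP SA)`: the far end answered the first Quick Mode message by deleting the Phase 1 SA rather than with an IPsec proposal, which is why no IPsec SAs ever appear and the reaper removes the local ISAKMP entry. That pins the failure to the Phase 2 request being rejected by the peer, so the peer's own logs are where the reason will be recorded.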


a-vazquez
Level 6

This document gives an overview of the configuration required to allow a Cisco Secure PIX Firewall and a Cisco VPN 500x Concentrator to open an IPSec LAN-to-LAN tunnel. For information about how to establish basic connectivity, or for reference on configuration syntax, consult the VPN 5000 Concentrator documentation and the PIX documentation.

http://www.cisco.com/warp/public/110/pixto5000.html