506e Site to Site VPN :(

jchristie · ‎12-11-2006

Apologies in advance from noobie!

I have 2 506e (version 6.3(5)) at a main site and remote site.

Configured according to the cisco site-to-site VPN configuration example.

The link seems to establish but i cannot ping clients/servers at the remote site from clients/servers at the main site (and vice versa)

Output to the commands follow:

Show crypto isakmp sa

show crypto ipsec sa

Main:

Total : 1

Embryonic : 0

dst src state pending created

193.x.x.100 62.30.168.76 QM_IDLE 0 1

interface: outside

Crypto map tag: toMayfield, local addr. 193.x.x.100

local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)

current_peer: 62.30.168.76:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 193.x.x.100, remote crypto endpt.: 62.30.168.76

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: ff02489c

inbound esp sas:

spi: 0xa7c7dc80(2814893184)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: toMayfield

sa timing: remaining key lifetime (k/sec): (4608000/28364)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xff02489c(4278339740)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: toMayfield

sa timing: remaining key lifetime (k/sec): (4607999/28361)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Remote:

Total : 1

Embryonic : 0

dst src state pending created

193.x.x.100 62.30.168.76 QM_IDLE 0 1

interface: outside

Crypto map tag: toSchool, local addr. 62.30.168.76

local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

current_peer: 193.60.161.100:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 184, #pkts encrypt: 184, #pkts digest 184

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 62.30.168.76, remote crypto endpt.: 193.60.161.100

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: a7c7dc80

inbound esp sas:

spi: 0xff02489c(4278339740)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: toSchool

sa timing: remaining key lifetime (k/sec): (4607999/28293)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xa7c7dc80(2814893184)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: toSchool

sa timing: remaining key lifetime (k/sec): (4607992/28293)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Any help/advice much appreciated!

ajagadee · ‎12-11-2006

Jonathan,

Can you do a "clear xlate" and then ping across the tunnel. When you do a clear xlate, the existing translations will be cleared.

Also, what is the source IP and Destination IP Address that you are trying to ping. Does your internal routing behind the Main Pix and Remote Pix know how to reach the destinations.

Regards,

Arul

** Please rate all helpful posts **

jchristie · ‎12-11-2006

Hi Arul

I'm trying to ping from a device on the 192.168.3.0 subnet (gateway set to the pix) to a 172.16.1.10 device (gateway set to the remote pix)

I've cleared xlate on both devices - no difference.

General internet access is fine - outgoing and traffic coming in.

I've also tried with

isakmp nat-traversal 20

on both devices with no luck.

jchristie · ‎12-12-2006

through further debugging, i can see the packets leave the main (inside) interface, arrive at the remote (inside) interface and return from the remote (inside) interface.

They never re-appear at the main site

(debug pack inside src 172.16.1.10)

is it because I'm filtering by port on my access-lists?

I need a holiday!

ggilbert · ‎12-12-2006

If the packets are leaving the remote site and you aren't getting them on the headend, can you check if there is anything in front of this PIX that would block ESP packets (protocol 50) coming in.

- Gilbert

Note: The ACL filtering on the outside should not affect the traffic coming in.

ajagadee · ‎12-12-2006

Jonathan,

Check with your ISP if they are blocking Protocol 50 (ESP). Since you have configured "Sysopt Connection Permit IPSEC", the outside access-list should not block any IPSEC Traffic.

Regards,

Arul

** Please rate all helpful posts **

sourabhagarwal · ‎12-13-2006

Hi Jonathan,

VPN Tunnel is UP and you are noy able to ping PCs/servers from one end to another.

looking at your configuration, what i feel is that routing for your inside networks is not configured on your both PIX.

Try adding these routes on your main and remote PIX and see if it fix the issue.

main PIX

--------

route inside 192.168.3.0 255.255.255.0

remote PIX

----------

route inside 172.16.1.0 255.255.255.0

hope it helps .... rate if it does ....

ggilbert · ‎12-13-2006

Please do not implement the routing scenario on the PIX en.

You have direcly connected network and this route insertion is not needed.

Just like Arul and I, suggested - please check with your ISP to see if they are blocking protocol 50 which is ESP.

Thanks

Gilbert

jchristie · ‎12-14-2006

Thanks guys.

Its a Blueyonder business connection (Telewest).

I've dropped them an email (I'm off on holiday at the moment) in the hope they'll answer by the time I return!