11-16-2008 10:56 PM - edited 03-11-2019 07:13 AM
We have an issue with bringing up an IPSec connection. IKE phase 1 and 2 are up, but we only see packets being decrypted and no encryption.
This VPN is between a PIX on our end and a Cisco Router.
The config and "sh ver" are shown below:
static (webNT,outside) 203.20.238.115 203.20.238.115 netmask 255.255.255.255 0 0
route outside 10.45.206.0 255.255.255.0 203.20.238.1 1
TFSDC001-RYF01# sh cryp isa sa
Total : 1
Embryonic : 0
dst src state pending created
124.6.200.4 203.20.238.2 QM_IDLE 0 0
TFSDC001-RYF01# sh cryp ipsec sa | begin 114
TFSDC001-RYF01# sh cryp ipsec sa | begin 124
current_peer: 124.6.200.4:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 203, #recv errors 0
local crypto endpt.: 203.20.238.2, remote crypto endpt.: 124.6.200.4
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
---
Here is the config that I have on pix.
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0
crypto IPSec transform-set xfire-vodafone esp-3des esp-md5-hmac
crypto map tyco-3rdparty 10 IPSec-isakmp
crypto map tyco-3rdparty 10 match address xfire-vodafone
crypto map tyco-3rdparty 10 set peer 124.6.200.4
crypto map tyco-3rdparty 10 set transform-set xfire
sh ver
======
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Thu 04-Aug-05 21:40 by morlee
TFSDC001-RYF01 up 2 days 20 hours
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: ethernet0: address is 0009.43a4.df0c, irq 10
1: ethernet1: address is 0009.43a4.df0d, irq 11
2: ethernet2: address is 00e0.b605.2f17, irq 11
3: ethernet3: address is 00e0.b605.2f16, irq 10
4: ethernet4: address is 00e0.b605.2f15, irq 9
5: ethernet5: address is 00e0.b605.2f14, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has an Unrestricted (UR) license.
Serial Number: xxx
Running Activation Key: xxx
Configuration last modified by pixuser at 17:26:59.676 AEDT Mon Nov 17 2008
Debug output was not very helpful. Hope someone can shed some light on what would be the cause of this issue.
11-17-2008 02:37 PM
Can you post your router side? The crypto map and the isakmp policy. Also your transform set. Can you also do a sh crypto session and post the results?
Thanks,
--John
11-17-2008 06:33 PM
router#sh crypto ipsec sa vrf xfire.tyco.co.nz
interface: GigabitEthernet0/3
Crypto map tag: cm-iavp02-g0-2, local addr 124.6.200.4
protected vrf: xfire.tyco.co.nz
local ident (addr/mask/prot/port): (10.45.206.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (203.20.238.115/255.255.255.255/0/0)
current_peer 203.20.238.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 50, #recv errors 0
local crypto endpt.: 124.6.200.4, remote crypto endpt.: 203.20.238.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/3
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
show crypto session
Interface: GigabitEthernet0/3
Session status: DOWN
Peer: 203.20.238.2 port 500
IPSEC FLOW: permit ip 10.45.206.0/255.255.255.0 host 203.20.238.115
Active SAs: 0, origin: crypto map
Show crypto isakmp sa detail
dv#show crypto isakmp sa vrf xfire.tyco.co.nz
dst src state conn-id slot status
203.20.238.2 124.6.200.4 MM_NO_STATE 1290 0 ACTIVE (deleted)
Config
!
crypto keying cc-customers
pre-shared-key address 203.20.238.4 key xf1r3tyc0vfn3!
!
crypto isakmp profile xfire.tyco.co.nz
vrf xfire.tyco.co.nz
keyring cc-customers
match identity address 203.20.238.2 255.255.255.255
!
crypto map cm-iavp02-g0-2 93 ipsec-isakmp
description Tyco New Zealand Ltd IPsec
set peer 203.20.238.2
set transform-set tranf-set-esp-3des-md5-hmac
set isakmp-profile xfire.tyco.co.nz
match address xfire.tyco.co.nz
!
ip access-list extended xfire.tyco.co.nz
permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115
ip route vrf xfire.tyco.co.nz 0.0.0.0 0.0.0.0 124.6.200.1 global
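The two configurations posted in this thread (the PIX crypto map in the first post and the router crypto map, keyring and ISAKMP profile above) are the input a practitioner wants to cross-check when IKE phase 1 comes up but no IPsec SA is ever installed and only "send errors" climb. The script below is an added example and not from the thread or from Cisco; it parses both fragments (the PIX one-line `crypto map` syntax and the IOS block syntax), then checks that every referenced transform-set is defined, that the keyring behind the router's ISAKMP profile actually holds a pre-shared key for the configured peer, and that the two crypto ACLs are mirror images of each other. The embedded sample configs are the lines quoted in this thread, trimmed to what the checker reads, with the pre-shared key removed and the IOS keyword written as `crypto keyring`; the router post shows no `crypto ipsec transform-set` definitions, so that check is skipped for a fragment that has none.

```python
import ipaddress

# Constructed sample: the PIX and IOS fragments quoted in the thread, pre-shared key removed.
PIX_CONFIG = """\
access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0
crypto ipsec transform-set xfire-vodafone esp-3des esp-md5-hmac
crypto map tyco-3rdparty 10 ipsec-isakmp
crypto map tyco-3rdparty 10 match address xfire-vodafone
crypto map tyco-3rdparty 10 set peer 124.6.200.4
crypto map tyco-3rdparty 10 set transform-set xfire
"""
IOS_CONFIG = """\
crypto keyring cc-customers
 pre-shared-key address 203.20.238.4 key REDACTED
crypto isakmp profile xfire.tyco.co.nz
 keyring cc-customers
 match identity address 203.20.238.2 255.255.255.255
crypto map cm-iavp02-g0-2 93 ipsec-isakmp
 set peer 203.20.238.2
 set transform-set tranf-set-esp-3des-md5-hmac
 set isakmp-profile xfire.tyco.co.nz
 match address xfire.tyco.co.nz
ip access-list extended xfire.tyco.co.nz
 permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115
"""

def _net(t, wildcard):
    # 'host A', or 'A MASK' (PIX) / 'A WILDCARD' (IOS); returns (network, remaining tokens)
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    mask = int(ipaddress.ip_address(t[1])) ^ (0xFFFFFFFF if wildcard else 0)
    return ipaddress.ip_network(f"{t[0]}/{ipaddress.ip_address(mask)}", strict=False), t[2:]

def crypto_acl(config, name):
    """[(src, dst)] of a PIX 'access-list NAME' or an IOS 'ip access-list extended NAME'."""
    flows, in_block = [], False
    for line in config.lower().splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            in_block = t[3] == name
        elif t[:2] == ["access-list", name] and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:], False)
            flows.append((src, _net(rest, False)[0]))
        elif in_block and t[:2] == ["permit", "ip"]:
            src, rest = _net(t[2:], True)
            flows.append((src, _net(rest, True)[0]))
        elif not line.startswith(" "):
            in_block = False
    return flows

def crypto_maps(config):
    """{(map, seq): {setting: value}} for PIX one-line syntax and IOS block syntax alike."""
    maps, cur = {}, None
    for line in config.lower().splitlines():
        t = line.split()
        if t[:2] == ["crypto", "map"] and len(t) > 3 and t[3].isdigit():
            cur = maps.setdefault((t[2], t[3]), {})
            t = t[4:]  # PIX carries the setting on the same line
        elif not line.startswith(" "):
            cur = None
        if cur is not None and t[:1] == ["set"] and len(t) > 2:
            cur[t[1]] = t[2]
        elif cur is not None and t[:2] == ["match", "address"]:
            cur["match-address"] = t[2]
    return maps

def ios_keyrings(config):
    """isakmp-profile name -> networks for which its keyring holds a pre-shared key."""
    keys, rings, kind, name = {}, {}, None, None
    for line in config.lower().splitlines():
        t = line.split()
        if t[:2] == ["crypto", "keyring"]:
            kind, name, keys[t[2]] = "keyring", t[2], []
        elif t[:3] == ["crypto", "isakmp", "profile"]:
            kind, name = "profile", t[3]
        elif not line.startswith(" "):
            kind = None
        elif kind == "keyring" and t[:2] == ["pre-shared-key", "address"]:
            mask = t[3] if t[3] != "key" else "255.255.255.255"
            keys[name].append(ipaddress.ip_network(f"{t[2]}/{mask}", strict=False))
        elif kind == "profile" and t[:1] == ["keyring"]:
            rings[name] = t[1]
    return {p: keys.get(r, []) for p, r in rings.items()}

def audit(pix_cfg, ios_cfg):
    """Findings that explain 'phase 1 up, no IPsec SA'; an empty list means the pair is consistent."""
    out, pix_maps, ios_maps = [], crypto_maps(pix_cfg), crypto_maps(ios_cfg)
    for side, cfg, maps in (("PIX", pix_cfg, pix_maps), ("IOS", ios_cfg, ios_maps)):
        ts = {t[3] for t in map(str.split, cfg.lower().splitlines())
              if t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 3}  # empty: fragment omits them
        for (name, seq), m in maps.items():
            if ts and "transform-set" in m and m["transform-set"] not in ts:
                out.append(f"{side} map {name} {seq}: transform-set '{m['transform-set']}' is not defined")
    rings = ios_keyrings(ios_cfg)
    for (name, seq), m in ios_maps.items():
        nets = rings.get(m.get("isakmp-profile"))
        if "peer" in m and nets is not None and not any(ipaddress.ip_address(m["peer"]) in n for n in nets):
            out.append(f"IOS map {name} {seq}: keyring has no pre-shared key for peer {m['peer']}")
    # Proxy identities must mirror: every PIX (src, dst) must appear on the router as (dst, src).
    for (pn, ps), pm in pix_maps.items():
        for (rn, rs), rm in ios_maps.items():
            pix = set(crypto_acl(pix_cfg, pm.get("match-address", "")))
            ios = {(d, s) for s, d in crypto_acl(ios_cfg, rm.get("match-address", ""))}
            if pix != ios:
                out.append(f"PIX map {pn} {ps} / IOS map {rn} {rs}: crypto ACLs are not mirror images")
    return out
```

Run against the fragments quoted here, `audit(PIX_CONFIG, IOS_CONFIG)` reports two inconsistencies and no ACL mismatch: the PIX crypto map references transform-set `xfire` while the only defined set is `xfire-vodafone`, and the router keyring carries a key for 203.20.238.4 while the crypto map and ISAKMP profile name 203.20.238.2 as the peer. Whether either is the root cause on the live boxes is for the thread's participants to confirm; the point of the check is that both are the kind of mismatch that leaves phase 1 negotiable but no phase 2 SA installable, and both are found by reading the configs rather than debugs.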
11-17-2008 08:48 PM
I believe your problem is that on the router side under the isakmp config you have isakmp policy 1 group 2, but no matching policy on the PIX, causing SAs to malform. You can also try to set a PFS group for both router and PIX.
11-18-2008 10:26 AM
If it's no trouble, to verify my assessment could you please provide the configs for both the PIX device and the router, specifically the ISAKMP (management connection profile) and all crypto maps. Thanks