IPSec VPN between PIX and Cisco Router

k.ramalingam
Level 1

We have an issue with bringing up an IPSec connection. IKE phase 1 and 2 are up, but we only see packets being decrypted and no encryption.

This VPN is between a PIX on our end and a Cisco Router.

The config and "sh ver" are shown below:

static (webNT,outside) 203.20.238.115 203.20.238.115 netmask 255.255.255.255 0 0

route outside 10.45.206.0 255.255.255.0 203.20.238.1 1

TFSDC001-RYF01# sh cryp isa sa

Total : 1

Embryonic : 0

dst src state pending created

124.6.200.4 203.20.238.2 QM_IDLE 0 0

TFSDC001-RYF01# sh cryp ipsec sa | begin 114

TFSDC001-RYF01# sh cryp ipsec sa | begin 124

current_peer: 124.6.200.4:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 203, #recv errors 0

local crypto endpt.: 203.20.238.2, remote crypto endpt.: 124.6.200.4

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

---

Here is the config that I have on pix.

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0

crypto ipsec transform-set xfire-vodafone esp-3des esp-md5-hmac

crypto map tyco-3rdparty 10 ipsec-isakmp

crypto map tyco-3rdparty 10 match address xfire-vodafone

crypto map tyco-3rdparty 10 set peer 124.6.200.4

crypto map tyco-3rdparty 10 set transform-set xfire

sh ver

======

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(2)

Compiled on Thu 04-Aug-05 21:40 by morlee

TFSDC001-RYF01 up 2 days 20 hours

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)

0: ethernet0: address is 0009.43a4.df0c, irq 10

1: ethernet1: address is 0009.43a4.df0d, irq 11

2: ethernet2: address is 00e0.b605.2f17, irq 11

3: ethernet3: address is 00e0.b605.2f16, irq 10

4: ethernet4: address is 00e0.b605.2f15, irq 9

5: ethernet5: address is 00e0.b605.2f14, irq 5

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 6

Maximum Interfaces: 10

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: xxx

Running Activation Key: xxx

Configuration last modified by pixuser at 17:26:59.676 AEDT Mon Nov 17 2008

Debug output was not very helpful. Hope someone can shed some light on what the cause of this issue might be.

5 Replies

John Blakley
VIP Alumni

Can you post your router side? The crypto map and the isakmp policy. Also your transform set. Can you also do a sh crypt session and post the results?

Thanks,

--John

HTH, John *** Please rate all useful posts ***

router#sh crypto ipsec sa vrf xfire.tyco.co.nz

interface: GigabitEthernet0/3

Crypto map tag: cm-iavp02-g0-2, local addr 124.6.200.4

protected vrf: xfire.tyco.co.nz

local ident (addr/mask/prot/port): (10.45.206.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (203.20.238.115/255.255.255.255/0/0)

current_peer 203.20.238.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 50, #recv errors 0

local crypto endpt.: 124.6.200.4, remote crypto endpt.: 203.20.238.2

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/3

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

show crypto session

Interface: GigabitEthernet0/3

Session status: DOWN

Peer: 203.20.238.2 port 500

IPSEC FLOW: permit ip 10.45.206.0/255.255.255.0 host 203.20.238.115

Active SAs: 0, origin: crypto map

Show crypto isakmp sa detail

dv#show crypto isakmp sa vrf xfire.tyco.co.nz

dst src state conn-id slot status

203.20.238.2 124.6.200.4 MM_NO_STATE 1290 0 ACTIVE (deleted)

Config

!

crypto keyring cc-customers

pre-shared-key address 203.20.238.4 key xf1r3tyc0vfn3!

!

crypto isakmp profile xfire.tyco.co.nz

vrf xfire.tyco.co.nz

keyring cc-customers

match identity address 203.20.238.2 255.255.255.255

!

crypto map cm-iavp02-g0-2 93 ipsec-isakmp

description Tyco New Zealand Ltd IPsec

set peer 203.20.238.2

set transform-set tranf-set-esp-3des-md5-hmac

set isakmp-profile xfire.tyco.co.nz

match address xfire.tyco.co.nz

!

ip access-list extended xfire.tyco.co.nz

permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115

ip route vrf xfire.tyco.co.nz 0.0.0.0 0.0.0.0 124.6.200.1 global
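As an added example (not code from either post), the check below reads the PIX config from the original post and the IOS config from the reply above and reports the static mismatches that leave phase 2 with no SAs even after phase 1 reaches QM_IDLE: a crypto map that names a transform set which is not defined, an IOS keyring with no pre-shared key for the address the crypto map peers with, and proxy ACLs that are not exact mirror images. The two crypto endpoints (203.20.238.2 and 124.6.200.4) are taken from the posted show crypto ipsec sa output and passed in as parameters; the pre-shared key is replaced with a placeholder and keyword case is normalised. The finding codes and the parsing approach are this example's own, and it only reports what is visible in the two configs; the thread never confirms which mismatch was the actual cause.

```python
"""Added example, not from the thread: static cross-check of a PIX 6.3 <-> IOS tunnel."""
import ipaddress

# Copied from the posts above, keyword case normalised; the PSK is a placeholder.
PIX_CONFIG = """
access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0
crypto ipsec transform-set xfire-vodafone esp-3des esp-md5-hmac
crypto map tyco-3rdparty 10 ipsec-isakmp
crypto map tyco-3rdparty 10 match address xfire-vodafone
crypto map tyco-3rdparty 10 set peer 124.6.200.4
crypto map tyco-3rdparty 10 set transform-set xfire
"""
IOS_CONFIG = """
crypto keyring cc-customers
 pre-shared-key address 203.20.238.4 key REDACTED
crypto isakmp profile xfire.tyco.co.nz
 keyring cc-customers
 match identity address 203.20.238.2 255.255.255.255
crypto map cm-iavp02-g0-2 93 ipsec-isakmp
 set peer 203.20.238.2
 set transform-set tranf-set-esp-3des-md5-hmac
 set isakmp-profile xfire.tyco.co.nz
 match address xfire.tyco.co.nz
ip access-list extended xfire.tyco.co.nz
 permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115
"""

def _endpoint(tok, i):
    """ACL endpoint at tok[i] -> (network, next index). Handles 'host A',
    PIX 'A netmask' and IOS 'A wildcard': ipaddress reads a mask whose high
    bit is clear as a hostmask, so both mask styles parse with one call."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _flow(tok, i):  # (src, dst) of a 'permit ip' entry whose source starts at tok[i]
    src, i = _endpoint(tok, i)
    return src, _endpoint(tok, i)[0]

def parse_pix(cfg):
    """PIX 6.3: each statement is one flat line keyed by its leading words."""
    d = {"acl": {}, "xforms": set(), "maps": {}}
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            d["acl"].setdefault(t[1], []).append(_flow(t, 4))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["xforms"].add(t[3])
        elif t[:2] == ["crypto", "map"] and len(t) == 7:   # 'set peer X' etc.
            d["maps"].setdefault((t[2], t[3]), {})[" ".join(t[4:6])] = t[6]
    return d

def parse_ios(cfg):
    """IOS: an unindented command opens a block; indented lines belong to it."""
    d = {"acl": {}, "keyrings": {}, "profiles": {}, "maps": {}}
    ctx = None
    for line in filter(str.strip, cfg.splitlines()):
        t = line.split()
        if not line.startswith(" "):                 # new top-level block
            ctx = None
            if t[:2] == ["crypto", "keyring"]:
                ctx = d["keyrings"].setdefault(t[2], [])
            elif t[:3] == ["crypto", "isakmp", "profile"]:
                ctx = d["profiles"].setdefault(t[3], {})
            elif t[:2] == ["crypto", "map"] and t[4:5] == ["ipsec-isakmp"]:
                ctx = d["maps"].setdefault((t[2], t[3]), {})
            elif t[:3] == ["ip", "access-list", "extended"]:
                ctx = d["acl"].setdefault(t[3], [])
        elif isinstance(ctx, list):                  # keyring or ACL body
            if t[:2] == ["pre-shared-key", "address"]:
                ctx.append(t[2])
            elif t[:2] == ["permit", "ip"]:
                ctx.append(_flow(t, 2))
        elif isinstance(ctx, dict):                  # profile or crypto map body
            if t[0] == "keyring":
                ctx["keyring"] = t[1]
            elif t[0] in ("set", "match") and len(t) == 3:
                ctx[" ".join(t[:2])] = t[2]
    return d

def cross_check(pix_cfg, ios_cfg, pix_ip, ios_ip):
    """[(code, detail)] findings; pix_ip/ios_ip are the two crypto endpoints."""
    pix, ios, out = parse_pix(pix_cfg), parse_ios(ios_cfg), []
    p = next((m for m in pix["maps"].values() if m.get("set peer") == ios_ip), None)
    r = next((m for m in ios["maps"].values() if m.get("set peer") == pix_ip), None)
    if p is None or r is None:
        return [("NO_MAP_FOR_PEER", f"PIX entry: {p}, IOS entry: {r}")]
    ts = p.get("set transform-set")
    if ts not in pix["xforms"]:
        out.append(("PIX_TRANSFORM_SET_UNDEFINED", f"{ts!r} not in {sorted(pix['xforms'])}"))
    prof = ios["profiles"].get(r.get("set isakmp-profile"), {})
    keys = ios["keyrings"].get(prof.get("keyring"), [])
    if prof and pix_ip not in keys:   # PSK is looked up by the peer's address
        out.append(("IOS_PSK_MISSING_FOR_PEER", f"keyring has {keys}, peer is {pix_ip}"))
    pix_flows = set(pix["acl"].get(p.get("match address"), []))
    ios_flows = {(d, s) for s, d in ios["acl"].get(r.get("match address"), [])}
    if pix_flows != ios_flows:        # proxy IDs must be exact mirror images
        out.append(("PROXY_ACL_MISMATCH", f"PIX {sorted(map(str, pix_flows))} "
                    f"vs IOS mirrored {sorted(map(str, ios_flows))}"))
    return out
```

Run against the two posted configs, cross_check returns two findings: the PIX crypto map names transform set 'xfire' while the only defined set is 'xfire-vodafone', and keyring cc-customers carries a key for 203.20.238.4 while the crypto map and ISAKMP profile use 203.20.238.2. The proxy ACLs do mirror each other; the netmask-versus-wildcard difference between PIX and IOS ACL syntax is absorbed by ipaddress, which accepts either mask style. Plain crypto isakmp key configurations without an ISAKMP profile are outside what this check covers.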


I believe your problem is that on the router side under isakmp config you have isakmp policy 1 group 2, but no matching on the PIX, causing SAs to malform. You can also try to set a PFS group for both router and PIX.

If it's no trouble to verify my assessment, could you please provide the configs for both the PIX device and the router, specifically the ISAKMP (management connection profile) and all crypto maps. Thanks
