11-16-2008 10:56 PM - edited 03-11-2019 07:13 AM
We have an issue with bringing up an IPSec connection. IKE phase 1 and 2 are up, but we only see packets being decrypted and no encryption.
This VPN is between a PIX on our end and a Cisco Router.
The config and "sh ver" are shown below:
static (webNT,outside) 203.20.238.115 203.20.238.115 netmask 255.255.255.255 0 0
route outside 10.45.206.0 255.255.255.0 203.20.238.1 1
TFSDC001-RYF01# sh cryp isa sa
Total : 1
Embryonic : 0
dst src state pending created
124.6.200.4 203.20.238.2 QM_IDLE 0 0
TFSDC001-RYF01# sh cryp ipsec sa | begin 114
TFSDC001-RYF01# sh cryp ipsec sa | begin 124
current_peer: 124.6.200.4:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 203, #recv errors 0
local crypto endpt.: 203.20.238.2, remote crypto endpt.: 124.6.200.4
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
---
Here is the config that I have on pix.
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0
crypto IPSec transform-set xfire-vodafone esp-3des esp-md5-hmac
crypto map tyco-3rdparty 10 IPSec-isakmp
crypto map tyco-3rdparty 10 match address xfire-vodafone
crypto map tyco-3rdparty 10 set peer 124.6.200.4
crypto map tyco-3rdparty 10 set transform-set xfire
sh ver
======
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Thu 04-Aug-05 21:40 by morlee
TFSDC001-RYF01 up 2 days 20 hours
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: ethernet0: address is 0009.43a4.df0c, irq 10
1: ethernet1: address is 0009.43a4.df0d, irq 11
2: ethernet2: address is 00e0.b605.2f17, irq 11
3: ethernet3: address is 00e0.b605.2f16, irq 10
4: ethernet4: address is 00e0.b605.2f15, irq 9
5: ethernet5: address is 00e0.b605.2f14, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has an Unrestricted (UR) license.
Serial Number: xxx
Running Activation Key: xxx
Configuration last modified by pixuser at 17:26:59.676 AEDT Mon Nov 17 2008
Debug output was not very helpful. Hope someone can shed some light on what would be the cause of this issue.
11-17-2008 02:37 PM
Can you post your router side? The crypto map and the isakmp policy. Also your transform set. Can you also do a sh crypto session and post the results?
Thanks,
--John
11-17-2008 06:33 PM
router#sh crypto ipsec sa vrf xfire.tyco.co.nz
interface: GigabitEthernet0/3
Crypto map tag: cm-iavp02-g0-2, local addr 124.6.200.4
protected vrf: xfire.tyco.co.nz
local ident (addr/mask/prot/port): (10.45.206.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (203.20.238.115/255.255.255.255/0/0)
current_peer 203.20.238.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 50, #recv errors 0
local crypto endpt.: 124.6.200.4, remote crypto endpt.: 203.20.238.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/3
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
show crypto session
Interface: GigabitEthernet0/3
Session status: DOWN
Peer: 203.20.238.2 port 500
IPSEC FLOW: permit ip 10.45.206.0/255.255.255.0 host 203.20.238.115
Active SAs: 0, origin: crypto map
Show crypto isakmp sa detail
dv#show crypto isakmp sa vrf xfire.tyco.co.nz
dst src state conn-id slot status
203.20.238.2 124.6.200.4 MM_NO_STATE 1290 0 ACTIVE (deleted)
Config
!
crypto keyring cc-customers
pre-shared-key address 203.20.238.4 key xf1r3tyc0vfn3!
!
crypto isakmp profile xfire.tyco.co.nz
vrf xfire.tyco.co.nz
keyring cc-customers
match identity address 203.20.238.2 255.255.255.255
!
crypto map cm-iavp02-g0-2 93 ipsec-isakmp
description Tyco New Zealand Ltd IPsec
set peer 203.20.238.2
set transform-set tranf-set-esp-3des-md5-hmac
set isakmp-profile xfire.tyco.co.nz
match address xfire.tyco.co.nz
!
ip access-list extended xfire.tyco.co.nz
permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115
ip route vrf xfire.tyco.co.nz 0.0.0.0 0.0.0.0 124.6.200.1 global
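As an added example (not part of any post in this thread), the script below takes the relevant PIX and router lines exactly as posted above (with the pre-shared key replaced by a placeholder and the IOS sub-command indentation that the forum stripped restored) and runs the cross-checks a practitioner does by hand when IKE negotiates but no IPsec SA ever installs: each side's `set peer` against the other side's endpoint, the router keyring address and isakmp-profile identity against the PIX's outside address, whether the PIX crypto map's `set transform-set` name is actually defined, and whether the two crypto ACLs mirror each other. The endpoint addresses 203.20.238.2 and 124.6.200.4 are taken from the `local crypto endpt.` lines of the show output; the check names are this example's own. It reports only what is visible in the snippets, so a transform set defined outside the posted excerpt would still show up as undefined here, and the router's transform-set contents cannot be compared because they were not posted.

```python
# Added example: cross-check both sides of a crypto-map IPsec tunnel for the
# config mismatches that leave IKE negotiating while no IPsec SA installs.
import re
from ipaddress import ip_address, ip_network

# Snippets copied from the thread (partial); PSK replaced, IOS indentation restored.
PIX_CFG = """
access-list xfire-vodafone permit ip host 203.20.238.115 10.45.206.0 255.255.255.0
crypto IPSec transform-set xfire-vodafone esp-3des esp-md5-hmac
crypto map tyco-3rdparty 10 match address xfire-vodafone
crypto map tyco-3rdparty 10 set peer 124.6.200.4
crypto map tyco-3rdparty 10 set transform-set xfire
"""
ROUTER_CFG = """
crypto keyring cc-customers
 pre-shared-key address 203.20.238.4 key REDACTED
crypto isakmp profile xfire.tyco.co.nz
 keyring cc-customers
 match identity address 203.20.238.2 255.255.255.255
crypto map cm-iavp02-g0-2 93 ipsec-isakmp
 set peer 203.20.238.2
 set transform-set tranf-set-esp-3des-md5-hmac
 set isakmp-profile xfire.tyco.co.nz
 match address xfire.tyco.co.nz
ip access-list extended xfire.tyco.co.nz
 permit ip 10.45.206.0 0.0.0.255 host 203.20.238.115
"""

def acl_term(toks, wildcard):
    """Pop one ACL address term ('host A' or 'A MASK') and return a network."""
    kw = toks.pop(0)
    if kw == "host":
        return ip_network(toks.pop(0) + "/32")
    mask = toks.pop(0)
    if wildcard:  # IOS ACLs use inverted masks; PIX 6.x ACLs use real masks
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ip_network(f"{kw}/{mask}", strict=False)

def acl_permit(line, wildcard):
    """'... permit ip <src> <dst>' -> (src_net, dst_net)."""
    toks = line.split()
    toks = toks[toks.index("permit") + 2:]  # skip 'permit' and the protocol
    return acl_term(toks, wildcard), acl_term(toks, wildcard)

def parse_pix(cfg):
    side = {"acls": {}, "transform_sets": set(), "map": {}}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) permit ip ", line):
            side["acls"].setdefault(m[1], []).append(acl_permit(line, wildcard=False))
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line, re.I):
            side["transform_sets"].add(m[1])
        elif m := re.match(r"crypto map \S+ \d+ (set peer|match address|set transform-set) (\S+)", line, re.I):
            side["map"][m[1].lower()] = m[2]
    return side

def parse_router(cfg):
    side = {"acls": {}, "map": {}, "psk_addrs": [], "identity": []}
    block = ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new IOS block
            block = line
            if m := re.match(r"ip access-list extended (\S+)", line):
                side["acls"][m[1]] = []
        elif block.startswith("crypto keyring"):
            if m := re.match(r"pre-shared-key address (\S+)(?: (\d+\.\d+\.\d+\.\d+))? key", line):
                side["psk_addrs"].append(ip_network(f"{m[1]}/{m[2] or '255.255.255.255'}", strict=False))
        elif block.startswith("crypto isakmp profile"):
            if m := re.match(r"match identity address (\S+) (\S+)", line):
                side["identity"].append(ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif block.startswith("crypto map"):
            if m := re.match(r"(set peer|match address|set transform-set) (\S+)", line):
                side["map"][m[1]] = m[2]
        elif block.startswith("ip access-list") and line.startswith("permit ip "):
            side["acls"][block.split()[-1]].append(acl_permit(line, wildcard=True))
    return side

def cross_check(pix, rtr, pix_ip, rtr_ip):
    """Return (check_name, detail) per mismatch; [] means the posted parts agree."""
    pix_ip, rtr_ip = ip_address(pix_ip), ip_address(rtr_ip)
    bad = []
    if pix["map"].get("set peer") != str(rtr_ip):
        bad.append(("pix_peer", f"PIX peers with {pix['map'].get('set peer')}, router endpoint is {rtr_ip}"))
    if rtr["map"].get("set peer") != str(pix_ip):
        bad.append(("router_peer", f"router peers with {rtr['map'].get('set peer')}, PIX endpoint is {pix_ip}"))
    if not any(pix_ip in n for n in rtr["identity"]):
        bad.append(("router_identity", f"isakmp profile matches no identity for {pix_ip}"))
    if not any(pix_ip in n for n in rtr["psk_addrs"]):
        bad.append(("router_psk_address", f"keyring has no pre-shared key for {pix_ip}; keyed: {[str(n) for n in rtr['psk_addrs']]}"))
    ts = pix["map"].get("set transform-set")
    if ts not in pix["transform_sets"]:
        bad.append(("pix_transform_set", f"crypto map uses transform-set '{ts}'; posted config defines {sorted(pix['transform_sets'])}"))
    # Phase 2 proxy identities must be exact mirror images of each other.
    pix_acl = pix["acls"].get(pix["map"].get("match address"), [])
    rtr_acl = rtr["acls"].get(rtr["map"].get("match address"), [])
    if {(s, d) for s, d in pix_acl} != {(d, s) for s, d in rtr_acl}:
        bad.append(("acl_mirror", f"PIX {pix_acl} and router {rtr_acl} are not mirrored"))
    return bad

if __name__ == "__main__":
    for name, detail in cross_check(parse_pix(PIX_CFG), parse_router(ROUTER_CFG), "203.20.238.2", "124.6.200.4"):
        print(f"[{name}] {detail}")
```

Run as-is it prints one line per failing check; an empty run means the posted pieces are consistent with each other and the fault lies somewhere not shown (the router's isakmp policy and transform set, or the PIX's `crypto map` interface binding and `isakmp key`/`isakmp enable outside` lines, none of which appear in the thread).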
11-17-2008 08:48 PM
I believe your problem is that on the router side, under the isakmp config, you have isakmp policy 1 group 2, but no matching one on the PIX, causing the SAs to malform. You can also try to set a PFS group for both the router and the PIX.
11-18-2008 10:26 AM
If it's no trouble, to verify my assessment could you please provide the configs for both the PIX device and the router, specifically the ISAKMP (management connection profile) and all crypto maps. Thanks