11-28-2006 04:23 AM - edited 03-11-2019 02:01 AM
Hi,
We are in the process of migrating from a 506e version 6.3 to a 515e version 7.0(5). We have everything up and running now except for one remote site, which is on a 172.16.0.0 network and connects via ADSL to an ISP, then to an IT company who say they are running a site-to-site VPN to us. Convoluted, I know (we inherited it). Here is the old part of the VPN config.
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto map dyn-map 20 ipsec-i
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server x.x.x.x
vpngroup vpn3000 wins-server x.x.x.x
vpngroup vpn3000 default-domain xxxxxx.net
vpngroup vpn3000 split-tunnel nonat
vpngroup vpn3000 idle-time 7200
vpngroup vpn3000 password ********
And here's what I currently have on the new PIX for our client-to-site VPN, which is working.
group-policy vpn3000 internal
group-policy vpn3000 attributes
wins-server value x.x.x.x x.x.x.x
dns-server value x.x.x.x x.x.x.x
split-tunnel-policy tunnelall
split-tunnel-network-list value vpn3000_splitTunnelAcl
default-domain value parkside.net
split-dns value parkside.net
username ********* password ************* encrypted privilege 15
http server enable
http x.x.x.x x.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool ippool
authentication-server-group Radius_Auth
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
The guy at the IT company says I need to use this line
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
and the policies, but I'm not sure which policies relate to what? This also feels far too simple for a site-to-site?
He also advised me I'd need to use this nonat access-list
access-list nonat permit ip host 1.x.x.x.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat
Can anyone shed any light on this?
Many thanks
J Mack
11-28-2006 05:05 AM
ISAKMP policy is not related to specific VPN
The process of ISAKMP policy negotiation is as follows:
The initiator will offer the highest priority proposal (in ISAKMP policy, highest priority means lowest number, e.g. isakmp policy 10 has higher priority than isakmp policy 20) and the responder will search its locally configured ISAKMP policies for a match. If there is none, the initiator will propose the next highest ISAKMP policy. This process will continue until the initiator has no proposals left to offer the responder.
So you can have as many policies as you want, but at least one policy must match.
NAT issues
Yes, you need to remove IPsec traffic from the NAT process (because IPsec doesn't cooperate with NAT well).
M.
Hope that helps; rate if it does.
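As an added illustration of the negotiation described in this reply (example code added here, not part of the original thread and not Cisco's code), the following Python parses the isakmp policy lines quoted in the question and walks them the way the reply describes: the initiator offers its policies from the lowest number upward, and for each offer the responder searches its own list for a policy with identical authentication, encryption, hash and DH group. The extra DES/MD5 policy 20 appended to the new 515e config is a constructed assumption purely to show what a match looks like; it reuses the legacy DES/MD5 parameters of the old box and is not a recommendation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number = higher priority: policy 10 is offered before policy 20
    authentication: str  # e.g. pre-share
    encryption: str      # des, 3des, ...
    hash: str            # md5, sha
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Collect 'isakmp policy <n> <attribute> <value>' lines into policy objects,
    sorted so index 0 is the highest-priority (lowest-numbered) policy."""
    attrs: Dict[int, Dict[str, str]] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["isakmp", "policy"]:
            attrs.setdefault(int(parts[2]), {})[parts[3]] = parts[4]
    return [
        IsakmpPolicy(prio, a["authentication"], a["encryption"], a["hash"],
                     int(a["group"]), int(a["lifetime"]))
        for prio, a in sorted(attrs.items())
    ]


def proposal_matches(offer: IsakmpPolicy, local: IsakmpPolicy) -> bool:
    """Authentication, encryption, hash and DH group must all be identical.
    Lifetime is not a match criterion here; the shorter value is adopted
    once the other attributes agree."""
    return (offer.authentication == local.authentication
            and offer.encryption == local.encryption
            and offer.hash == local.hash
            and offer.group == local.group)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int, int]]:
    """Initiator offers its policies from highest priority downward; for each
    offer the responder scans its own list in priority order. Returns
    (initiator_priority, responder_priority, agreed_lifetime) for the first
    match, or None when the initiator runs out of proposals (phase 1 fails)."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for local in sorted(responder, key=lambda p: p.priority):
            if proposal_matches(offer, local):
                return (offer.priority, local.priority,
                        min(offer.lifetime, local.lifetime))
    return None


# Policy lines copied from the two configs quoted in this thread.
OLD_506E = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
"""
NEW_515E = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""
# Constructed (assumption): the new PIX with a second policy that mirrors the
# old box's DES/MD5/group 2 parameters, so a legacy peer has something to match.
NEW_515E_WITH_DES = NEW_515E + """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

if __name__ == "__main__":
    old = parse_isakmp_policies(OLD_506E)
    new = parse_isakmp_policies(NEW_515E)
    new_des = parse_isakmp_policies(NEW_515E_WITH_DES)
    print("old-style peer -> new PIX:", negotiate(old, new))
    print("old-style peer -> new PIX + DES policy:", negotiate(old, new_des))
```

Running it shows that a peer still offering the old DES/MD5 proposals gets no match from a box whose only policy is 3DES, which is exactly the "phase 1 never completes" symptom; adding a matching policy (or, better, having the remote side move to the stronger parameters) is what makes the search succeed.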
11-28-2006 05:39 AM
Hi, thanks.
I still can't get this site to connect. I've put in this command:
isakmp key xxxxxxxx address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
These seem to be the errors I'm getting:
3|Nov 28 2006 14:55:48|713902: Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from peer table failed, no match!
3|Nov 28 2006 14:55:48|713127: Group = DefaultRAGroup, IP = x.x.x.x,, Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list
Does the remote peer use
Group = DefaultRAGroup
as part of the authentication process? The guy from the IT company says they are not using a group name, only a pre-shared key?
Thanks.
J mack
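The two syslog lines in this post follow the PIX 7.x "severity|timestamp|message-id: body" layout, and the IKE messages carry a "Group = ..., IP = ..." prefix. The following Python, an added example that is not from the original thread or from Cisco, parses that layout and flags the two message IDs seen here; the SAMPLE_LOG_LINES are the lines quoted above (peer IP masked as on the page), and the reading-guide text for each ID is a defender's paraphrase of the message itself, not an authoritative Cisco description.

```python
import re
from typing import Dict, List, Optional

# Constructed from the two log lines quoted in this post (peer IP masked, as on the page).
SAMPLE_LOG_LINES = [
    "3|Nov 28 2006 14:55:48|713902: Group = DefaultRAGroup, IP = x.x.x.x, "
    "Removing peer from peer table failed, no match!",
    "3|Nov 28 2006 14:55:48|713127: Group = DefaultRAGroup, IP = x.x.x.x,, "
    "Xauth required but selected Proposal does not support xauth, "
    "Check priorities of ike xauth proposals in ike proposal list",
]

# severity | "Mon dd yyyy HH:MM:SS" | six-digit message id ": " body
_LINE_RE = re.compile(
    r"^(?P<severity>\d)\|"
    r"(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\|"
    r"(?P<msg_id>\d{6}): (?P<body>.*)$"
)
# IKE bodies look like "Group = <name>, IP = <addr>, <text>". The ",+" tolerates
# the doubled comma that the 713127 line above actually contains.
_PEER_RE = re.compile(r"^Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+),+\s*(?P<text>.*)$")

# Reading guide for the two IDs in this thread (paraphrases of the message text).
IKE_MESSAGE_HINTS = {
    713127: "IKE phase 1 failed: peer was placed in a group that requires XAUTH, "
            "but the selected proposal does not support XAUTH",
    713902: "peer-table cleanup found no matching entry; typically follows an aborted phase 1",
}


def parse_pix_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split one PIX syslog line into its fields; returns None if the line
    does not follow the severity|timestamp|id: layout."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "severity": int(m["severity"]),
        "timestamp": m["timestamp"],
        "msg_id": int(m["msg_id"]),
        "group": None,
        "ip": None,
        "text": m["body"],
    }
    pm = _PEER_RE.match(m["body"])
    if pm:  # IKE-style body with group and peer address
        rec["group"] = pm["group"]
        rec["ip"] = pm["ip"]
        rec["text"] = pm["text"]
    return rec


def summarize_ike_failures(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line whose message id is in IKE_MESSAGE_HINTS,
    keeping the peer address and group so a responder can see which tunnel-group
    the peer landed in."""
    findings = []
    for line in lines:
        rec = parse_pix_syslog(line)
        if rec is None or rec["msg_id"] not in IKE_MESSAGE_HINTS:
            continue
        findings.append({
            "timestamp": rec["timestamp"],
            "peer": rec["ip"],
            "group": rec["group"],
            "msg_id": rec["msg_id"],
            "hint": IKE_MESSAGE_HINTS[rec["msg_id"]],
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_ike_failures(SAMPLE_LOG_LINES):
        print(finding)
```

The useful output for this thread is the "group" field: both messages show the peer being handled under DefaultRAGroup, which is why the parser keeps it alongside the peer IP rather than only the message text.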
11-28-2006 07:45 AM
The error tells you it is an IKE Phase 1 failure - mismatched config in pr. Check with your partner to ensure both sides have identical policies (isakmp policy 10).
HTH
AK