Pix 515e VPN

johnnymac
Level 1

Hi,

We are in the process of migrating from a 506e, version 6.3, to a 515e, Version 7.0(5). We have everything up and running now except for one remote site which is on a 172.16.0.0 network and connects via ADSL to an ISP, then to an IT company who say they are running a site-to-site VPN to us. Convoluted, I know (we inherited it). Here is the old part of the VPN config.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto map dyn-map 20 ipsec-i
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server x.x.x.x
vpngroup vpn3000 wins-server x.x.x.x
vpngroup vpn3000 default-domain xxxxxx.net
vpngroup vpn3000 split-tunnel nonat
vpngroup vpn3000 idle-time 7200
vpngroup vpn3000 password ********

And here's what I currently have on the new PIX for our client-to-site VPN, which is working.

group-policy vpn3000 internal
group-policy vpn3000 attributes
wins-server value x.x.x.x x.x.x.x
dns-server value x.x.x.x x.x.x.x
split-tunnel-policy tunnelall
split-tunnel-network-list value vpn3000_splitTunnelAcl
default-domain value parkside.net
split-dns value parkside.net
username ********* password ************* encrypted privilege 15
http server enable
http x.x.x.x x.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool ippool
authentication-server-group Radius_Auth
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *

The guy at the IT company says I need to use this line

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

and the policies, but I'm not sure which policies relate to what. This also feels far too simple for a site-to-site?

He also advised me I'd need to use this nonat access

access-list nonat permit ip host 1.x.x.x.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat

Can anyone shed any light on this?

Many thanks

J Mack

3 Replies

m.sir
Level 7

ISAKMP policy is not related to a specific VPN.

The process of ISAKMP policy negotiation is the following:

The initiator will offer the highest priority proposal (in ISAKMP policy, highest priority means lowest number, e.g. isakmp policy 10 has higher priority than isakmp policy 20) and the responder will search its locally configured ISAKMP policies for a match. If there are none, the initiator will propose the next highest ISAKMP policy. This process will continue until the initiator has no proposals left to offer the responder.

So you can have as many policies as you want, but at least one policy must match.

NAT issues

Yes, you need to remove IPSec traffic from the NAT process (because IPSec doesn't cooperate with NAT well).

M.

Hope that helps, rate if it does.
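The negotiation described in the reply above, worked through as an added example that is not from this thread or from Cisco: a small Python model of IKEv1 Phase 1 policy matching, run with the ISAKMP policies from the old 506e and the new 515e configs posted in the question. The lifetime rule (a responder accepts an offered lifetime no longer than its own) is Cisco's documented behaviour; everything else is a model written for illustration.

```python
# Added example: a model of IKEv1 Phase 1 (ISAKMP) policy negotiation as
# described in the reply above. Policy values come from the configs posted
# in this thread; the matching logic is a model, not PIX code.
from typing import List, NamedTuple, Optional, Tuple

class IsakmpPolicy(NamedTuple):
    priority: int      # lower number = higher priority, offered first
    auth: str          # "pre-share" in both configs on this page
    encryption: str    # "des" or "3des"
    hash_alg: str      # "md5" or "sha"
    group: int         # Diffie-Hellman group
    lifetime: int      # seconds

def policies_match(offer: IsakmpPolicy, local: IsakmpPolicy) -> bool:
    """A responder accepts an offer only when auth, encryption, hash and
    DH group are identical and the offered lifetime is no longer than its
    own (Cisco's documented rule; the shorter lifetime is then used)."""
    return (offer.auth == local.auth
            and offer.encryption == local.encryption
            and offer.hash_alg == local.hash_alg
            and offer.group == local.group
            and offer.lifetime <= local.lifetime)

def negotiate(initiator: List[IsakmpPolicy], responder: List[IsakmpPolicy]
              ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy]]:
    """Walk the initiator's policies from highest priority (lowest number)
    down; for each offer the responder searches its own list for a match.
    Returns the (offered, accepted) pair, or None when Phase 1 fails."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for local in sorted(responder, key=lambda p: p.priority):
            if policies_match(offer, local):
                return offer, local
    return None

# ISAKMP policies from the old 506e config quoted in the question; the
# remote peer was built against these.
OLD_506E = [
    IsakmpPolicy(10, "pre-share", "des", "md5", 2, 43200),
    IsakmpPolicy(20, "pre-share", "des", "md5", 1, 86400),
]
# The only policy on the new 515e.
NEW_515E = [IsakmpPolicy(10, "pre-share", "3des", "md5", 2, 86400)]
# A 515e that also carries a DES/MD5/group 2 policy (any free priority
# number works; moving both sides to 3DES would be the stronger fix).
NEW_515E_WITH_DES = NEW_515E + [IsakmpPolicy(30, "pre-share", "des", "md5", 2, 86400)]

if __name__ == "__main__":
    print(negotiate(OLD_506E, NEW_515E))           # None: DES offers vs 3DES only
    print(negotiate(OLD_506E, NEW_515E_WITH_DES))  # old policy 10 <-> new policy 30
```

Note that the policy numbers themselves never have to agree between peers; only the parameters do, which is why "copy the policies" is the real advice in the reply.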

Hi, thanks.

I still can't get this site to connect. I've put in this command:

isakmp key xxxxxxxx address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

These seem to be the errors I'm getting:

3|Nov 28 2006 14:55:48|713902: Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from peer table failed, no match!

3|Nov 28 2006 14:55:48|713127: Group = DefaultRAGroup, IP = x.x.x.x,, Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list

Does the remote peer use

Group = DefaultRAGroup

as part of the authentication process? The guy from the IT company says they are not using a group name, only a pre-shared key.

Thanks.

J Mack

The error tells you of an IKE Phase 1 failure - mismatched config in pr. Check with your partner to ensure both sides have identical policies (isakmp policy 10).

HTH

AK
