
New Member

Can't establish tunnel between Pix 515 (6.3(1)) and Netscreen

Hi,

It seems that from the Netscreen point of view, phase 1 is correct but keeps rebooting, and for the PIX, I get debug messages I don't fully understand (like what PEER_REAPER_TIMER means). But it seems to me that even phase 1 fails.

Here are the logs:

KEYENG_IKMP_SA_SPEC
isadb_create_sa:
crypto_isakmp_init_phase1_fields: initiator
is_auth_policy_configured: auth 4
gen_cookie:
ipsec_db_add_sa_req:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
is_auth_policy_configured: auth 4
construct_header: message_id 0x0
construct_isakmp_sa: auth 1
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x1
init_set_oakley_atts:
begin phase one
sa->state 0x0
ISAKMP (0): beginning Main Mode exchange
throw: mess_id 0x0
send_response:
isakmp_send: ip Gateway_FRA, port 500
PEER_REAPER_TIMER
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1...
send_response:
isakmp_send: ip Gateway_FRA, port 500
PEER_REAPER_TIMER
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1...
send_response:
isakmp_send: ip Gateway_FRA, port 500
PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 1,
(identity) local= 213.56.186.33, remote= Gateway_FRA,
local_proxy= 10.157.222.137/255.255.255.255/0/0 (type=1),
remote_proxy= 10.123.2.102/255.255.255.255/0/0 (type=1)
IPSEC(key_engine_sa_req): setting timer running retry <2>
crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
gen_cookie:
ipsec_db_get_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1...
send_response:
isakmp_send: ip Gateway_FRA, port 500
PEER_REAPER_TIMER
PEER_REAPER_TIMER
KEYENG_IKMP_SA_SPEC
gen_cookie:
ipsec_db_get_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1...
send_response:
isakmp_send: ip Gateway_FRA, port 500
PEER_REAPER_TIMER
QM_TIMER
ISAKMP (0): deleting SA: src 213.56.186.33, dst Gateway_FRA
REAPER_TIMER
ISADB: reaper checking SA 0x10dc7bc, conn_id = 0 DELETE IT!
crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for Gateway_FRA/500 not found - peers:0
ipsec_db_delete_sa_list_entry:
ipsec_db_free_ipsec_sa_list:
PEER_REAPER_TIMER
ISAKMP (0): retransmitting phase 1...
send_response:
isakmp_send: ip Gateway_FRA, port 500
PEER_REAPER_TIMER
QM_TIMER
ISAKMP (0): deleting SA: src 213.56.186.33, dst Gateway_FRA
REAPER_TIMER
ISADB: reaper checking SA 0x10dc7bc, conn_id = 0 DELETE IT!
crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for Gateway_FRA/500 not found - peers:0
ipsec_db_delete_sa_list_entry:
ipsec_db_free_ipsec_sa_list:
PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 2,
(identity) local= 213.56.186.33, remote= Gateway_FRA,
local_proxy= 10.157.222.137/255.255.255.255/0/0 (type=1),
remote_proxy= 10.123.2.102/255.255.255.255/0/0 (type=1)
crypto_ke_process_block:
crypto_gen_ipsec_isakmp_delete:
PEER_REAPER_TIMER

And here is the PIX configuration:

: Saved
: Written by enable_15 at 11:01:34.182 UTC Mon Jun 30 2003
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password zzzzzzzzz encrypted
passwd zzzzzzzz encrypted
hostname tgifirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 194.206.224.141 Gateway_FRA
access-list Ping_Tous permit icmp any any
access-list VpnTgiToDti permit ip host xx.xx.xx.xx host yy.yy.yy.yy
access-list VpnTgiToDti permit ip host yy.yy.yy.yy host xx.xx.xx.xx
pager lines 24
logging console debugging
logging buffered debugging
icmp permit xx.xx.xx.pp 255.255.255.0 echo-reply outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside zz.Zz.zz.zz 255.255.255.224
ip address inside xx.xx.xx.xx 255.255.255.0
ip address dmz pp.pp.pp.pp 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 yy.yy.yy.yy-yy.yy.yy.yy
global (dmz) 1 yy.yy.yy.yy-yy.yy.yy.yy netmask 255.255.255.0
nat (inside) 0 access-list VpnTgiToDti
nat (inside) 1 yy.yy.yy.yy 255.255.255.0 0 0
nat (dmz) 1 yy.yy.yy.yy 255.255.255.0 0 0
static (inside,dmz) yy.yy.yy.yy 10.157.222.0 netmask 255.255.255.0 0 0
access-group Ping_Tous in interface outside
route outside 0.0.0.0 0.0.0.0 213.56.186.35 1
route dmz yy.yy.yy.yy 255.255.255.0 192.168.137.2 1
route dmz yy.yy.yy.yy 255.255.255.252 192.168.137.2 1
route dmz yy.yy.yy.yy 255.255.255.0 192.168.137.2 1
route dmz yy.yy.yy.yy 255.255.255.0 192.168.137.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set SetDTI esp-3des esp-sha-hmac
crypto map VpnDTI 10 ipsec-isakmp
crypto map VpnDTI 10 match address VpnTgiToDti
crypto map VpnDTI 10 set pfs group2
crypto map VpnDTI 10 set peer Gateway_FRA
crypto map VpnDTI 10 set transform-set SetDTI
crypto map VpnDTI 10 set security-association lifetime seconds 3600 kilobytes 2000000
crypto map VpnDTI interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address xxxxxxxxxxx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet yy.yy.yy.yy 255.255.255.0 inside
telnet timeout 15

Could the problem come from an ADSL router situated after the firewall?

If someone could help me solve my problem or even help me understand those debug logs that would be wonderful.

Thank you.

Thomas

5 REPLIES
New Member

Re: Can't establish tunnel between Pix 515 (6.3(1)) and Netscree

Is the ADSL router performing PAT ?

New Member

Re: Can't establish tunnel between Pix 515 (6.3(1)) and Netscree

Thank you for your answer.

Yes, actually, it does. What type of problem does it cause? Because nowhere in FAQs, docs or forums have I seen that a router could do such things. But since this is my first VPN, it may have been a trivial matter that only I didn't know.

Thomas

New Member

Re: Can't establish tunnel between Pix 515 (6.3(1)) and Netscree

YEEEHAAAA

It works now thanks to you. You were right, it was a PAT issue. The way we found to make it work is the isakmp nat-traversal [seconds] command.

After two weeks of combat, man won over the machine.

Thank you again.

Thomas
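As an added example (not code from this thread, from Cisco, or from either poster), the following Python script triages PIX 6.x debug output for the pattern shown in the original post and diagnosed in the replies: phase 1 is retransmitted again and again, no packet from the peer is ever processed, and the SA is finally reaped. It assumes that `crypto_isakmp_process_block` and `ISAKMP (0): processing ... payload` lines are the only evidence of inbound IKE, and the two sample logs embedded in it are constructed, abridged from the output above.

```python
"""Triage helper for PIX 6.x `debug crypto isakmp` / `debug crypto ipsec`
output.  Added example; not the thread's or Cisco's code.

Silhouette it looks for: Main Mode started as initiator, several phase 1
retransmits, no inbound IKE packet parsed, SA reaped.  That points at the
UDP/500 packets not reaching the peer or the answers not coming back, which
is what a PAT device in the path causes and what `isakmp nat-traversal`
works around.  The inbound markers below are the ones commonly seen in PIX
6.x debug output; relying on them alone is an assumption of this example.
"""
import re

MAIN_MODE = re.compile(r"beginning Main Mode exchange")
RETRANSMIT = re.compile(r"ISAKMP \(\d+\): retransmitting phase 1")
DELETE_SA = re.compile(r"ISAKMP \(\d+\): deleting SA: src (\S+), dst (\S+)")
# Evidence that the PIX received and parsed an IKE packet from the peer.
INBOUND = re.compile(r"crypto_isakmp_process_block|ISAKMP \(\d+\): processing \w+ payload")
IDENTITY = re.compile(r"local=\s*(\S+),\s*remote=\s*(\S+),")
PROXY = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")

HINTS = {
    "phase1_no_response": (
        "No IKE packet from the peer was processed: confirm UDP/500 reaches the "
        "peer and returns, that the peer address matches the isakmp key line, and "
        "whether a PAT device sits in the path; with PAT, enable NAT-T "
        "(isakmp nat-traversal) on both ends so IKE and ESP ride UDP/4500."
    ),
    "phase1_peer_responding": (
        "The peer answers, so reachability is fine; compare the isakmp policy "
        "(encryption, hash, DH group, lifetime) and the pre-shared key on both ends."
    ),
    "inconclusive": "No Main Mode start or retransmit pattern found; capture more output.",
}


def classify(r):
    """Map the counters to one of three coarse verdicts."""
    if r["inbound_packets"] > 0:
        return "phase1_peer_responding"
    if r["main_mode_started"] and r["retransmits"] >= 2:
        return "phase1_no_response"
    return "inconclusive"


def triage_isakmp_debug(text):
    """Return a dict summarising the phase 1 attempt seen in `text`."""
    r = {"main_mode_started": False, "retransmits": 0, "inbound_packets": 0,
         "sa_deleted": False, "local": None, "remote": None,
         "local_proxy": None, "remote_proxy": None}
    for line in text.splitlines():
        if MAIN_MODE.search(line):
            r["main_mode_started"] = True
        if RETRANSMIT.search(line):
            r["retransmits"] += 1
        if INBOUND.search(line):
            r["inbound_packets"] += 1
        if DELETE_SA.search(line):
            r["sa_deleted"] = True
        m = IDENTITY.search(line)
        if m:
            r["local"], r["remote"] = m.groups()
        m = PROXY.search(line)
        if m:
            side, addr, mask, _proto, _port = m.groups()
            r[f"{side}_proxy"] = f"{addr}/{mask}"
    r["verdict"] = classify(r)
    r["hint"] = HINTS[r["verdict"]]
    return r


# Constructed sample 1: abridged from the thread's log (sends, retransmits,
# never hears back, SA reaped).
NO_REPLY_SAMPLE = """\
ISAKMP (0): beginning Main Mode exchange
isakmp_send: ip Gateway_FRA, port 500
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1...
isakmp_send: ip Gateway_FRA, port 500
PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 1,
(identity) local= 213.56.186.33, remote= Gateway_FRA,
local_proxy= 10.157.222.137/255.255.255.255/0/0 (type=1),
remote_proxy= 10.123.2.102/255.255.255.255/0/0 (type=1)
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1...
QM_TIMER
ISAKMP (0): deleting SA: src 213.56.186.33, dst Gateway_FRA
ISADB: reaper checking SA 0x10dc7bc, conn_id = 0 DELETE IT!
"""

# Constructed sample 2: the peer answers and its SA payload is parsed, so any
# failure from here would be a policy or key mismatch, not reachability.
REPLY_SAMPLE = """\
ISAKMP (0): beginning Main Mode exchange
isakmp_send: ip Gateway_FRA, port 500
crypto_isakmp_process_block: src Gateway_FRA, dest 213.56.186.33
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
"""

if __name__ == "__main__":
    for name, sample in (("no reply", NO_REPLY_SAMPLE), ("reply", REPLY_SAMPLE)):
        rep = triage_isakmp_debug(sample)
        print(f"[{name}] verdict={rep['verdict']} retransmits={rep['retransmits']} "
              f"inbound={rep['inbound_packets']} local={rep['local']} remote={rep['remote']}")
        print("   ", rep["hint"])
```

Run it against a pasted `debug crypto isakmp` capture; the point of separating the "no response" verdict from "peer responding" is that the first one is about the path (ACLs, routing, PAT) and the second about the two ends' policies, so the two send a defender to different places.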

New Member

Re: Can't establish tunnel between Pix 515 (6.3(1)) and Netscree

Thomas,

I found that phase 1 will come up if you add the no-config-mode to your isakmp key statement. Try changing your statement to this:

isakmp key bonjour address Gateway_FRA netmask 255.255.255.255 no-config-mode

That should fix phase 1. If that works and you get through phase, could you let me know?

Derek

New Member

Re: Can't establish tunnel between Pix 515 (6.3(1)) and Netscree

Indeed, it could have been that, but as written above, the main problem came from the NAT.

Furthermore, I don't think I used IKE mode configuration in this particular configuration.

But thanks for thinking of my problem ;-)

Thomas
