
Ipsec configuration problems

Hello,

I'm trying to connect a Watchguard firewall with a Cisco 827 router via IPsec.

I'll call the network behind the firewall Network 1 and the network behind the router Network 2.

After configuring both devices, network 1 and network 2 can access each other.

It seems that the IPsec tunnel is OK.

Well, there is another firewall with one Ethernet interface in Network 2 and another Ethernet interface in another network, called Network 3.

Here is the schema:

Network1--[Firewall]--[Internet]--[Cisco 827]--Network2--[Firewall2]--Network3

My problem is that Network 1 can't access Network 3 and Network 3 can't access Network 1.

Network 2 can access Network 3.

Debugging crypto ipsec, I get the following error on each ping I send from Network 1 to Network 3:

IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Here is the router configuration:

version 12.2
no service pad
no service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname UOCTECADSL
!
logging queue-limit 100
enable secret xxxxxxx
!
username xxxxxx password xxxxxx
username xxxxx password xxxxxx
aaa new-model
!
!
aaa authentication login uoc local
aaa session-id common
ip subnet-zero
no ip source-route
ip telnet source-interface Ethernet0
no ip domain lookup
!
no ip bootp server
!
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key arcan5us2389 address [Firewall External Address]
!
crypto ipsec security-association lifetime kilobytes 32000
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp_des_sha esp-des esp-sha-hmac
!
crypto map tecsidel_uoc local-address ATM0.1
crypto map tecsidel_uoc 1 ipsec-isakmp
 set peer [Firewall External Address]
 set transform-set esp_des_sha
 match address 101
!
!
!
!
interface Ethernet0
 description Conexion UOC
 ip address 192.168.128.86 255.255.255.248
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 ip access-group 11 in
 no ip route-cache
 no ip mroute-cache
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 bundle-enable
 dsl operating-mode auto
 hold-queue 208 in
!
interface ATM0.1 point-to-point
 ip address [Router External Address] 255.255.255.192
 ip access-group 11 in
 no ip route-cache
 no ip mroute-cache
 pvc 8/32
  encapsulation aal5snap
 !
 crypto map tecsidel_uoc
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 213.73.32.0 255.255.254.0 192.168.128.81
no ip http server
no ip http secure-server
!
!
access-list 10 permit 172.18.75.254
access-list 10 permit 172.18.136.22
access-list 10 permit 172.18.128.15
access-list 10 permit 192.168.128.78
access-list 10 permit 172.18.66.21
access-list 10 permit 213.73.33.0 0.0.0.255
access-list 10 permit 213.73.32.0 0.0.0.255
access-list 11 permit [Firewall External Address]
access-list 11 deny any
access-list 101 permit ip 192.168.128.80 0.0.0.7 172.18.128.0 0.0.63.255
access-list 101 permit ip 213.73.33.0 0.0.0.255 172.18.128.0 0.0.63.255
no cdp run
!
radius-server authorization permit missing Service-Type
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 login authentication uoc
 length 0
!
no scheduler max-task-time
end

Can anybody help me?

Thank you
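The debug line quoted in the post, "decrypted packet failed SA identity check", is IOS reporting that the source and destination of a packet it has just decrypted do not fall inside the proxy identities of the SA the packet arrived on; on this router those identities are derived from access-list 101 (the `match address 101` of the crypto map). The following is an added example, not part of the original thread and not Cisco code: it evaluates candidate flows against that crypto ACL using Cisco wildcard-mask semantics, so one can see which address ranges the tunnel is actually configured to carry. It also accepts the `any` and `host` address forms, which the posted ACL does not use. The Network 2 address 192.168.128.81 is taken from the static route in the config; the 172.18.x.x addresses and 10.0.3.10 are constructed samples, the latter standing in for a Network 3 host because the post does not give Network 3's addressing.

```python
import ipaddress

# Crypto ACL 101 as it appears in the router configuration in the post.
CRYPTO_ACL_101 = [
    "permit ip 192.168.128.80 0.0.0.7 172.18.128.0 0.0.63.255",
    "permit ip 213.73.33.0 0.0.0.255 172.18.128.0 0.0.63.255",
]


def _addr_pair(tokens):
    """Consume one Cisco address spec ('any', 'host A' or 'A WILDCARD') and
    return (address_int, wildcard_int, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return addr, wildcard, tokens[2:]


def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC-WILDCARD DST DST-WILDCARD' into a dict.
    Only protocol 'ip' is handled, which is all a crypto ACL normally needs."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, src_wc, rest = _addr_pair(rest)
    dst, dst_wc, rest = _addr_pair(rest)
    return {"action": action, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc}


def _wc_match(ip, addr, wildcard):
    # Cisco wildcard semantics: a set bit in the wildcard means "don't care",
    # so only the bits cleared in the wildcard have to agree.
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def ace_matches(ace, src_ip, dst_ip):
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    return (_wc_match(s, ace["src"], ace["src_wc"])
            and _wc_match(d, ace["dst"], ace["dst_wc"]))


def sa_identity_check(acl_lines, src_ip, dst_ip, inbound=False):
    """Return the index of the first ACE that permits the flow, or None if no
    ACE covers it (or the first covering ACE is a deny).  A decrypted, inbound
    packet is compared against the mirror of the crypto ACL, so source and
    destination are swapped before matching."""
    if inbound:
        src_ip, dst_ip = dst_ip, src_ip
    for i, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace_matches(ace, src_ip, dst_ip):
            return i if ace["action"] == "permit" else None
    return None


if __name__ == "__main__":
    # Constructed sample flows; 10.0.3.10 is a placeholder for a Network 3 host.
    flows = [
        ("192.168.128.81", "172.18.130.5", False),   # Network 2 -> Network 1
        ("172.18.130.5", "192.168.128.81", True),    # decrypted reply, Network 1 -> Network 2
        ("10.0.3.10", "172.18.130.5", False),        # Network 3 -> Network 1
    ]
    for src, dst, inbound in flows:
        hit = sa_identity_check(CRYPTO_ACL_101, src, dst, inbound=inbound)
        verdict = f"covered by ACE {hit}" if hit is not None else "NOT covered: fails SA identity check"
        print(f"{src} -> {dst} ({'inbound' if inbound else 'outbound'}): {verdict}")
```

A flow for which the function returns None is outside the router's negotiated proxy identities, so a packet with those addresses arriving on the SA is dropped with exactly the debug message the post shows. When troubleshooting, compare the result with the selector configured on the other peer and with any address translation on the path between the two, since either side rewriting addresses produces the same mismatch.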

1 REPLY

Re: Ipsec configuration problems

Hello.

It seems that IP packets for IKE phase 1 are undergoing NAT traversal, so there is an identity mismatch. Did you try the configuration line:

sysopt connection permit-ipsec

This only works with version 6.3 of the PIX Firewall software.
