04-03-2003 03:04 AM - edited 02-21-2020 12:27 PM
Attempting to set up a LAN-to-LAN IPsec tunnel between a PIX and a VPN 3005 concentrator. I have followed the instructions as in http://www.cisco.com/warp/public/471/ALTIGA_pix.html.
The tunnel can be initiated from the VPN concentrator, but cannot be initiated from the PIX end. I am receiving the following error messages (IP addresses replaced). I have tried both 3DES and DES encryption (the PIX does have a licence for 3DES) and I get the same anomalies. All help appreciated.
Mike
From PIX
pix# debug crypto ipsec
pix# IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc4ab8e0d(3299577357) for SA
from <pix public address> to <vpn public address> for prot 3
IPSEC(ipsec_encap): crypto map check deny
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with <VPN Public address>
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
And from the VPN log:
12 04/01/2003 10:15:57.580 SEV=5 IKE/35 RPT=821 <Pix public address>
Group [<Pix public address>]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.102.0, Mask 255.255.255.0, Protocol 0, Port 0
15 04/01/2003 10:15:57.580 SEV=5 IKE/34 RPT=1133 <Pix public address>
Group [<Pix public address>]
Received local IP Proxy Subnet data in ID Payload:
Address 10.31.131.0, Mask 255.255.255.0, Protocol 0, Port 0
18 04/01/2003 10:15:57.580 SEV=5 IKE/66 RPT=1278 <Pix public address>
Group [<Pix public address>]
IKE Remote Peer configured for SA: L2L: To_Pix
19 04/01/2003 10:15:57.580 SEV=4 IKE/0 RPT=2276 <Pix public address>
Group [<Pix public address>]
All IPSec SA proposals found unacceptable!
20 04/01/2003 10:15:57.580 SEV=4 IKEDBG/0 RPT=1648
QM FSM error (P2 struct &0x1c7aaac, mess id 0x321b5f40)!
21 04/01/2003 10:15:57.580 SEV=4 IKEDBG/0 RPT=1649
QM FSM history (P2 struct &0x1c7aaac):
[13, 52], [3, 32], [3, 44], [3, 31]
22 04/01/2003 10:15:57.580 SEV=6 IKE/0 RPT=2277 <Pix public address>
Group [<Pix public address>]
Removing peer from correlator table failed, no match!
23 04/01/2003 10:15:57.580 SEV=4 AUTH/23 RPT=627 <Pix public address>
User <Pix public address> disconnected: duration: 0:00:28
04-03-2003 06:45 PM
This is your problem:
19 04/01/2003 10:15:57.580 SEV=4 IKE/0 RPT=2276
Group [
All IPSec SA proposals found unacceptable!
On the 3000, go under Config - Policy Mgmt - Traffic Mgmt - SAs and modify the L2L SA for this PIX connection. Check that the parameters match what you've got on the PIX, you'll possibly find that PFS is on at one end and not the other. Check what IKE Proposal it's using also and verify that that matches up with what's in the PIX.
04-23-2003 07:02 AM
Thanks to gfullage
The PIX needed a PFS line in the config to solve the problem.
Rgds
Mike
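An added example, not from the thread, to show the two checks gfullage's answer describes: spotting the "All IPSec SA proposals found unacceptable!" event in the concentrator log for a given peer, and comparing the phase 2 (IPsec SA) parameters configured on each side so a mismatch such as PFS on one end only is reported before anyone walks through the GUI. The log lines, peer address 203.0.113.10 and both parameter sets are constructed for the example (the PIX side has no PFS, matching the resolution in the thread); the log format follows the entries quoted in the original post.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of VPN 3000 concentrator log output, modelled on the
# entries quoted above. Each event is a header line
#   "<seq> <date> <time> SEV=<n> <class>/<num> RPT=<n> [<peer>]"
# followed by one or more message lines. 203.0.113.10 is a documentation
# address standing in for the PIX public address.
SAMPLE_LOG = """\
18 04/01/2003 10:15:57.580 SEV=5 IKE/66 RPT=1278 203.0.113.10
Group [203.0.113.10]
IKE Remote Peer configured for SA: L2L: To_Pix
19 04/01/2003 10:15:57.580 SEV=4 IKE/0 RPT=2276 203.0.113.10
Group [203.0.113.10]
All IPSec SA proposals found unacceptable!
20 04/01/2003 10:15:57.580 SEV=4 IKEDBG/0 RPT=1648
QM FSM error (P2 struct &0x1c7aaac, mess id 0x321b5f40)!
"""

HEADER_RE = re.compile(
    r"^(?P<seq>\d+) (?P<date>\S+) (?P<time>\S+) SEV=(?P<sev>\d+) "
    r"(?P<cls>[A-Z]+)/(?P<num>\d+) RPT=(?P<rpt>\d+)(?: (?P<peer>\S+))?$"
)


@dataclass
class Event:
    seq: int
    sev: int
    cls: str
    peer: Optional[str]          # None for IKEDBG lines that carry no peer
    messages: list = field(default_factory=list)


def parse_concentrator_log(text: str) -> list:
    """Group header + message lines into Event records."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events.append(Event(int(m["seq"]), int(m["sev"]), m["cls"], m["peer"]))
        elif events:
            # Continuation line belongs to the most recent header.
            events[-1].messages.append(line.strip())
    return events


def find_phase2_failures(events: list) -> list:
    """Peers whose quick mode failed because no IPsec SA proposal matched."""
    return [
        e.peer for e in events
        if e.cls == "IKE"
        and any("All IPSec SA proposals found unacceptable" in m for m in e.messages)
    ]


# Phase 2 parameters that must agree on both ends of an L2L tunnel.
SA_KEYS = ("encryption", "authentication", "pfs_group", "lifetime_seconds")


def compare_ipsec_sa(pix: dict, concentrator: dict) -> dict:
    """Map each mismatched parameter to (pix value, concentrator value)."""
    return {
        k: (pix.get(k), concentrator.get(k))
        for k in SA_KEYS
        if pix.get(k) != concentrator.get(k)
    }


# Constructed parameter sets: identical except that the PIX has no PFS group.
PIX_SA = {"encryption": "3des", "authentication": "sha",
          "pfs_group": None, "lifetime_seconds": 28800}
CONC_SA = {"encryption": "3des", "authentication": "sha",
           "pfs_group": 2, "lifetime_seconds": 28800}

if __name__ == "__main__":
    evts = parse_concentrator_log(SAMPLE_LOG)
    print("phase 2 failures for peers:", find_phase2_failures(evts))
    print("SA mismatches:", compare_ipsec_sa(PIX_SA, CONC_SA))
```

Run against a real log export, `find_phase2_failures` narrows the search to the peer that is failing quick mode, and `compare_ipsec_sa` is fed the values read from the PIX `crypto map` / `crypto ipsec transform-set` lines and the concentrator's L2L SA page; any key it returns is a setting to reconcile.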