Ipsec tunnel pix - vpn3005 not working

m.ware
Level 1

Attempting to set up a LAN 2 LAN Ipsec tunnel between PIX and VPN 3005 concentrator. I have followed the instructions as in http://www.cisco.com/warp/public/471/ALTIGA_pix.html.

The tunnel can be initiated from the VPN concentrator, but cannot be initiated from the PIX end. I am receiving the following error messages. IP addresses replaced. I have tried both 3des and des encryption (PIX does have a licence for 3des) and I get the same anomalies. All help appreciated.

Mike

From PIX

pix# debug crypto ipsec
pix# IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc4ab8e0d(3299577357) for SA
from <pix public address> to <vpn public address> for prot 3
IPSEC(ipsec_encap): crypto map check deny
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with <VPN Public address>
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny
IPSEC(ipsec_encap): crypto map check deny

and from the vpn log

12 04/01/2003 10:15:57.580 SEV=5 IKE/35 RPT=821 <Pix public address>
Group [<Pix public address>]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.102.0, Mask 255.255.255.0, Protocol 0, Port 0

15 04/01/2003 10:15:57.580 SEV=5 IKE/34 RPT=1133 <Pix public address>
Group [<Pix public address>]
Received local IP Proxy Subnet data in ID Payload:
Address 10.31.131.0, Mask 255.255.255.0, Protocol 0, Port 0

18 04/01/2003 10:15:57.580 SEV=5 IKE/66 RPT=1278 <Pix public address>
Group [<Pix public address>]
IKE Remote Peer configured for SA: L2L: To_Pix

19 04/01/2003 10:15:57.580 SEV=4 IKE/0 RPT=2276 <Pix public address>
Group [<Pix public address>]
All IPSec SA proposals found unacceptable!

20 04/01/2003 10:15:57.580 SEV=4 IKEDBG/0 RPT=1648
QM FSM error (P2 struct &0x1c7aaac, mess id 0x321b5f40)!

21 04/01/2003 10:15:57.580 SEV=4 IKEDBG/0 RPT=1649
QM FSM history (P2 struct &0x1c7aaac):
[13, 52], [3, 32], [3, 44], [3, 31]

22 04/01/2003 10:15:57.580 SEV=6 IKE/0 RPT=2277 <Pix public address>
Group [<Pix public address>]
Removing peer from correlator table failed, no match!

23 04/01/2003 10:15:57.580 SEV=4 AUTH/23 RPT=627 <Pix public address>
User <Pix public address> disconnected: duration: 0:00:28

2 Replies

gfullage
Cisco Employee

This is your problem:

19 04/01/2003 10:15:57.580 SEV=4 IKE/0 RPT=2276
Group []
All IPSec SA proposals found unacceptable!

On the 3000, go under Config - Policy Mgmt - Traffic Mgmt - SAs and modify the L2L SA for this PIX connection. Check that the parameters match what you've got on the PIX, you'll possibly find that PFS is on at one end and not the other. Check what IKE Proposal it's using also and verify that that matches up with what's in the PIX.
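The reply above amounts to a checklist: read the "crypto map check deny" / "All IPSec SA proposals found unacceptable!" symptoms as a Phase 2 (quick mode) rejection, then compare the IKE proposal and the IPsec SA parameters (PFS included) on both peers. The script below is an added example written for this thread, not code from the poster, Cisco, or the PIX/VPN 3000 products. It scans constructed copies of the two logs quoted above for those symptoms, extracts the proxy identities the concentrator logged, and diffs two constructed parameter sets to name what differs; the parameter names (ike_encryption, pfs, ...) and both value sets are assumptions for illustration, not real device configuration.

```python
"""Added example: triage a PIX <-> VPN 3000 L2L tunnel that fails in Phase 2.
Not code from the thread or from Cisco; parameter names and sample values are
constructed for illustration."""
import re

# Strings that appear in the two logs quoted in the thread.
PIX_DENY = "crypto map check deny"
VPN_UNACCEPTABLE = "All IPSec SA proposals found unacceptable!"
# Proxy identities (the subnets each side proposes to protect) from the
# VPN 3000 IKE/34 and IKE/35 events.  \s* lets the match span the line
# break between "ID Payload:" and "Address".
PROXY_RE = re.compile(
    r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s*"
    r"Address ([\d.]+), Mask ([\d.]+), Protocol (\d+), Port (\d+)"
)

# Constructed sample input modelled on the logs quoted in the thread;
# the peer addresses are placeholders, as in the original post.
PIX_DEBUG = """\
IPSEC(ipsec_encap): crypto map check deny
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc4ab8e0d(3299577357) for SA
from <pix public address> to <vpn public address> for prot 3
IPSEC(ipsec_encap): crypto map check deny
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with <VPN Public address>
"""
VPN_LOG = """\
12 04/01/2003 10:15:57.580 SEV=5 IKE/35 RPT=821 <Pix public address>
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.102.0, Mask 255.255.255.0, Protocol 0, Port 0
15 04/01/2003 10:15:57.580 SEV=5 IKE/34 RPT=1133 <Pix public address>
Received local IP Proxy Subnet data in ID Payload:
Address 10.31.131.0, Mask 255.255.255.0, Protocol 0, Port 0
19 04/01/2003 10:15:57.580 SEV=4 IKE/0 RPT=2276 <Pix public address>
All IPSec SA proposals found unacceptable!
"""


def scan_logs(pix_debug: str, vpn_log: str) -> dict:
    """Pull out the facts the two logs give about the failed negotiation."""
    pix_denies = sum(PIX_DENY in line for line in pix_debug.splitlines())
    proxy_ids = {
        side: (addr, mask, int(proto), int(port))
        for side, addr, mask, proto, port in PROXY_RE.findall(vpn_log)
    }
    return {
        "pix_crypto_map_denies": pix_denies,
        "vpn_rejected_phase2": VPN_UNACCEPTABLE in vpn_log,
        "proxy_ids": proxy_ids,
    }


# Parameters that must agree for the L2L SA to come up.  Both sets are
# constructed (hypothetical names); "pfs": None means PFS is not configured.
PIX_PARAMS = {
    "ike_encryption": "3des", "ike_hash": "sha", "ike_dh_group": 2,
    "ike_auth": "pre-share", "ipsec_transform": "esp-3des esp-sha-hmac",
    "pfs": None,
}
VPN_PARAMS = {
    "ike_encryption": "3des", "ike_hash": "sha", "ike_dh_group": 2,
    "ike_auth": "pre-share", "ipsec_transform": "esp-3des esp-sha-hmac",
    "pfs": "group2",
}


def compare_sa_params(pix: dict, vpn: dict) -> list:
    """Return (parameter, pix_value, vpn_value) for every value that differs."""
    keys = sorted(set(pix) | set(vpn))
    return [(k, pix.get(k), vpn.get(k)) for k in keys if pix.get(k) != vpn.get(k)]


def diagnose(pix_debug: str, vpn_log: str, pix: dict, vpn: dict) -> dict:
    """Combine the log symptoms and the parameter diff into one verdict."""
    facts = scan_logs(pix_debug, vpn_log)
    mismatches = compare_sa_params(pix, vpn)
    if facts["vpn_rejected_phase2"] and mismatches:
        verdict = "phase2-proposal-mismatch"
    elif facts["vpn_rejected_phase2"]:
        # Parameters agree but the proposal is still refused: the proxy
        # identities (crypto ACL vs. concentrator network lists) are next.
        verdict = "phase2-rejected-check-proxy-ids"
    else:
        verdict = "no-phase2-rejection-seen"
    return {"verdict": verdict, "mismatches": mismatches, **facts}


if __name__ == "__main__":
    result = diagnose(PIX_DEBUG, VPN_LOG, PIX_PARAMS, VPN_PARAMS)
    print(result["verdict"])
    for name, pix_val, vpn_val in result["mismatches"]:
        print(f"  {name}: PIX={pix_val!r}  VPN3000={vpn_val!r}")
    for side, ident in result["proxy_ids"].items():
        print(f"  {side} proxy id: {ident}")
```

On the constructed input the verdict is phase2-proposal-mismatch with pfs as the only differing parameter, which is the outcome the thread reports. The proxy-identity branch is kept because a Phase 2 refusal with identical proposals usually means the protected networks on the two peers do not line up.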

Thanks to gfullage

The PIX needed a PFS line in the config to solve the problem.

Rgds

Mike
