Linksys to pix 506e vpn

wmaruya
Level 1

I have a Linksys VPN router trying to connect to a Cisco PIX 506e firewall. The Linksys VPN router is behind, I believe, a Nokia 330 firewall. There is a public address assigned to forward all traffic to the NATed address on the Linksys VPN router. I think I have the 506e configured correctly, but I am not sure. The situation is complicated, but any suggestions on how to make this work?

Thanks

11 Replies

ajagadee
Cisco Employee

Hi Wayne,

Since the Pix sees the Linksys router as another VPN device, the IPSec LAN-to-LAN tunnel should work. If your Pix is configured correctly, what information do you see in the debugs? You can also use the URL below for troubleshooting purposes:

http://te.cisco.com/SRVS/CGI-BIN/WEBCGI.EXE?New,KB=PIX

Regards,

Arul

I am new to the Pix, so I don't know what the debug means.

ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 27
ISAKMP (0): Total payload length: 31
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to 4.23.196.174. ID = 519007007 (0x1eef6b1f)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58
ISAKMP (0): retransmitting phase 2...
ISADB: reaper checking SA 0x80c75af0, conn_id = 0
ISADB: reaper checking SA 0x80d601e8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:4.23.196.174 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0x80c75af0, conn_id = 0
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58
ISADB: reaper checking SA 0x80c75af0, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:4.23.196.174 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:4.23.196.174 Total VPN peers:0
crypto_isakmp_process_block: src 4.23.196.174, dest 66.91.147.58

I was wondering if you could give me a sample config of a Pix to accept dynamic IPSec connections, and how to route traffic between the source and destination networks.

thanks.

Hi,

Here is the link that explains dynamic to static Pix IPSec Tunnel.

http://www.cisco.com/warp/public/110/dynamicpix.html

The above config was tested with the Pix configured to accept dynamic connections and the remote VPN devices being Cisco devices and Cisco Secure VPN Client 1.1.

Regards,

Arul

Thanks Arul... I found that same config this morning and tried it, and I do connect. But now traffic does not route through. Do I need to put a static route in for the VPN connection? And if so, does it go on the outside interface?

Thanks for your help,

Wayne

Hi Wayne,

Good, that you were able to connect fine.

1. Once the Linksys router is connected, try to ping an IP address on the internal network other than the inside IP address of the Pix. If you see encrypts on the Linksys, do a sh crypto ipsec sa and look for decrypts on the Pix.

2. If you see decrypts and no encrypts, then it looks like the Pix is not sending the packets back to the client.

3. Make sure that you have the NAT 0 command to bypass NAT for the IPSec traffic.

4. And make sure that the IP address that you are trying to ping knows that it has to send the traffic back to the Pix for the network behind the Linksys.

Will wait for your updates.

Regards,

Arul

Arul,

The Pix is the default gateway for the host. Will it still work? I tried to ping a device on the other side and it does not go through. Don't I need to put a route in the Pix for it to route the data through the IPSec tunnel?

The sh crypto ipsec sa:

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 4.23.196.174
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 693, #pkts decrypt: 693, #pkts verify 743
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 100
local crypto endpt.: 66.91.147.58, remote crypto endpt.: 4.23.196.174
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 1d9306ab
inbound esp sas:
spi: 0x82b1d55e(2192692574)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: dyn-map
sa timing: remaining key lifetime (k/sec): (4607998/27310)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1d9306ab(496174763)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: dyn-map
sa timing: remaining key lifetime (k/sec): (4608000/27265)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

The debug comes out with this; is this a problem?

return status is IKMP_NO_ERROR
IPSEC(ipsec_cipher_handler): ERR: bad pkt 192.168.2.102->192.168.1.255
IPSEC(ipsec_cipher_handler): ERR: bad pkt 192.168.2.102->192.168.1.255
VPN Peer: IPSEC: Peer ip:4.23.196.174 Decrementing Ref cnt to:4 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:4.23.196.174 Decrementing Ref cnt to:3 Total VPN Peers:1

Much thanks for your help

Wayne

Hi Wayne,

It looks like we are decrypting the packets but not encrypting them. If the default gateway is pointing to the Pix, then does the Pix have the NAT 0 command to bypass NAT for the IPSec tunnel?

If the config looks good, then we need to see if it's a code issue.

Regards,

Arul
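The "decrypts but no encrypts" rule Arul applies to the sh crypto ipsec sa output, and the bad pkt lines Wayne pasted, can be checked mechanically. This is an added example, not from the thread or from Cisco; the sample text is constructed to match the posted output, and the finding names are our own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the "sh crypto ipsec sa" output in the thread.
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 4.23.196.174
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 693, #pkts decrypt: 693, #pkts verify 743
#send errors 0, #recv errors 100
"""
# Constructed debug line of the kind posted above.
SAMPLE_BAD_PKT = "IPSEC(ipsec_cipher_handler): ERR: bad pkt 192.168.2.102->192.168.1.255"


def parse_sa(text):
    """Extract the proxy identities and the encrypt/decrypt counters from one SA block."""
    sa = {"counters": {}}
    ident = r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/"
    for side, net, mask in re.findall(ident, text):
        sa[side] = ip_network(f"{net}/{mask}")   # netmask form is accepted by ipaddress
    for name, value in re.findall(r"#pkts (encrypt|decrypt): (\d+)", text):
        sa["counters"][name] = int(value)
    m = re.search(r"#recv errors (\d+)", text)
    sa["counters"]["recv_errors"] = int(m.group(1)) if m else 0
    return sa


def diagnose(sa):
    """Arul's rule: decrypts with zero encrypts means no reply ever enters the tunnel."""
    enc = sa["counters"].get("encrypt", 0)
    dec = sa["counters"].get("decrypt", 0)
    if dec and not enc:
        # Inbound packets are decrypted but nothing is encrypted back: the return
        # traffic never matches the crypto map (check the nat 0 exemption and that
        # inside hosts route the remote subnet back to the PIX).
        return "decrypt-only"
    if enc and not dec:
        return "encrypt-only"
    return "bidirectional" if enc and dec else "no-traffic"


def classify_bad_pkt(line, local_net):
    """Explain a 'bad pkt src->dst' line against the negotiated local identity."""
    m = re.search(r"bad pkt (\S+)->(\S+)", line)
    if not m:
        return None
    dst = ip_address(m.group(2))
    if dst == local_net.broadcast_address:
        return "broadcast"            # subnet broadcast from the far side, not a unicast reply fault
    return "unicast" if dst in local_net else "outside-local-ident"
```

Run against the posted counters this reports decrypt-only, and the bad pkt destination 192.168.1.255 is simply the broadcast address of the local 192.168.1.0/24 identity, so it does not by itself explain the missing return traffic.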

Arul,

Can I get your email address? If you don't mind, I don't want to show the config on the forum.

Wayne

Hi Wayne,

Here we go: ajagadee@cisco.com

Regards,

Arul

I'm having similar issues with a Linksys VPN router connecting to a PIX 515 and was wondering if you were able to get it to work.

Thanks,

Mark English

I got it to work, but not through the Nokia 330. I connected the Linksys router on another internet connection and it worked automatically.