
PIX 501 to PIX 501 IPSEC VPN Help!

I apologize beforehand for what may be a very long post. What I'm trying to do right now is create an IPSEC VPN at home to test the functionality of the PIX site-to-site VPN. The problem is, whenever I send interesting traffic through the PIX to establish the VPN, I get the following messages via debug isakmp:

VPN Peer: ISAKMP: Added new peer: ip:10.21.21.2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.21.21.2 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.20.20.2, remote= 10.21.21.2,
local_proxy= 10.20.20.2/255.255.255.255/1/0 (type=1),
remote_proxy= 10.21.21.2/255.255.255.255/1/0 (type=1)
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 10.20.20.2, dst 10.21.21.2
ISADB: reaper checking SA 0x809f94d0, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:10.21.21.2 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:10.21.21.2 Total VPN peers:0IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.20.20.2, remote= 10.21.21.2,
local_proxy= 10.20.20.2/255.255.255.255/1/0 (type=1),
remote_proxy= 10.21.21.2/255.255.255.255/1/0 (type=1)

The net result is that I get no connectivity between the two locations. Any help in troubleshooting this would be appreciated. The configs I have set up on the PIXes are below.

My physical setup is as follows:

Host #1 (192.168.1.2) --> (192.168.1.1) PIX #1(10.20.20.2) --> (10.20.20.1) Router (10.21.21.1) --> (10.21.21.2) PIX #2 (10.22.22.1) --> (10.22.22.100) Host #2

Configs:

PIX #1

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
...
access-list 101 permit icmp host 10.20.20.2 host 10.21.21.2
access-list 101 permit tcp host 10.20.20.2 eq telnet host 10.21.21.2
...
ip address outside 10.20.20.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
...
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.20.20.2 192.168.1.2 netmask 255.255.255.255 0 0
conduit permit icmp any 10.21.21.0 255.255.255.0
conduit permit icmp any 10.20.20.0 255.255.255.0
conduit permit tcp any eq telnet 10.21.21.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.20.20.1 1
...
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map delta 10 ipsec-isakmp
crypto map delta 10 match address 101
crypto map delta 10 set pfs group2
crypto map delta 10 set peer 10.21.21.2
crypto map delta 10 set transform-set cisco
crypto map delta interface outside
isakmp enable outside
isakmp key ******** address 10.21.21.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

PIX #2

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
...
access-list 100 permit icmp host 10.21.21.2 host 10.20.20.2
access-list 100 permit tcp host 10.21.21.2 host 10.20.20.2 eq telnet
...
ip address outside 10.21.21.2 255.255.255.0
ip address inside 10.22.22.1 255.255.255.0
...
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.21.21.2 10.22.22.100 netmask 255.255.255.255 0 0
conduit permit icmp any 10.20.20.0 255.255.255.0
conduit permit icmp any 10.21.21.0 255.255.255.0
conduit permit tcp host 10.21.21.2 eq 8000 any
route outside 0.0.0.0 0.0.0.0 10.21.21.1 1
...
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map disco 10 ipsec-isakmp
crypto map disco 10 match address 102
crypto map disco 10 set pfs group2
crypto map disco 10 set peer 10.20.20.2
crypto map disco 10 set transform-set cisco
crypto map disco interface outside
isakmp enable outside
isakmp key ******** address 10.20.20.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Thanks in advance for any help!

-- Andy

3 REPLIES

Re: PIX 501 to PIX 501 IPSEC VPN Help!

Your connection is failing on Phase 1. I would add "sysopt connection permit-ipsec" to each config. That should fix it. If it doesn't, I would look at this config example: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml.

If that doesn't help, let us know and we can do the other debugs.

Steve
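As an added illustration (not code from the thread, from Cisco, or from either poster), here is a small Python checker that parses the VPN-relevant lines of the two configs posted above and reports the mismatches that keep a PIX-to-PIX tunnel from coming up: a crypto map that points at an undefined access-list, crypto ACLs that are not mirror images of each other, a peer address that is not the other box's outside address, and the missing "sysopt connection permit-ipsec" that Steve's reply recommends. The posted configs are abbreviated with "...", so a finding such as the undefined access-list 102 on PIX #2 may only reflect what was left out of the post.

```python
# Excerpts of the two PIX 6.1(4) configs posted above; the parts elided with "..." are not reproduced.
PIX1 = """access-list 101 permit icmp host 10.20.20.2 host 10.21.21.2
access-list 101 permit tcp host 10.20.20.2 eq telnet host 10.21.21.2
ip address outside 10.20.20.2 255.255.255.0
crypto map delta 10 match address 101
crypto map delta 10 set peer 10.21.21.2
"""
PIX2 = """access-list 100 permit icmp host 10.21.21.2 host 10.20.20.2
access-list 100 permit tcp host 10.21.21.2 host 10.20.20.2 eq telnet
ip address outside 10.21.21.2 255.255.255.0
crypto map disco 10 match address 102
crypto map disco 10 set peer 10.20.20.2
"""

def endpoint(t, i):  # 'any' | 'host A' | 'A MASK', then optional 'eq PORT' -> ((addr, port), next index)
    if t[i] == "any": spec, i = "any", i + 1
    elif t[i] == "host": spec, i = t[i + 1] + "/32", i + 2
    else: spec, i = t[i] + "/" + t[i + 1], i + 2
    port = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return (spec, port), i + (2 if port else 0)
def parse(cfg):  # pull the VPN-relevant settings out of a PIX 6.x config
    c = {"acls": {}, "sysopt": False}
    for t in [l.split() for l in cfg.splitlines() if l.strip()]:
        if t[0] == "access-list":  # access-list NAME permit PROTO SRC [eq P] DST [eq P]
            src, i = endpoint(t, 4)
            dst, _ = endpoint(t, i)
            c["acls"].setdefault(t[1], []).append((t[3], src, dst))
        elif t[:3] == ["ip", "address", "outside"]:
            c["outside"] = t[3]
        elif t[:2] == ["crypto", "map"] and "match" in t:
            c["map_acl"] = t[-1]
        elif t[:2] == ["crypto", "map"] and "peer" in t:
            c["peer"] = t[-1]
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            c["sysopt"] = True
    return c
def check(local, remote):  # findings as seen from local's side; an empty list means nothing obvious
    f = []
    if local.get("peer") != remote.get("outside"):
        f.append("peer %s is not the remote outside address" % local.get("peer"))
    acl = local["acls"].get(local.get("map_acl"))
    rem = remote["acls"].get(remote.get("map_acl"), [])
    if acl is None:
        f.append("crypto map references undefined access-list %s" % local.get("map_acl"))
    for proto, src, dst in acl or []:  # the peer's crypto ACL must hold the mirror image
        if (proto, dst, src) not in rem:
            f.append("no mirror on peer for %s %s -> %s" % (proto, src, dst))
    if not local["sysopt"]:
        f.append("sysopt connection permit-ipsec absent: decrypted traffic must still pass the conduits")
    return f
```

Run check(parse(PIX1), parse(PIX2)) and check(parse(PIX2), parse(PIX1)) to see both sides; the two posted ACLs are correct mirrors of each other (source port telnet on one side, destination port telnet on the other), so on the visible lines only the access-list 102 reference and the missing sysopt line are reported.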


Re: PIX 501 to PIX 501 IPSEC VPN Help!

Thanks Steve. I'll give that a try tonight.

--Andy


Re: PIX 501 to PIX 501 IPSEC VPN Help!

I'm happy to say the issue has been resolved. While adding the extra command to my config didn't fix the problem, clearing my settings and starting from scratch based on the config example worked beautifully. Thanks again Steve!
