PIX 501 to PIX 501 IPSEC VPN Help!

andyhsu
Level 1

I apologize before hand for what may be a very long post. What I'm trying to do right now, is create a IPSEC VPN at home to test the functionality of the PIX site-to-site VPN. The problem is, whenever I send interesting traffic through the PIX to establish the VPN, I get the following messages via debug isakmp:

VPN Peer: ISAKMP: Added new peer: ip:10.21.21.2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.21.21.2 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.20.20.2, remote= 10.21.21.2,
local_proxy= 10.20.20.2/255.255.255.255/1/0 (type=1),
remote_proxy= 10.21.21.2/255.255.255.255/1/0 (type=1)
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 10.20.20.2, dst 10.21.21.2
ISADB: reaper checking SA 0x809f94d0, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:10.21.21.2 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:10.21.21.2 Total VPN peers:0IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.20.20.2, remote= 10.21.21.2,
local_proxy= 10.20.20.2/255.255.255.255/1/0 (type=1),
remote_proxy= 10.21.21.2/255.255.255.255/1/0 (type=1)

The net result is that I get no connectivity between the two locations. Any help in troubleshooting this would be appreciated. The configs I have set up on the PIXes are below.

My physical set up is as follows:

Host #1 (192.168.1.2) --> (192.168.1.1) PIX #1(10.20.20.2) --> (10.20.20.1) Router (10.21.21.1) --> (10.21.21.2) PIX #2 (10.22.22.1) --> (10.22.22.100) Host #2

Configs:

PIX #1

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
...
access-list 101 permit icmp host 10.20.20.2 host 10.21.21.2
access-list 101 permit tcp host 10.20.20.2 eq telnet host 10.21.21.2
...
ip address outside 10.20.20.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
...
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.20.20.2 192.168.1.2 netmask 255.255.255.255 0 0
conduit permit icmp any 10.21.21.0 255.255.255.0
conduit permit icmp any 10.20.20.0 255.255.255.0
conduit permit tcp any eq telnet 10.21.21.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.20.20.1 1
...
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map delta 10 ipsec-isakmp
crypto map delta 10 match address 101
crypto map delta 10 set pfs group2
crypto map delta 10 set peer 10.21.21.2
crypto map delta 10 set transform-set cisco
crypto map delta interface outside
isakmp enable outside
isakmp key ******** address 10.21.21.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

PIX #2

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
...
access-list 100 permit icmp host 10.21.21.2 host 10.20.20.2
access-list 100 permit tcp host 10.21.21.2 host 10.20.20.2 eq telnet
...
ip address outside 10.21.21.2 255.255.255.0
ip address inside 10.22.22.1 255.255.255.0
...
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.21.21.2 10.22.22.100 netmask 255.255.255.255 0 0
conduit permit icmp any 10.20.20.0 255.255.255.0
conduit permit icmp any 10.21.21.0 255.255.255.0
conduit permit tcp host 10.21.21.2 eq 8000 any
route outside 0.0.0.0 0.0.0.0 10.21.21.1 1
...
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map disco 10 ipsec-isakmp
crypto map disco 10 match address 102
crypto map disco 10 set pfs group2
crypto map disco 10 set peer 10.20.20.2
crypto map disco 10 set transform-set cisco
crypto map disco interface outside
isakmp enable outside
isakmp key ******** address 10.20.20.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Thanks in advance for any help!

-- Andy
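The two configs above are meant to be mirror images of each other, and the fields that must line up can be cross-checked mechanically before touching the debugs. The following is an added example, not code from the thread or from Cisco: it parses the lines of both posted configs that a site-to-site pair must agree on (the crypto map's match ACL, the peer address against the other side's outside address, and the isakmp policy attributes) and reports any mismatch, including that PIX #2's crypto map matches access-list 102 while the posted config defines only access-list 100.

```python
# Constructed input: the lines of the two posted PIX 6.1(4) configs that must agree.
PIX1 = """\
access-list 101 permit icmp host 10.20.20.2 host 10.21.21.2
ip address outside 10.20.20.2 255.255.255.0
crypto map delta 10 match address 101
crypto map delta 10 set peer 10.21.21.2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
"""
PIX2 = """\
access-list 100 permit icmp host 10.21.21.2 host 10.20.20.2
ip address outside 10.21.21.2 255.255.255.0
crypto map disco 10 match address 102
crypto map disco 10 set peer 10.20.20.2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 group 2
"""

def parse(cfg):
    """Extract the fields a site-to-site peer pair must agree on."""
    d = {"acls": set(), "map_acl": None, "peer": None, "outside": None, "policies": {}}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "access-list": d["acls"].add(w[1])
        elif w[:3] == ["ip", "address", "outside"]: d["outside"] = w[3]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]: d["map_acl"] = w[6]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]: d["peer"] = w[6]
        elif w[:2] == ["isakmp", "policy"]:  # policy numbers may differ per side
            d["policies"].setdefault(w[2], {})[w[3]] = w[4]
    return d

def check_pair(a, b):
    """Findings for side a, given the parsed config b of its peer."""
    f = []
    if a["map_acl"] not in a["acls"]:
        f.append(f"crypto map matches access-list {a['map_acl']}, which is not defined")
    if a["peer"] != b["outside"]:
        f.append(f"set peer {a['peer']} is not the peer's outside address {b['outside']}")
    attrs = ("authentication", "encryption", "hash", "group")  # lifetime is negotiated
    if not any(all(p.get(k) == q.get(k) for k in attrs)
               for p in a["policies"].values() for q in b["policies"].values()):
        f.append("no isakmp policy agrees on authentication/encryption/hash/group")
    return f

if __name__ == "__main__":
    p1, p2 = parse(PIX1), parse(PIX2)
    for name, a, b in (("PIX #1", p1, p2), ("PIX #2", p2, p1)):
        print(name, check_pair(a, b) or ["no mismatches found"])
```

Run against the posted excerpts, PIX #1 comes back clean and PIX #2 reports the undefined access-list 102; the same checks apply to any pair of crypto-map configs once their lines are pasted in.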

steve.barlow
Level 7

Your connection is failing on Phase 1. I would add "sysopt connection permit-ipsec" to each config. That should fix it. If it doesn't, I would look at this config example: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml .

If that doesn't help, let us know and we can do the other debugs.

Steve

Thanks Steve. I'll give that a try tonight.

--Andy

I'm happy to say the issue has been resolved. While adding the extra command to my config didn't fix the problem, clearing my settings and starting from scratch based on the config example worked beautifully. Thanks again Steve!
