Pix 501 VPNs again

jilahbg
Level 1

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Hi gurus! :-)

I have a problem connecting VPN-tunnels. Can you see if I am missing something in the configs?

The main site Pix 501 xxxxxxxxxxxx is configured with static outside IP and should be able to handle incoming VPN Client connections as well as Dynamic LAN-2-LAN sessions from another Pix 501 on remote office.

The Remote Office Pix 501 PIX (right now configured with static IP but that IP will change) should be able to connect to the xxxxxxxxxxxx pix.

xxxxxxxxxxxx local lan: 192.168.1.0/24

PIX local lan: 192.168.10.0/24

When trying to connect from PIX (local PC pinging 192.168.1.2) I just get this debug output:

PIX(config)#

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request timer fired: count = 1,

(identity) local= nnn.nnn.nn.253, remote= xxx.xx.xx.193,

local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src nnn.nnn.nn.253, dst xxx.xx.xx.193

ISADB: reaper checking SA 0x9e721c, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for xxx.xx.xx.193/500 not found - peers:0

IPSEC(key_engine): request timer fired: count = 2,

(identity) local= nnn.nnn.nn.253, remote= xxx.xx.xx.193,

local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

PIX(config)#

The xxxxxxxxxxxxx Pix gets this debug output:

crypto_isakmp_process_block:src:nnn.nnn.nn.253, dest:xxx.xx.xx.193 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:nnn.nnn.nn.253, dest:xxx.xx.xx.193 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for nnn.nnn.nn.253/500 not found - peers:0

ISAKMP (0): retransmitting phase 1...

crypto_isakmp_process_block:src:nnn.nnn.nn.253, dest:xxx.xx.xx.193 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for nnn.nnn.nn.253/500 not found - peers:0

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src nnn.nnn.nn.253, dst xxx.xx.xx.193

ISADB: reaper checking SA 0xa94434, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for nnn.nnn.nn.253/500 not found - peers:0

When trying to connect to xxxxxxxxxxxx with a VPN Client on the internet I am getting these messages from the IPsec Log Viewer:

6 10:05:50.283 05/23/03 Sev=Warning/3 DIALER/0xE3300008

GI VPNStart callback failed "CM_IKE_ESTABLISH_FAIL" (3h).

7 10:09:12.504 05/23/03 Sev=Warning/3 DIALER/0xE3300008

GI VPNStart callback failed "CM_IKE_ESTABLISH_FAIL" (3h).

Here is the config for xxxxxxxxxxxx:

: Saved

: Written by enable_15 at 10:23:06.563 UTC Fri May 23 2003

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxx encrypted

hostname xxxxxxxxxxxxxxx

domain-name xxxxxxxxxxxxxxxxxxxx

names

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_access_in permit icmp any any

access-list inside_access_in permit ip any any

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit tcp any host 192.168.1.51 eq www

access-list outside_access_in permit tcp any host 192.168.1.51 eq smtp

pager lines 24

logging console notifications

logging buffered notifications

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool clientpool 192.168.2.1-192.168.2.10

pdm location 192.168.1.0 255.255.255.0 inside

pdm location 192.168.2.0 255.255.255.0 inside

pdm location 192.168.10.0 255.255.255.0 inside

pdm location 192.168.1.51 255.255.255.255 inside

pdm location 192.168.2.0 255.255.255.0 outside

pdm location 192.168.10.0 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp 192.168.1.51 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 192.168.1.51 www netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.10.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map ciscomap 1 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic ciscomap

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup unityclient address-pool clientpool

vpngroup unityclient dns-server 192.168.1.51

vpngroup unityclient wins-server 192.168.1.51

vpngroup unityclient default-domain spigerverket.no

vpngroup unityclient idle-time 1800

vpngroup unityclient password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet 192.168.10.0 255.255.255.0 inside

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

management-access inside

console timeout 0

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname cspi@online.no

vpdn group pppoex ppp authentication chap

vpdn username xxxxxxxxxxxxx password ********

terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Here is the config for PIX:

PIX# wr t

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 10baset

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxxxxxxx encrypted

hostname PIX

names

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list vpntunnel permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside nnn.nnn.nn.253 255.255.255.240

ip address inside 192.168.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 nnn.nnn.nn.254 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.0.10 255.255.255.255 inside

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address vpntunnel

crypto map mymap 10 set peer xxx.xx.xx.193

crypto map mymap 10 set transform-set myset

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address xxx.xx.xx.193 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet 192.168.10.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

management-access inside

console timeout 0

dhcpd address 192.168.10.100-192.168.10.110 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

: end

[OK]

PIX#

What am I not seeing in this?

Thanks for your help!

Regards

Jimmy
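The responder-side debug quoted above shows the remote PIX's phase 1 proposal being checked against the main-site PIX's isakmp policies. As an added example (not from the post and not Cisco code), this Python reproduces that check offline: it parses the isakmp policy lines and the "ISAKMP:" attribute lines quoted in the thread, decodes the life-duration bytes, and reports which policy matched and the lifetime that results.

```python
import re
# Constructed from the post: the main-site PIX's isakmp policies (the responder here) and the proposal attributes its debug printed for the remote PIX.
RESPONDER_CFG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""
RESPONDER_DEBUG = """\
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
"""
def parse_policies(cfg):
    """Group 'isakmp policy <prio> <attr> <value>' lines by priority."""
    pol = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)\s*$", cfg, re.M):
        pol.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return pol

def parse_proposal(debug):
    """Extract the proposed phase 1 attributes from the 'ISAKMP: ...' debug lines."""
    prop, names = {}, {"encryption": "encryption", "hash": "hash", "auth": "authentication"}
    for line in debug.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0] == "ISAKMP:" and parts[1] in names:
            prop[names[parts[1]]] = parts[2].lower().replace("-cbc", "")  # DES-CBC -> des
        elif parts[:3] == ["ISAKMP:", "default", "group"]:
            prop["group"] = parts[3]
        elif "life duration" in line:  # big-endian bytes: 0x0 0x1 0x51 0x80 = 86400 s
            raw = bytes(int(x, 16) for x in re.findall(r"0x[0-9a-fA-F]+", line))
            prop["lifetime"] = int.from_bytes(raw, "big")
    return prop

def match_policy(policies, prop):
    """First policy matching enc/hash/group/auth; lifetime is not a hard match, the shorter value is used."""
    for prio in sorted(policies):
        p = policies[prio]
        if all(p.get(k) == prop.get(k) for k in ("encryption", "hash", "group", "authentication")):
            return prio, min(int(p["lifetime"]), prop["lifetime"])
    return None, None
```

On the thread's data this reports policy 10 with a 1000 s lifetime, which agrees with the "atts are acceptable" line; because the responder then logs "Peer Info ... not found" and deletes the SA, the phase 1 failure sits after the proposal check rather than in a policy mismatch.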

3 Replies

mostiguy
Level 6

NOR doesn't have an outside static IP - it gets it from DHCP via PPPoE. Are you saying that that IP will remain static though?

Try reinitializing everything on NOR - that is the one complaining about not knowing about the other side. We aren't getting to IPSec - the problem is with isakmp.

clear crypto isakmp sa

no isakmp enable outside

isakmp enable inside

Should smack it upside the head. I don't see any problems with your config, but perhaps you entered the commands out of order, and something is just askew. This will force isakmp to re-read everything when it restarts via the "isakmp enable inside" command. Then try initializing the tunnel from the HBG side.

Hi

Yes, the IP is somewhat semi-static. That is: The pix gets its outside IP address from PPPoE but the ISP has assigned it to the customer, so the Nor-pix will always get the same IP from pppoe.

I will try to do the commands above, even though I have rebooted the pix several times already.

So you mean you can't see anything wrong in my config? Is it possible that the ISP is blocking some traffic maybe?

Thanks for your help!

pdentico
Level 1

The error you're getting in the debugs is stating that it expects to see peer information for the remote pix in its local config. In order to connect without the peer information you have to set up the remote pix as an "Easy VPN Remote Device". There are a few commands that would have to be put in the remote device to authenticate properly.

vpnclient vpngroup {groupname} password {preshared_key}

vpnclient username {xauth_username} password {xauth_password}

vpnclient server {ip_primary} [ip_secondary_n]

vpnclient mode {client-mode | network-extension-mode}

vpnclient enable

You should look at the documentation for this stuff as far as determining the mode you want to use and so forth. Also I believe the remote end has to initiate the connection, so if it times out you will have to wait for someone on the remote end to send packets your way.

Good luck