PIX 515 VPN

emily · ‎03-24-2003

I had question to perplex longer time,i don't still resolve the question , pls anyone give me advice

i had Site1 and Site2 used PIX to establish vpn tunnel, I think configure no problem and i can saw SA , but i still ping Site2 when i on Site1, I only found symptom is packet have been encryption , but no decryption on each Site

========================================================

Site1(config)# sh crypto isakmp sa

Total : 2

Embryonic : 0

dst src state pending created

Site2 Site1 QM_IDLE 0 1

Site1(config)# sh crypto ipsec sa

interface: VPN

Crypto map tag: mymap, local addr. Site1

local ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

current_peer: Site2

PERMIT, flags={origin_is_acl,}

#pkts encaps: 320, #pkts encrypt: 320, #pkts digest 320

#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: Site1, remote crypto endpt.: Site2

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 55436f91

inbound esp sas:

spi: 0x7d9bc2b1(2107359921)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 4, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (4607999/27441)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x55436f91(1430482833)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3, crypto map: mymap

sa timing: remaining key lifetime (k/sec): (4607963/26901)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

============================================================

Site2(config)# sh crypto isakmp sa

Total : 1

Embryonic : 0

dst src state pending created

Site1 Site2 QM_IDLE 0 1

Site2(config)#sh crypto ipsec sa

interface: outside

Crypto map tag: outside_map, local addr. Site2

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)

current_peer: Site1

PERMIT, flags={origin_is_acl,}

#pkts encaps: 28, #pkts encrypt: 28, #pkts digest 28

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: Site2, remote crypto endpt.: Site1

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 7d9bc2b1

inbound esp sas:

spi: 0x55436f91(1430482833)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 4, crypto map: outside_map

sa timing: remaining key lifetime (k/sec): (4608000/27417)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x7d9bc2b1(2107359921)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3, crypto map: outside_map

sa timing: remaining key lifetime (k/sec): (4607999/27381)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

=============================================================

Thanks in advance for your effort

afakhan · ‎03-24-2003

Hi,

packets are not coming back from Site1 (sent from Site2), reason could be :

only three decaps on site1, packets are getting lost somewhere in the middle or by any ISP, or blocked

Best check would be to do packet leve debugging (debug ip packet ACL) on the gw router on Site1 side, to see if all the packes come into PIX-Site1 or not, that would tell you who is the culprit!

Thx

Afaq