Cisco Support Community

New Member

PIX-IOS router VPN - not starting?

I am setting up a new branch office with a 1720 for site-to-site VPN to our PIX. I copied the 1720's config from another 1720 I set up a couple of years ago which works fine. I added the necessary lines to the PIX by copying them from the sections for the old 1720. All seems to be running except the VPN link is not starting. What have I missed?

The only difference between the new 1720 and the old 1720 is that the old 1720 is behind the DSL router while the new 1720 connects to DSL on one side and the internal branch network on the other.

TIA,

Dean

6 REPLIES
New Member

Re: PIX-IOS router VPN - not starting?

If you could provide the crypto configs and the debugs on the PIX and IOS router, it would be of much help.

New Member

Re: PIX-IOS router VPN - not starting?

PIX config:

: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 private security10
enable password ******** encrypted
passwd ******** encrypted
hostname nj-pix1a
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20-21
no names
access-list 101 permit ip 199.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 192.100.101.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.254.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.253.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.252.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 10.0.251.0 255.255.255.0
access-list 101 permit ip 199.0.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 201 permit ip 199.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 301 permit ip 199.0.0.0 255.255.0.0 192.100.101.0 255.255.255.0
access-list TUMI-FR permit ip 199.0.0.0 255.255.0.0 10.0.252.0 255.255.255.0
access-list TEST permit ip 199.0.0.0 255.255.0.0 10.0.251.0 255.255.255.0
access-list 202 permit ip 199.0.0.0 255.255.0.0 192.168.3.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor emergencies
logging trap notifications
logging history notifications
logging host inside 199.0.8.41
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
interface ethernet3 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu private 1500
ip address outside 63.174.66.3 255.255.255.0
ip address inside 199.0.0.30 255.255.255.0
ip address dmz 199.0.1.1 255.255.255.0
ip address private 199.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptppool 10.0.253.1-10.0.253.254
ip local pool ipsecpool 10.0.254.1-10.0.254.254
ip local pool TEST 10.0.251.1-10.0.251.254
ip local pool VPN3 10.0.252.1-10.0.252.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 63.174.66.4
failover ip address inside 199.0.0.31
failover ip address dmz 199.0.1.2
failover ip address private 199.1.1.2
failover link private
pdm history enable
arp timeout 14400
global (outside) 1 63.174.66.5 netmask 255.255.255.0
global (dmz) 1 199.0.1.5 netmask 255.255.255.255
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 199.0.1.0 255.255.255.0 0 0
Statics & conduits
route outside 0.0.0.0 0.0.0.0 63.174.66.128 1
route outside 192.168.2.0 255.255.255.0 65.101.39.169 1
route outside 192.168.3.0 255.255.255.0 68.157.165.200 1
route inside 199.0.0.0 255.255.0.0 199.0.0.40 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 199.0.8.6
snmp-server location 1001 Durham Ave, South Plainfield, NJ
snmp-server contact Dean Adams x8130
snmp-server community ********
snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 10 ipsec-isakmp
crypto map dyn-map 10 match address 201
crypto map dyn-map 10 set peer 65.101.39.169
crypto map dyn-map 10 set transform-set myset
crypto map dyn-map 11 ipsec-isakmp
crypto map dyn-map 11 match address 301
crypto map dyn-map 11 set peer 139.4.21.81
crypto map dyn-map 11 set peer 213.70.86.129
crypto map dyn-map 11 set peer 139.4.242.238
crypto map dyn-map 11 set transform-set myset
crypto map dyn-map 12 ipsec-isakmp
crypto map dyn-map 12 match address 202
crypto map dyn-map 12 set peer 68.157.165.200
crypto map dyn-map 12 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client configuration address initiate
crypto map dyn-map client configuration address respond
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 65.101.39.169 netmask 255.255.255.255
isakmp key ******** address 139.4.21.81 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 139.4.242.238 netmask 255.255.255.255
isakmp key ******** address 213.70.86.129 netmask 255.255.255.255
isakmp key ******** address 68.157.165.200 netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local ipsecpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroups
telnet 199.0.0.127 255.255.255.255 inside
telnet 199.0.8.6 255.255.255.255 inside
telnet 199.0.8.41 255.255.255.255 inside
telnet 199.0.0.40 255.255.255.255 inside
telnet 199.0.0.127 255.255.255.255 dmz
telnet 199.0.8.6 255.255.255.255 dmz
telnet 199.0.8.41 255.255.255.255 dmz
telnet 199.0.0.40 255.255.255.255 dmz
telnet 199.0.0.40 255.255.255.255 private
telnet timeout 5
ssh timeout 5
vpdn groups
terminal width 150
Cryptochecksum:455e5b1ee61d66d0b3f1ad1f5e185c3b
: end

--------------------------------

Router config:

FS-VID-RTR1#sh conf
Using 2154 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname FS-VID-RTR1
!
logging rate-limit console 10 except errors
enable password ********
!
username ******** password 0 ********
memory-size iomem 20
ip subnet-zero
!
!
no ip finger
!
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
vpdn enable
no vpdn logging
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key ******** address 63.174.66.3
!
!
crypto ipsec transform-set fs-vid-xform esp-des esp-md5-hmac
!
crypto map store-vid-map 11 ipsec-isakmp
 set peer 63.174.66.3
 set transform-set fs-vid-xform
 match address 120
!
!
!
!
interface ATM0
 no ip address
 atm vc-per-vp 256
 no atm ilmi-keepalive
 dsl operating-mode auto
 no fair-queue
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5snap
  protocol pppoe
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 ip address 10.0.128.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface FastEthernet0
 no ip address
 shutdown
 speed auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname ********
 ppp chap password 7 ********
 crypto map store-vid-map
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 120 permit ip 192.168.3.0 0.0.0.255 199.0.0.0 0.0.255.255
access-list 130 deny ip 192.168.3.0 0.0.0.255 199.0.0.0 0.0.255.255
access-list 130 permit ip 192.168.3.0 0.0.0.255 any
access-list 190 permit ip host 63.174.66.3 any
access-list 190 permit ip any host 63.174.66.3
!
!
route-map nonat permit 10
 match ip address 130
!
snmp-server community ******** RO
snmp-server trap-source Ethernet0
snmp-server location 2611 E 1st ST, Vidalia, GA
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ********
 login local
!
no scheduler allocate
end

-----------------------------------

I don't know what debugs to run to show what's going on. I just know that "sh crypto isakmp sa" on the router shows no SAs. Likewise, "sh isakmp sa" on the PIX doesn't show anything for the new router, but does show the connections for the other 2 VPN sites (one is the old router I copied the config from).

HTH,

Dean

New Member

Re: PIX-IOS router VPN - not starting?

I had this problem on the PIX, where after adding a new crypto map or making some changes, I have to re-apply the crypto map on the outside interface.

However, this will disconnect your existing tunnels for the duration between the "no crypto map xxx interface outside" and "crypto map xxx interface outside" commands.

To turn on debugging:

debug crypto engine, debug crypto isakmp, debug crypto ipsec

However, you might want to initially turn on the debugging only on the IOS router, as on the PIX side it will give you a lot of irrelevant info due to your already existing tunnels.

New Member

Re: PIX-IOS router VPN - not starting?

Thanks. I seem to remember having to re-apply the crypto map to the outside interface for the other site-to-site VPNs.

Before, the two were not even creating a tunnel. I changed the ip address on the dialer interface to use the static address we've been assigned and that seems to have gotten the tunnel created. Now, when I send pings back and forth, the router is encapsulating and decapsulating but the PIX is not decapsulating (it is encapsulating). Could that be another symptom of needing to re-apply the crypto map?

I looked up "adsl vpn" on Cisco's web site. They had a 2600 config, only they applied the crypto map to the dialer and the ATM sub-interface - does that sound right?

Anyway, thanks for confirming something I thought I might have to do.

New Member

Re: PIX-IOS router VPN - not starting?

Well, I re-applied the crypto map to the outside interface, reloaded the router and initiated a ping from the inside interface on the router to re-establish the tunnel. But I still cannot ping through the tunnel.

I can see where packets are being encap'd and decap'd on the router. On the PIX however, packets are being encap'd but not decap'd. When I turn on "debug icmp trace" ("debug ip icmp" on the router) and run a ping either way, I see the PIX sending out the packets using the actual internal ip address of the workstation, but replies from the router are coming in through the PAT address on the PIX.

On the router, when I ping to a workstation behind the PIX, it sends the packet to the PAT address of the PIX.

Help!
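Given the two configs posted earlier in the thread and the PAT-address symptom described in this reply, here is an added consistency check (example code, not from the thread or from Cisco): it parses the PIX (subnet-mask) and IOS (wildcard-mask) ACL lines for the new branch and verifies that the two crypto ACLs mirror each other and that each side's NAT exemption (the PIX nat 0 list 101, the router's nonat route-map list 130) keeps the same flows out of translation. The ACL strings are copied from the thread; the function names are my own.

```python
import ipaddress

# ACL lines copied from the two configs in the thread (only the new branch's).
PIX_CRYPTO_ACL = "access-list 202 permit ip 199.0.0.0 255.255.0.0 192.168.3.0 255.255.255.0"
PIX_NAT0_ACL = ["access-list 101 permit ip 199.0.0.0 255.255.0.0 192.168.3.0 255.255.255.0"]
IOS_CRYPTO_ACL = "access-list 120 permit ip 192.168.3.0 0.0.0.255 199.0.0.0 0.0.255.255"
IOS_NONAT_ACL = ["access-list 130 deny ip 192.168.3.0 0.0.0.255 199.0.0.0 0.0.255.255",
                 "access-list 130 permit ip 192.168.3.0 0.0.0.255 any"]

def _net(tokens, wildcard):
    """Consume one address spec ('any', 'host A' or 'A MASK') from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:  # IOS wildcard mask -> subnet mask (PIX 6.x lines already use subnet masks)
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{t}/{mask}", strict=False)

def parse_ace(line, wildcard):
    """'access-list N permit|deny ip SRC DST' -> (action, src_net, dst_net)."""
    f = line.split()
    if f[0] != "access-list" or f[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    tokens = f[4:]
    return f[2], _net(tokens, wildcard), _net(tokens, wildcard)

def crypto_acls_mirror(pix_line, ios_line):
    """Crypto ACLs must be exact mirrors (PIX src/dst == IOS dst/src); if the
    proxy identities disagree, the phase 2 SA is never negotiated."""
    _, ps, pd = parse_ace(pix_line, wildcard=False)
    _, is_, id_ = parse_ace(ios_line, wildcard=True)
    return ps == id_ and pd == is_

def first_match(entries, src, dst, wildcard):
    """Action of the first ACE that wholly contains src->dst, else None."""
    for line in entries:
        act, s, d = parse_ace(line, wildcard)
        if src.subnet_of(s) and dst.subnet_of(d):
            return act
    return None

def nat_exempt(entries, crypto_line, wildcard, exempt_action):
    """True when the flow the crypto ACL selects stays out of NAT/PAT: the PIX
    'nat 0 access-list' exempts on permit, the router's nonat route-map ACL on
    deny. A translated packet carries the PAT address, no longer matches the
    crypto ACL, and leaves in the clear instead of through the tunnel."""
    _, src, dst = parse_ace(crypto_line, wildcard)
    return first_match(entries, src, dst, wildcard) == exempt_action
```

Run against the posted lines, both checks pass for 192.168.3.0/24; run against the router's secondary 10.0.128.0/24 subnet (also in the posted config), the flow is neither selected by ACL 120 nor exempted by ACL 130, so it would be translated.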

New Member

Re: PIX-IOS router VPN - not starting?

Finally resolved this problem with the help of CDW tech support. It turned out that I needed to upgrade the IOS to a recently released version of 12.2 - that solved the problem completely!
