PIX to IBM os/390 VPN Problems

I set up a site-to-site VPN between a PIX on my end and an IBM OS/390 on the other end. I also have a dynamic VPN set up for remote users. The dynamic VPN is working fine. I have a problem with the site-to-site VPN in that when I initiate the tunnel, it works, but when the other end tries it, it does not work. However, the thing I find interesting is that I have included the address of the outside interface on the PIX as part of the interesting traffic, and when the other end initiates a tunnel to the outside interface that works, but not to the inside host. I tried a lot of things like changing the lifetime and removing NAT even though I'm using NAT 0. I had the inside and outside addresses translated to be the same. I have no clue now on how to make this work. I have attached a sample config which is similar to the one I use.

Any help would be appreciated.

x.x.12.3 is the OUTSIDE interface and the other end is y.y.4.9. The host to which y.y.4.9 needs to connect is x.x.84.9.

Thanks,

Karthik.

access-list WRAIR permit ip host x.x.49.100 x.x.110.0 255.255.255.0
access-list WRAIR permit ip host x.x.68.218 x.x.110.0 255.255.255.0
access-list WRAIR permit ip host x.x.84.9 host y.y.4.9
access-list MEPCOM permit ip host x.x.12.3 host y.y.4.9
access-list MEPCOM permit ip host x.x.84.9 host y.y.4.9

nat 0 access-list WRAIR
ip local pool WRAIRPOOL x.x.110.2-x.x.110.20

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host x.x.101.6 ******* timeout 5
aaa-server authinbound protocol radius
aaa-server authinbound (dmz) host x.x.101.6 ******* timeout 5

sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set WRAIRSET esp-3des esp-sha-hmac
crypto dynamic-map WRAIRDYN 1000 set transform-set WRAIRSET
crypto map WRAIRMAP 20 ipsec-isakmp
crypto map WRAIRMAP 20 match address MEPCOM
crypto map WRAIRMAP 20 set peer y.y.4.9
crypto map WRAIRMAP 20 set transform-set WRAIRSET
crypto map WRAIRMAP 1000 ipsec-isakmp dynamic WRAIRDYN
crypto map WRAIRMAP client authentication partnerauth
crypto map WRAIRMAP interface outside

isakmp enable outside
isakmp key ******** address y.y.4.9 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

vpngroup WRAIR address-pool WRAIRPOOL
vpngroup WRAIR idle-time 1800
vpngroup WRAIR password ********
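A small config check, added here as an example and not part of the thread: it parses the PIX `access-list ... permit ip` entries and lists every crypto-map match-address pair that no `nat 0` access-list entry exempts from translation. The addresses are constructed stand-ins (x.x replaced by 10.10, y.y.4.9 by 172.16.4.9) so they parse; on the sample above it flags only the x.x.12.3 entry, which is the PIX's own outside interface rather than a host behind it.

```python
import ipaddress
import re

# Constructed stand-in for the poster's sample config: x.x -> 10.10 and
# y.y.4.9 -> 172.16.4.9. Only the lines this check needs are included.
SAMPLE_CONFIG = """
access-list WRAIR permit ip host 10.10.49.100 10.10.110.0 255.255.255.0
access-list WRAIR permit ip host 10.10.68.218 10.10.110.0 255.255.255.0
access-list WRAIR permit ip host 10.10.84.9 host 172.16.4.9
access-list MEPCOM permit ip host 10.10.12.3 host 172.16.4.9
access-list MEPCOM permit ip host 10.10.84.9 host 172.16.4.9
nat 0 access-list WRAIR
crypto map WRAIRMAP 20 match address MEPCOM
"""


def _take_addr(tokens):
    """Consume one PIX address spec: 'host A', 'any', or 'A MASK' (network + mask)."""
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_acls(config):
    """Map ACL name -> list of (src_network, dst_network) for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) permit ip (.+)", line.strip())
        if not m:
            continue
        src, rest = _take_addr(m.group(2).split())
        dst, _ = _take_addr(rest)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def uncovered_crypto_pairs(config):
    """Return {crypto_acl: [(src, dst), ...]} for match-address entries with no nat 0 match.
    A pair sourced from the PIX's own interface is expected here: that traffic
    terminates on the firewall, so nat rules never apply to it."""
    acls = parse_acls(config)
    nat0 = re.findall(r"^nat 0 access-list (\S+)", config, re.M)
    exempt = [pair for name in nat0 for pair in acls.get(name, [])]
    missing = {}
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M):
        for src, dst in acls.get(acl, []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                missing.setdefault(acl, []).append((str(src), str(dst)))
    return missing


if __name__ == "__main__":
    for acl, pairs in uncovered_crypto_pairs(SAMPLE_CONFIG).items():
        for src, dst in pairs:
            print(f"{acl}: {src} -> {dst} has no nat 0 exemption")
```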

1 Reply

umedryk
Level 5

Just try whether it works when you increase the xauth timer.
