
PIX to PIX VPN won't establish

ldeslaur
Level 1

See the attached debug and configurations. Any advice is appreciated. Thanks.

=========================================================================================

*** REMOTE PIX ISAKMP/IPSEC DEBUG ***

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERRORIPSEC(key_engine): request timer fired: count = 2,

(identity) local= 65.x.x.138, remote= 208.x.x.130,

local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1...

crypto_isakmp_process_block: src 208.x.x.130, dest 65.x.x.138

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 28800

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src 65.x.x.138, dst 208.x.x.130

ISADB: reaper checking SA 0x80c5b028, conn_id = 0 DELETE IT!

ISADB: reaper checking SA 0x80c58330, conn_id = 0

ISADB: reaper checking SA 0x80c62290, conn_id = 0

crypto_isakmp_process_block: src 208.x.x.130, dest 65.x.x.138

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 65.x.x.138, remote= 208.x.x.130,

local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138

ISAKMP (0): retransmitting phase 1...

ISADB: reaper checking SA 0x80c58330, conn_id = 0 DELETE IT!

ISADB: reaper checking SA 0x80c62290, conn_id = 0

ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138

ISADB: reaper checking SA 0x80c62290, conn_id = 0 DELETE IT!

=========================================================================================

*** LOCAL PIX ISAKMP/IPSEC DEBUG ***

VPN Peer: ISAKMP: Added new peer: ip:65.x.x.138 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:65.x.x.138 Ref cnt incremented to:1 Total VPN Peers:1

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 208.x.x.130, remote= 65.x.x.138,

local_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4),

remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138

ISADB: reaper checking SA 0x8132f588, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:65.x.x.138 Ref cnt decremented to:0 Total VPN Peers:1

VPN Peer: ISAKMP: Deleted peer: ip:65.x.x.138 Total VPN peers:0IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 208.x.x.130, remote= 65.x.x.138,

local_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4),

remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

VPN Peer: ISAKMP: Added new peer: ip:65.x.x.138 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:65.x.x.138 Ref cnt incremented to:1 Total VPN Peers:1

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 208.x.x.130, remote= 65.x.x.138,

local_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4),

remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138

ISADB: reaper checking SA 0x8132f588, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:65.x.x.138 Ref cnt decremented to:0 Total VPN Peers:1

VPN Peer: ISAKMP: Deleted peer: ip:65.x.x.138 Total VPN peers:0IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 208.x.x.130, remote= 65.x.x.138,

local_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4),

remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

============================================================================================

*** REMOTE PIX CONFIGURATION ***

access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.72.0 255.255.248.0

...

crypto ipsec transform-set abcset esp-des esp-md5-hmac

crypto map corpmap 10 ipsec-isakmp

crypto map corpmap 10 match address 100

crypto map corpmap 10 set peer 208.x.x.130

crypto map corpmap 10 set transform-set abcset

crypto map corpmap interface outside

isakmp enable outside

isakmp key ******** address 208.x.x.130 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 1000

============================================================================================

*** LOCAL PIX CONFIGURATION ***

access-list 100 permit ip 172.16.72.0 255.255.248.0 192.168.1.0 255.255.255.0

...

crypto ipsec transform-set abcset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set osiset

crypto dynamic-map dynmap 30 set transform-set osiset

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address 100

crypto map newmap 10 set peer 65.x.x.138

crypto map newmap 10 set transform-set abcset

crypto map newmap client configuration address initiate

crypto map newmap client configuration address respond

crypto map newmap interface outside

isakmp enable outside

isakmp key ******** address 65.x.x.138 netmask 255.255.255.0

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

2 Replies

kdurrett
Level 3

Your local pix key is wrong. You have:

isakmp key ******** address 65.x.x.138 netmask 255.255.255.0

in which .138 isn't a valid class C subnet; if you changed the address to 65.x.x.0 netmask 255.255.255.0 then it would work that way. Otherwise it just looks like a typo and should read:

isakmp key ******** address 65.x.x.138 netmask 255.255.255.255

Also make sure you are denying nat from your inside network to the remote network with NAT 0.

Kurtis Durrett
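An added example that is not part of the thread: a small static checker in Python for the two points this reply raises (the isakmp key address/netmask pair must actually describe the peer, and the VPN traffic must be covered by a NAT 0 exemption ACL), extended with a third check that the crypto ACLs on the two ends mirror each other. The config fragments are constructed from the post: the masked public addresses get placeholder middle octets, and the nat 0 lines on the local PIX are assumed (the post elides that part of the config).

```python
"""Static checks for a PIX 6.x site-to-site IPsec config: the 'isakmp key ...
netmask' entry must cover the configured peer, the NAT 0 ACL must exempt the
traffic the crypto ACL selects, and the crypto ACLs must mirror each other."""
import ipaddress
import re
from typing import List, Set, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed config fragments modelled on the two PIXes in the post.  The
# public addresses are masked in the original ("65.x.x.138"); the middle octets
# here are placeholders, and the 'nonat' ACL / 'nat (inside) 0' lines on the
# local box are assumed, not taken from the post.
LOCAL_CFG = """\
access-list 100 permit ip 172.16.72.0 255.255.248.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.16.72.0 255.255.248.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 65.0.0.138
isakmp key ******** address 65.0.0.138 netmask 255.255.255.0
"""
REMOTE_CFG = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.72.0 255.255.248.0
crypto map corpmap 10 ipsec-isakmp
crypto map corpmap 10 match address 100
crypto map corpmap 10 set peer 208.0.0.130
isakmp key ******** address 208.0.0.130 netmask 255.255.255.255
"""

KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)$")
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def acl_pairs(cfg: str, name: str) -> Set[Pair]:
    """(source, destination) networks selected by 'access-list NAME permit ip'.
    strict=True (the default) raises on an entry whose address has host bits
    set under its mask, which is itself a misconfiguration worth surfacing."""
    pairs: Set[Pair] = set()
    for m in filter(None, map(ACL_RE.match, cfg.splitlines())):
        if m.group(1) == name:
            src = ipaddress.IPv4Network((m.group(2), m.group(3)))
            dst = ipaddress.IPv4Network((m.group(4), m.group(5)))
            pairs.add((src, dst))
    return pairs


def crypto_acl_pairs(cfg: str) -> Set[Pair]:
    """Union of the ACLs referenced by 'crypto map ... match address'."""
    pairs: Set[Pair] = set()
    for m in filter(None, map(MATCH_RE.match, cfg.splitlines())):
        pairs |= acl_pairs(cfg, m.group(1))
    return pairs


def check_isakmp_keys(cfg: str) -> List[str]:
    """Flag 'isakmp key' entries with host bits set under the netmask (the typo
    in the thread) or that do not cover a configured 'set peer' address."""
    peers = {ipaddress.IPv4Address(m.group(1))
             for m in filter(None, map(PEER_RE.match, cfg.splitlines()))}
    findings = []
    for m in filter(None, map(KEY_RE.match, cfg.splitlines())):
        addr, mask = m.groups()
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if ipaddress.IPv4Address(addr) != net.network_address:
            findings.append(f"'{addr} netmask {mask}': host bits set under the mask; "
                            f"use netmask 255.255.255.255 for a single peer")
        for peer in peers:
            if peer not in net:
                findings.append(f"peer {peer} is not covered by key entry {addr}/{mask}")
    return findings


def crypto_acls_mirror(local_cfg: str, remote_cfg: str) -> bool:
    """True when the remote crypto ACL is the exact reverse of the local one."""
    return crypto_acl_pairs(remote_cfg) == {(d, s) for s, d in crypto_acl_pairs(local_cfg)}


def nat0_covers_crypto(cfg: str) -> bool:
    """True when 'nat (inside) 0 access-list X' exists and X selects every
    src/dst pair the crypto ACL selects, so tunnel traffic is not NATed."""
    m = next(filter(None, map(NAT0_RE.match, cfg.splitlines())), None)
    if m is None:
        return False
    return crypto_acl_pairs(cfg) <= acl_pairs(cfg, m.group(1))


if __name__ == "__main__":
    for label, cfg in (("local", LOCAL_CFG), ("remote", REMOTE_CFG)):
        for finding in check_isakmp_keys(cfg):
            print(f"[{label}] isakmp key: {finding}")
        print(f"[{label}] nat 0 covers crypto ACL: {nat0_covers_crypto(cfg)}")
    print("crypto ACLs mirror:", crypto_acls_mirror(LOCAL_CFG, REMOTE_CFG))
```

Run against the constructed fragments, the local side gets one finding (the /24 netmask on a host address) and the remote side none; the crypto ACLs mirror, and the remote fragment, which has no nat 0 line, fails the NAT exemption check.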

gfullage
Cisco Employee

Not sure if the previous email resolved this or not, but it doesn't look like a pre-shared key problem. Going by the debug I can see local PIX send out an ISAKMP packet, remote PIX receives it, verifies that it has a matching transform set, and replies to it. Local PIX never receives this reply, and finally retransmits its original packet again. Remote PIX also never receives a reply back from its 2nd packet, and so retransmits it again. The tunnel fails.

You want to check that UDP port 500 is open in BOTH directions between these two PIXes. Also make sure you have "sysopt connection permit-ipsec" in both PIXes, or else make sure your outside ACL allows UDP port 500 in.

This looks like ISAKMP packets from Remote to Local are not getting through.
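The reasoning in this reply, as an added example that is not part of the thread: a Python script that reads the "debug crypto isakmp" output from both ends and reports which main mode message was lost, by comparing the milestones each side logs. The debug excerpts are constructed by trimming the two dumps in the post. The "processing SA payload" and "atts are acceptable" markers come from the post's own debug; the "processing KE payload" marker, used to recognise main mode messages 3 and 4, does not appear in this thread and is assumed here.

```python
"""Compare 'debug crypto isakmp' output from both ends of a PIX-to-PIX tunnel
and say where IKE phase 1 (main mode) stalls.  Each side's debug shows which
main mode messages it received, so the two together show which direction of
UDP/500 is dead, as opposed to a policy or pre-shared key problem."""
import re
from typing import Dict, Optional, Tuple

# Constructed excerpts, trimmed from the debug output in the post (the public
# addresses are masked there; the "x" octets are kept as-is).
LOCAL_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 208.x.x.130, remote= 65.x.x.138,
local_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138
"""
REMOTE_DEBUG = """\
crypto_isakmp_process_block: src 208.x.x.130, dest 65.x.x.138
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0): retransmitting phase 1...
(identity) local= 65.x.x.138, remote= 208.x.x.130,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 65.x.x.138, dst 208.x.x.130
"""

PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+?)/(\S+?)/\d+/\d+")


def phase1_progress(debug: str) -> Dict[str, object]:
    """Which main mode milestones this side's debug shows."""
    return {
        "initiated": "beginning Main Mode exchange" in debug,  # sent MM1
        "sa_received": "processing SA payload" in debug,      # got MM1 (responder) or MM2 (initiator)
        "sa_accepted": "atts are acceptable" in debug,        # proposal matched an isakmp policy
        "ke_received": "processing KE payload" in debug,      # got MM3/MM4 (assumed marker string)
        "retransmits": debug.count("retransmitting phase 1"),
        "sa_deleted": "deleting SA" in debug,
    }


def proxies(debug: str) -> Optional[Tuple[str, str]]:
    """(local_proxy, remote_proxy) as 'net/mask' strings from the key_engine lines."""
    found = {m.group(1): f"{m.group(2)}/{m.group(3)}" for m in PROXY_RE.finditer(debug)}
    if "local" in found and "remote" in found:
        return found["local"], found["remote"]
    return None


def diagnose(initiator_debug: str, responder_debug: str) -> str:
    """Walk main mode in order and stop at the first message one side never saw."""
    i, r = phase1_progress(initiator_debug), phase1_progress(responder_debug)
    if not i["initiated"]:
        return "initiator never started main mode: check the crypto map and interesting traffic"
    if not r["sa_received"]:
        return "responder never saw MM1: UDP/500 initiator->responder is blocked"
    if not r["sa_accepted"]:
        return "responder rejected the proposal: isakmp policy mismatch"
    if not i["sa_received"]:
        return "responder answered MM2 but the initiator never received it: UDP/500 responder->initiator is blocked"
    if not r["ke_received"]:
        return "initiator sent MM3 but the responder never received it: UDP/500 initiator->responder is blocked"
    if not i["ke_received"]:
        return "responder sent MM4 but the initiator never received it: UDP/500 responder->initiator is blocked"
    return "both directions carry UDP/500 through the SA and KE exchange: look at authentication (pre-shared key, identity) or phase 2 proxies"


def proxies_mirror(initiator_debug: str, responder_debug: str) -> bool:
    """True when each side's local/remote proxy identities are the other's reversed."""
    a, b = proxies(initiator_debug), proxies(responder_debug)
    return a is not None and b is not None and a == (b[1], b[0])


if __name__ == "__main__":
    print(diagnose(LOCAL_DEBUG, REMOTE_DEBUG))
    print("phase 2 proxies mirror:", proxies_mirror(LOCAL_DEBUG, REMOTE_DEBUG))
```

On the constructed excerpts the verdict is the one in this reply: the remote accepted the proposal and answered, but the local side never logs "processing SA payload", so the responder-to-initiator direction of UDP/500 is where to look. The proxy check is there so a phase 2 identity mismatch is not misread as a path problem once phase 1 does come up.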