12-03-2002 07:45 AM - edited 02-21-2020 12:12 PM
See the attached debug and configurations. Any advice is appreciated. Thanks.
=========================================================================================
*** REMOTE PIX ISAKMP/IPSEC DEBUG ***
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 65.x.x.138, remote= 208.x.x.130,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block: src 208.x.x.130, dest 65.x.x.138
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 65.x.x.138, dst 208.x.x.130
ISADB: reaper checking SA 0x80c5b028, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x80c58330, conn_id = 0
ISADB: reaper checking SA 0x80c62290, conn_id = 0
crypto_isakmp_process_block: src 208.x.x.130, dest 65.x.x.138
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 65.x.x.138, remote= 208.x.x.130,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138
ISAKMP (0): retransmitting phase 1...
ISADB: reaper checking SA 0x80c58330, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x80c62290, conn_id = 0
ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138
ISADB: reaper checking SA 0x80c62290, conn_id = 0 DELETE IT!
=========================================================================================
*** LOCAL PIX ISAKMP/IPSEC DEBUG ***
VPN Peer: ISAKMP: Added new peer: ip:65.x.x.138 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:65.x.x.138 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 208.x.x.130, remote= 65.x.x.138,
local_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138
ISADB: reaper checking SA 0x8132f588, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:65.x.x.138 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:65.x.x.138 Total VPN peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 208.x.x.130, remote= 65.x.x.138,
local_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
VPN Peer: ISAKMP: Added new peer: ip:65.x.x.138 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:65.x.x.138 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 208.x.x.130, remote= 65.x.x.138,
local_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138
ISADB: reaper checking SA 0x8132f588, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:65.x.x.138 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:65.x.x.138 Total VPN peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 208.x.x.130, remote= 65.x.x.138,
local_proxy= 172.16.72.0/255.255.248.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
============================================================================================
*** REMOTE PIX CONFIGURATION ***
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.72.0 255.255.248.0
...
crypto ipsec transform-set abcset esp-des esp-md5-hmac
crypto map corpmap 10 ipsec-isakmp
crypto map corpmap 10 match address 100
crypto map corpmap 10 set peer 208.x.x.130
crypto map corpmap 10 set transform-set abcset
crypto map corpmap interface outside
isakmp enable outside
isakmp key ******** address 208.x.x.130 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
============================================================================================
*** LOCAL PIX CONFIGURATION ***
access-list 100 permit ip 172.16.72.0 255.255.248.0 192.168.1.0 255.255.255.0
...
crypto ipsec transform-set abcset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set osiset
crypto dynamic-map dynmap 30 set transform-set osiset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 65.x.x.138
crypto map newmap 10 set transform-set abcset
crypto map newmap client configuration address initiate
crypto map newmap client configuration address respond
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 65.x.x.138 netmask 255.255.255.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
12-03-2002 08:13 AM
Your local pix key is wrong. You have:
isakmp key ******** address 65.x.x.138 netmask 255.255.255.0
in which .138 isn't a valid class C subnet; if you changed the address to 65.x.x.0 netmask 255.255.255.0 then it would work that way. Otherwise it just looks like a typo and should read:
isakmp key ******** address 65.x.x.138 netmask 255.255.255.255
Also make sure you are denying NAT from your inside network to the remote network with nat 0.
Kurtis Durrett
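As an added illustration of the configuration checks in the reply above (this is not part of the thread and not Cisco code), the following Python script parses the relevant lines of both PIX configs, flags an `isakmp key` entry whose address is not aligned to its netmask, confirms that the configured crypto-map peer is covered by some key entry, and confirms that the two crypto ACLs mirror each other. The configs embedded below are constructed from the thread's snippets; because the thread masks the middle octets (65.x.x.138, 208.x.x.130), the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for them.

```python
import ipaddress
import re

# Constructed from the two snippets in the thread. The thread masks the middle
# octets (65.x.x.138, 208.x.x.130); RFC 5737 documentation addresses stand in.
REMOTE_PIX = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.72.0 255.255.248.0
crypto ipsec transform-set abcset esp-des esp-md5-hmac
crypto map corpmap 10 ipsec-isakmp
crypto map corpmap 10 match address 100
crypto map corpmap 10 set peer 198.51.100.130
crypto map corpmap 10 set transform-set abcset
isakmp key ******** address 198.51.100.130 netmask 255.255.255.255
"""

LOCAL_PIX = """\
access-list 100 permit ip 172.16.72.0 255.255.248.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set abcset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 203.0.113.138
crypto map newmap 10 set transform-set abcset
isakmp key ******** address 203.0.113.138 netmask 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)$")
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$")


def parse_pix(text):
    """Extract crypto ACL entries, isakmp key entries and crypto-map peers."""
    cfg = {"acls": {}, "keys": [], "peers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s_net, s_mask, d_net, d_mask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{s_net}/{s_mask}"),
                 ipaddress.ip_network(f"{d_net}/{d_mask}")))
        elif m := KEY_RE.match(line):
            cfg["keys"].append((m.group(1), m.group(2)))
        elif m := PEER_RE.match(line):
            cfg["peers"].append(ipaddress.ip_address(m.group(1)))
    return cfg


def check_keys(cfg, label):
    """An isakmp key entry is matched as address/netmask, so the address must be
    aligned to the mask. A mask shorter than /32 also shares the PSK with every
    host in that block, which is rarely what a LAN-to-LAN tunnel wants."""
    findings, nets = [], []
    for addr, mask in cfg["keys"]:
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        except ValueError:
            findings.append(f"{label}: isakmp key address {addr} is not aligned to "
                            f"netmask {mask}; use 255.255.255.255 for a single peer")
            continue
        if net.prefixlen < 32:
            findings.append(f"{label}: isakmp key for {net} is a wildcard shared by "
                            f"{net.num_addresses} addresses")
        nets.append(net)
    for peer in cfg["peers"]:
        if not any(peer in net for net in nets):
            findings.append(f"{label}: no isakmp key entry covers peer {peer}")
    return findings


def check_mirror(local_cfg, remote_cfg, acl="100"):
    """Each side's crypto ACL must be the exact mirror of the other's, or quick
    mode fails on a proxy identity mismatch."""
    local = set(local_cfg["acls"].get(acl, []))
    remote = {(d, s) for s, d in remote_cfg["acls"].get(acl, [])}
    return ([f"local proxy {s} -> {d} has no mirror on the remote" for s, d in local - remote]
            + [f"remote proxy {d} -> {s} has no mirror on the local" for s, d in remote - local])


def lint_tunnel(local_text, remote_text):
    """Run every check over both configs and return the list of findings."""
    local_cfg, remote_cfg = parse_pix(local_text), parse_pix(remote_text)
    return (check_keys(local_cfg, "local") + check_keys(remote_cfg, "remote")
            + check_mirror(local_cfg, remote_cfg))


if __name__ == "__main__":
    for finding in lint_tunnel(LOCAL_PIX, REMOTE_PIX) or ["no findings"]:
        print(finding)
```

On the constructed local config the script reports the misaligned `isakmp key` netmask and, as a consequence, that no key entry covers the peer; with the netmask changed to 255.255.255.255 both findings disappear. Note that the alternative of keying `65.x.x.0 netmask 255.255.255.0` is a wildcard entry: the same pre-shared key is then accepted for every address in that block, which the script flags separately.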
12-04-2002 05:43 PM
Not sure if the previous email resolved this or not, but it doesn't look like a pre-shared key problem. Going by the debug I can see local PIX send out an ISAKMP packet, remote PIX receives it, verifies that it has a matching transform set, and replies to it. Local PIX never receives this reply, and finally retransmits its original packet again. Remote PIX also never receives a reply back from its 2nd packet, and so retransmits it again. The tunnel fails.
You want to check that UDP port 500 is open in BOTH directions between these two PIXes. Also make sure you have "sysopt connection permit-ipsec" in both PIXes, or else make sure your outside ACL allows UDP port 500 in.
This looks like ISAKMP packets from Remote to Local are not getting through.
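To make the reading of the two debugs in the reply above repeatable, here is an added Python example (not from the thread and not Cisco code) that scans both sides' `debug crypto isakmp` output for phase 1 milestones and classifies where main mode stalls. The debug excerpts embedded below are constructed from the lines posted in the thread; the "processing KE payload" and "SA has been authenticated" markers are assumed from typical PIX 6.x output and do not appear in the thread.

```python
# Constructed excerpts of the two debugs posted in the thread ("x" octets kept as posted).
REMOTE_DEBUG = """\
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block: src 208.x.x.130, dest 65.x.x.138
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 65.x.x.138, dst 208.x.x.130
"""

LOCAL_DEBUG = """\
VPN Peer: ISAKMP: Added new peer: ip:65.x.x.138 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 208.x.x.130, dst 65.x.x.138
"""

# Phase 1 milestones in the order a PIX reaches them. The first three strings
# occur in the posted debugs; the last two are assumed from typical PIX 6.x
# "debug crypto isakmp" output and are not shown in the thread.
MILESTONES = [
    ("sent_mm1", "beginning Main Mode exchange"),      # initiator sent MM1
    ("got_sa", "processing SA payload"),               # a proposal arrived
    ("sa_accepted", "atts are acceptable"),            # proposal matched a policy
    ("got_ke", "processing KE payload"),               # DH exchange (MM3/MM4) reached
    ("authenticated", "SA has been authenticated"),    # phase 1 complete
]
RANK = {name: i for i, (name, _) in enumerate(MILESTONES)}


def summarize(debug):
    """Furthest phase-1 milestone reached, plus retransmit and SA-delete counts."""
    result = {"furthest": None, "retransmits": 0, "deletes": 0}
    for line in debug.splitlines():
        for name, marker in MILESTONES:
            if marker in line and RANK[name] > RANK.get(result["furthest"], -1):
                result["furthest"] = name
        if "retransmitting phase 1" in line:
            result["retransmits"] += 1
        if "deleting SA" in line:
            result["deletes"] += 1
    return result


def diagnose(initiator_debug, responder_debug):
    """Classify where main mode stalls by comparing how far each side got.

    mm1_not_reaching_responder: initiator sent MM1, responder saw nothing
                                (UDP/500 blocked initiator -> responder)
    policy_mismatch:            responder saw the proposal but no policy matched
    mm2_not_reaching_initiator: responder accepted and replied, initiator still
                                retransmits MM1 (UDP/500 blocked responder -> initiator)
    stalls_after_ke:            DH done but never authenticated; check PSK/identity
    """
    ini, rsp = summarize(initiator_debug), summarize(responder_debug)
    i_rank = RANK.get(ini["furthest"], -1)
    r_rank = RANK.get(rsp["furthest"], -1)
    if i_rank >= RANK["authenticated"]:
        return "phase1_ok"
    if i_rank == RANK["sent_mm1"] and r_rank < RANK["got_sa"]:
        return "mm1_not_reaching_responder"
    if r_rank == RANK["got_sa"]:
        return "policy_mismatch"
    if i_rank == RANK["sent_mm1"] and r_rank == RANK["sa_accepted"] and rsp["retransmits"]:
        return "mm2_not_reaching_initiator"
    if max(i_rank, r_rank) >= RANK["got_ke"]:
        return "stalls_after_ke"
    return "unknown"


if __name__ == "__main__":
    print("initiator:", summarize(LOCAL_DEBUG))
    print("responder:", summarize(REMOTE_DEBUG))
    print("diagnosis:", diagnose(LOCAL_DEBUG, REMOTE_DEBUG))
```

Run against the thread's debugs the initiator never gets past "beginning Main Mode exchange" while the responder reaches "atts are acceptable" and then retransmits, so the classifier returns `mm2_not_reaching_initiator`, matching the reply above: the responder's answer is being dropped on the way back, so the thing to check is UDP/500 inbound on the initiator side (its outside ACL or `sysopt connection permit-ipsec`), not the pre-shared key.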