12-26-2002 10:23 AM - edited 02-21-2020 12:15 PM
Is it just me or is the PDM setup of VPNs more confusing than the CLI? I gave up and am trying to set it up on the CLI.
Anyway, I just need an expert or two (that would be some of you guys :) ) to look at this and see if I am missing anything.
PIX1 (515e):
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
PIX2 (501e):
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer MainOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address MainOffice netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
Am I missing anything I need here? I am just trying to set up a VPN between two DSL-supplied offices via the two new firewalls I am placing this week. All comments and thoughts welcome. Thanks guys.
Dave
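As an added example (not part of Dave's post or Cisco's tooling), here is a small Python checker that parses the two fragments above and verifies the things that must agree on a PIX LAN-to-LAN tunnel: the crypto ACLs on the two sides must be mirror images of each other, the transform set and PFS group must match, the two sides must share at least one phase 1 proposal (compared by content, since the `isakmp policy` number is only a local priority and does not have to match), and on each box the `isakmp key ... address` peer must be the same peer the crypto map points at. It also flags the DES and DH group 1 settings, which were normal in 2002 but are considered weak today. The config text is copied from the post, with the peer hostnames kept as opaque strings and the pre-shared key masked as it is there.

```python
import re

# Constructed copy of the PIX1 fragment from the post; PIX2 is its mirror image.
PIX1 = """
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""
PIX2 = (PIX1.replace("192.168.50.0 255.255.255.0 192.168.51.0",
                     "192.168.51.0 255.255.255.0 192.168.50.0")
            .replace("ConstOffice", "MainOffice"))

# Only the lines that matter for the tunnel; everything else is ignored.
PATTERNS = {
    "acl":       re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$"),
    "transform": re.compile(r"crypto ipsec transform-set \S+ (.+)$"),
    "match":     re.compile(r"crypto map \S+ \d+ match address (\S+)$"),
    "pfs":       re.compile(r"crypto map \S+ \d+ set pfs (\S+)$"),
    "peer":      re.compile(r"crypto map \S+ \d+ set peer (\S+)$"),
    "key_peer":  re.compile(r"isakmp key \S+ address (\S+) netmask (\S+)$"),
    "policy":    re.compile(r"isakmp policy (\d+) (\w+) (\S+)$"),
}

def parse_pix(cfg):
    """Extract ACLs, transform set, crypto map peer/pfs/match, isakmp key peer and policies."""
    d = {"acl": {}, "policy": {}}
    for line in cfg.strip().splitlines():
        line = line.strip()
        for name, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            if name == "acl":
                d["acl"].setdefault(m.group(1), []).append(tuple(m.groups()[1:]))
            elif name == "policy":
                d["policy"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            elif name == "transform":
                d["transform"] = tuple(m.group(1).split())
            elif name == "key_peer":
                d["key_peer"], d["key_mask"] = m.group(1), m.group(2)
            else:
                d[name] = m.group(1)
            break
    return d

def check_pair(a, b):
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    problems = []
    for side, d in (("A", a), ("B", b)):
        if d.get("match") not in d["acl"]:
            problems.append(f"{side}: crypto map matches ACL {d.get('match')!r} which is not defined")
        if d.get("peer") != d.get("key_peer"):
            problems.append(f"{side}: isakmp key is bound to {d.get('key_peer')} "
                            f"but crypto map peer is {d.get('peer')}")
    if a.get("transform") != b.get("transform"):
        problems.append(f"transform-set differs: {a.get('transform')} vs {b.get('transform')}")
    if a.get("pfs") != b.get("pfs"):
        problems.append(f"pfs differs: {a.get('pfs')} vs {b.get('pfs')}")
    # Phase 1 is negotiated, so only the proposal contents matter, not the policy number.
    props_a = {frozenset(p.items()) for p in a["policy"].values()}
    props_b = {frozenset(p.items()) for p in b["policy"].values()}
    if not props_a & props_b:
        problems.append("no common isakmp policy (phase 1 proposal) between the two sides")
    # The crypto ACLs must be mirror images: A's (src, dst) is B's (dst, src).
    a_aces = set(a["acl"].get(a.get("match"), []))
    b_aces = set(b["acl"].get(b.get("match"), []))
    mirrored_b = {(dst, dm, src, sm) for (src, sm, dst, dm) in b_aces}
    if a_aces != mirrored_b:
        problems.append(f"crypto ACLs are not mirror images: {sorted(a_aces)} vs {sorted(b_aces)}")
    return problems

# Settings that were common in 2002 but are weak by today's standards.
WEAK_PHASE1 = {("encryption", "des"): "phase 1 DES (56-bit)",
               ("group", "1"): "phase 1 DH group 1 (768-bit MODP)"}

def weak_settings(d):
    """List the weak crypto choices found in one parsed config."""
    found = []
    for pol in d["policy"].values():
        for (attr, val), why in WEAK_PHASE1.items():
            if pol.get(attr) == val:
                found.append(why)
    if "esp-des" in d.get("transform", ()):
        found.append("phase 2 esp-des (56-bit)")
    return found

if __name__ == "__main__":
    p1, p2 = parse_pix(PIX1), parse_pix(PIX2)
    print("problems:", check_pair(p1, p2) or "none")
    print("weak settings on PIX1:", weak_settings(p1))
```

Run it as-is and it reports no consistency problems for the pair in the post and three weak settings; change one side's transform set or peer and the mismatch is named on the first line of output.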
12-26-2002 11:39 AM
Hi Dave,
Your VPN config on the PIX for this particular LAN-to-LAN IPSec tunnel looks good. If you run into any issues, capture the ISAKMP and IPSec debugs and post them, and we will assist you with the issue.
You can also use the below link for troubleshooting purposes:
http://te.cisco.com/SRVS/CGI-BIN/WEBCGI.EXE?New,KB=PIX
Regards,
Arul
12-27-2002 01:43 PM
Ok, here's the debug info I'm getting:
(71.7 is the dest, 71.8 is the src IP; 71.8 is a 501, 71.7 is a 515; their VPN CLI settings are in my first post)
ISAKMP (0): retransmitting phase 1 ...
IPSEC(key_engine): request timer fired: count = 1,
(identity) local = x.x.71.8, remote = x.x.71.7,
local_proxy = 192.168.51.0/255.255.255.0/0/0 (type=4)
remote_proxy = 192.168.50.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src x.x.71.8, dst x.x.71.7
ISADB: reaper checking SA 0x80a7c330, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.71.7 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:x.x.71.7 Total VPN peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local = x.x.71.8, remote = x.x.71.7,
local_proxy = 192.168.51.0/255.255.255.0/0/0 (type=4)
remote_proxy = 192.168.50.0/255.255.255.0/0/0 (type=4)
VPN Peer: ISAKMP: Added new peer: ip: x.x.71.7 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:x.x.71.7 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP(0): beginning Main Mode exchange
crypto_isakmp_process_block: src x.x.71.7, dest x.x.71.8
OAK_MM exchange
ISAKMP(0): processing SA payload. message ID =0
ISAKMP(0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP(0): atts are acceptable. Next payload is 0
ISAKMP(0): SA is doing preshared key authentication using id type ID_PQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.x.71.7, dest x.x.71.8
OAK_MM exchange
ISAKMP(0): processing KE payload. message ID = 0
ISAKMP(0): processing NONCE payload. message ID = 0
ISAKMP(0): processing vendor id payload
ISAKMP(0): processing vendor id payload
ISAKMP(0): remote peer supports dead peer detection
ISAKMP(0): processing vendor id payload
ISAKMP(0): speaking to another IOS box!
ISAKMP(0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 27
ISAKMP(0): Total payload length: 31
return status is IKMP_NO_ERROR
Thanks for any help you can give.
Dave
12-27-2002 09:48 PM
By chance, are either of the PIX boxes sitting behind a DSL device doing PAT or NAT?
12-28-2002 07:58 AM
No, they are both connected directly to DSL modems. Those DSL modems supply the outside interfaces with the x.x.71.7 and 71.8 IP addresses.
This is a shot in the dark, but I'm down to that :). Could there potentially be a problem with the fact that I am using the same policy number for both of my endpoints of the attempted VPN here? ...
thx again,
Dave
12-28-2002 11:50 AM
Hi Dave,
Add the command "isakmp identity address" on both the PIXes and then try to bring up the tunnel.
Regards,
Arul
12-28-2002 12:56 PM
I'm sorry, it doesn't seem to have changed anything...
The new output is as follows:
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src MainOffice, dst ConstOffice
ISADB: reaper checking SA 0x813ce480, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:ConstOffice Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:ConstOffice Total VPN peers:0
crypto_isakmp_process_block: src ConstOffice, dest MainOffice
VPN Peer: ISAKMP: Added new peer: ip:ConstOffice Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:ConstOffice Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src ConstOffice, dest MainOffice
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src ConstOffice, dest MainOffice
ISAKMP: reserved not zero on payload 5!
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 64.53.71.7, remote= ConstOffice,
local_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.51.0/255.255.255.0/0/0 (type=4)
crypto_isakmp_process_block: src ConstOffice, dest MainOffice
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block: src ConstOffice, dest MainOffice
ISAKMP: reserved not zero on payload 5!
ISAKMP (0): deleting SA: src ConstOffice, dst MainOffice
ISADB: reaper checking SA 0x813ce480, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:ConstOffice Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:ConstOffice Total VPN peers:0
I do appreciate your help. If you feel any other information might be helpful, please feel free to ask. Arul, if it would help you to have the full configs of both firewalls, I wouldn't mind emailing them to you, sir.
Thank you for your time.
Dave
12-28-2002 01:29 PM
Hi Dave,
From the error messages: reserved not zero on payload 5!
The above message means that the "pre-shared keys" are not matching on both the PIXes. Re-enter the pre-shared key on both the PIXes and bring up your tunnel.
Regards,
Arul
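Why a wrong pre-shared key shows up as "reserved not zero on payload 5" and not earlier is worth seeing in code. In IKEv1 main mode the first four messages (SA, KE and nonces) never touch the key; the PSK enters only in SKEYID = prf(psk, Ni | Nr), from which SKEYID_e, the encryption key for messages 5 and 6, is derived (RFC 2409). Payload type 5 is the Identification payload (RFC 2408), the first thing sent encrypted. If the two boxes hold different keys the responder decrypts that payload with the wrong SKEYID_e, gets garbage, and the first sanity check that fails is the RESERVED byte in the generic payload header, which is exactly the message in Dave's debug. The following is an added example, not from the thread or from Cisco: the RFC 2409 key derivation is real (HMAC-SHA1, matching "hash sha"), but the nonces, cookies, DH secret and addresses are constructed, and because the stdlib has no DES the DES-CBC step is replaced by a keystream stand-in keyed from SKEYID_e, which is enough to show the effect.

```python
import hmac
import hashlib
import struct

# Negotiated in the thread: "hash sha" and "auth pre-share". DES-CBC is not in the
# stdlib, so encryption below is a keystream stand-in keyed from SKEYID_e (assumption).
PRF = hashlib.sha1
ID_PAYLOAD_TYPE = 5   # ISAKMP payload type 5 = Identification (RFC 2408)
ID_IPV4_ADDR = 1      # "id type ID_IPV4_ADDR" in the debug output
HASH_PAYLOAD = 8      # next payload after ID in MM5/MM6 is HASH

def prf(key, data):
    return hmac.new(key, data, PRF).digest()

def derive_skeyid_e(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID for pre-shared-key auth, then SKEYID_d, _a, _e."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid_e

def xor_keystream(skeyid_e, iv, data):
    """Stand-in for DES-CBC: XOR with prf(SKEYID_e, iv || counter). Same call decrypts."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += prf(skeyid_e, iv + struct.pack(">I", ctr))
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def build_id_payload(ip):
    """Generic header (next, RESERVED=0, length) + IPsec DOI ID (type, proto 17, port 500, addr)."""
    addr = bytes(int(o) for o in ip.split("."))
    body = struct.pack(">BBH", ID_IPV4_ADDR, 17, 500) + addr
    return struct.pack(">BBH", HASH_PAYLOAD, 0, 4 + len(body)) + body

def parse_id_payload(buf):
    """Receiver-side checks in the order a PIX reports them; the first failure is the log line."""
    nxt, reserved, length = struct.unpack(">BBH", buf[:4])
    if reserved != 0:
        raise ValueError("reserved not zero on payload %d!" % ID_PAYLOAD_TYPE)
    if length != len(buf):
        raise ValueError("bad ID payload length")
    id_type, proto, port = struct.unpack(">BBH", buf[4:8])
    if id_type != ID_IPV4_ADDR or length != 12:
        raise ValueError("unexpected ID type")
    return {"next": nxt, "type": id_type, "proto": proto, "port": port,
            "addr": ".".join(str(b) for b in buf[8:12])}

# Constructed values for one fixed exchange: nonces, cookies, DH shared secret, IV.
NI, NR = b"Ni-constructed-nonce", b"Nr-constructed-nonce"
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8
G_XY = hashlib.sha1(b"constructed-dh-shared-secret").digest()
IV = b"\x00" * 8

def mm5_roundtrip(initiator_psk, responder_psk, initiator_ip="192.0.2.8"):
    """Initiator encrypts MM5's ID payload under its SKEYID_e; responder decrypts under its own.
    Returns the parsed ID on success, or the receiver's error string on failure."""
    ke_i = derive_skeyid_e(initiator_psk, NI, NR, G_XY, CKY_I, CKY_R)
    ke_r = derive_skeyid_e(responder_psk, NI, NR, G_XY, CKY_I, CKY_R)
    wire = xor_keystream(ke_i, IV, build_id_payload(initiator_ip))
    try:
        return parse_id_payload(xor_keystream(ke_r, IV, wire))
    except ValueError as e:
        return str(e)

def mismatch_reject_rate(trials=256):
    """Fraction of wrong-PSK attempts the receiver rejects before ever seeing a valid ID."""
    rejected = sum(1 for i in range(trials)
                   if isinstance(mm5_roundtrip(b"right", b"wrong-%d" % i), str))
    return rejected / trials

if __name__ == "__main__":
    print("same key  :", mm5_roundtrip(b"same-psk", b"same-psk"))
    print("wrong key :", mm5_roundtrip(b"same-psk", b"typo-psk"))
    print("reject rate over 256 wrong keys:", mismatch_reject_rate())
```

The practical point is the one Arul made: messages 1 to 4 in the debug are clean ("atts are acceptable", KE and NONCE processed) because nothing in them depends on the key, so a failure that first appears at payload 5 points at the pre-shared key, not at the policy, the ACLs or NAT.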
12-29-2002 10:50 AM
You! are the Man! :)
I may just have to name my firstborn after you....sure hope its a boy....
Thank you very much sir!
12-29-2002 11:22 AM
Oh durn it... I spoke too soon, it's only halfway working.
From the main office I can ping the construction office, but from the construction office I can't ping anything in the main office.
Now all I get when I run debug is :
ISADB:Reaper checking SA 0x80a7c278, conn_id=0
Sorry to keep dragging this issue out, I do appreciate your help
12-31-2002 02:08 PM
Hi Dave,
You are welcome anytime. Regarding the above issue, can you explain to me in detail the issue that you are running into, and also the IP addresses that you are trying to access (source and destination)?
Regards,
Arul
01-02-2003 03:47 AM
Oh, sorry, I got this working now. Thanks though :)