Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Troubles with PIX to PIX ipsec tunnel after existing tunnel

Hi all you learned VPN/tunnel junkies,

Here's the scenario I've been losing sleep over lately:

From my main PIX (SE440BX2, 128 MB RAM, CPU Pentium II 350 MHz, running 6.2(2)) in the office, I already have an IPSEC vpn tunnel up ans working with a vendor of ours. This weekend I started to add another tunnel to another off-site host using a PIX 501 (running 6.3.2). It seems the ISAKMP part will hook up just fine, but I can't get the phase 2 part of IPSEC to work. Following are configs for both PIX(ies?) with the first octet of any IP address changed to protect the ignorant. Here's a key:

dmz = refers to office, internal dmz address

in = refers to office, internal network address

out = refers to office, internet network address

oldin = refers to office, working vendor VPN inside address

oldout = refers to office, working vendor VPN internet address

newin = refers to new remote site, new VPN inside address

newold = refers to new remote site, new VPN external address

PIX Config for office (non-relevant parts removed):

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

access-list acl_out permit tcp any host out.66.77.150 eq www

access-list acl_out permit tcp any host out.66.77.151 eq https

access-list acl_out permit tcp any host out.66.77.253 eq domain

access-list acl_out permit udp any host out.66.77.253 eq domain

access-list acl_out permit gre any host out.66.77.253

access-list acl_out permit esp any host out.66.77.253

access-list acl_out permit tcp any host out.66.77.253 eq 1723

access-list acl_out deny icmp any any

access-list 101 permit ip in.165.54.0 255.255.255.0 oldin.15.0.0 255.255.0.0

access-list 101 permit ip in.165.54.0 255.255.254.0 newin.168.222.0 255.255.255.0

access-list 101 permit ip in.165.54.0 255.255.255.0 newin.168.222.0 255.255.255.0

access-list 102 permit ip in.165.54.0 255.255.255.0 newin.168.222.0 255.255.255.0

icmp deny any outside

global (outside) 1 out.66.77.150-out.66.77.229

global (outside) 1 out.66.77.251 netmask 255.255.255.128

global (DMZ) 1 dmz.168.111.240-dmz.168.111.250

nat (inside) 0 access-list 101

nat (inside) 1 in.165.0.0 255.255.0.0 0 0

nat (DMZ) 1 dmz.168.111.0 255.255.255.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 out.66.77.254 1

route inside in.165.0.0 255.255.0.0 in.165.55.254 1

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address 101

crypto map newmap 10 set peer oldout.56.8.8

crypto map newmap 10 set transform-set myset

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address 102

crypto map newmap 20 set peer newout.112.66.214

crypto map newmap 20 set transform-set myset

crypto map newmap interface outside

isakmp enable outside

isakmp key ******** address oldout.56.8.8 netmask 255.255.255.255

isakmp key ******** address newout.112.66.214 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 28800

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

PIX Config for remote site:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list 102 permit ip newin.168.222.0 255.255.255.0 in.165.54.0 255.255.255.0

access-list acl_out permit tcp out.66.77.128 255.255.255.128 host newout.112.66.214 eq ssh access-list acl_out deny icmp any any

access-list 101 permit ip newin.168.222.0 255.255.255.0 in.165.54.0 255.255.255.0

ip address outside pppoe setroute

ip address inside newin.168.222.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 newin.168.222.0 255.255.255.0 0 0

access-group acl_out in interface outside

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-md5-hmac

crypto map toSBD 20 ipsec-isakmp

crypto map toSBD 20 match address 102

crypto map toSBD 20 set peer out.66.77.129

crypto map toSBD 20 set transform-set strong

crypto map toSBD interface outside

isakmp enable outside

isakmp key ******** address out.66.77.129 netmask 255.255.255.255

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

And here's the interesting "debug crypto ipsec" messages from the office PIX:

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x77bca3ae(2008851374) for SA

from 66.112.66.214 to 65.66.77.129 for prot 3

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,

dest_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),

src_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address newout.112.66.214 not found

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,

dest_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),

src_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): peer address out.66.77.129 not found

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= out.66.77.129, remote= newout.112.66.214,

local_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),

remote_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4)

And finally the interesting "debug crypto ipsec" messages from the remote PIX:

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,

dest_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),

src_proxy= in.165.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,

dest_proxy= in.165.0.0/255.255.0.0/0/0 (type=4),

src_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,

dest_proxy= oldin.15.0.0/255.255.0.0/0/0 (type=4),

src_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,

dest_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),

src_proxy= oldin.15.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= newout.112.66.214, src= out.66.77.129,

dest_proxy= newin.168.222.0/255.255.255.0/0/0 (type=4),

src_proxy= in.165.54.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

So why is the new remote PIX processing an address list for the old VPN (working) on the new VPN (not-working)?

Also, notice that it's using a 16-bit mask instead of the 24-bit mask SPECIFIED EVERYWHERE ELSE! Any suggestions or comments would be appreciated as I'm nearing the point where I'm ready to quit my job and join a cult.

-(Mr.) Kelly Adams

Yet another software developer roped into learning PIX security...

2 REPLIES
Cisco Employee

Re: Troubles with PIX to PIX ipsec tunnel after existing tunnel

OK, on the existing PIX you have the following:

access-list 101 permit ip in.165.54.0 255.255.255.0 oldin.15.0.0 255.255.0.0

access-list 101 permit ip in.165.54.0 255.255.254.0 newin.168.222.0 255.255.255.0

access-list 101 permit ip in.165.54.0 255.255.255.0 newin.168.222.0 255.255.255.0

access-list 102 permit ip in.165.54.0 255.255.255.0 newin.168.222.0 255.255.255.0

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address 101

crypto map newmap 10 set peer oldout.56.8.8

crypto map newmap 10 set transform-set myset

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address 102

crypto map newmap 20 set peer newout.112.66.214

crypto map newmap 20 set transform-set myset

crypto map newmap interface outside

Crypto maps are read from top down, so crypto map 10 will be read before crypto map 20, therefore access-list 101 will be checked before access-list 102. Note that access-list 102 is the same as one of th lines in ACL 101, therefore ACL 102 and crypto map 20 will NEVER be used, because ACL 101 and crypto map 10 will always match first. This why you're getting the "proxy identities not supported" error, cause you the old PIX is trying to build a tunnel to the other old PIX, rather than to the new 501.

You need to make ACL 102 different to ACL 101, and make sure you make both of them more specific to exactly match the traffic that you want to go over each tunnel. Then change the other ends of the tunnel (the 501 and the other PIX) so that there ACL's are the exact opposite of what you've defined on this old PIX.

New Member

Re: Troubles with PIX to PIX ipsec tunnel after existing tunnel

Woohoo! It took a little bit of caffeine to get my head around having three separate ACLs, but it's up and working with the following changes:

Office PIX:

access-list 101 permit ip in.165.0.0 255.255.0.0 oldin.15.0.0 255.255.0.0

access-list 101 permit ip in.165.0.0 255.255.0.0 newin.168.222.0 255.255.255.0

access-list 102 permit ip in.165.0.0 255.255.0.0 newin.168.222.0 255.255.255.0

access-list 103 permit ip in.165.0.0 255.255.0.0 oldin.15.0.0 255.255.0.0

nat (inside) 0 access-list 101

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address 103

crypto map newmap 10 set peer oldout.56.8.8

crypto map newmap 10 set transform-set myset

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address 102

crypto map newmap 20 set peer newout.112.66.214

crypto map newmap 20 set transform-set myset

crypto map newmap interface outside

And on the new remote PIX:

access-list 102 permit ip newin.168.222.0 255.255.255.0 in.165.0.0 255.255.0.0

access-list 101 permit ip newin.168.222.0 255.255.255.0 in.165.0.0 255.255.0.0

No changes were needed on the existing remote IPSEC connection. Thanks for your help Glenn!

-Kelly

153
Views
0
Helpful
2
Replies
CreatePlease to create content