Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Client to PIX515E with two site to site VPN

I have a PIX515E v6.22 that is configured for two site to site VPNs(Crypto map 10 and 20 and Isakmp policy 10). I'm trying to add a configuration for a VPN client connection. With the following configuration, the VPN client 3.6 will establish the connection, but I can't ping the outside interface or anything in the 10.0.0.0 subnet or the 192.168.254.0 subnet. The pix adds the access lists when a connection is made, but they do not show any hits when I attempt to make connections. Does anyone see what I'm doing wrong?

Thanks

Josh

Building configuration...

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password lui78Uo/LBYLTriJ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname sepix

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 100 permit ip 10.0.0.0 255.255.255.0 k.l.m.0 255.255.255.0

access-list 100 permit ip 10.0.0.0 255.255.255.0 host n.o.p.129

access-list 100 permit ip 10.0.0.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list 101 permit ip 10.0.0.0 255.255.255.0 k.l.m.0 255.255.255.0

access-list 102 permit ip 10.0.0.0 255.255.255.0 host n.o.p.129

pager lines 24

logging console debugging

logging monitor debugging

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside h.i.j.5 255.255.255.0

ip address inside 192.168.254.198 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool bigpool 192.168.200.1-192.168.200.254

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 100

route outside 0.0.0.0 0.0.0.0 h.i.j.1 1

route inside 10.0.0.0 255.255.255.0 192.168.254.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set noAH esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set noAH

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address 101

crypto map newmap 10 set peer a.b.c.133

crypto map newmap 10 set transform-set noAH

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address 102

crypto map newmap 20 set peer d.e.f.140

crypto map newmap 20 set transform-set noAH

crypto map newmap 30 ipsec-isakmp dynamic dynmap

crypto map newmap interface outside

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

isakmp enable outside

isakmp key ******** address a.b.c.133 netmask 255.255.255.255

isakmp key ******** address d.e.f.140 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup sevpn address-pool bigpool

vpngroup sevpn dns-server 10.0.0.253 10.0.0.252

vpngroup sevpn default-domain stoneeagle.net

vpngroup sevpn idle-time 1800

vpngroup sevpn password ********

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:b628547b3ef71a02b5b7b6f12f44aca6

: end

[OK]

  • Other Security Subjects
3 REPLIES
New Member

Re: VPN Client to PIX515E with two site to site VPN

Here is the output for Debug crypto isakmp. It looks like it never gets to my priority 20 policy. Anybody know what I'm doing wrong?

crypto_isakmp_process_block: src h.i.j.50, dest h.i.j.5

VPN Peer: ISAKMP: Added new peer: ip:h.i.j.50 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:h.i.j.50 Ref cnt incremented to:1 Total VPN Peers:

2

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

crypto_isakmp_process_block: src h.i.j.50, dest h.i.j.5

crypto_isakmp_process_block: src h.i.j.50, dest h.i.j.5

crypto_isakmp_process_block: src h.i.j.50, dest h.i.j.5

crypto_isakmp_process_block: src h.i.j.50, dest h.i.j.5

OAK_QM exchange

New Member

Re: VPN Client to PIX515E with two site to site VPN

Here is the debug crypto ipsec output.

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with h.i.j.50

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not s

upported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= h.i.j.5, src= h.i.j.50,

dest_proxy= h.i.j.5/255.255.255.255/0/0 (type=1),

src_proxy= 192.168.200.1/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x10e6f31f(283570975) for SA

from h.i.j.50 to h.i.j.5 for prot 3

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not

supported

IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not s

upported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= h.i.j.5, src= h.i.j.50,

dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

src_proxy= 192.168.200.1/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x310ed195(823054741) for SA

from h.i.j.50 to h.i.j.5 for prot 3

IPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= h.i.j.5, src= h.i.j.50,

dest_proxy= h.i.j.5/0.0.0.0/0/0 (type=1),

src_proxy= 192.168.200.1/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 2147483s and 0kb,

spi= 0x10e6f31f(283570975), conn_id= 5, keysize= 0, flags= 0x4

IPSEC(initialize_sas): ,

(key eng. msg.) src= h.i.j.5, dest= h.i.j.50,

src_proxy= h.i.j.5/0.0.0.0/0/0 (type=1),

dest_proxy= 192.168.200.1/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 2147483s and 0kb,

spi= 0x9e86e24e(2659639886), conn_id= 6, keysize= 0, flags= 0x4

IPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= h.i.j.5, src= h.i.j.50,

dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

src_proxy= 192.168.200.1/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 2147483s and 0kb,

spi= 0x310ed195(823054741), conn_id= 3, keysize= 0, flags= 0x4

IPSEC(initialize_sas): ,

(key eng. msg.) src= h.i.j.5, dest= h.i.j.50,

src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

dest_proxy= 192.168.200.1/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 2147483s and 0kb,

spi= 0xa1a04441(2711635009), conn_id= 4, keysize= 0, flags= 0x4

Cisco Employee

Re: VPN Client to PIX515E with two site to site VPN

Your tunnel is being built properly. Don't worry about the ISAKMP debug, the PIX has a bug where it only shows the first 10 or 15 (or some number) policy attempts, so it will be getting to your policy 20 it's just the debug isn't showing it. This is verified by the fact that your tunnel is being built, as shown in teh IPSec debug.

Anyway, can't see anything wrong with your config. Sounds sort of like the ESP packets are getting blocked somewhere. Keep in mind that the tunnel is built on ISAKMP (UDP 500) packets, then all the data is sent with ESP packets.

When you ping, does the Encrypted Packets counter go up on the client? Does the Pkts Decaps counter go up on the PIX in a "sho cry ipsec sa" output? Does the Pkts Encaps go up (indicating the PIX has received the response from the inside client and has sent it on to your VPN client)? Does the Decrypted Packets counter go up on teh VPn client? check all of these counters and it should give you a good indication of where the problem lies.

Are you going thru a PAT device between the PIX and client? If so, upgrade the PIX to 6.3 and add the command:

> isakmp nat-traversal

to the PIX.

103
Views
0
Helpful
3
Replies
This widget could not be displayed.