10-25-2003 11:03 PM - edited 02-21-2020 12:50 PM
Hi, I have created a tunnel between two sites. The tunnel is up and the two phases (ISAKMP, IPsec) are OK, but I can't ping the other host from my peer; the echo reply is not coming back. From the other peer, however, he can ping my host. The debug crypto ipsec sa shows that the packets are encaps and encrypted but there is no decaps/decrypt.
Here is the debug:
Aawpix(config)#
VPN Peer: ISAKMP: Added new peer: ip:192.44.158.68 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:192.44.158.68 Ref cnt incremented to:1 Total VPN Peers
:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src 192.44.158.68, dest 195.xx.xx.79
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 192.44.158.68, dest 195.xx.xx.79
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 192.44.158.68, dest 195.xx.xx.79
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -711630991:d5955f71
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3cde9262(1021219426) for SA
from 192.44.158.68 to 195.xx.xx.79 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src 192.44.158.68, dest 195.xx.xx.79
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3583336305
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.44.158.68, src= 195.xx.xx.79,
dest_proxy= 155.128.147.1/255.255.255.255/0/0 (type=1),
src_proxy= 192.0.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 3583336305
ISAKMP (0): processing ID payload. message ID = 3583336305
ISAKMP (0): processing ID payload. message ID = 3583336305
ISAKMP (0): Creating IPSec SAs
inbound SA from 192.44.158.68 to 195.xx.xx.79 (proxy 155.128.147.1 to 192.0.2.0)
has spi 1021219426 and conn_id 5 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
outbound SA from 195.xx.xx.79 to 192.44.158.68 (proxy 192.0.2.0 to 155.128.147.1)
has spi 1515122 and conn_id 6 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 195.xx.xx.79, src= 192.44.158.68,
dest_proxy= 192.0.2.0/255.255.255.0/0/0 (type=4),
src_proxy= 155.128.147.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x3cde9262(1021219426), conn_id= 5, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 195.xx.xx.79, dest= 192.44.158.68,
src_proxy= 192.0.2.0/255.255.255.0/0/0 (type=4),
dest_proxy= 155.128.147.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x171e72(1515122), conn_id= 6, keysize= 0, flags= 0x4
VPN Peer: IPSEC: Peer ip:192.44.158.68 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:192.44.158.68 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
10-26-2003 05:39 AM
You should post the configuration too (without real addresses and passwords). It looks like a NAT problem: did you set the "nat 0" command at both sides?
10-27-2003 12:13 AM
User Access Verification
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Aawpix
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip any 192.168.x.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip any 192.168.x.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.26.128.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.26.130.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.26.130.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.26.18.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.38.0.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.5.5.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.118.56.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.119.85.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.125.115.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.125.115.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.128.147.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 192.229.19.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 192.44.100.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 192.44.100.x
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 192.44.122.x
access-list outside_cryptomap_dyn_20 permit ip any 192.168.x.0 255.255.255.128
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.26.128.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.26.130.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.26.18.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.38.0.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.5.5.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.118.56.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.119.85.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.125.115.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.125.115.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.128.147.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 192.229.19.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 192.44.100.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 192.44.100.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 192.44.122.x
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.26.130.x
pager lines 24
logging on
logging monitor debugging
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 195x.x.x 255.x.x.224
ip address inside 192.0.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool aawpool 192.168.x.1-192.168.x.100
ip local pool aawpooll2p 192.168.x2.1-192.168.x2.50
arp timeout 14400
global (outside) 1 195.x.x.82-195.x.x.94
global (outside) 1 195.x.x.81 netmask 255.255.255.255
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.0.2.0 255.255.255.0 0 0
static (inside,outside) 195.x.x.x 192.0.x.x netmask 255.255.255.255 0 0
static (inside,outside) 195.x.x.x 192.x.x.x netmask 255.255.255.255 0 0
conduit permit tcp host 195x.x.x eq www any
conduit permit tcp host 195.x.x.x eq pop3 any
conduit permit tcp host 195.x.x.x eq smtp any
conduit permit tcp host 195.x.x.x eq domain any
conduit permit tcp host 195.x.x.x eq imap4 any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 195.226.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.44.158.x
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxx address 192.44.158.68 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
vpngroup aawremote address-pool aawpool
vpngroup aawremote idle-time 1800
vpngroup aawremote password xxxxxxx
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local aawpooll2p
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
terminal width 80
Cryptochecksum:xxxx
: end
Aawpix#
10-26-2003 10:17 AM
"the debug crypto ipsec sa shows that the packets are encaps and encrypted but no decaps/decrypt"
It would appear your PIX is properly sending out the packets but filtering them on the way back in. Make sure you have allowed the ESP traffic back in within your ACL statements. Also, as the previous poster noted, make sure your NAT is set up correctly.
2 main things to check:
---Make sure ACLs are set to allow the proper traffic
(the src-dst LAN2LAN network ACL to apply to the crypto map, and the ACL that defines who and what protocols are allowed to come into the outside PIX interface: UDP 500 - IKE and IP 50 - ESP)
---Make sure NAT is set up right
(don't NAT traffic between those 2 LANs)
Also, I may be off course, but if this is a LAN2LAN VPN, I noticed that you are only protecting 1 host on one side of your configuration (in the split tunnel ACLs) (?).
inbound SA from 192.44.158.68 to 195.xx.xx.79 (proxy 155.128.147.1 to 192.0.2.0)
outbound SA from 195.xx.xx.79 to 192.44.158.68 (proxy 192.0.2.0 to 155.128.147.1)
dest_proxy= 192.0.2.0/255.255.255.0/0/0 (type=4),
src_proxy= 155.128.147.1/255.255.255.255/0/0 (type=1),
Also, when that one side is successful in pinging the other, are you sure that those ICMP packets are being encrypted and decrypted (on both ends)?
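The two checks above (crypto-map ACL mirrored by a nat 0 exemption, and decrypted traffic allowed in) can be scripted against a saved PIX 6.x config. This is an added example, not code from the thread; the config it parses is a constructed sample modelled on the one posted, with one extra host (198.51.100.7) deliberately left out of the nat 0 ACL so the check has something to report.

```python
"""Cross-check a PIX 6.x config: every crypto-map ACL entry needs a nat 0 exemption."""
import re

# Constructed sample, modelled on the thread's config. The 198.51.100.7 entry has
# no nat 0 exemption, so that flow would be translated by 'nat (inside) 1' before
# it is compared against the crypto map and would never match the IPsec proxies.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.128.147.1
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.128.147.1
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 198.51.100.7
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.0.2.0 255.255.255.0 0 0
sysopt connection permit-ipsec
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.44.158.68
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")


def parse_acls(config):
    """Return {acl_name: {(proto, 'src mask dst')}} for every permit entry."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, proto, rest = m.groups()
            acls.setdefault(name, set()).add((proto, " ".join(rest.split())))
    return acls


def nat0_acl_names(config):
    return set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))


def crypto_map_acl_names(config):
    return set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))


def find_unexempted_crypto_entries(config):
    """Crypto-map ACL entries without an identical nat 0 entry.

    Comparison is textual, so a broader nat 0 entry that covers the flow is
    not recognised; treat a hit as 'go and look', not as a definite fault.
    """
    acls = parse_acls(config)
    exempt = set()
    for name in nat0_acl_names(config):
        exempt |= acls.get(name, set())
    missing = []
    for name in sorted(crypto_map_acl_names(config)):
        for entry in sorted(acls.get(name, set())):
            if entry not in exempt:
                missing.append((name,) + entry)
    return missing


def has_permit_ipsec(config):
    """On PIX 6.x this sysopt lets decrypted IPsec traffic bypass conduits/ACLs."""
    return re.search(r"^sysopt connection permit-ipsec$", config, re.M) is not None


if __name__ == "__main__":
    for name, proto, rest in find_unexempted_crypto_entries(SAMPLE_CONFIG):
        print(f"{name}: '{proto} {rest}' is in the crypto map but not NAT-exempted")
    print("sysopt connection permit-ipsec present:", has_permit_ipsec(SAMPLE_CONFIG))
```

Run it against the real config with the `x` placeholders restored; a clean run reports no entries and `True`.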
10-27-2003 10:01 AM
Thanks for the reply. Here is my setup, can you have a look at it?