Re: vpn tunnel is up but i cant ping the remote host

amn · ‎10-25-2003

hi ; i have created atunnel between two site ,the tunnel is up the two phase(isakmp,ipsec) is ok put i cant ping the other host from my peer the echo reply is not coming back . but from the other beer he can ping my host . the debug crypto ipsec sa show that the packts is encaps and encrpted but no decaps decrypt.

here is the debug

Aawpix(config)#

VPN Peer: ISAKMP: Added new peer: ip:192.44.158.68 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:192.44.158.68 Ref cnt incremented to:1 Total VPN Peers

:1

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block: src 192.44.158.68, dest 195.xx.xx.79

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 192.44.158.68, dest 195.xx.xx.79

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 192.44.158.68, dest 195.xx.xx.79

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -711630991:d5955f71IPSEC(key_

engine): got a queue event...

IPSEC(spi_response): getting spi 0x3cde9262(1021219426) for SA

from 192.44.158.68 to 195.xx.xx.79 for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

ISAKMP (0): sending INITIAL_CONTACT notify

crypto_isakmp_process_block: src 192.44.158.68, dest 195.xx.xx.79

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3583336305

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-SHA

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part

#1,

(key eng. msg.) dest= 192.44.158.68, src= 195.xx.xx.79,

dest_proxy= 155.128.147.1/255.255.255.255/0/0 (type=1),

src_proxy= 192.0.2.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 3583336305

ISAKMP (0): processing ID payload. message ID = 3583336305

ISAKMP (0): Creating IPSec SAs

inbound SA from 192.44.158.68 to 195.xx.xx.79 (proxy 155.128.147.

1 to 192.0.2.0)

has spi 1021219426 and conn_id 5 and flags 4

lifetime of 28800 seconds

lifetime of 4608000 kilobytes

outbound SA from 195.xx.xx.79 to 192.44.158.68 (proxy 192.0.2

.0 to 155.128.147.1)

has spi 1515122 and conn_id 6 and flags 4

lifetime of 28800 seconds

lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 195.xx.xx.79, src= 192.44.158.68,

dest_proxy= 192.0.2.0/255.255.255.0/0/0 (type=4),

src_proxy= 155.128.147.1/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-sha-hmac ,

lifedur= 28800s and 4608000kb,

spi= 0x3cde9262(1021219426), conn_id= 5, keysize= 0, flags= 0x4

IPSEC(initialize_sas): ,

(key eng. msg.) src= 195.xx.xx.79, dest= 192.44.158.68,

src_proxy= 192.0.2.0/255.255.255.0/0/0 (type=4),

dest_proxy= 155.128.147.1/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-sha-hmac ,

lifedur= 28800s and 4608000kb,

spi= 0x171e72(1515122), conn_id= 6, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:192.44.158.68 Ref cnt incremented to:2 Total VPN Peers:

1

VPN Peer: IPSEC: Peer ip:192.44.158.68 Ref cnt incremented to:3 Total VPN Peers:

1

return status is IKMP_NO_ERROR

l.cabral · ‎10-26-2003

You should post configuration too (without real addrresses and passwords). It looks like a NAT problem: did you set the "nat 0" command at both sides?

amn · ‎10-27-2003

User Access Verification

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname Aawpix

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list inside_outbound_nat0_acl permit ip any 192.168.x.0 255.255.255.128

access-list inside_outbound_nat0_acl permit ip any 192.168.x.0 255.255.255.192

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.26.128.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.26.130.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.26.18.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.38.0.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 143.5.5.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.118.56.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.119.85.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.125.115.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 155.128.147.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 192.229.19.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 192.44.100.x

access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 host 192.44.122.x

access-list outside_cryptomap_dyn_20 permit ip any 192.168.x.0 255.255.255.128

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.26.128.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.26.130.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.26.18.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.38.0.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.5.5.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.118.56.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.119.85.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.125.115.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 155.128.147.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 192.229.19.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 192.44.100.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 192.44.122.x

access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 host 143.26.130.x

pager lines 24logging on

logging monitor debugging

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full shutdown

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 195x.x.x 255.x.x.224

ip address inside 192.0.x.x 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool aawpool 192.168.x.1-192.168.x.100

ip local pool aawpooll2p 192.168.x2.1-192.168.x2.50

arp timeout 14400

global (outside) 1 195.x.x.82-195.x.x.94

global (outside) 1 195.x.x.81 netmask 255.255.255.255

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 192.0.2.0 255.255.255.0 0 0

static (inside,outside) 195.x.x.x 192.0.x.x netmask 255.255.255.255 0 0

static (inside,outside) 195.x.x.x 192.x.x.x netmask 255.255.255.255 0 0

conduit permit tcp host 195x.x.x eq www any

conduit permit tcp host 195.x.x.x eq pop3 any

conduit permit tcp host 195.x.x.x eq smtp any

conduit permit tcp host 195.x.x.x eq domain any

conduit permit tcp host 195.x.x.x eq imap4 any

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 195.226.x.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 192.44.158.x

crypto map outside_map 20 set transform-set ESP-DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp key xxxxxxxx address 192.44.158.68 netmask 255.255.255.255 no-xauth no-co

nfig-mode

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption des

isakmp policy 40 hash sha

isakmp policy 40 group 1

isakmp policy 40 lifetime 86400

vpngroup aawremote address-pool aawpool

vpngroup aawremote idle-time 1800

vpngroup aawremote password xxxxxxx

telnet timeout 5

ssh timeout 5

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication pap

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40

vpdn group PPTP-VPDN-GROUP client configuration address local aawpooll2p

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn enable outside

terminal width 80

Cryptochecksum:xxxx

: end

Aawpix#

d-garnett · ‎10-26-2003

"the debug crypto ipsec sa show that the packts is encaps and encrpted but no decaps decrypt"

it would appear your pix is properly sending out the packets but filtering them on the way back in. make sure you have allowed the ESP traffic back in within you ACL statements. also as the previous poster noted, make sure your nat is set up correctly.

2 main things to check

---Make sure ACL's are set to allow the proper traffic

(the src-dst LAN2LAN network ACL to apply to the Crypto Map and the ACL that defines who and what protocols are allowed to come into the Outside PIX interfaces UDP 500-IKE and IP 50-ESP)

---Make sure NAT is set up right

(don't NAT traffic between those 2 LANs)

also, i may be off course but if this is a LAN2LAN VPN, i noticed that you are only protecting 1 host on one side of your configuration (in the split tunnel ACLs) (?).

inbound SA from 192.44.158.68 to 195.xx.xx.79 (proxy 155.128.147.1 to 192.0.2.0)

outbound SA from 195.xx.xx.79 to 192.44.158.68 (proxy 192.0.2.0 to 155.128.147.1)

dest_proxy= 192.0.2.0/255.255.255.0/0/0 (type=4),

src_proxy= 155.128.147.1/255.255.255.255/0/0 (type=1),

also, when that one side is successful in pinging the other, are you sure that those icmp packets are being encrypted and decrypted (on both ends)?

amn · ‎10-27-2003

thanks for the reply ,here is my setup can you have alook at it

User Access Verification

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname Aawpix

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list inside_outbound_nat0_acl permit ip any 192.168.x.0 255.255.255.128

access-list inside_outbound_nat0_acl permit ip any 192.168.x.0 255.255.255.192

access-list inside_outbound_nat0_acl permit ip x.x.x.0 255.255.255.0 host 143.26.128.x