Cisco Support Community

New Member

Configure a VPN client and Site to Site VPN tunnel

Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been set up with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to the SiteA PIX it stops the VPN tunnel to SiteB. However, the client can connect and do as needed, so that part of my config is correct, but I cannot see why the site to site VPN tunnel is then no longer up.

SiteA config with working VPN tunnel to SiteB:

SITE A

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 webdmz security20

enable password xxx

passwd xxx

hostname SiteA-pix

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name 200.x.x.0 SiteA_INT

name 201.x.x.201 SiteA_EXT

name 200.x.x.254 PIX_INT

name 10.10.10.0 SiteB_INT

name 11.x.x.11 SiteB_EXT

access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0

access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0

access-list acl_inside permit icmp any any

access-list acl_inside permit ip any any

access-list acl_outside permit ip any any

access-list acl_outside permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu webdmz 1500

ip address outside SiteA_EXT 255.x.x.128

ip address inside PIX_INT 255.255.0.0

no ip address webdmz

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

route outside 0.0.0.x.x.0.0 201.201.201.202 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer SiteB_EXT

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

SiteA-pix(config)#

The lines I add for Cisco VPN clients are attached.

I entered each line one by one and did a reload and sh crypto map; all was OK until I entered the crypto map VPNPEER lines.

Anyone have any ideas what this can be?

Thanks

19 REPLIES
Cisco Employee

Re: Configure a VPN client and Site to Site VPN tunnel

Hi,

Instead of adding this

crypto map VPNPEER 30 ipsec-isakmp dynamic DYNOMAP

crypto map VPNPEER client authentication RADIUS

crypto map VPNPEER interface outside

Add this:

crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP

crypto map outside_map client authentication RADIUS

crypto map outside_map interface outside

You can have only one crypto map name applied to an interface but different sequence numbers.

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

Hi, I made the changes and I can see by doing sh isakmp sa that the site to site tunnel stays up. The VPN client connection and inside IAS server authenticate me in my domain, but it stops at "Securing Communication Channel". I remember this from ages ago but cannot remember how I resolved it.

Any ideas?

thanks

Cisco Employee

Re: Configure a VPN client and Site to Site VPN tunnel

Martin,

Can you post the PIX configuration after you made the changes? And also the outputs of "deb cry is" and "deb cry ips" from the PIX and logs from the VPN Client.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

Here's my config:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 webdmz security20

enable password xxx

passwd xxx

hostname SiteA-pix

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name 200.x.x.0 SiteA_INT

name 201.x.x.201 SiteA_EXT

name 200.x.x.254 PIX_INT

name 10.10.10.0 SiteB_INT

name 11.11.11.11 SiteB_EXT

access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0

access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0

access-list acl_inside permit icmp any any

access-list acl_inside permit ip any any

access-list acl_outside permit ip any any

access-list acl_outside permit icmp any any

access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0

pager lines 24

mtu outside 1500

mtu inside 1500

mtu webdmz 1500

ip address outside SiteA_EXT 255.255.255.128

ip address inside PIX_INT 255.255.0.0

no ip address webdmz

ip audit info action alarm

ip audit attack action alarm

ip local pool pix_inside 200.x.x.100-200.220.200.150

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

route outside 0.0.0.0 0.0.0.x.x.201.202 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set AAADES esp-3des esp-md5-hmac

crypto dynamic-map DYNOMAP 10 match address 80

crypto dynamic-map DYNOMAP 10 set transform-set AAADES

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer SiteB_EXT

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP

crypto map outside_map client authentication RADIUS

crypto map outside_map interface outside

isakmp enable outside

isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

vpngroup Remote address-pool pix_inside

vpngroup Remote dns-server 200.200.200.20

vpngroup Remote wins-server 200.200.200.20

vpngroup Remote default-domain mycorp.co.uk

vpngroup Remote idle-time 1800

vpngroup Remote password password

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

I will attach debug output later today.

Thanks

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

Here's the debug from the PIX from the deb cry is command; the VPN client produced no logging.

thanks

Cisco Employee

Re: Configure a VPN client and Site to Site VPN tunnel

Hi Marty,

Is this issue resolved? If not, can you please let me know if you can send me the VPN client logs.

Thanks

Gilbert

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

Hi Gilbert, still not resolved. Still stopping at the securing communications channel. The VPN client does not capture any logs.

I am getting authenticated by the RADIUS and domain controller inside the network. If I do sh isakmp sa I see that the site to site tunnel is still up and the tunnel to the remote client IP address is also listed.

Thanks

Cisco Employee

Re: Configure a VPN client and Site to Site VPN tunnel

Send me an email at ggilbert@cisco.com.

We can catch up from there.

Regards,

Gilbert

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

OK, I captured a VPN client log entry:

1 20:38:27.937 12/11/06 Sev=Warning/3 IKE/0xE3000002

Function initialize_qm failed with an error code of 0x00000000(INITIATE:650)

Cisco Employee

Re: Configure a VPN client and Site to Site VPN tunnel

Marty -

Can you try to use the new version of the VPN client instead of the 3.6 version and see what happens?

Thanks

Gilbert

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

Can this be downloaded from the Cisco site? My account has guest rights only.

Cisco Employee

Re: Configure a VPN client and Site to Site VPN tunnel

It's cryptographic software.

Your account should be tied to a contract in order to download this software.

Gilbert

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

No, same thing with it, Securing communication channel...

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

OK, some success here.

I can connect with the VPN client now and the site to site tunnel remains up. I'm assigned an IP address from the address pool 200.220.200.1xx, BUT what I cannot do from my remote client is ping or connect to any inside host, e.g. 200.200.200.10.

I found that the line crypto dynamic-map dynmap 10 match address 80 would break the site to site tunnel, so I left it out.

The config is attached

Thanks for any help

Re: Configure a VPN client and Site to Site VPN tunnel

Well done, one more step needed:

Add the communication between 200.220.200.x and 200.200.200.x to NAT 0, i.e.:

access-list inside_outbound_nat0_acl permit ip 200.220.200.0 255.255.255.0 200.200.200.0 255.255.255.0

Please rate if this helped.

Regards,

Daniel
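Daniel's fix can be checked mechanically before a reload. What follows is an added example written for this thread, not code from the thread or from Cisco: a small Python model of how a PIX 6.x decides whether an inside-to-outside flow is exempt from translation by the nat (inside) 0 access-list. The sample configuration lines are constructed from the SiteA config posted above; the anonymised SiteA_INT network is assumed to be 200.200.0.0/16 (inside hosts such as 200.200.200.10 appear in the thread) and the client pool 200.220.200.0/24 is taken from Daniel's line. Both assumptions are marked in the code.

```python
"""Model of the PIX 6.x 'nat (inside) 0 access-list' exemption (added example for
this thread, not Cisco code). Handles the 'permit ip <net> <mask> <net> <mask>'
and 'any' ACL forms only."""
import ipaddress

# Constructed sample from the SiteA config in this thread. The anonymised
# SiteA_INT network is ASSUMED to be 200.200.0.0/16; SiteB_INT is 10.10.10.0/24
# as posted.
BEFORE = """
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip 200.200.0.0 255.255.0.0 10.10.10.0 255.255.255.0
"""

# Daniel's extra entry: exempt inside hosts talking to the VPN client pool 200.220.200.0/24.
AFTER = BEFORE + (
    "access-list inside_outbound_nat0_acl permit ip "
    "200.200.0.0 255.255.0.0 200.220.200.0 255.255.255.0\n"
)


def _operand(tokens):
    """Parse one ACL address operand; returns (network, tokens consumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2


def parse_acl(config_text, acl_name):
    """Collect (src, dst) networks from 'access-list <name> permit ip ...' lines."""
    rules = []
    for line in config_text.splitlines():
        t = line.split()
        if t[:2] == ["access-list", acl_name] and t[2:4] == ["permit", "ip"]:
            src, used = _operand(t[4:])
            dst, _ = _operand(t[4 + used:])
            rules.append((src, dst))
    return rules


def nat0_acl_name(config_text):
    """Return the ACL referenced by 'nat (inside) 0 access-list <name>', or None."""
    for line in config_text.splitlines():
        t = line.split()
        if t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) > 4:
            return t[4]
    return None


def nat_decision(config_text, src_ip, dst_ip):
    """'exempt' if the inside-to-outside flow matches the nat 0 ACL, else 'translated'
    (the flow would be handed to a global pool and leave with a translated address)."""
    acl = nat0_acl_name(config_text)
    if acl is None:
        return "translated"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(s in src and d in dst for src, dst in parse_acl(config_text, acl)):
        return "exempt"
    return "translated"


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "inside -> SiteB   :", nat_decision(cfg, "200.200.200.10", "10.10.10.5"))
        print(label, "inside -> VPN pool:", nat_decision(cfg, "200.200.200.10", "200.220.200.105"))
```

Without the second entry, the reply from 200.200.200.10 to a pool address is not exempt; the PIX applies translation before it consults the crypto map, so a translated reply no longer matches the client's SA and never goes back through the tunnel. With the entry the source address is kept and the reply matches. The model only distinguishes exempt from not exempt: the posted config shows global (outside) 1 but not the nat (inside) 1 statement that would pair with it.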

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

Daniel, thanks, that's done it. I've changed the IP pool slightly but this access-list allows ping from remote client to inside PCs.

Is there an alternative to RADIUS, like using anonymous or a local PC username to connect rather than a domain account?

Cheers

Re: Configure a VPN client and Site to Site VPN tunnel

Hi,

just replace:

crypto map outside_map client authentication RADIUS

with

crypto map outside_map client authentication LOCAL

and make sure you add some local users on the PIX:

username aaaa password aaaa

Please rate if this helped.

Cheers,

Daniel

New Member

Re: Configure a VPN client and Site to Site VPN tunnel

Daniel, perhaps you can help me out as well as I have a similar problem with a project that I've just inherited. I'm using a PIX 515 with 6.3(5) at my primary location and I have a PIX 501 with 6.3(5) at a remote location. I have a VPN tunnel up between both locations which partly works, and individuals are able to connect to the 515 with the VPN client installed on laptops, but I'm having some problems. First, I can map drives to the machine at the remote location and I can ping it from the primary location, but I cannot start a remote desktop session or a VNC session (both of which are enabled) across the network. The machine at the remote site is also having problems connecting to a mainframe application that runs on a specific TCP port. Can you offer me any suggestions on how to troubleshoot the connection? I've attached a copy of my config file here at the primary location.

Thanks!

Re: Configure a VPN client and Site to Site VPN tunnel

Hi,

Sometimes you have problems with VPNs if both remote access and site to site are configured on the same machine.

Try adding the command:

isakmp key ******** address abc.abc.abc.abc netmask 255.255.255.255 no-xauth no-config-mode

If this doesn't work, the problem might be the MTU.

You can lower the MTU setting on both PIX inside interfaces to 1400 and give it a try.

Please rate if this helped.

Regards,

Daniel
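Two rules from this thread are worth checking before a reload: Arul's point that only one crypto map name can be applied to an interface (a later crypto map ... interface line replaces the earlier binding, which is what took the SiteB tunnel down), and Daniel's point that the static peer's isakmp key needs no-xauth no-config-mode once client authentication shares the map. The lint below is an added example written for this thread, not Cisco code or any poster's; it parses only the crypto map and isakmp key forms that appear above. The two sample configs are constructed from the original VPNPEER attempt and Arul's corrected version. It also warns when a dynamic entry carries a lower sequence number than a static one, which goes beyond what the thread discusses.

```python
"""Lint for PIX 6.x crypto map / isakmp key interplay (added example for this
thread; not Cisco code). Only the command forms seen in the thread are parsed."""
from collections import defaultdict

# Constructed sample: the poster's first attempt, binding a second map name to outside.
ORIGINAL_ATTEMPT = """
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
crypto map VPNPEER 30 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication RADIUS
crypto map VPNPEER interface outside
"""

# Constructed sample: the same lines after Arul's fix (one map name, two sequence numbers).
AFTER_FIX = ORIGINAL_ATTEMPT.replace("crypto map VPNPEER", "crypto map outside_map")


def lint_crypto_config(config_text):
    """Return a list of findings (an empty list means the checks passed)."""
    entries = defaultdict(dict)  # (map name, seq) -> {"dynamic": bool, "peer": str}
    bound = {}                   # interface -> map name; the last binding wins, as on the PIX
    replaced = []                # (old map, new map, interface) when a binding is overwritten
    client_auth = set()          # map names carrying "client authentication"
    key_flags = {}               # peer -> subset of {"no-xauth", "no-config-mode"} on its key
    for line in config_text.splitlines():
        t = line.split()
        if t[:2] == ["crypto", "map"] and len(t) >= 5:
            name = t[2]
            if t[3] == "interface":
                if bound.get(t[4], name) != name:
                    replaced.append((bound[t[4]], name, t[4]))
                bound[t[4]] = name
            elif t[3:5] == ["client", "authentication"]:
                client_auth.add(name)
            elif t[3].isdigit():
                entry = entries[(name, int(t[3]))]
                if t[4] == "ipsec-isakmp":
                    entry["dynamic"] = "dynamic" in t[5:]
                elif t[4:6] == ["set", "peer"] and len(t) > 6:
                    entry["peer"] = t[6]
        elif t[:2] == ["isakmp", "key"] and "address" in t:
            peer = t[t.index("address") + 1]
            key_flags[peer] = set(t) & {"no-xauth", "no-config-mode"}

    findings = []
    for old, new, iface in replaced:
        findings.append(f"'crypto map {new} interface {iface}' replaces {old} on {iface}: "
                        "only one crypto map name can be applied per interface, so the "
                        f"{old} entries and their tunnels are no longer active")
    applied = set(bound.values())
    for (name, seq), entry in entries.items():
        if name not in applied:
            findings.append(f"crypto map {name} {seq} is not applied to any interface")
        elif not entry.get("dynamic") and entry.get("peer") and name in client_auth:
            # A static peer sharing a map that does xauth needs the opt-out on its key.
            missing = {"no-xauth", "no-config-mode"} - key_flags.get(entry["peer"], set())
            if missing:
                findings.append(f"isakmp key for peer {entry['peer']} lacks "
                                f"{' '.join(sorted(missing))}; the PIX will try xauth/"
                                "mode-config against the site-to-site peer")
    for name in {n for n, _ in entries}:
        static = [s for (n, s), e in entries.items() if n == name and not e.get("dynamic")]
        dynamic = [s for (n, s), e in entries.items() if n == name and e.get("dynamic")]
        if static and dynamic and min(dynamic) < max(static):
            findings.append(f"crypto map {name}: dynamic entry {min(dynamic)} should have a "
                            f"higher sequence number than the static entries (max {max(static)})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original attempt", ORIGINAL_ATTEMPT), ("after fix", AFTER_FIX)):
        print(label, "->", lint_crypto_config(cfg) or "no findings")
```

Run against the original attempt it reports that VPNPEER replaced outside_map on the outside interface and that outside_map 20 is no longer applied; against the corrected config it is silent. Dropping the no-xauth no-config-mode keywords from the SiteB key produces the third kind of finding, which is the situation Daniel's last reply addresses.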
