Cisco PIX 515E to SRP527W IPSec VPN issue

Hi,

I have a Cisco PIX 515E (7.1(2)) and a Cisco SRP527W (1.01.29 (002)), and I am trying to connect them via an IPSec L2L VPN.

When I ping from a device at either end of the VPN, the link tries to come up with:

Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_WAIT_MSG6

 

If I use the SRP VPN status feature (which brings up the tunnel), the PIX side shows the tunnel as active and OK. As soon as I ping from the LAN, it fails with MSG6.

 

Logs show:

Sep 30 12:20:00 [IKEv1]: IP = *.*.*.*, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Sep 30 12:20:00 [IKEv1 DEBUG]: IP = *.*.*.*, processing ke payload
Sep 30 12:20:00 [IKEv1 DEBUG]: IP = *.*.*.*, processing ISA_KE payload
Sep 30 12:20:00 [IKEv1 DEBUG]: IP = *.*.*.*, processing nonce payload
Sep 30 12:20:00 [IKEv1]: IP = *.*.*.*, Connection landed on tunnel_group *.*.*.*
Sep 30 12:20:00 [IKEv1 DEBUG]: Group = *.*.*.*, IP = *.*.*.*, Generating keys for Initiator...
Sep 30 12:20:00 [IKEv1 DEBUG]: Group = *.*.*.*, IP = *.*.*.*, constructing ID payload
Sep 30 12:20:00 [IKEv1 DEBUG]: Group = *.*.*.*, IP = *.*.*.*, constructing hash payload
Sep 30 12:20:00 [IKEv1 DEBUG]: Group = *.*.*.*, IP = *.*.*.*, Computing hash for ISAKMP
Sep 30 12:20:00 [IKEv1 DEBUG]: Group = *.*.*.*, IP = *.*.*.*, constructing dpd vid payload
Sep 30 12:20:00 [IKEv1]: IP = *.*.*.*, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 104

BEFORE ENCRYPTION
ISAKMP Header
  Initiator COOKIE: 1d 87 ad e6 4e 69 a0 93
  Responder COOKIE: 1e c9 74 f5 26 c1 b4 55
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 469762048
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 32
    ID Type: FQDN (2)
    Protocol ID (UDP/TCP, etc...): 0
    Port: 0
    ID Data: FWL-CHEP.txo-systems.com
  Payload Hash
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      e2 c8 ad 6d 39 7f cc a8 f8 4c 4c bc c9 ee 40 aa
      7f c5 d9 0d
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00

ISAKMP Header
  Initiator COOKIE: 1d 87 ad e6 4e 69 a0 93
  Responder COOKIE: 1e c9 74 f5 26 c1 b4 55
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 108

RECV PACKET from *.*.*.*
ISAKMP Header
  Initiator COOKIE: 1d 87 ad e6 4e 69 a0 93
  Responder COOKIE: 1e c9 74 f5 26 c1 b4 55
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 2D639847
  Length: 68

ISAKMP Header
  Initiator COOKIE: 1d 87 ad e6 4e 69 a0 93
  Responder COOKIE: 1e c9 74 f5 26 c1 b4 55
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 108

RECV PACKET from *.*.*.*
ISAKMP Header
  Initiator COOKIE: 1d 87 ad e6 4e 69 a0 93
  Responder COOKIE: 1e c9 74 f5 26 c1 b4 55
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 98341399
  Length: 68

RECV PACKET from *.*.*.*
ISAKMP Header
  Initiator COOKIE: 1d 87 ad e6 4e 69 a0 93
  Responder COOKIE: 1e c9 74 f5 26 c1 b4 55
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      58 66 f5 73 4e 52 2b ac 64 32 91 f3 20 30 86 71
      f8 98 a4 e8 e8 1a 21 dd 55 a0 86 b3 f4 31 b7 79
      b1 2c 78 e9 b1 df aa bb 7f c2 a8 61 e4 b5 bf 0b
      58 98 bb 61 6d 31 64 a8 40 e6 16 01 23 74 3c 35
      27 d3 fb 48 53 7b 4c ca 36 c0 21 ea 6e cd f3 a1
      78 c9 83 43 6d bf 26 8b fd f7 76 66 8a 1f 5c 09
      2a d0 0e 5a 0b 94 38 ce 49 a6 ea ae fe 88 bd 6a
      94 9c c3 a4 ce d7 63 09 49 bb 23 64 02 1e cc 24
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
      ce 67 5c 4c 5a 7a 4a 84 18 f9 c6 d2 a5 0b 10 6c
Sep 30 12:20:11 [IKEv1]: Group = *.*.*.*, IP = *.*.*.*, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 30 12:20:11 [IKEv1]: Group = *.*.*.*, IP = *.*.*.*, P1 Retransmit msg dispatched to MM FSM

ISAKMP Header
  Initiator COOKIE: 1d 87 ad e6 4e 69 a0 93
  Responder COOKIE: 1e c9 74 f5 26 c1 b4 55
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 108

RECV PACKET from *.*.*.*
ISAKMP Header
  Initiator COOKIE: 1d 87 ad e6 4e 69 a0 93
  Responder COOKIE: 1e c9 74 f5 26 c1 b4 55
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 1A9B7ED1
  Length: 68

PIX config:

access-list TO-BR extended permit ip 192.168.10.0 255.255.255.248 192.168.70.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.248 192.168.70.0 255.255.255.0

crypto ipsec transform-set TO-BR esp-des esp-sha-hmac
crypto map txovpn 10 match address TO-BR
crypto map txovpn 10 set pfs
crypto map txovpn 10 set peer *.*.*.*
crypto map txovpn 10 set transform-set TO-BR
crypto map txovpn interface outside
isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
 pre-shared-key *

 

SRP527W config:

IKE Policy
  1  TO-UK

IKE Details
  Name                              Value
  Policy Name                       TO-UK
  Exchange Mode                     Main
  Encryption Algorithm              DES
  Authentication Algorithm          SHA-1
  Diffie-Hellman (DH) Group         Group 2 (1024 bit)
  Auto Pre-Shared Key               **********
  Enable Dead Peer Detection        Disable
  DPD Interval
  DPD Timeout
  XAUTH client enable               Disable
  User Name
  Password

IPSec Policy
  1  TO-UK
  NAT-T Enable: Disabled

IPSec Details
  Name                              Value
  Status                            Enable
  Policy Name                       TO-UK
  Local Group Type                  IP Address & Subnet
  Local Group IP Address            192.168.70.0
  Local Group IP Subnet             255.255.255.0
  Remote Endpoint                   IP Address
  Remote security gateway address   *.*.*.*
  Remote security domain name
  Remote group type                 IP Address & Subnet
  Remote group IP                   192.168.10.0
  Remote group Subnet Mask          255.255.255.0
  Encrypted algorithm               DES
  Integrity algorithm               SHA-1
  Police type                       Auto
  Manual encryption key
  Manual auth key
  Inbound SPI
  Outbound SPI
  PFS                               Enable
  Key life time                     28800
  Now using IKE police              TO-UK
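To make the debug output above easier to read, here is an added example (not from the original post or from either Cisco device) that decodes the 28-byte ISAKMP header fields the PIX prints and names the stall pattern visible in the log: an encrypted MM5 (ID + HASH) answered by an encrypted Informational instead of MM6. The cookie and field values are constructed from the dump above; the diagnosis text is the usual rule of thumb for that pattern, not a verdict on this particular tunnel.

```python
import struct

# ISAKMP fixed header: 28 bytes, network byte order (RFC 2408 section 3.1).
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "Identity Protection (Main Mode)", 5: "Informational"}
PAYLOAD = {0: "None", 4: "Key Exchange", 5: "Identification", 8: "Hash",
           10: "Nonce", 13: "Vendor ID"}
FLAG_ENCRYPTION = 0x01

def parse_header(raw):
    """Decode the fields the PIX debug prints under 'ISAKMP Header'."""
    i_cky, r_cky, np, ver, xchg, flags, msgid, length = HDR.unpack(raw[:28])
    return {"initiator_cookie": i_cky.hex(), "responder_cookie": r_cky.hex(),
            "next_payload": PAYLOAD.get(np, str(np)),
            "version": "%d.%d" % (ver >> 4, ver & 0x0F),
            "exchange": EXCHANGE.get(xchg, str(xchg)),
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            "message_id": "%08X" % msgid, "length": length}

def build_header(i_cky, r_cky, np, xchg, flags, msgid, length):
    return HDR.pack(bytes.fromhex(i_cky), bytes.fromhex(r_cky),
                    np, 0x10, xchg, flags, msgid, length)

# Constructed from the cookies and field values in the debug output above.
I_CKY, R_CKY = "1d87ade64e69a093", "1ec974f526c1b455"
MM5_SENT = build_header(I_CKY, R_CKY, 5, 2, FLAG_ENCRYPTION, 0, 108)
INFO_RECV = build_header(I_CKY, R_CKY, 8, 5, FLAG_ENCRYPTION, 0x2D639847, 68)

def diagnose(sent, received):
    """Explain a Main Mode stall from the last header we sent and the reply."""
    s, r = parse_header(sent), parse_header(received)
    if (s["initiator_cookie"], s["responder_cookie"]) != \
            (r["initiator_cookie"], r["responder_cookie"]):
        return "cookies differ: the reply belongs to a different ISAKMP SA"
    if (s["exchange"] == EXCHANGE[2] and s["next_payload"] == "Identification"
            and r["exchange"] == "Informational" and r["encrypted"]):
        return ("MM5 (ID+HASH) answered by an encrypted Informational, not MM6: "
                "the responder rejected our identity or authentication; compare "
                "the pre-shared key and the ID type expected on both peers")
    return "no known stall pattern"

def fixed_header_size_from_misprint(value):
    """'Length: 469762048' in the BEFORE ENCRYPTION dump is 0x1C000000; read in
    the other byte order it is 28, the fixed header size not yet filled in."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")

if __name__ == "__main__":
    print(parse_header(INFO_RECV))
    print(diagnose(MM5_SENT, INFO_RECV))
```

Two details in the posted configs are worth comparing against what the diagnosis asks for: the PIX sends its identity as an FQDN (FWL-CHEP.txo-systems.com) while the SRP policy's Remote Endpoint is set to IP Address, and the PIX access lists use a /29 for 192.168.10.0 where the SRP remote group uses a /24, which matters for Phase 2 once Phase 1 completes.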
