Dynamic L2L VPN on a PIX 525

jimerino
Level 1

I've a PIX 525 with the new 7.0.4 software version.

I try to do a VPN connection using a SOHO client with a pre-shared key, 3DES, MD5 and aggressive mode with Diffie-Hellman group 1.

I've tried everything and always get the following message when I debug:

[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list

[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE AM Responder FSM error history (struct &0x3841238) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_CHK_PROPOSAL-->AM_BLD_MSG2, EV_TEST_CERT-->AM_BLD_MSG2, EV_SECRET_KEY_OK

[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE SA AM:99290bd9 terminating: flags 0x0100c001, refcnt 0, tuncnt 0

[IKEv1 DEBUG]: sending delete/delete with reason message

[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Removing peer from peer table failed, no match!

Sep 13 12:54:12 [IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Error: Unable to remove PeerTblEntry

The tunnel policy is dynamic because the router client ip will be dynamic.

My questions: Why is the DefaultRAGroup involved if I try to get an L2L tunnel? How can I get a dynamic tunnel so that the group policy applied is the DefaultL2LGroup?

How can I avoid xauth in that configuration?

Thanks in advance,

Jose I. Merino

18 Replies

franzin
Level 1

Hi Jose

I am having this problem. Did you solve it?

Can you help me?

Thanks in advance

Oswaldo Franzin

Yes, put the blame on PIX software 7.0 version.

Downgrade to 6.3 version and the problems will vanish.

Hi Jose

I noticed your answer only today.

Thank you very much, and YES I DID IT!!!!

By the way, I think that there is a simple solution for it!

I did hundreds of tests using all kinds of configurations with no success. Something is wrong! This feature is very common and used widely in VPNs with ADSL and cable, and there are very few persons asking for help or a solution.

I'm just now with a PIX-515E v.7.2 for tests during the next 2 weeks. If I get some results I'll inform you as soon as it works.

Thanks again

Franzin

Yes, it's a very common problem in a hub and spoke solution.

The key is that the new 7.x version doesn't support the client wild-card. I mean, the "isakmp key address 0.0.0.0 netmask 0.0.0.0" command to accept any VPN client isn't supported (at least in the 7.0 version; I don't know if it is supported in the new 7.2 version).

You can do a spoke and hub configuration in the 7.x version but only if you know the IP of all your VPN clients, writing an isakmp key entry for each VPN client with its IP address.

This is a good example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

What happens with a client with a dynamic IP? I think that Cisco considers it impossible to have a "hardware" VPN client (ADSL or cable) with a dynamic IP, because you can only configure those clients with a soft VPN client.

In my firm we need the 525 to give access to approx. 400 VPN clients. The configuration is a 525 with another 525 failover unit. All the clients have a fixed IP address, but I don't think that writing 400 times "isakmp key cisco123 address netmask 255.255.255.255" (or the new command in 7.x version "crypto map mymap set peer ") would be a great idea.

Why does Cisco punish me by writing the same phrase 400 times? I don't know. I'm not Bart Simpson writing on the blackboard "I will not burp in class".

The VPN hub is in production and (obviously) I can't make any test (if not, my boss will punish me by writing on the blackboard 10,000 times (or more) "I will not play with a system in production").

In a month (I hope) there will be a new backup system and I can play with it freely. I promise to install the 7.2 PIX software version and I'll try it.

Then if you need the PIX for a configuration like mine (lots of VPN clients) or you have VPN clients with a dynamic IP, think again before using the 7.x version.

Hi Jose

As I had mentioned, I prepared a PIX 515E v.7.2(1) at my lab and tried during Monday and Tuesday to get the right configuration to permit dynamic tunnels for site-to-site connections.

In my case, we use DLink (DI-804HV) and Nortel (Contivity 100) as remote VPN devices and PIX 515E as concentrators. We have 120 tunnels, most of them using ADSL access with dynamic public IP. We also have 80 users that can connect through the Cisco VPN Client using notebooks or desktops.

As you have mentioned, the problem in establishing a tunnel with a non-configured remote IP peer was that DefaultRAGroup takes precedence over the correct DefaultL2LGroup. After some (exhaustive) tests, I got success using the command:

tunnel-group-map default-group DefaultL2LGroup

which changes the precedence of the group maps, giving DefaultL2LGroup the higher precedence.

It worked fine with 5 tunnels using 8 different public IPs on remote sites. I think that this solved the problem. The Cisco Client works fine also, using the correct group map. I didn't test this configuration with other clients (Microsoft).

By the way, I have noticed that:

1. PIX v.7.x is much more restrictive in closing tunnels with non-Cisco devices. With DLINK, only using PFS Group2 did I get success on ISAKMP negotiation.

2. The use of IPSEC over TCP (port 10000) works fine, but in some Windows desktops I needed to shut down the MS firewall (but not in all).

3. Aggressive mode of the DI-804HV didn't work with PIX v.7.x

I tested also, the url-server configuration, inspection (IM inspection) and HTTP authorization. New problems come up:

1. If I include the IM inspection in the default policy, all HTTP traffic wasn't tested. Websense was active and up, but no queries were sent from the PIX to the Websense server.

2. Configuring a new inspection map and applying it to the outside interface, IM was inspected and only users configured in a regex login-name had access. BUT large packets (more than 1400 bytes) from FTP, telnet, ssh and remote desktop over tunnels stopped working and the sessions dropped. Eliminating IM inspection, everything returned to working fine.

3. Using HTTP authorization through PIX with a RADIUS Server, it works fine. But the session ends with the timeout xlate (10 minutes on tests). If you increase this time, you will increase your memory usage with xlate contexts.

So, for my point of view:

1. Use of inspection has performance problems and a lot of side effects.

2. Integration with Websense works fine.

3. HTTP authorization can consume too much memory and users will become very nervous.

4. VPN works like version 6.3.5 (lan-to-lan) and IPSEC over TCP will solve a lot of problems due to the fact that in Brazil ISPs are filtering or reducing the priority of UDP traffic (to avoid VoIP).

That's all.

Thank you for your help, and if you desire more information send an e-mail.

Franzin

Hi Franzin,

You're a great help. Thanks for sharing the results of your tests. I've been struggling to make the VPN link between a hub site with a PIX 515-E (with static link) and a spoke site with an 1841 (dynamic link (ADSL)).

Just added the line (which I guess is the key to make this work) and the pre-shared key and boom, the link is back. If it's possible to rate 10, I would for this post.

tunnel-group-map default-group DefaultL2LGroup

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *********

Thanks once again.

Archie

I configured as per your template and I am getting the attached debug message. It seems to process the L2L default group and pass Phase 1 successfully, but then doesn't end cleanly. Any ideas?

I substituted my remote firewall (PIX-501) outside interface address (DHCP client) with xx.xx.xx.xx for security reasons.

Thanks in advance,

Sam

Hello, looking through your logs:

Sep 27 17:38:08 [IKEv1]: Group = DefaultL2LGroup, IP = XX.XX.XX.XX, All IPSec SA proposals found unacceptable!

Looks to me like you don't have the same settings on both sides; check that you're using the same transform sets.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 10 match address vpn-acl-site1

crypto map outside_map 10 set peer x.x.x.x

crypto map outside_map 10 set transform-set ESP-3DES-MD5

You are correct. I had dynamic map with 2 instances. e.g.

crypto dynamic-map client-vpn 98 set transform-set aes256-sha 3des-sha

crypto dynamic-map client-vpn 99 set transform-set 3des-sha

My dynamic map was using 3des-sha, which was lower in priority and never getting evaluated. I changed it to a single entry like below and it worked after that.

crypto dynamic-map client-vpn 98 set transform-set aes256-sha 3des-sha

This one is solved.

I have another firewall where it keeps evaluating against the default RA group for some reason. My config and debug are as below.

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group-map default-group DefaultL2LGroup

Sanitized DEBUG:

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Cisco Unity client VID

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 000000a5)

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing NAT-Discovery payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing NAT-Discovery payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing NAT-Discovery payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing NAT-Discovery payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash

Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, Connection landed on tunnel_group DefaultRAGroup

Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Generating keys for Responder...

Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64

Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, processing ID payload

Oct 12 12:47:34 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, ID_IPV4_ADDR ID received

xx.xx.xx.xx

Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, processing hash payload

Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Computing hash for ISAKMP

Oct 12 12:47:34 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, Connection landed on tunnel_group DefaultRAGroup

Oct 12 12:47:34 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Freeing previously allocated memory for authorization-dn-attributes

Any ideas?
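A small triage script, added here as an illustration and not part of the thread or of any Cisco tool, that walks IKEv1 debug lines like the ones quoted above and reports, per peer, which tunnel-group the connection landed on and which of the two symptoms discussed in this thread appeared; the line format is assumed from the pasted debugs, and the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Matches PIX/ASA 7.x IKEv1 debug lines, with or without a syslog timestamp
# and with or without the "Group = ..." field (format assumed from the thread).
LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d+\s+[\d:]+\s+)?\[IKEv1(?: [A-Z]+)?\]:\s*"
    r"(?:Group = [^,]+,\s*)?IP = (?P<ip>[^,]+),\s*(?P<msg>.*)$"
)
LANDED_RE = re.compile(r"Connection landed on tunnel_group (\S+)")

# Symptoms seen in the thread, mapped to the fix the thread arrived at.
XAUTH = "Xauth required but selected Proposal does not support xauth"
SYMPTOMS = {
    XAUTH: "peer matched the remote-access group; set "
           "'tunnel-group-map default-group DefaultL2LGroup'",
    "All IPSec SA proposals found unacceptable":
        "phase 2 mismatch; align transform sets and check which "
        "dynamic-map entry is evaluated first",
}

def triage(lines):
    """Return {peer_ip: {"groups": [...], "findings": [...]}} for a debug."""
    report = defaultdict(lambda: {"groups": [], "findings": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IKEv1 line, e.g. the bare ID line in the debug
        entry, msg = report[m.group("ip")], m.group("msg")
        landed = LANDED_RE.search(msg)
        if landed:
            entry["groups"].append(landed.group(1))
        for symptom, hint in SYMPTOMS.items():
            if symptom in msg and hint not in entry["findings"]:
                entry["findings"].append(hint)
    # A peer that only ever lands on DefaultRAGroup has the thread's core
    # problem even when the explicit xauth error line is not in the capture.
    for entry in report.values():
        only_ra = set(entry["groups"]) == {"DefaultRAGroup"}
        if only_ra and SYMPTOMS[XAUTH] not in entry["findings"]:
            entry["findings"].append(SYMPTOMS[XAUTH])
    return dict(report)

# Constructed sample modelled on the debug output quoted in this thread.
SAMPLE = """\
Oct 12 12:47:34 [IKEv1]: IP = 203.0.113.7, Connection landed on tunnel_group DefaultRAGroup
Oct 12 12:47:34 [IKEv1]: IP = 203.0.113.7, Connection landed on tunnel_group DefaultRAGroup
Sep 27 17:38:08 [IKEv1]: Group = DefaultL2LGroup, IP = 198.51.100.9, All IPSec SA proposals found unacceptable!
"""
```

Run `triage(SAMPLE.splitlines())` to get the per-peer report; feeding it the full `debug crypto isakmp` capture works the same way.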

Hello,

Is this supposed to be a dynamic VPN on this firewall, and which device is this debug from?

Patrick

Debug is from the ASA5520 that terminates dynamic lan-to-lan tunnels. PIX 6.3.5 code always worked because of its support for the isakmp key ****** 0.0.0.0 capability. ASAs are really a pain for dynamic VPNs.

I was able to get something similar to this working a while back. The one thing was that it took 8-10 minutes for the tunnel to come up. It would continue to land on DefaultRAGroup for a while until it finally landed on the L2L group and the tunnel came up.

Patrick Laidlaw
Level 4

Hello,

Well, it sounds like you're trying to do an EZVPN, which requires these things. Without seeing your full config I would not really be able to tell you what's going on.

Here is a link to setup ezvpn.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

There is another way to do the L2L with a dynamic ip address on the remote end but I don't have time to go into that right this second.

Patrick

Patrick,

Thanks a lot for the link. What I am trying to achieve is dynamic-to-static ipsec VPN not ezvpn. Below is an example link. I need equivalent of this on the ASA working.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

Whenever you have time, I would appreciate any information on the other way you just mentioned.

My sanitized config is attached.