Community Member

IPSec between PIX devices

Hi guys, I am trying to create an IPSec tunnel between a 515 and a 506.

Obviously it isn't working, otherwise I wouldn't be here :)

The 515 has these entries for the tunnel:

crypto map melbMap 22 ipsec-isakmp
crypto map melbMap 22 match address 22
crypto map melbMap 22 set peer 10.43.136.10
crypto map melbMap 22 set transform-set DSAT_CCIS_SYDset
crypto map melbMap 22 set security-association lifetime seconds 10800 kilobytes 4608000
crypto ipsec transform-set DSAT_CCIS_SYDset esp-des esp-sha-hmac

There is also an isakmp key for the peer.

On the 506 I have this:

access-list NONAT permit ip 172.17.217.0 255.255.255.0 172.29.152.0 255.255.255.0
crypto ipsec transform-set melboffice esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 10800
crypto map sydoffice 20 ipsec-isakmp
crypto map sydoffice 20 match address NONAT2
crypto map sydoffice 20 set peer 210.8.162.2
crypto map sydoffice 20 set transform-set melboffice
crypto map sydoffice interface outside
isakmp enable outside

I can't see any IPSec traffic... where should I start to look?

Thanks

Accepted Solution
Cisco Employee

Re: IPSec between PIX devices

Hello,

Please review this link and see if it helps:

Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Any possibility you can gather complete configs and debugs from both ends?

debug cry isakmp
debug crypto ipsec

Hope that helps! If so, please rate.

Thanks

7 REPLIES
Community Member

Re: IPSec between PIX devices

Both configs attached. All debug cry isa sa shows is that it can't find the peer:

ISAKMP: larval sa found
ISAKMP (0): deleting SA: src 203.63.107.141, dst 10.43.136.10
ISADB: reaper checking SA 0xd00b7c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 203.63.107.141/500 not found - peers:0

Community Member

Re: IPSec between PIX devices

Hi Dean,

You can try the commands

sh isakmp sa
sh ipsec sa

Do a continuous ping from any host behind the PIX firewall and enable the command 'debug icmp trace' on your PIX to check where the traffic is getting dropped.

Community Member

Re: IPSec between PIX devices

Hi Dean,

As per the configurations you have given, the problem is with the phase 1 establishment.

In your 515 sydpix you have entered DH group 1, but in the 506 ccispix you have entered DH group 2.

Please change the DH group value to 1.

Hope this helps

Thanks

Krish

Community Member

Re: IPSec between PIX devices

Please check the isakmp lifetime value also.

The isakmp value in the 515 is 10800, but in the 506 it is 86400. Change those values also.

The isakmp lifetime value should be more than the ipsec lifetime.

hope this helps

Krish

Community Member

Re: IPSec between PIX devices

Hi again, I have changed the DH group to 1 and the lifetime to 10800, still not a lot of action. I have debug cry isa sa turned on, but there's no response on the monitor.

Community Member

Re: IPSec between PIX devices

Hi,

On the 515 you have put the peer address as 10.43.136.10. You need to terminate the tunnel on the 506 on a public IP address. Ideally you should be using the public IP as the peer on the 515. Also I would be interested to know the transform-set melboffice.

cheers

Sachin
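The three findings in this thread (mismatched DH group, mismatched ISAKMP lifetimes, and a private address configured as the crypto map peer) are all things that can be caught by comparing the two configs before touching the boxes. The script below is an added example, not part of the thread or of any Cisco tool: it parses the crypto-relevant lines out of two PIX configs and reports what would stop phase 1, phase 2 or peer reachability. The sample configs are constructed from the snippets posted above; the `isakmp policy` lines are assumed, since the page only states the DH group and lifetime values and the attached configs are not on the page.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input modelled on the two PIX snippets in this thread.
# The "isakmp policy" lines are assumed: the thread only says the 515 used
# DH group 1 / lifetime 10800 and the 506 used DH group 2 / lifetime 86400.
PIX515_CONFIG = """
crypto ipsec transform-set DSAT_CCIS_SYDset esp-des esp-sha-hmac
crypto map melbMap 22 set peer 10.43.136.10
crypto map melbMap 22 set transform-set DSAT_CCIS_SYDset
crypto map melbMap 22 set security-association lifetime seconds 10800 kilobytes 4608000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 10800
"""

PIX506_CONFIG = """
crypto ipsec transform-set melboffice esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 10800
crypto map sydoffice 20 set peer 210.8.162.2
crypto map sydoffice 20 set transform-set melboffice
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Phase 1 proposal attributes that must be identical on both peers.
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")


@dataclass
class PixCrypto:
    """The parts of a PIX crypto config that must agree with the far side."""
    policies: Dict[int, Dict[str, str]] = field(default_factory=dict)
    transform_sets: Dict[str, Tuple[str, ...]] = field(default_factory=dict)
    map_transform_sets: Set[str] = field(default_factory=set)
    peers: List[str] = field(default_factory=list)
    ipsec_lifetime: Optional[int] = None


def parse_pix_crypto(text: str) -> PixCrypto:
    """Pull ISAKMP policies, transform sets, peers and lifetimes out of a config."""
    cfg = PixCrypto()
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"isakmp policy (\d+) (\S+) (.+)", line):
            cfg.policies.setdefault(int(m[1]), {})[m[2]] = m[3]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg.transform_sets[m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg.peers.append(m[1])
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)", line):
            cfg.map_transform_sets.add(m[1])
        elif m := re.search(r"security-association lifetime seconds (\d+)", line):
            cfg.ipsec_lifetime = int(m[1])  # global or per-map phase 2 lifetime
    return cfg


def find_mismatches(a: PixCrypto, b: PixCrypto) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for everything that would stop the tunnel."""
    findings = []
    # Phase 1: the responder needs a policy whose proposal attributes equal one of
    # the initiator's. Lifetime is negotiated down, so it is checked separately.
    if not any(all(pa.get(k) == pb.get(k) for k in PHASE1_ATTRS)
               for pa in a.policies.values() for pb in b.policies.values()):
        pa = a.policies.get(min(a.policies, default=0), {})
        pb = b.policies.get(min(b.policies, default=0), {})
        diffs = [f"{k} {pa.get(k)} vs {pb.get(k)}" for k in PHASE1_ATTRS
                 if pa.get(k) != pb.get(k)]
        findings.append(("phase1", "no compatible isakmp policy: " + ", ".join(diffs)))
    # Phase 2: the transform sets referenced by the crypto maps must share a proposal.
    algs_a = {a.transform_sets[n] for n in a.map_transform_sets if n in a.transform_sets}
    algs_b = {b.transform_sets[n] for n in b.map_transform_sets if n in b.transform_sets}
    if not algs_a & algs_b:
        findings.append(("phase2", f"no common transform set: {algs_a} vs {algs_b}"))
    # Peer: the crypto map peer must be the far side's routable outside address;
    # a private address (like the thread's 10.43.136.10) is unreachable over the Internet.
    for side, cfg in (("A", a), ("B", b)):
        for peer in cfg.peers:
            if ipaddress.ip_address(peer).is_private:
                findings.append(("peer", f"side {side} peers with private address {peer}"))
    # Lifetimes, following the advice given in the thread: the ISAKMP lifetime
    # should not be shorter than the IPsec lifetime, and both sides should agree.
    ike = {}
    for side, cfg in (("A", a), ("B", b)):
        ike[side] = {int(p["lifetime"]) for p in cfg.policies.values() if "lifetime" in p}
        if cfg.ipsec_lifetime and any(t < cfg.ipsec_lifetime for t in ike[side]):
            findings.append(("lifetime", f"side {side}: isakmp lifetime below ipsec {cfg.ipsec_lifetime}"))
    if ike["A"] != ike["B"]:
        findings.append(("lifetime", f"isakmp lifetimes differ: {sorted(ike['A'])} vs {sorted(ike['B'])}"))
    return findings


def audit(config_a: str, config_b: str) -> List[Tuple[str, str]]:
    return find_mismatches(parse_pix_crypto(config_a), parse_pix_crypto(config_b))


if __name__ == "__main__":
    for category, detail in audit(PIX515_CONFIG, PIX506_CONFIG):
        print(f"[{category}] {detail}")
```

Run against the two constructed configs it reports the phase 1 group mismatch, the differing ISAKMP lifetimes and the private peer address on the 515; after applying Krish's two changes (group 1 and lifetime 10800 on the 506) only the peer finding remains, which matches Sachin's point that the 515 still needs the 506's public address as its peer.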
