09-30-2008 02:25 AM
Hi, I have configured my two PIX firewalls for a LAN-to-LAN VPN (IPsec). These two firewalls connect directly via ethernet0, and each has a local LAN on ethernet1. When I try to ping station2 from station1, after one timeout (once the IKE phases are complete) the ping gets replies, but when I try to ping station1 from station2 I don't get any reply. Why does my VPN connection come up in one direction but not from the other side??
(pix1)
ethernet0(outside):20.20.20.1
ethernet1(inside):10.10.10.1
station1 on inside:10.10.10.20
(pix2)
ethernet0(outside):20.20.20.2
ethernet1(inside):15.15.15.1
station2 on inside:15.15.15.20
pix1 config:
interface Ethernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
access-list ping extended permit icmp any any
access-list ping extended permit tcp any host 10.10.10.15 eq ftp
access-list traffic extended permit ip 10.10.10.0 255.255.255.0 15.15.15.0 255.255.255.0
nat (inside) 0 access-list traffic
access-group ping in interface outside
route outside 15.15.15.0 255.255.255.0 20.20.20.2 1
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 1000
tunnel-group 20.20.20.2 type ipsec-l2l
tunnel-group 20.20.20.2 ipsec-attributes
pre-shared-key *
pix2 config:
interface Ethernet0
nameif outside
security-level 0
ip address 20.20.20.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 15.15.15.1 255.255.255.0
!
access-list ping extended permit icmp any any
access-list ping extended permit tcp any host 15.15.15.20 eq ftp
access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
access-group ping in interface outside
route outside 10.10.10.0 255.255.255.0 20.20.20.1 1
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 1000
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
pre-shared-key *
When I run show crypto isakmp sa, everything looks fine, but only when I ping station2 from ST1; after that, if I clear isakmp sa and then try to ping station1 from ST2, show crypto isakmp sa returns "no active SA". Why?!!
09-30-2008 07:42 AM
On PIX2
crypto map crymap 1 set peer 20.20.20.2
---------------------------------------
It should be the IP address of the remote end, as shown below.
crypto map crymap 1 set peer 20.20.20.1
HTH
Saju
09-30-2008 11:10 AM
"crypto map crymap 1 set peer 20.20.20.2": in my configuration it is right, it is the next peer's IP address, "crypto map crymap 1 set peer 20.20.20.1". This was a copy-paste mistake, sorry! OK, now what can cause my one-way ping problem??
09-30-2008 02:33 PM
Other than that your config looks OK. What are the source and destination when you ping?
When you have this problem, can you enable these debugs:
debug crypto isakmp
debug crypto ipsec
and post results.
10-01-2008 11:51 AM
OK, here are the debug outputs.
When I ping station1 (10.10.10.20, on PIX1) from station2 (15.15.15.20, on PIX2) everything is fine, and this is the sh crypto isakmp sa output:
PIX1# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 20.20.20.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
PIX2# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 20.20.20.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
But if I clear the isakmp sa and then try to ping station2 (15.15.15.20) from station1 (10.10.10.20), the ping doesn't work, and these are the debug crypto isakmp and ipsec outputs:
PIX1# Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:45 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:45 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:49 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:49 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:52 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:52 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
PIX2# Oct 01 19:27:40 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988630, mess id 0xa54f21b0)!
Oct 01 19:27:40 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:43 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0xb1221bf2)!
Oct 01 19:27:43 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:46 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0x925a2fc8)!
Oct 01 19:27:46 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:50 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0x9224a705)!
Oct 01 19:27:50 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
What is the problem??? Where is the problem??? Please help me find out???
10-01-2008 12:01 PM
Do 2 things:
1. The lifetime configured under the IKE policy is 1000. Increase it to 86400, as the ISAKMP SA lifetime should be greater than the IPsec SA lifetime.
2. Make separate access lists for the crypto ACL and the NAT 0 ACL. You are using the same access-list "traffic". Create another identical access list and use it separately as the crypto ACL on both sides.
For example on PIX2:
access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPNACL extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
crypto map crymap 1 match address VPNACL
Then check and post results.
HTH
Saju
Pls rate helpful posts
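As an added example (not from this thread, Cisco or any poster), the following Python script turns the three points raised in this thread into a linter over a pasted PIX config: a single ACL serving as both the NAT 0 ACL and the crypto ACL, an ISAKMP lifetime below the IPsec SA lifetime, and a crypto-map peer that is the firewall's own address or has no matching tunnel-group. It assumes the PIX/ASA default IPsec SA lifetime of 28800 seconds when none is configured, and the sample config is a constructed trim of PIX2 as originally posted.

```python
import re

# Constructed sample: the PIX2 side from the thread, trimmed to the relevant lines.
PIX2_CONFIG = """\
interface Ethernet0
 ip address 20.20.20.2 255.255.255.0
access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto isakmp policy 1
 lifetime 1000
tunnel-group 20.20.20.1 type ipsec-l2l
"""
IPSEC_SA_LIFETIME_DEFAULT = 28800  # PIX/ASA default IPsec SA lifetime, seconds (assumed)


def lint_l2l_config(config: str) -> list[str]:
    """Findings for the three mistakes the thread discusses, in a fixed order."""
    nat0_acls, crypto_acls, peers, tunnel_groups, own_ips = set(), set(), set(), set(), set()
    ike_lifetime, ipsec_lifetime = None, IPSEC_SA_LIFETIME_DEFAULT
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0_acls.add(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto_acls.add(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            peers.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tunnel_groups.add(m.group(1))
        elif m := re.match(r"ip address (\S+) \S+$", line):
            own_ips.add(m.group(1))
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            ipsec_lifetime = int(m.group(1))
        elif m := re.match(r"lifetime (\d+)$", line):  # bare 'lifetime' sits under isakmp policy
            ike_lifetime = int(m.group(1))
    findings = []
    for acl in sorted(nat0_acls & crypto_acls):  # same ACL doing NAT 0 and crypto matching
        findings.append(f"shared-acl: '{acl}' is both the NAT 0 ACL and the crypto ACL; split them")
    if ike_lifetime is not None and ike_lifetime < ipsec_lifetime:
        findings.append(f"ike-lifetime: ISAKMP lifetime {ike_lifetime}s is below IPsec SA lifetime {ipsec_lifetime}s")
    for peer in sorted(peers):
        if peer in own_ips:
            findings.append(f"peer: crypto map peer {peer} is this firewall's own address")
        elif peer not in tunnel_groups:
            findings.append(f"peer: no tunnel-group for crypto map peer {peer}")
    return findings
```

Running `lint_l2l_config` over the full pasted config of either firewall reports the shared ACL and the short IKE lifetime; on the PIX2 paste it also flags the peer address that the thread identified as a copy-paste error.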
10-01-2008 11:39 PM
Thanks. Now it's working :). I separated the access list for the crypto map from the one for NAT 0, and then everything works fine. Thank you.