PIX Lan2Lan VPN strange Problem!

blackhat2020
Level 1

Hi, I have configured my two PIX firewalls for a LAN-to-LAN VPN (IPsec). These two firewalls connect directly via ethernet 0 and each has a local LAN on ethernet 1. When I try to ping station2 from station1, after one timeout, and once the IKE phases are complete, the ping comes up with replies, but when I try to ping station 1 from station 2 I don't get any reply. Why does my VPN connection come up in one direction and not from the other side??

(pix1)
ethernet0 (outside): 20.20.20.1
ethernet1 (inside): 10.10.10.1
station1 on inside: 10.10.10.20

(pix2)
ethernet0 (outside): 20.20.20.2
ethernet1 (inside): 15.15.15.1
station2 on inside: 15.15.15.20

pix1 config:

interface Ethernet0
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
access-list ping extended permit icmp any any
access-list ping extended permit tcp any host 10.10.10.15 eq ftp
access-list traffic extended permit ip 10.10.10.0 255.255.255.0 15.15.15.0 255.255.255.0
nat (inside) 0 access-list traffic
access-group ping in interface outside
route outside 15.15.15.0 255.255.255.0 20.20.20.2 1
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1000
tunnel-group 20.20.20.2 type ipsec-l2l
tunnel-group 20.20.20.2 ipsec-attributes
 pre-shared-key *

pix2 config:

interface Ethernet0
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 15.15.15.1 255.255.255.0
!
access-list ping extended permit icmp any any
access-list ping extended permit tcp any host 15.15.15.20 eq ftp
access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
access-group ping in interface outside
route outside 10.10.10.0 255.255.255.0 20.20.20.1 1
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1000
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
 pre-shared-key *

When I run show crypto isakmp sa, everything looks fine, but only when I ping station 2 from St1. After that, if I clear the isakmp sa and then try to ping station 1 from ST 2, show crypto isakmp sa returns "no active SA". Why?!!


singhsaju
Level 4

On PIX 2:

crypto map crymap 1 set peer 20.20.20.2

---------------------------------------

It should be the IP address of the remote end, as shown below.

crypto map crymap 1 set peer 20.20.20.1

HTH

Saju

Regarding "crypto map crymap 1 set peer 20.20.20.2": in my configuration it is right, it is the peer's IP address ("crypto map crymap 1 set peer 20.20.20.1"); this was a copy-paste mistake. Sorry! OK, now what can cause my one-way ping problem??

Other than that your config looks OK. What are the source and destination when you ping?

When you have this problem, can you enable the debugs

debug crypto isakmp
debug crypto ipsec

and post the results.

OK, here are the debug outputs.......

When I ping station 1 (10.10.10.20) (on pix 1) from station2 (15.15.15.20) (on pix 2) everything is fine, and this is the sh crypto isakmp sa output:

PIX1# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 20.20.20.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

PIX2# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 20.20.20.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

But if I clear the isakmp sa and then try to ping station 2 (15.15.15.20) from station 1 (10.10.10.20), the ping doesn't work, and these are the debug crypto isakmp and debug crypto ipsec outputs:

PIX1# Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:45 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:45 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:49 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:49 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!
Oct 01 19:29:52 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 19:29:52 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from correlator table failed, no match!

PIX2# Oct 01 19:27:40 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988630, mess id 0xa54f21b0)!
Oct 01 19:27:40 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:43 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0xb1221bf2)!
Oct 01 19:27:43 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:46 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0x925a2fc8)!
Oct 01 19:27:46 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!
Oct 01 19:27:50 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, QM FSM error (P2 struct &0x2988738, mess id 0x9224a705)!
Oct 01 19:27:50 [IKEv1]: Group = 20.20.20.1, IP = 20.20.20.1, Removing peer from correlator table failed, no match!

What is the problem??? Where is the problem??? Please help me to find it out???

Do 2 things:

1. The lifetime configured under the IKE policy is 1000. Increase it to 86400, as the ISAKMP SA lifetime should be greater than the IPsec SA lifetime.

2. Make separate access lists for the crypto ACL and the NAT 0 ACL. You are using the same access-list "traffic". Create another identical access list and use it separately as the crypto ACL on both sides.

For example, on PIX2:

access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPNACL extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
crypto map crymap 1 match address VPNACL

Then check and post the results.

HTH

Saju

Pls rate helpful posts
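As an added example, not part of the thread and not Cisco's code: a small Python lint (hypothetical helper `lint_l2l_config`) that scans a PIX/ASA config text for the three pitfalls raised in this thread: one ACL used as both the NAT 0 ACL and the crypto ACL, a crypto map peer that is really the local outside address (the copy-paste slip above), and an ISAKMP lifetime that does not exceed the IPsec SA lifetime. The sample config is constructed from the PIX2 lines posted above, and a default IPsec SA lifetime of 28800 seconds is assumed when none is configured.

```python
import re

# Constructed sample reproducing the three pitfalls from the thread's PIX2 config:
# crypto ACL shared with the NAT 0 ACL, IKE lifetime 1000, peer set to the local address.
PIX2_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 20.20.20.2 255.255.255.0
access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list traffic
crypto map crymap 1 match address traffic
crypto map crymap 1 set peer 20.20.20.2
crypto isakmp policy 1
 lifetime 1000
"""

# Assumed PIX/ASA defaults when the corresponding lifetime line is absent.
DEFAULT_IPSEC_SA_LIFETIME = 28800
DEFAULT_IKE_SA_LIFETIME = 86400


def lint_l2l_config(config: str, local_outside_ip: str) -> list:
    """Return a list of findings for the L2L VPN pitfalls discussed in the thread."""
    findings = []
    # 1. One ACL serving as both the NAT 0 (nat exemption) ACL and the crypto ACL.
    nat0_acls = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))
    crypto_acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))
    for acl in sorted(nat0_acls & crypto_acls):
        findings.append(f"ACL {acl} is both the NAT 0 ACL and the crypto ACL; use a separate crypto ACL")
    # 2. A peer address that is this firewall's own outside address instead of the remote end.
    for peer in re.findall(r"^crypto map \S+ \d+ set peer (\S+)", config, re.M):
        if peer == local_outside_ip:
            findings.append(f"crypto map peer {peer} is the local outside address, not the remote end")
    # 3. The ISAKMP (IKE) SA lifetime must be greater than the IPsec SA lifetime.
    # Only the isakmp policy uses a bare 'lifetime' sub-command; the IPsec one starts with 'crypto'.
    ike = re.search(r"^[ \t]*lifetime (\d+)", config, re.M)
    ipsec = re.search(r"^crypto ipsec security-association lifetime seconds (\d+)", config, re.M)
    ike_life = int(ike.group(1)) if ike else DEFAULT_IKE_SA_LIFETIME
    ipsec_life = int(ipsec.group(1)) if ipsec else DEFAULT_IPSEC_SA_LIFETIME
    if ike_life <= ipsec_life:
        findings.append(f"isakmp lifetime {ike_life} <= ipsec SA lifetime {ipsec_life}; raise the IKE lifetime")
    return findings


if __name__ == "__main__":
    for finding in lint_l2l_config(PIX2_CONFIG, "20.20.20.2"):
        print("finding:", finding)
```

Applying the accepted answer (a separate VPNACL on the crypto map, lifetime 86400) plus the corrected peer makes the lint return no findings.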

Thanks. Now it's working :). I separated the access lists for the crypto map and for NAT 0, and then everything works fine. Thank you.
