Solved: Re: PIX Lan2Lan VPN strange Problem!

blackhat2020 · ‎09-30-2008

Hi,i have configured my two pix firewalls for lan 2 lan vpn(ipsec).this two firewalls connects directly with ethernet 0 and each has a local lan on ethernet 1.when i try to ping station2 from station1 after one time out and when ike phases are complete ping comes up with reply but when i try to ping station 1 from station 2 i dont get any reply .Why my vpn connection comes up in one direction and it doesnt from other side??

(pix1)

ethernet0(outside):20.20.20.1

ethernet1(inside):10.10.10.1

station1 on inside:10.10.10.20

(pix2)

ethernet0(outside):20.20.20.2

ethernet1(inside):15.15.15.1

station2 on inside:15.15.15.20

pix1 config:

interface Ethernet0

nameif outside

security-level 0

ip address 20.20.20.1 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

access-list ping extended permit icmp any any

access-list ping extended permit tcp any host 10.10.10.15 eq ftp

access-list traffic extended permit ip 10.10.10.0 255.255.255.0 15.15.15.0 255.255.255.0

nat (inside) 0 access-list traffic

access-group ping in interface outside

route outside 15.15.15.0 255.255.255.0 20.20.20.2 1

crypto ipsec transform-set ipsec esp-3des esp-sha-hmac

crypto map crymap 1 match address traffic

crypto map crymap 1 set peer 20.20.20.2

crypto map crymap 1 set transform-set ipsec

crypto map crymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 1000

tunnel-group 20.20.20.2 type ipsec-l2l

tunnel-group 20.20.20.2 ipsec-attributes

pre-shared-key *

!!!!!!!!Pix 2 config

interface Ethernet0

nameif outside

security-level 0

ip address 20.20.20.2 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 15.15.15.1 255.255.255.0

!

access-list ping extended permit icmp any any

access-list ping extended permit tcp any host 15.15.15.20 eq ftp

access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list traffic

access-group ping in interface outside

route outside 10.10.10.0 255.255.255.0 20.20.20.1 1

crypto ipsec transform-set ipsec esp-3des esp-sha-hmac

crypto map crymap 1 match address traffic

crypto map crymap 1 set peer 20.20.20.2

crypto map crymap 1 set transform-set ipsec

crypto map crymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 1000

tunnel-group 20.20.20.1 type ipsec-l2l

tunnel-group 20.20.20.1 ipsec-attributes

pre-shared-key *

whe i get show crypto isakmp sa every thing looks fine just when i ping station 2 from St1 but after that if i clear isakmp sa and the try to ping station 1 from ST 2 show crypto isakmp sa returns with "no active SA" why?!!

singhsaju · ‎10-01-2008

Do 2 things :

1. The lifetime configured under IKE policy is 1000 . Increase it to 86400. As Isakmp SA lifetime should be greater than Ipsec SA lifetime .

2. Make separate access lists for crypto ACL and the NAT 0 ACL. you are using same access-list "traffic". Create another identical access list and use it separately as Crypto ACL on both sides.

For example on PIX2:

access-list traffic extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list VPNACL extended permit ip 15.15.15.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list traffic

crypto map crymap 1 match address VPNACL

Then check and post results.

HTH

Saju

Pls rate helpful posts

View solution in original post

singhsaju · ‎09-30-2008

On PiX 2

crypto map crymap 1 set peer 20.20.20.2

---------------------------------------

It should be ip address of remote end as shown following.

crypto map crymap 1 set peer 20.20.20.1

HTH

Saju

blackhat2020 · ‎09-30-2008

crypto map crymap 1 set peer 20.20.20.2 in my configuration it is right its next peer ip address crypto map crymap 1 set peer 20.20.20.1 this was copy paste mistake.sorry! ok now what can cause me one way ping problem??

singhsaju · ‎09-30-2008

Other than that your config looks OK . what are the source and destination when you ping?

When you have this problem , can you enable debugs

debug crypto isakmp

debug crypto ipsec

and post results.

blackhat2020 · ‎10-01-2008

ok.here is debug out puts.......

when i ping station 1(10.10.10.20)(on pix 1) from station2 (15.15.15.20)(on pix 2) every thing is fine and this is sh crypto isakmp sa output:

PIX1# sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 20.20.20.2

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

PIX2# sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 20.20.20.1

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

but if i clear the isakmp sa and then try to ping station 2(15.15.15.20) from sation 1(10.10.10.20) ping doesnt work and this is debug crypto isakmp and ipsec outputs:

PIX1# Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, construct_i

psec_delete(): No SPI to identify Phase 2 SA!

Oct 01 19:29:42 [IKEv1]: Group = 20.20.20.2, IP = 20.20.20.2, Removing peer from