Pix to Router Phase 2 error

patrick.cannon
Level 1

Having a challenge getting a PIX-to-router VPN working. Any suggestions? It appears Phase 1 is working.

PIX Config

nat (inside) 0 access-list 120
access-list 120 permit ip 10.1.0.0 255.255.0.0 host 65.245.104.120
sysopt connection permit-ipsec
crypto ipsec transform-set remote esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map remote 20 ipsec-isakmp
crypto map remote 20 match address 120
crypto map remote 20 set peer peer1.peer1.peer1.peer1
crypto map remote 20 set transform-set remote
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address peer1.peer1.peer1.peer1 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

Debug

PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 1,
(identity) local= "localpeer", remote= "remotepeer",
local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= "remote host"/255.255.255.255/0/0 (type=1)
IPSEC(key_engine_sa_req): setting timer running retry <2>
crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
gen_cookie:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_sa_req:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
begin phase one
sa->state 0x9
QM_TIMER
ipsec_db_get_ipsec_sa_list:
oakley_begin_qm:
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1160930063:bacd9cf1
compute_quick_mode_iv:
crypto_isakmp_spi_starve:IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xe4846667(3833882215) for SA
from "remotepeer" to "localpeer" for prot 3
crypto_ke_process_block:
KE_TIMER
starve:
ipsec_db_get_ipsec_sa_list:
oakley_const_qm:
ipsec_db_get_ipsec_sa_list:
construct_header: message_id 0xbacd9cf1
ipsec_db_get_ipsec_sa_list:
construct_blank_hash:
construct_ipsec_sa:
ipsec_db_get_ipsec_sa_list:
set_ipsec_proposals:
set_proposal: protocol 0x3, proposal_num 1, extra_info 0x0
construct_ipsec_nonce:
ipsec_db_get_ipsec_sa_list:
construct_proxy_id:
ipsec_db_get_ipsec_sa_list:
construct_proxy_id:
ipsec_db_get_ipsec_sa_list:
construct_qm_hash:
ipsec_db_get_ipsec_sa_list:
throw: mess_id 0xbacd9cf1
ipsec_db_get_ipsec_sa_list:
isakmp_ce_encrypt_payload: offset 28, length 164
pix_des_encrypt: data 0x3c05aec, len 144
des_encdec:
send_response:
isakmp_send: ip "remotepeer", port 500
ISAKMP msg received
crypto_isakmp_process_block:src:"remotepeer", dest:"localpeer" spt:500 dpt:500
gen_cookie:
fill_sa_key:isadb_search returned sa = 0x3b3153c
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
compute_quick_mode_iv:
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7b1dc8, len 104
des_encdec:
validate_payload: len 132
valid_payload:
valid_payload:
ISAKMP_INFO exchange
process_isakmp_info:
verify_qm_hash:
ipsec_db_get_ipsec_sa_list:
process_isakmp_packet:
process_notify:
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 373755288IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with "remotepeer"
ipsec_db_delete_ipsec_sa_list:
ipsec_db_delete_sa_list_entry:
return status is IKMP_NO_ERR_NO_TRANS
ipsec_db_delete_ipsec_sa_list:
P2RETRANS_TIMER
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xaf9eeee7
send_response:
isakmp_send: ip "remotepeer", port 500
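The debug above shows the PIX sending its Quick Mode proposal and the peer answering with NOTIFY payload 14, which in ISAKMP (RFC 2408) is NO-PROPOSAL-CHOSEN: the peer rejected the Phase 2 proposal, so the PIX deletes the SAs and retransmits. As an added diagnostic aid (not code from the post or from Cisco), the Python script below reads a PIX debug capture of this kind, pulls out the proxy identities and any NOTIFY codes, and names the likely Phase 2 cause; the embedded excerpt is constructed from the post's own debug lines.

```python
import re

# ISAKMP notify message types (RFC 2408 s.3.14.1) seen in Phase 2 failures
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION"}
RE_LOCAL = re.compile(r"local_proxy= (\S+) \(type=\d+\)")
RE_REMOTE = re.compile(r"remote_proxy= (.+?) \(type=\d+\)")
RE_NOTIFY = re.compile(r"processing NOTIFY payload (\d+) protocol \d+")
RE_RETRANS = re.compile(r"retransmitting phase 2 \((\d+)/\d+\)")

def triage(lines):
    # Summarise one Phase 2 attempt from PIX 'debug crypto isakmp/ipsec' output
    r = {"local_proxy": None, "remote_proxy": None, "quick_mode": False,
         "notifies": [], "retransmits": 0}
    for line in lines:
        if m := RE_LOCAL.search(line):
            r["local_proxy"] = m.group(1)
        if m := RE_REMOTE.search(line):
            r["remote_proxy"] = m.group(1)
        if "beginning Quick Mode exchange" in line:
            r["quick_mode"] = True
        if m := RE_NOTIFY.search(line):
            code = int(m.group(1))
            r["notifies"].append((code, NOTIFY_TYPES.get(code, "UNKNOWN")))
        if m := RE_RETRANS.search(line):
            r["retransmits"] = int(m.group(1))
    r["verdict"] = verdict(r)
    return r

def verdict(r):
    codes = {c for c, _ in r["notifies"]}
    if not r["quick_mode"]:
        return "No Quick Mode seen: Phase 1 may not have completed (isakmp policy / key)."
    if rejected := codes & {14, 18}:
        names = ", ".join(NOTIFY_TYPES[c] for c in sorted(rejected))
        return (f"Peer rejected the Quick Mode proposal ({names}): compare transform-set, "
                f"PFS and crypto ACL {r['local_proxy']} <-> {r['remote_proxy']} on both ends.")
    if r["retransmits"]:
        return "Quick Mode unanswered: check UDP/500 reachability and clear stale SAs."
    return "No Phase 2 error seen."

# Constructed excerpt modelled on the post's debug output (placeholder addresses)
SAMPLE = """\
local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= "remote host"/255.255.255.255/0/0 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1160930063:bacd9cf1
ISAKMP (0): processing NOTIFY payload 14 protocol 0
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xaf9eeee7
""".splitlines()
if __name__ == "__main__":
    print(triage(SAMPLE)["verdict"])
```

Feed it the full debug with `triage(open("debug.txt").read().splitlines())`; when the verdict points at the proposal, compare transform-set, PFS and the crypto ACL on both peers before touching anything else.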


sirpa_k
Level 1

Any update on this?

I ended up clearing out the VPN config on both sides and reapplying it; then it worked.

It appeared that I was making changes during troubleshooting and then not properly clearing the SA.
