04-05-2004 10:57 AM
Having a challenge getting a PIX-to-router VPN working. Any suggestions? It appears Phase 1 is working.
Pix Config
nat (inside) 0 access-list 120
access-list 120 permit ip 10.1.0.0 255.255.0.0 host 65.245.104.120
sysopt connection permit-ipsec
crypto ipsec transform-set remote esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map remote 20 ipsec-isakmp
crypto map remote 20 match address 120
crypto map remote 20 set peer peer1.peer1.peer1.peer1
crypto map remote 20 set transform-set remote
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address peer1.peer1.peer1.peer1 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
Debug
PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 1,
(identity) local= "localpeer", remote= "remotepeer",
local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= "remote host"/255.255.255.255/0/0 (type=1)
IPSEC(key_engine_sa_req): setting timer running retry <2>
crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
gen_cookie:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_sa_req:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
begin phase one
sa->state 0x9
QM_TIMER
ipsec_db_get_ipsec_sa_list:
oakley_begin_qm:
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1160930063:bacd9cf1
compute_quick_mode_iv:
crypto_isakmp_spi_starve:IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xe4846667(3833882215) for SA
from "remotepeer" to "localpeer" for prot 3
crypto_ke_process_block:
KE_TIMER
starve:
ipsec_db_get_ipsec_sa_list:
oakley_const_qm:
ipsec_db_get_ipsec_sa_list:
construct_header: message_id 0xbacd9cf1
ipsec_db_get_ipsec_sa_list:
construct_blank_hash:
construct_ipsec_sa:
ipsec_db_get_ipsec_sa_list:
set_ipsec_proposals:
set_proposal: protocol 0x3, proposal_num 1, extra_info 0x0
construct_ipsec_nonce:
ipsec_db_get_ipsec_sa_list:
construct_proxy_id:
ipsec_db_get_ipsec_sa_list:
construct_proxy_id:
ipsec_db_get_ipsec_sa_list:
construct_qm_hash:
ipsec_db_get_ipsec_sa_list:
throw: mess_id 0xbacd9cf1
ipsec_db_get_ipsec_sa_list:
isakmp_ce_encrypt_payload: offset 28, length 164
pix_des_encrypt: data 0x3c05aec, len 144
des_encdec:
send_response:
isakmp_send: ip "remotepeer", port 500
ISAKMP msg received
crypto_isakmp_process_block:src:"remotepeer", dest:"localpeer" spt:500 dpt:500
gen_cookie:
fill_sa_key:isadb_search returned sa = 0x3b3153c
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
compute_quick_mode_iv:
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7b1dc8, len 104
des_encdec:
validate_payload: len 132
valid_payload:
valid_payload:
ISAKMP_INFO exchange
process_isakmp_info:
verify_qm_hash:
ipsec_db_get_ipsec_sa_list:
process_isakmp_packet:
process_notify:
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 373755288IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with "remotepeer"
ipsec_db_delete_ipsec_sa_list:
ipsec_db_delete_sa_list_entry:
return status is IKMP_NO_ERR_NO_TRANS
ipsec_db_delete_ipsec_sa_list:
P2RETRANS_TIMER
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xaf9eeee7
send_response:
isakmp_send: ip "remotepeer", port 500
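As an added example (not part of the original post), here is a small Python script that reads PIX `debug crypto isakmp` / `debug crypto ipsec` lines like the ones above, decodes the NOTIFY payload type with the RFC 2408 table (14 is NO-PROPOSAL-CHOSEN) and reports whether the failure sits in Phase 1 or Phase 2. The sample lines are constructed from the post's debug output, and the verdict strings are the script's own assumptions about the usual causes, not anything the post states.

```python
import re

# Error-class ISAKMP NOTIFY message types (RFC 2408, section 3.14.1).
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 9: "INVALID-MESSAGE-ID", 11: "INVALID-SPI",
                14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
# Phase 2 identity types from the IPsec DOI (RFC 2407): 1 = host, 4 = subnet.
ID_TYPES = {1: "ID_IPV4_ADDR", 4: "ID_IPV4_ADDR_SUBNET"}
PROXY = re.compile(r"(local|remote)_proxy= (.+?)/([\d.]+)/\d+/\d+ \(type=(\d+)\)")
NOTIFY = re.compile(r"processing NOTIFY payload (\d+) protocol \d+")

# Sample lines, constructed from the debug output quoted in the post above.
SAMPLE_DEBUG = """\
local_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= "remote host"/255.255.255.255/0/0 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1160930063:bacd9cf1
ISAKMP (0): processing NOTIFY payload 14 protocol 0
IPSEC(key_engine_delete_sas): delete all SAs shared with "remotepeer"
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xaf9eeee7
""".splitlines()

def analyze_ike_debug(lines):
    """Summarise one Phase 2 (Quick Mode) attempt from PIX 'debug crypto' output."""
    r = {"proxy_ids": {}, "quick_mode_started": False, "notifies": [],
         "sas_deleted": False, "phase2_retransmits": 0}
    for line in lines:
        if m := PROXY.search(line):  # traffic selectors the PIX will propose
            r["proxy_ids"][m.group(1)] = {"addr": m.group(2).strip('"'), "mask": m.group(3),
                                          "id_type": ID_TYPES.get(int(m.group(4)), "other")}
        elif "beginning Quick Mode exchange" in line:  # only happens once Phase 1 is up
            r["quick_mode_started"] = True
        elif m := NOTIFY.search(line):
            t = int(m.group(1))
            r["notifies"].append(NOTIFY_TYPES.get(t, f"UNKNOWN-{t}"))
        elif "delete all SAs shared with" in line:
            r["sas_deleted"] = True
        elif "retransmitting phase 2" in line:
            r["phase2_retransmits"] += 1
    # Turn the observations into the question a troubleshooter actually asks.
    if not r["quick_mode_started"]:
        r["verdict"] = "Quick Mode never began: Phase 1 (ISAKMP SA) is the problem"
    elif "NO-PROPOSAL-CHOSEN" in r["notifies"]:
        r["verdict"] = ("Phase 1 is up but the peer rejected the Phase 2 proposal: compare "
                        "transform sets, PFS and crypto ACL proxy IDs, then clear stale SAs")
    elif "INVALID-ID-INFORMATION" in r["notifies"]:
        r["verdict"] = "Phase 2 proxy identities do not match the peer's crypto ACL"
    elif r["sas_deleted"] or r["phase2_retransmits"]:
        r["verdict"] = "Phase 2 tore down or timed out with no error notify: check the peer"
    else:
        r["verdict"] = "no Phase 2 error seen"
    return r
```

Feed it the full debug capture (for example `analyze_ike_debug(open("debug.txt").read().splitlines())`) and read the `verdict` key; the proxy IDs it extracts are the ones to compare against the peer's crypto ACL.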
04-13-2004 09:40 AM
Any update on this?
04-13-2004 10:56 AM
I ended up clearing out the VPN config on both sides and reapplying it, and then it worked.
It appeared that I was making changes during troubleshooting then not properly clearing the SA.