09-30-2007 10:42 PM
Hi,
I have a PIX firewall with a VPN configured recently. As the tunnel is not up, I have enabled debug crypto isakmp and am able to see the attached messages.
I have confirmed the pre-shared keys on both ends and found them to be the same.
Please advise on where the problem could be. The other end firewall is not a PIX, but it is configured with the same parameters.
Please help on this...
PIX Version 6.3(4)
Pix-506
regards
Rajesh
10-04-2007 03:03 AM
Hi Graham
Basically the part about proxy identities, i.e.
=============================================
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= remote_ip, src= this_ip,
dest_proxy= remote_local_subnet/255.255.255.0/0/0 (type=4),
src_proxy= user_local_subnet/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
=============================================
For Phase 2 to complete both ends must agree on the local and remote networks they are encrypting traffic for.
Jon
10-04-2007 04:46 AM
Nice one Jon
5 points to you!
10-05-2007 04:05 AM
Hi All,
So, basically it's a crypto ACL issue, I hope. Isn't it?
regards
Rajesh P
10-05-2007 05:39 AM
Hi Rajesh
It does look like it from the debugs you provided.
Jon
10-08-2007 12:21 AM
Hi all,
Can someone help me please
An inside server (192.168.92.6) needs to access a remote network, 192.168.31.0.
A site-to-site VPN is established between the PIX outside interface (192.168.111.6) and a Multitech firewall (192.168.111.200).
Now my inside server should connect to the remote network with the IP 172.20.20.6, so I have to NAT my inside server IP (192.168.92.6) to 172.20.20.6.
The remote network should connect to the inside network via 172.20.20.6.
My problem is that I can establish a connection to my inside network from the remote network, but I cannot establish a (TCP) connection from my inside network to the remote network.
The weird thing is that I can ping each network from the other.
This is my config below:
access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0
static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 192.168.111.200
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
service-policy global_policy global
tunnel-group 192.168.111.200 type ipsec-l2l
tunnel-group 192.168.111.200 ipsec-attributes
pre-shared-key *
Thanks for answers
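Two things in this thread are easy to get wrong by eye: whether the peers' crypto ACLs really mirror each other (Jon's "proxy identities not supported" point above), and what source address a policy-NATed packet actually carries when the crypto map is evaluated (the static/crypto ACL combination in the post just above). The script below is an added example written for this page, not code from the thread or from Cisco; it parses PIX/ASA-style access-list lines, reports local crypto ACL entries the peer does not mirror, and traces an inside packet through policy static NAT before testing it against the crypto ACL. The ACL text, the peer ACLs and the host addresses are constructed to resemble the configs in the thread; nothing here is taken from a real device.

```python
"""Check IPsec proxy identities (crypto ACLs) and trace policy NAT before
crypto-map matching. Added example for this thread, not code from the posts.
All ACL text below is constructed to resemble the thread's configs."""
import ipaddress
from typing import List, NamedTuple


class Entry(NamedTuple):
    """One 'permit ip' line: the (source, destination) proxy identity pair."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


class PolicyNat(NamedTuple):
    """static (in,out) MAPPED access-list ACL: the real host is translated
    to MAPPED only for flows the policy ACL permits."""
    real_ip: ipaddress.IPv4Address
    mapped_ip: ipaddress.IPv4Address
    policy: List[Entry]


def _take_addr(tokens, i):
    """Consume one ACL address term: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list NAME [extended] permit ip SRC DST' lines.
    Lines that are not 'permit ip' are ignored; they cannot be proxy identities."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        i = 2
        if t[i] == "extended":
            i += 1
        if t[i] != "permit" or t[i + 1] != "ip":
            continue
        i += 2
        src, i = _take_addr(t, i)
        dst, i = _take_addr(t, i)
        entries.append(Entry(src, dst))
    return entries


def mismatched_identities(local: List[Entry], remote: List[Entry]) -> List[Entry]:
    """Local crypto ACL entries with no exact mirror (src/dst swapped) on the
    peer. Each one is a Phase 2 proposal the peer rejects with
    'proxy identities not supported'."""
    mirrors = {(e.dst, e.src) for e in remote}
    return [e for e in local if (e.src, e.dst) not in mirrors]


def apply_policy_nat(src, dst, nats: List[PolicyNat]) -> ipaddress.IPv4Address:
    """Source address as seen on the outside interface: policy static NAT
    applies only when the real host AND the policy ACL both match."""
    for nat in nats:
        if src != nat.real_ip:
            continue
        if any(src in e.src and dst in e.dst for e in nat.policy):
            return nat.mapped_ip
    return src


def crypto_match(src, dst, acl: List[Entry]) -> bool:
    """Does the (post-NAT) flow hit a crypto ACL entry and get encrypted?"""
    return any(src in e.src and dst in e.dst for e in acl)


def trace(src: str, dst: str, nats, crypto_acl):
    """Outbound on PIX/ASA, NAT runs before the crypto map: translate first,
    then test the translated flow against the crypto ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = apply_policy_nat(s, d, nats)
    return str(translated), crypto_match(translated, d, crypto_acl)


# Constructed sample lines modelled on the thread's config.
LOCAL_CRYPTO_ACL = parse_acl([
    "access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0",
])
POLICY_NAT = [PolicyNat(
    ipaddress.ip_address("192.168.92.6"),
    ipaddress.ip_address("172.20.20.6"),   # the post's Ip_172.20.20.6 name, assumed value
    parse_acl(["access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0"]),
)]
# Two constructed peer ACLs: a correct mirror and a wrong one (mask too wide).
REMOTE_MIRROR_ACL = parse_acl([
    "access-list vpn permit ip 192.168.31.0 255.255.255.0 172.20.20.0 255.255.255.0",
])
REMOTE_WRONG_ACL = parse_acl([
    "access-list vpn permit ip 192.168.31.0 255.255.255.0 172.20.0.0 255.255.0.0",
])

if __name__ == "__main__":
    print("mirror ok    :", mismatched_identities(LOCAL_CRYPTO_ACL, REMOTE_MIRROR_ACL))
    print("mismatch     :", mismatched_identities(LOCAL_CRYPTO_ACL, REMOTE_WRONG_ACL))
    print("server->remote:", trace("192.168.92.6", "192.168.31.10", POLICY_NAT, LOCAL_CRYPTO_ACL))
    print("other->remote :", trace("192.168.92.7", "192.168.31.10", POLICY_NAT, LOCAL_CRYPTO_ACL))
```

To apply this to the first problem in the thread, put the PIX's crypto ACL in LOCAL_CRYPTO_ACL and the other vendor's equivalent in the remote list: the dest_proxy/src_proxy pair in the debug must equal one local entry, and the peer must carry that same pair swapped. The check insists on an exact mirror, which is the safe rule for an older PIX; some peers accept a narrower proposal, but a wider or offset mask on either side is exactly what produces the "proxy identities not supported" line. The trace is useful for the NAT case: only the flow 192.168.92.6 to 192.168.31.0/24 gets translated to 172.20.20.6 and therefore matches the crypto ACL, while any other inside host, or any other destination, leaves untranslated and is never encrypted.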
10-08-2007 10:28 PM
Hi All,
The VPN problem has been resolved. It was an ACL issue (crypto).
Thanks for the support.
regards
Rajesh P
10-08-2007 10:31 PM
Hi Rajesh
Glad to hear you got it working and thanks for letting us know the outcome.
Jon