Cisco Support Community
New Member

Pix-vpn site-to-site

Hi,

I have a PIX firewall with a VPN configured recently. As the tunnel is not up, I have enabled debug crypto isakmp and am able to see the attached messages.

I have confirmed the pre-shared keys at both ends and found them to be the same.

Please advise on where the problem could be. The other end firewall is not a PIX; it is configured with similar parameters.

Please help on this...

PIX Version 6.3(4)

Pix-506

regards

Rajesh

21 REPLIES
Hall of Fame Super Blue

Re: Pix-vpn site-to-site

Hi Rajesh

I appreciate that you have checked the keys, but this message is the one seen when the keys do not match.

Could you change the key to something really simple like "test", just to make sure?

Jon

New Member

Re: Pix-vpn site-to-site

Hi Jon,

I can see that phase 1 is okay. Please find attached the output of show crypto isakmp sa and show crypto ipsec sa, and please suggest.

regards

Rajesh

Cisco Employee

Re: Pix-vpn site-to-site

Rajesh,

If you have already checked the pre-shared keys on both PIXes, can you type "isakmp identity address" on the PIXes and bring up the tunnel?

I hope it helps.

Regards,

Arul

New Member

Re: Pix-vpn site-to-site

Hi Arul,

Thanks for your reply.

Actually, I have already enabled the command "isakmp identity address".

You may find the config below too.

//user configured ACL
access-list 101 permit ip remote_local_subnet 255.255.255.0 user_local_subnet 255.255.255.0
access-list vpnacl permit ip host user_test_machine_ip remote_local_subnet 255.255.255.0
//ACL for vpn configured by me
access-list vpnacl permit ip remote_local_subnet 255.255.255.0 host user_test_machine_ip
nat (inside) 0 access-list vpnacl
access-group 101 in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpnacl
crypto map outside_map 20 set peer remote_ip
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key key123 address remote_ip netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

I even restarted the firewall at this end after configuring the pre-shared key.

Please let me know some tips.

regards

Rajesh

Hall of Fame Super Blue

Re: Pix-vpn site-to-site

Hi Rajesh

Could you

1) turn on the following debugging

debug crypto isa

debug crypto ipsec

2) Clear any existing Phase 1 & 2 connections for this VPN.

3) Try and initiate the connection and then post the output of the debug together with firewall config (minus any sensitive info).

Jon

New Member

Re: Pix-vpn site-to-site

Hi Jon,

Please find the debug output and the show crypto isakmp sa and show crypto ipsec sa output attached.

We restarted the firewalls at both ends after entering the pre-shared key.

regards

Rajesh P

Hall of Fame Super Blue

Re: Pix-vpn site-to-site

Rajesh

Could you post the configs of both firewalls, or alternatively check the crypto map access-lists to make sure they agree on the local and remote subnets?

Jon

New Member

Re: Pix-vpn site-to-site

Hi Jon,

Shall I send it to you tomorrow morning at 10am, since I have to go to the client's site to send it?

regards

Rajesh

Hall of Fame Super Blue

Re: Pix-vpn site-to-site

Hi Rajesh

Yes that will be fine.

Jon

Cisco Employee

Re: Pix-vpn site-to-site

Rajesh,

Based on the debugs, the proxy identities are not matching, meaning the Crypto access-lists are not mirror images of each other.

Make sure that if you have a crypto acl on pix A:

access-list vpnacl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Then Remote Side Pix B:

access-list vpnacl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

Regards,

Arul

Hall of Fame Super Blue

Re: Pix-vpn site-to-site

Hi Arul

Agreed which is why i wanted to see the configs from both ends to make sure the local and remote networks match.

Jon

Cisco Employee

Re: Pix-vpn site-to-site

Got it, Jon. You rock :-)

Let's get this VPN rocking and rolling for Rajesh.

Regards,

Arul

New Member

Re: Pix-vpn site-to-site

Hi Jon/Arul,

The scenario is like this. At this end we use a PIX firewall, whereas the other end is another vendor's firewall, where there are no access lists configured specifically for the VPN. The remote end firewall is basically GUI based, and I could not see any ACL configuration. I know that both ends should have mirrored ACLs. The remote end already has two VPNs up and running and they want to configure one more. In the access list option I could see only one access-list check-box, which is already checked, and apart from that no options. I think I need to tell the customer to configure the other end himself with a VPN ACL. But the client will then ask how the other two VPNs are working without an ACL. Unfortunately I do not have the remote end config. Please find attached the config of the firewall at this end.

regards

Rajesh P

New Member

Re: Pix-vpn site-to-site

Hi

What was the specific debug message that points to the ACLs not mirroring each other?

Thanks

Hall of Fame Super Blue

Re: Pix-vpn site-to-site

Hi Graham

Basically the part about proxy identities, i.e.:

=============================================
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= remote_ip, src= this_ip,
    dest_proxy= remote_local_subnet/255.255.255.0/0/0 (type=4),
    src_proxy= user_local_subnet/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
=============================================

For Phase 2 to complete both ends must agree on the local and remote networks they are encrypting traffic for.

Jon
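Arul's mirror-image rule and the proxy-identity lines Jon quotes can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Cisco: it parses PIX/ASA "access-list ... permit ip" entries, reports the entries on either peer that have no mirror on the other, and pulls the src_proxy/dest_proxy identities out of "debug crypto ipsec" output to show which proposal matches no local crypto ACE. The ACL lines, the documentation-range addresses and the debug excerpt are constructed for the example; the PIX_B_BAD entry shows the common failure where the peer summarises the remote side to a wider mask. Because which network appears as src_proxy depends on which side initiated, a proposal is accepted when it or its reverse is a local entry.

```python
"""Crypto-ACL mirror check for PIX/ASA site-to-site tunnels.

Added example, not from the thread.  Parses 'access-list ... permit ip' crypto
ACL entries, checks that two peers' ACLs are mirror images, and matches the
proxy identities from 'debug crypto ipsec' against the local crypto ACL.
"""
import ipaddress
import re


def _take_endpoint(tokens):
    """Consume one PIX address spec: 'host A', 'any', or 'ADDR NETMASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # PIX writes a dotted netmask; ipaddress accepts it in place of a prefix length.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Return (acl_name, src_network, dst_network) for one crypto ACL entry.

    Handles the PIX 6.x form and the ASA 'extended' keyword.  Only 'permit ip'
    entries are accepted: a crypto ACL that matched ports or protocols would
    have to be mirrored at that granularity too, and that is not modelled here.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, body = tokens[1], tokens[2:]
    if body[0] == "extended":
        body = body[1:]
    if body[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' entries are handled: {line!r}")
    src, rest = _take_endpoint(body[2:])
    dst, _ = _take_endpoint(rest)
    return name, src, dst


def mirror_mismatches(local_aces, remote_aces):
    """Return (only_local, only_remote): src/dst pairs with no mirror on the other peer."""
    local = {(s, d) for _, s, d in map(parse_ace, local_aces)}
    remote = {(s, d) for _, s, d in map(parse_ace, remote_aces)}
    only_local = {(s, d) for s, d in local if (d, s) not in remote}
    only_remote = {(s, d) for s, d in remote if (d, s) not in local}
    return only_local, only_remote


# dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)  ->  addr/mask/protocol/port
_PROXY = re.compile(r"\b(?P<role>src|dest)_proxy=\s*(?P<addr>[\d.]+)/(?P<mask>[\d.]+)/")


def proposed_identities(debug_text):
    """Extract (src_proxy, dest_proxy) network pairs from 'debug crypto ipsec' output."""
    pairs, current = [], {}
    for m in _PROXY.finditer(debug_text):
        current[m["role"]] = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        if len(current) == 2:  # both halves of one proposal collected
            pairs.append((current["src"], current["dest"]))
            current = {}
    return pairs


def unmatched_proposals(debug_text, local_aces):
    """Proposals in the debug that match no local crypto ACE in either direction.

    Whether src_proxy is the local or the remote network depends on which side
    initiated, so a pair is accepted if it or its reverse is a local entry.
    Whatever is left is the identity the two crypto ACLs disagree on.
    """
    local = {(s, d) for _, s, d in map(parse_ace, local_aces)}
    return [p for p in proposed_identities(debug_text)
            if p not in local and (p[1], p[0]) not in local]


# Constructed sample data, modelled on the 10.1.1.0 / 192.168.1.0 illustration above.
PIX_A = ["access-list vpnacl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0"]
PIX_B_GOOD = ["access-list vpnacl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0"]
# A peer that summarises the far side to a /16 is a common way to break the mirror.
PIX_B_BAD = ["access-list vpnacl permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0"]

# Constructed debug excerpt in the layout quoted in the thread (documentation-range
# addresses), as PIX A might print it when PIX_B_BAD's proposal arrives.
DEBUG = """\
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 203.0.113.1, src= 198.51.100.1,
    dest_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
"""

if __name__ == "__main__":
    only_a, only_b = mirror_mismatches(PIX_A, PIX_B_BAD)
    print("only on A:", [f"{s} -> {d}" for s, d in only_a])
    print("only on B:", [f"{s} -> {d}" for s, d in only_b])
    for src, dst in unmatched_proposals(DEBUG, PIX_A):
        print(f"peer proposed {src} <-> {dst}: no matching local crypto ACE")
```

With the good ACL on B both result sets are empty; with the /16 entry the script names the unmirrored entry on each side and ties the "proxy identities not supported" line back to it. Run it against the two real crypto ACLs before touching pre-shared keys, since a key mismatch fails in phase 1 while a proxy-identity mismatch fails only in phase 2 after phase 1 has completed.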

New Member

Re: Pix-vpn site-to-site

Nice one Jon

5 points to you!

New Member

Re: Pix-vpn site-to-site

Hi All,

So basically it's a crypto ACL issue, I hope. Isn't it?

regards

Rajesh P

Hall of Fame Super Blue

Re: Pix-vpn site-to-site

Hi Rajesh

It does look like it from the debugs you provided.

Jon

New Member

Re: Pix-vpn site-to-site

Hi all,

Can someone help me, please?

An inside server (192.168.92.6) needs to access a remote network, 192.168.31.0.

A site-to-site VPN is established between the PIX outside interface (192.168.111.6) and a Multitech firewall (192.168.111.200).

Now my inside server should connect to the remote network with the IP 172.20.20.6, so I have to NAT my inside server IP (192.168.92.6) to 172.20.20.6.

The remote network should connect to the inside network via 172.20.20.6.

My problem is that I can establish a connection to my inside network from the remote network, but I cannot establish a (TCP) connection from my inside network to the remote network.

The weird thing is that I can ping from each network to the other.

This is my config below:

access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0
static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 192.168.111.200
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
service-policy global_policy global
tunnel-group 192.168.111.200 type ipsec-l2l
tunnel-group 192.168.111.200 ipsec-attributes
 pre-shared-key *

Thanks for any answers.

New Member

Re: Pix-vpn site-to-site

Hi All,

The VPN problem has been resolved. It was a crypto ACL issue.

Thanks for the support.

regards

Rajesh P

Hall of Fame Super Blue

Re: Pix-vpn site-to-site

Hi Rajesh

Glad to hear you got it working and thanks for letting us know the outcome.

Jon
