02-03-2004 10:13 AM
Hi,
I am looking for a sample config that shows one PIX (515e) terminating two tunnels from two remote locations, both 501s.
Thanks in advance.
02-03-2004 11:13 AM
02-04-2004 10:23 AM
OK, I tried that config and am getting the following error:
crypto_isakmp_process_block:src:64.56.102.70, dest:64.56.98.107 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 2230297198, message ID = 2938608687
ISAKMP (0): deleting spi 1856171908 message ID = 671982714
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 1,
Here is the config for the PIX seeing that error:
access-list 100 permit ip 172.20.2.0 255.255.255.0 10.19.12.0 255.255.255.0
access-list neuro-vpn permit ip 172.20.2.0 255.255.255.0 10.19.12.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set geset esp-3des esp-md5-hmac
crypto map gems 20 ipsec-isakmp
crypto map gems 20 match address neuro-vpn
crypto map gems 20 set peer 64.56.102.70
crypto map gems 20 set transform-set geset
crypto map gems interface outside
isakmp enable outside
isakmp key ******** address 64.56.102.70 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
OK, on the other PIX here is what I see:
crypto_isakmp_process_block:src:64.56.98.107, dest:64.56.102.70 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 4037427190
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 64.56.102.70, src= 64.56.98.107,
dest_proxy= 10.19.12.0/255.255.255.0/0/0 (type=4),
src_proxy= 172.20.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 64.56.102.70, src= 64.56.98.107,
dest_proxy= 172.20.2.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.19.12.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
Here is the config for this side:
access-list 100 permit ip host 10.19.65.18 150.2.0.0 255.255.0.0
access-list 100 permit ip host 10.19.12.20 150.2.0.0 255.255.0.0
access-list 100 permit ip host 10.19.12.20 172.20.2.0 255.255.255.0
access-list gems-vpn permit ip host 10.19.65.18 150.2.0.0 255.255.0.0
access-list gems-vpn permit ip host 10.19.12.20 150.2.0.0 255.255.0.0
access-list gems-vpn permit ip host 10.19.12.20 172.20.2.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set geset esp-3des esp-md5-hmac
crypto map gems 10 ipsec-isakmp
crypto map gems 10 match address gems-vpn
crypto map gems 10 set peer 208.51.30.227
crypto map gems 10 set transform-set geset
crypto map gems 20 ipsec-isakmp
crypto map gems 20 match address gems-vpn
crypto map gems 20 set peer 64.56.98.107
crypto map gems 20 set transform-set geset
crypto map gems interface outside
isakmp enable outside
isakmp key ******** address 208.51.30.227 netmask 255.255.255.255
isakmp key ******** address 64.56.98.107 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
I don't see what I am missing.
Thanks in advance.
02-04-2004 11:01 AM
I found the issue: my ACL was not "an exact match". Thanks.
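The "proxy identities not supported" lines in the 501's debug are the IPsec policy check rejecting a proposal whose proxy (src/dst) identities do not match an entry in the local crypto ACL, which is why the two sides' crypto ACLs must be exact mirrors of each other. The following script is an added example, not code from the thread or from Cisco: it parses the PIX-style `access-list NAME permit ip ...` lines quoted above (the `neuro-vpn` ACL on the 515e and the `gems-vpn` ACL on the 501, embedded here as constructed sample text) and lists every entry on either side that the peer does not mirror exactly.

```python
import ipaddress

def _endpoint(tokens):
    """Consume one PIX ACL endpoint ('host A.B.C.D' or 'A.B.C.D MASK') from a token list."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists take a real subnet mask, not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_crypto_acl(config_text, acl_name):
    """Return the set of (src_net, dst_net) pairs from the 'permit ip' lines of one ACL."""
    pairs = set()
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue
        src, rest = _endpoint(tok[4:])
        dst, _ = _endpoint(rest)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local, remote):
    """Entries on each side that the peer does not carry as an exact (dst, src) swap.
    Both results are empty only when the two crypto ACLs mirror each other exactly,
    which is what the proxy-identity check in the debug output requires."""
    local_only = {p for p in local if (p[1], p[0]) not in remote}
    remote_only = {p for p in remote if (p[1], p[0]) not in local}
    return local_only, remote_only

# Constructed sample input: the crypto ACLs quoted in the thread, one per side of the tunnel.
PIX515_CONFIG = """
access-list neuro-vpn permit ip 172.20.2.0 255.255.255.0 10.19.12.0 255.255.255.0
"""
PIX501_CONFIG = """
access-list gems-vpn permit ip host 10.19.65.18 150.2.0.0 255.255.0.0
access-list gems-vpn permit ip host 10.19.12.20 150.2.0.0 255.255.0.0
access-list gems-vpn permit ip host 10.19.12.20 172.20.2.0 255.255.255.0
"""

def check_thread_acls():
    """Compare the two sides; returns the unmirrored entries of each as sorted strings."""
    local = parse_crypto_acl(PIX515_CONFIG, "neuro-vpn")
    remote = parse_crypto_acl(PIX501_CONFIG, "gems-vpn")
    local_only, remote_only = mirror_mismatches(local, remote)
    return (sorted(f"{s} -> {d}" for s, d in local_only),
            sorted(f"{s} -> {d}" for s, d in remote_only))

if __name__ == "__main__":
    for side, entries in zip(("515e", "501"), check_thread_acls()):
        for entry in entries:
            print(f"{side}: peer has no exact mirror of {entry}")
```

On the thread's configs the 515e's 172.20.2.0/24 -> 10.19.12.0/24 entry has no mirror because the 501 only lists host 10.19.12.20, and the 501's 150.2.0.0/16 entries show up as well because the same `gems-vpn` ACL is attached to both crypto map entries; a separate crypto ACL per peer keeps that noise out of the check.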