PIX with 2 tunnels

Hi,

I am looking for a sample config that shows one PIX (515E) terminating two tunnels from two remote locations, both 501s.

Thanks in advance.

3 REPLIES

Re: PIX with 2 tunnels

OK, I tried that config and am getting the following error:

crypto_isakmp_process_block:src:64.56.102.70, dest:64.56.98.107 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 2230297198, message ID = 2938608687
ISAKMP (0): deleting spi 1856171908 message ID = 671982714
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 1,

Here is the config for the PIX seeing that error:

access-list 100 permit ip 172.20.2.0 255.255.255.0 10.19.12.0 255.255.255.0
access-list neuro-vpn permit ip 172.20.2.0 255.255.255.0 10.19.12.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set geset esp-3des esp-md5-hmac
crypto map gems 20 ipsec-isakmp
crypto map gems 20 match address neuro-vpn
crypto map gems 20 set peer 64.56.102.70
crypto map gems 20 set transform-set geset
crypto map gems interface outside
isakmp enable outside
isakmp key ******** address 64.56.102.70 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

OK, on the other PIX here is what I see:

crypto_isakmp_process_block:src:64.56.98.107, dest:64.56.102.70 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 4037427190
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 64.56.102.70, src= 64.56.98.107,
dest_proxy= 10.19.12.0/255.255.255.0/0/0 (type=4),
src_proxy= 172.20.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 64.56.102.70, src= 64.56.98.107,
dest_proxy= 172.20.2.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.19.12.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS

Here is the config for this side:

access-list 100 permit ip host 10.19.65.18 150.2.0.0 255.255.0.0
access-list 100 permit ip host 10.19.12.20 150.2.0.0 255.255.0.0
access-list 100 permit ip host 10.19.12.20 172.20.2.0 255.255.255.0
access-list gems-vpn permit ip host 10.19.65.18 150.2.0.0 255.255.0.0
access-list gems-vpn permit ip host 10.19.12.20 150.2.0.0 255.255.0.0
access-list gems-vpn permit ip host 10.19.12.20 172.20.2.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set geset esp-3des esp-md5-hmac
crypto map gems 10 ipsec-isakmp
crypto map gems 10 match address gems-vpn
crypto map gems 10 set peer 208.51.30.227
crypto map gems 10 set transform-set geset
crypto map gems 20 ipsec-isakmp
crypto map gems 20 match address gems-vpn
crypto map gems 20 set peer 64.56.98.107
crypto map gems 20 set transform-set geset
crypto map gems interface outside
isakmp enable outside
isakmp key ******** address 208.51.30.227 netmask 255.255.255.255
isakmp key ******** address 64.56.98.107 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I don't see what I am missing.

Thanks in advance.


Re: PIX with 2 tunnels

I found the issue: my ACL was not "an exact match". Thanks.
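The "exact match" requirement, as an added example that is not part of the thread: a Python check over constructed copies of the two crypto ACLs quoted above, verifying that every entry on one PIX has an exact mirror (source and destination swapped) on its peer, which is what the "proxy identities not supported" debug line is reporting. The corrected gems-vpn line in PIX_B_FIXED is an assumption, not taken from the thread.

```python
import ipaddress

# Constructed sample input: the crypto ACLs quoted in the two configs above.
PIX_A_ACL = """
access-list neuro-vpn permit ip 172.20.2.0 255.255.255.0 10.19.12.0 255.255.255.0
"""
PIX_B_ACL = """
access-list gems-vpn permit ip host 10.19.65.18 150.2.0.0 255.255.0.0
access-list gems-vpn permit ip host 10.19.12.20 150.2.0.0 255.255.0.0
access-list gems-vpn permit ip host 10.19.12.20 172.20.2.0 255.255.255.0
"""
# Assumed fix (not from the thread): the peer-facing entry rewritten as the
# exact mirror of PIX_A's entry, network for network instead of a single host.
PIX_B_FIXED = PIX_B_ACL.replace(
    "host 10.19.12.20 172.20.2.0 255.255.255.0",
    "10.19.12.0 255.255.255.0 172.20.2.0 255.255.255.0",
)


def _parse_addr(tokens):
    """Consume one PIX address spec ('host A.B.C.D' or 'NET MASK') from tokens."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_crypto_acl(text):
    """Return (src_network, dst_network) for every 'permit ip' ACE in the text."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            continue
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local_acl, remote_acl):
    """Local ACEs with no exact mirror (dst, src) on the peer: these are the
    proxy identities the peer's IPsec policy will reject during quick mode."""
    remote = set(parse_crypto_acl(remote_acl))
    return [(s, d) for s, d in parse_crypto_acl(local_acl) if (d, s) not in remote]


if __name__ == "__main__":
    for src, dst in mirror_mismatches(PIX_A_ACL, PIX_B_ACL):
        print(f"no mirror on peer for {src} -> {dst}")
    print("after fix:", mirror_mismatches(PIX_A_ACL, PIX_B_FIXED))
```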
