Unable to establish L2L ipsec VPN

jibsoni
Level 1

Dear all,

I have a PIX firewall on which 20 VPNs are terminated. One of my new requirements is to establish a VPN tunnel to another location to which I don't have access. On my side I have a pool of private IPs that is only allowed through the tunnel. I have configured a one-to-one NAT between one of the pool IPs and my internal server.

I have tried a lot, but the VPN tunnel is not coming up.

Please check the brief configuration and the attached full configuration. In my config 10.66.100.208 255.255.255.248 is the IP pool and 192.168.0.239 is my server. When I try to ping 192.168.108.75 from 192.168.0.239, the VPN ACL hit count is increasing but the tunnel is not coming up.

Please look into this and help me sort out this issue.

==============================================================
access-list NAT permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list NAT permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5

access-list NI permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list NI permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5


crypto ipsec transform-set NI esp-3des esp-sha-hmac

isakmp policy 25 authentication pre-share
isakmp policy 25 encryption 3des
isakmp policy 25 hash sha
isakmp policy 25 group 5
isakmp policy 25 lifetime 1440

crypto map forsberg 38 ipsec-isakmp
crypto map forsberg 38 match address NI
crypto map forsberg 38 set peer 1.1.1.250

crypto map forsberg 38 set transform-set NI
crypto map forsberg 38 set security-association lifetime seconds 3600

static (inside,outside) 10.66.100.209 192.168.0.239 netmask 255.255.255.255 0 0

isakmp key Fa$1xx!@$ address 1.1.1.250 netmask 255.255.255.255


======================================================================================

pixfirewall# sh access-list NI
access-list NI; 2 elements
access-list NI line 1 permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75 (hitcnt=87)
access-list NI line 2 permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5 (hitcnt=0)
pixfirewall#


5 Replies

praprama
Cisco Employee

Hi,

What do the debugs say when bringing the tunnel up? Please enable "debug crypto isa 127" and "debug crypto ipsec 127" and paste those outputs here after sanitizing them.

Thanks and Regards,

Prapanch

Hi Prapanch, thanks for your kind support.

Please check the debug crypto ipse 127 output; I believe the issue is here.

When I do debug crypto isa 127 I can't see the peer IP address.

pixfirewall# debug crypto ipse 127
pixfirewall# IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created

Could you please suggest something?

Please note that on my side I am using Cisco PIX 6.3 and on the other side they are using a Cisco router. I got the other side's ACL, and I am mentioning that as well. I don't have any other config of my peer end.

Extended IP access list FDN-VPN
10 permit ip host 192.168.108.75 10.66.100.208 0.0.0.7
20 permit ip host 10.67.1.5 10.66.100.208 0.0.0.7
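One thing worth verifying mechanically at this point is that the two crypto ACLs above are exact mirror images of each other, since an L2L IPsec tunnel needs matching proxy identities on both peers. The following script is an added example, not part of the original thread or of any Cisco tool: it parses the PIX-style ACL (network plus netmask) and the IOS-style ACL (network plus wildcard mask) as posted, normalizes both into (source network, destination network) pairs, and reports any entry that has no mirror on the other side. The sample ACL text is copied from the posts above; the function and variable names are this example's own.

```python
import ipaddress

# Sample input, copied from the two ACLs posted in the thread.
# PIX 6.3 syntax: network followed by a netmask.
PIX_ACL = """
access-list NI permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list NI permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5
"""

# IOS syntax: network followed by a wildcard (inverted) mask, with sequence numbers.
ROUTER_ACL = """
Extended IP access list FDN-VPN
10 permit ip host 192.168.108.75 10.66.100.208 0.0.0.7
20 permit ip host 10.67.1.5 10.66.100.208 0.0.0.7
"""


def _parse_addr(tokens, i, wildcard):
    """Parse one address spec starting at tokens[i].

    Returns (IPv4Network, index of the next unread token).  Handles the
    'host A.B.C.D', 'any' and 'A.B.C.D MASK' forms; MASK is a wildcard
    mask when wildcard=True (IOS) and a netmask otherwise (PIX).
    """
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    mask = ipaddress.ip_address(tokens[i + 1])
    if wildcard:
        # An IOS wildcard mask is the bitwise inverse of a netmask.
        mask = ipaddress.ip_address(int(mask) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False), i + 2


def parse_acl(text, wildcard):
    """Return the set of (src_network, dst_network) pairs for each 'permit ip' line.

    Lines that are not 'permit ip' entries (headers, remarks, other protocols)
    are skipped; only 'permit ip' entries define the proxy identities here.
    """
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        p = tokens.index("permit")
        if len(tokens) <= p + 1 or tokens[p + 1] != "ip":
            continue
        src, j = _parse_addr(tokens, p + 2, wildcard)
        dst, _ = _parse_addr(tokens, j, wildcard)
        entries.add((src, dst))
    return entries


def mirror_check(local, remote):
    """Compare two proxy-identity sets.

    Returns (missing_on_remote, missing_on_local): local entries whose
    swapped (dst, src) pair does not appear on the remote side, and remote
    entries whose mirror does not appear locally.  Both empty means the
    ACLs are exact mirror images.
    """
    remote_mirrored = {(dst, src) for (src, dst) in remote}
    return local - remote_mirrored, remote_mirrored - local


def check_thread_acls():
    """Run the mirror check on the two ACLs posted in the thread."""
    local = parse_acl(PIX_ACL, wildcard=False)
    remote = parse_acl(ROUTER_ACL, wildcard=True)
    return mirror_check(local, remote)


if __name__ == "__main__":
    missing_remote, missing_local = check_thread_acls()
    if not missing_remote and not missing_local:
        print("crypto ACLs are exact mirror images")
    for src, dst in missing_remote:
        print(f"no mirror on router side for: {src} -> {dst}")
    for src, dst in missing_local:
        print(f"no mirror on PIX side for:    {src} -> {dst}")
```

For the ACLs in this thread the check reports no mismatch, which rules out the proxy identities as the cause and leaves the SA state and the rest of the ISAKMP exchange as the place to look, as the debugs requested above would show.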

Hi,

The reason for this can be many. Can you paste the entire debugs over here? Just "clear crypto isakmp sa" and "clear crypto ipsec sa" and then initiate the tunnel to get the complete set of debugs.

Thanks and Regards,

Prapanch

Thanks Prapanch, thanks for your support.

After clearing the ISAKMP and IPsec SAs it started working.

Great. Glad to know that!
