New Member

Unable to establish L2L ipsec VPN

Dear all,

I have a PIX firewall on which 20 VPNs are terminated. One of my new requirements is to establish a VPN tunnel to another location to which I don't have access. On my side I have a pool of private IPs that is only allowed through the tunnel. I have configured a one-to-one NAT with one of the pool IPs and my internal server.

I have tried a lot, but the VPN tunnel is not coming up.

Please check the brief configuration and the attached full configuration. In my config 10.66.100.208 255.255.255.248 is the IP pool and 192.168.0.239 is my server. When I try to ping 192.168.108.75 from 192.168.0.239 the VPN ACL count is increasing, but the tunnel is not coming up.

Please look into this and help me sort out this issue.

==============================================================
access-list NAT permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list NAT permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5

access-list NI permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list NI permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5


crypto ipsec transform-set NI esp-3des esp-sha-hmac

isakmp policy 25 authentication pre-share
isakmp policy 25 encryption 3des
isakmp policy 25 hash sha
isakmp policy 25 group 5
isakmp policy 25 lifetime 1440

crypto map forsberg 38 ipsec-isakmp
crypto map forsberg 38 match address NI
crypto map forsberg 38 set peer 1.1.1.250

crypto map forsberg 38 set transform-set NI
crypto map forsberg 38 set security-association lifetime seconds 3600

static (inside,outside) 10.66.100.209 192.168.0.239 netmask 255.255.255.255 0 0

isakmp key Fa$1xx!@$ address 1.1.1.250 netmask 255.255.255.255


======================================================================================

pixfirewall# sh access-list NI
access-list NI; 2 elements
access-list NI line 1 permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75 (hitcnt=87)
access-list NI line 2 permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5 (hitcnt=0)
pixfirewall#

5 REPLIES
Cisco Employee

Re: Unable to establish L2L ipsec VPN

Hi,

What do the debugs say when bringing the tunnel up? Please enable "debug crypto isa 127" and "debug crypto ipsec 127" and paste those outputs here after sanitizing them.

Thanks and Regards,

Prapanch

New Member

Re: Unable to establish L2L ipsec VPN

Hi Prapanch, thanks for your kind support.

Please check the debug crypto ipse 127 output; I believe here is the issue.

When I do debug crypto isa 127 I can't see the peer IP address.

pixfirewall# debug crypto ipse 127
pixfirewall# IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created

Could you please suggest ......

Please note that on my side I am using Cisco PIX 6.3 and on the other side they are using a Cisco router. I got the other side's ACL; I am mentioning that as well. I don't have any other config of my peer end.

Extended IP access list FDN-VPN
10 permit ip host 192.168.108.75 10.66.100.208 0.0.0.7
20 permit ip host 10.67.1.5 10.66.100.208 0.0.0.7

Cisco Employee

Re: Unable to establish L2L ipsec VPN

Hi,

The reason for this can be many. Can you paste the entire debugs over here? Just "clear crypto isakmp sa" and "clear crypto ipsec sa" and then initiate the tunnel to get the complete set of debugs.

Thanks and Regards,

Prapanch

New Member

Re: Unable to establish L2L ipsec VPN

Thanks Prapanch, thanks for your support.

After clearing the ISAKMP and IPsec it started working.

Cisco Employee

Re: Unable to establish L2L ipsec VPN

Great. Glad to know that!!
