06-05-2006 07:07 AM
We replaced a PIX 501 at our head office with a 2811, IOS Advanced Security, version 12.4(8). We cannot get our VPN working. Everything else is working as it should be. Here is our VPN config from the 2811:
*****************************************
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key somekey address 1.2.3.4
!
!
crypto ipsec transform-set someset esp-3des esp-sha-hmac
!
crypto map somemap 1 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set someset
 match address 130
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address a.b.c.d w.w.w.w
 ip broadcast-address 0.0.0.0
 ip access-group 101 in
 ip inspect ARULE in
 ip inspect ARULE out
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 10
 crypto map somemap
!
ip nat inside source list 112 interface FastEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 101 permit udp host 1.2.3.4 any eq isakmp
access-list 101 permit esp host 1.2.3.4 any
some more access-list 101 rules follow
access-list 112 deny ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 112 permit ip 10.0.0.0 0.255.255.255 any
access-list 130 remark ISAKMP_VPN
access-list 130 permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
Our internal head office address range is 10.0.0.0 and our branch office (behind the PIX 501) address range is 10.0.10.0. We have NAT configured in our 2811.
If I do the VPN Tunnel test using SDM, it fails on the firewall test. What entries should we add in our firewall to allow VPN traffic? Please advise.
Thanks in advance.
06-05-2006 07:58 AM
Hello Palvin,
Since you have NAT configured on the router you must have NAT bypass entries also in the router.
The crypto config is ok here.
Could you also post the debugs?
What do you mean by FW test?
Vikas
06-05-2006 10:30 AM
Hi Vikas,
Thanks for your reply. There is an option in SDM to check the VPN status. When I check it I get an error that there is a problem in my firewall. I have attached the SDM report with this mail. Can you please give me an example of NAT bypass entries? I think I am missing that.
Thanks.
06-05-2006 08:33 PM
Hello Palvin,
I apologize, you already have the bypass entries:
ip nat inside source list 112 interface FastEthernet0/0 overload
access-list 112 deny ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 112 permit ip 10.0.0.0 0.255.255.255 any
This access list is telling the NAT algorithm that it should not NAT 10.0/24 while it is going to 10.0.10/24, and NAT it if it is going anywhere else.
The commands on Fa0/0
ip inspect ARULE in
ip inspect ARULE out
are the FW commands. You can try removing these commands which will disable the FW and you can check whether it is the FW or not. Once the VPN is up you can enable the FW.
The router FW will require a hole in order to let incoming connections in. However, if the connection is already made from inside then the traffic would flow.
Did you try clicking on the button which says 'configure your FW'?
I am sorry, I have no idea about SDM; I am a CLI person.
-Vikas
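The NAT bypass logic Vikas describes above, as an added Python example that is not part of this thread or of any Cisco tool: it reimplements IOS wildcard-mask ACL matching over the two access lists quoted in the thread (112 for NAT, 130 for the crypto map) and checks that every flow the crypto map selects is exempted from translation. The three sample flows are constructed; 203.0.113.9 is a documentation address standing in for an Internet host.

```python
import ipaddress

# Constructed ACL tables transcribed from the configuration posted earlier in the thread.
# Each entry is (action, source, source-wildcard, destination, destination-wildcard);
# IOS "any" is written as 0.0.0.0 with wildcard 255.255.255.255.
NAT_ACL_112 = [
    ("deny",   "10.0.0.0", "0.0.0.255",     "10.0.10.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.255.255.255", "0.0.0.0",   "255.255.255.255"),
]
CRYPTO_ACL_130 = [
    ("permit", "10.0.0.0", "0.0.0.255", "10.0.10.0", "0.0.0.255"),
]


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def flow_disposition(src, dst, nat_acl=NAT_ACL_112, crypto_acl=CRYPTO_ACL_130):
    """What the router does with one flow: translate it (NAT ACL permit)
    and/or select it for the tunnel (crypto ACL permit)."""
    return {
        "natted": acl_action(nat_acl, src, dst) == "permit",
        "encrypted": acl_action(crypto_acl, src, dst) == "permit",
    }


def nat_exemption_consistent(nat_acl, crypto_acl, sample_flows):
    """True when no sampled flow would be both translated and encrypted.
    A flow translated before the crypto map sees it no longer matches the
    crypto ACL and leaves the router in the clear; the deny line prevents that."""
    for src, dst in sample_flows:
        d = flow_disposition(src, dst, nat_acl, crypto_acl)
        if d["natted"] and d["encrypted"]:
            return False
    return True


if __name__ == "__main__":
    samples = [("10.0.0.5", "10.0.10.7"),    # head office LAN to branch LAN
               ("10.0.0.5", "203.0.113.9"),  # head office LAN to the Internet
               ("10.0.5.5", "10.0.10.7")]    # a 10.0.x.0 host outside the crypto ACL's /24
    for src, dst in samples:
        print(src, "->", dst, flow_disposition(src, dst))
    # The same NAT ACL with its deny line dropped: tunnel traffic would now be translated.
    broken_nat_acl = NAT_ACL_112[1:]
    print("consistent:", nat_exemption_consistent(NAT_ACL_112, CRYPTO_ACL_130, samples[:1]))
    print("consistent without deny:", nat_exemption_consistent(broken_nat_acl, CRYPTO_ACL_130, samples[:1]))
```

The third sample flow is worth noting when reading the posted config: the NAT permit covers all of 10.0.0.0/8, but the exemption and the crypto ACL only cover 10.0.0.0/24, so hosts in any other 10.0.x.0 subnet are translated and never enter the tunnel.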
06-06-2006 04:20 AM
Hi Vikas,
The ip inspect ARULE is just an inspect rule for passive FTP. I tried removing it but still no luck. I am also new to SDM. Clicking on the 'configure your FW' button does not do anything. This SDM thing is not so good. It just adds a lot more useless extra code into the config rather than solving a problem. I even removed the access-list and tried it, but the tunnel status is down.
Thanks.
06-06-2006 09:47 PM
Hello Palvin,
Can you post the debugs? It is high time we looked at the debugs now.
Vikas
06-08-2006 04:34 AM
06-08-2006 09:24 AM
Hello Palvin,
Here is the analysis of the debug:
(key eng. msg.) OUTBOUND local= a.b.c.d(2811 IP Address), remote= 1.2.3.4(Peer Address),
You sent a packet. You are the initiator and 1.2.3.4 is the responder.
*Jun 8 12:27:44.914: ISAKMP: received ke message (1/1)
You received a Key Exchange message; this is the IKE peer authentication process.
*Jun 8 12:27:44.914: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
You are now entering Main Mode Exchange: phase 1.
*Jun 8 12:27:44.914: ISAKMP:(0:0:N/A:0): sending packet to 1.2.3.4(Peer Address) my_port 500 peer_port 500 (I) MM_NO_STATE >>>MainMode No State
*Jun 8 12:27:45.302: ISAKMP (0:0): received packet from 1.2.3.4(Peer Address) dport 500 sport 500 Global (N) NEW SA
You ARE receiving packets.
*Jun 8 12:27:45.302: %CRYPTO-4-IKMP_NO_SA: IKE message from 1.2.3.4(Peer Address) has no SA and is not an initialization offer
The other party has sent us a packet which was not part of the initialization process. This is the problem.
*Jun 8 12:27:54.914: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
You are retrying. The rest of the logs are the remaining attempts.
Can I get the config and debugs of the other side also?
Vikas
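The walk through the ISAKMP debug above can be turned into a small triage script; the following Python is an added example, not part of this thread or of any Cisco tool. It parses the kind of `debug crypto isakmp` lines quoted by Vikas, counts packets sent and received, IKMP_NO_SA warnings and phase 1 retransmits, and returns the same conclusion he reached by hand. The sample log is constructed from the quoted lines; the peer address 1.2.3.4, the timestamps and the second retransmit round are placeholders.

```python
import re

# Constructed sample modelled on the debug lines quoted in the thread (placeholder
# peer 1.2.3.4; the second retransmit round is assumed, not copied from the thread).
SAMPLE_DEBUG = """\
*Jun 8 12:27:44.914: ISAKMP: received ke message (1/1)
*Jun 8 12:27:44.914: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Jun 8 12:27:44.914: ISAKMP:(0:0:N/A:0): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 8 12:27:45.302: ISAKMP (0:0): received packet from 1.2.3.4 dport 500 sport 500 Global (N) NEW SA
*Jun 8 12:27:45.302: %CRYPTO-4-IKMP_NO_SA: IKE message from 1.2.3.4 has no SA and is not an initialization offer
*Jun 8 12:27:54.914: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 8 12:27:54.914: ISAKMP:(0:0:N/A:0): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 8 12:27:55.310: %CRYPTO-4-IKMP_NO_SA: IKE message from 1.2.3.4 has no SA and is not an initialization offer
*Jun 8 12:28:04.914: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

# Patterns for the message shapes seen in the thread; (I)/(R) marks initiator or responder,
# and the token after it is the ISAKMP state at the time the packet was sent.
SENT_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+) ")
NO_SA_RE = re.compile(r"%CRYPTO-4-IKMP_NO_SA: IKE message from (\S+)")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")


def parse_isakmp_debug(text):
    """Summarise one debug capture into counters and the last observed state."""
    s = {"role": None, "peer": None, "last_state": None, "phase": None,
         "sent": 0, "received": 0, "no_sa": 0, "retransmits": 0, "max_attempts": None}
    for line in text.splitlines():
        m = SENT_RE.search(line)
        if m:
            s["sent"] += 1
            s["peer"] = m.group(1)
            s["role"] = "initiator" if m.group(2) == "I" else "responder"
            s["last_state"] = m.group(3)
            continue
        if RECV_RE.search(line):
            s["received"] += 1
            continue
        if NO_SA_RE.search(line):
            s["no_sa"] += 1
            continue
        m = RETRY_RE.search(line)
        if m:
            s["retransmits"] = int(m.group(1))
            s["max_attempts"] = int(m.group(2))
            s["phase"] = int(m.group(3))
    return s


def diagnose(s):
    """Map the summary onto the failure patterns discussed in the thread."""
    if s["sent"] == 0:
        return "no IKE packets sent: crypto map not applied or no interesting traffic"
    if s["received"] == 0:
        return "peer never answered: UDP/500 blocked on the path, or wrong peer address"
    if s["no_sa"] and s["last_state"] == "MM_NO_STATE":
        return ("peer replies, but with a message that is not a valid phase 1 response "
                "(IKMP_NO_SA): collect the peer's config and debugs")
    if s["retransmits"] and s["max_attempts"] and s["retransmits"] >= s["max_attempts"]:
        return "phase %d retransmit limit reached" % (s["phase"] or 1)
    return "no failure pattern recognised"


if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    print(summary)
    print(diagnose(summary))
```

The ordering of the checks in `diagnose` matters: "nothing received" and "received but rejected" look alike in `show crypto isakmp sa` (both stay in MM_NO_STATE), but the debug separates a firewall or routing problem from a peer that answers with the wrong message, which is the distinction Vikas draws above.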
06-09-2006 10:07 AM
06-09-2006 10:19 AM