VPN between 2811 and pix 501

palvin_225
Level 1

We replaced a PIX 501 at our head office with a 2811, IOS Advanced Security, version 12.4(8). We cannot get our VPN working. Everything else is working as it should. Here is our VPN config from the 2811:

*****************************************

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key somekey address 1.2.3.4
!
!
crypto ipsec transform-set someset esp-3des esp-sha-hmac
!
crypto map somemap 1 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set someset
 match address 130
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address a.b.c.d w.w.w.w
 ip broadcast-address 0.0.0.0
 ip access-group 101 in
 ip inspect ARULE in
 ip inspect ARULE out
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 10
 crypto map somemap
!
ip nat inside source list 112 interface FastEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 101 permit udp host 1.2.3.4 any eq isakmp
access-list 101 permit esp host 1.2.3.4 any
(some more access-list 101 rules follow)
access-list 112 deny ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 112 permit ip 10.0.0.0 0.255.255.255 any
access-list 130 remark ISAKMP_VPN
access-list 130 permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255

Our internal head office address range is 10.0.0.0 and our branch office (behind the PIX 501) address range is 10.0.10.0. We have NAT configured on our 2811.

If I do the VPN Tunnel test using SDM, it fails on the firewall test. What entries should we add in our firewall to allow VPN traffic? Please advise.

Thanks in advance.

9 Replies

Vikas Saxena
Cisco Employee

Hello Palvin,

Since you have NAT configured on the router you must have NAT bypass entries also in the router.

The crypto config is ok here.

Could you also post the debugs.

What do you mean by FW test?

Vikas

Hi Vikas,

Thanks for your reply. There is an option in SDM to check the VPN status. When I check it, I get an error that there is a problem in my firewall. I have attached the SDM report with this mail. Can you please give me an example of NAT bypass entries? I think I am missing that.

Thanks.

Vikas Saxena
Cisco Employee

Hello Palvin,

I apologize, you already have the bypass entries:

ip nat inside source list 112 interface FastEthernet0/0 overload
access-list 112 deny ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 112 permit ip 10.0.0.0 0.255.255.255 any

This access list tells the NAT algorithm that it should not NAT 10.0.0.0/24 when it is going to 10.0.10.0/24, and should NAT it when it is going anywhere else.

The commands on Fa0/0

ip inspect ARULE in
ip inspect ARULE out

are the FW commands. You can try removing these commands, which will disable the FW, and check whether it is the FW or not. Once the VPN is up you can enable the FW again.

The router FW will require a hole in order to let incoming connections in. However, if the connection is already made from inside, then the traffic would flow.

Did you try clicking on the button which says 'configure your FW'?

I am sorry I have no idea about SDM I am a CLI person.

-Vikas
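The three things Vikas has been checking by eye (NAT exemption for the tunnel traffic, the inbound WAN ACL letting the peer's IKE and ESP in, and the pre-shared key bound to the same address as the crypto map peer) can be checked mechanically. The script below is an added example, not part of the thread and not a Cisco tool; it parses a config fragment constructed from the one posted above (placeholder addresses kept, unrelated lines dropped) and reports each condition. The ACL grammar it understands is deliberately limited to the forms on this page (`any`, `host A`, `A WILDCARD`, optional `eq PORT`).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the router config posted in the thread (placeholder
# addresses kept as the poster wrote them; unrelated interface lines omitted).
ROUTER_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key somekey address 1.2.3.4
crypto ipsec transform-set someset esp-3des esp-sha-hmac
crypto map somemap 1 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set someset
 match address 130
interface FastEthernet0/0
 ip access-group 101 in
 ip nat outside
 crypto map somemap
ip nat inside source list 112 interface FastEthernet0/0 overload
access-list 101 permit udp host 1.2.3.4 any eq isakmp
access-list 101 permit esp host 1.2.3.4 any
access-list 112 deny ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 112 permit ip 10.0.0.0 0.255.255.255 any
access-list 130 remark ISAKMP_VPN
access-list 130 permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[str]  # "isakmp", "500", ... or None


ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.+)$")


def _parse_addr(tokens, i):
    """Consume one IOS ACL address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (hostmask) after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acls(config):
    """Return {acl_number: [Ace, ...]} in configured order; remarks are skipped."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        num, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_addr(tokens, 0)
        dst, i = _parse_addr(tokens, i)
        dport = tokens[i + 1] if i < len(tokens) and tokens[i] == "eq" else None
        acls.setdefault(int(num), []).append(Ace(action, proto, src, dst, dport))
    return acls


def _first(pattern, config):
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None


def nat_exempts_crypto_traffic(config):
    """Every permit in the crypto ACL must hit a *deny* first in the NAT ACL;
    otherwise the tunnel traffic is PATed to the WAN address and never
    matches the crypto map's 'match address'."""
    acls = parse_acls(config)
    crypto_acl = acls[int(_first(r"^\s*match address (\d+)", config))]
    nat_acl = acls[int(_first(r"^ip nat inside source list (\d+)", config))]
    for ace in crypto_acl:
        if ace.action != "permit":
            continue
        hit = next((n for n in nat_acl
                    if ace.src.subnet_of(n.src) and ace.dst.subnet_of(n.dst)), None)
        if hit is None or hit.action != "deny":
            return False
    return True


def wan_acl_permits_ike(config):
    """The inbound ACL on the crypto interface must let the peer's IKE
    (UDP 500) and ESP in. With NAT-T between the peers UDP 4500 would be
    needed as well; that is not the case on this page, so it is not required."""
    acls = parse_acls(config)
    peer = ipaddress.ip_network(_first(r"^\s*set peer (\S+)", config) + "/32")
    wan_acl = acls[int(_first(r"^\s*ip access-group (\d+) in", config))]
    isakmp_ok = any(a.action == "permit" and a.proto == "udp"
                    and peer.subnet_of(a.src) and a.dport in ("isakmp", "500")
                    for a in wan_acl)
    esp_ok = any(a.action == "permit" and a.proto == "esp" and peer.subnet_of(a.src)
                 for a in wan_acl)
    return isakmp_ok and esp_ok


def preshared_key_matches_peer(config):
    """The pre-shared key must be bound to the same address as 'set peer'."""
    return (_first(r"^crypto isakmp key \S+ address (\S+)", config)
            == _first(r"^\s*set peer (\S+)", config))


def check_site_to_site(config):
    return {
        "nat_exempts_crypto_traffic": nat_exempts_crypto_traffic(config),
        "wan_acl_permits_ike": wan_acl_permits_ike(config),
        "preshared_key_matches_peer": preshared_key_matches_peer(config),
    }


if __name__ == "__main__":
    for name, ok in check_site_to_site(ROUTER_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

All three checks pass on the posted config, which agrees with Vikas' reading that the router side is fine; what the script cannot see is the PIX side, where the crypto ACL has to be the exact mirror (10.0.10.0/24 to 10.0.0.0/24) and the NAT exemption the same. The second `ip nat inside source route-map` line is ignored here because its route map is not on the page.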

Hi Vikas,

The ip inspect ARULE is just an inspect rule for passive FTP. I tried removing it, but still no luck. I am new to SDM as well. Clicking on the button 'configure your FW' does not do anything. This SDM thing is not so good; it just adds a lot more useless extra code into the config rather than solving a problem. I even removed the access-list and tried it, but the tunnel status is down.

Thanks.

Hello Palvin,

Can you post the debugs? It is high time we looked at the debugs now.

Vikas

Hi Vikas,

Here are the debugs of VPN and crypto. The router address is referred to as

Hello Palvin,

Here is the analysis of the debug:

(key eng. msg.) OUTBOUND local= a.b.c.d(2811 IP Address), remote= 1.2.3.4(Peer Address),

You sent a packet. You are the initiator and 1.2.3.4 is the responder.

*Jun 8 12:27:44.914: ISAKMP: received ke message (1/1)

You received a Key Exchange message; this is the IKE peer authentication process.

*Jun 8 12:27:44.914: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

You are now entering Main Mode Exchange: phase 1.

*Jun 8 12:27:44.914: ISAKMP:(0:0:N/A:0): sending packet to 1.2.3.4(Peer Address) my_port 500 peer_port 500 (I) MM_NO_STATE >>>MainMode No State

*Jun 8 12:27:45.302: ISAKMP (0:0): received packet from 1.2.3.4(Peer Address) dport 500 sport 500 Global (N) NEW SA

You ARE receiving packets.

*Jun 8 12:27:45.302: %CRYPTO-4-IKMP_NO_SA: IKE message from 1.2.3.4(Peer Address) has no SA and is not an initialization offer

The other party has sent us a packet which was not part of the initialization process. This is the problem.

*Jun 8 12:27:54.914: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

You are retrying. Rest of the logs are rest of the attempts.

Can I get the config and debugs of the other side also?

Vikas
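Vikas' walk-through is a state-machine read of `debug crypto isakmp`: we are the initiator, we get as far as sending the first Main Mode packet (MM_NO_STATE), the peer does answer, but its packet belongs to no SA we know and is not a fresh proposal (IKMP_NO_SA), so we retransmit. The script below, an added example and not part of the thread, does that reduction over a constructed sample modelled on the lines quoted above (not the poster's attachment). The classification rules in `diagnose` are my own triage heuristics, not a Cisco reference; the "stale SA on the peer" cause named for the NO_SA case is the usual first thing to check after a device swap at the same address, and the thread does not confirm it.

```python
import re

# Constructed sample modelled on the debug lines quoted in the thread; the
# annotations Vikas added in brackets are left out so the lines parse as
# IOS prints them. Addresses are the thread's placeholders.
DEBUG_SAMPLE = """\
*Jun  8 12:27:44.914: ISAKMP: received ke message (1/1)
*Jun  8 12:27:44.914: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Jun  8 12:27:44.914: ISAKMP:(0:0:N/A:0): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun  8 12:27:45.302: ISAKMP (0:0): received packet from 1.2.3.4 dport 500 sport 500 Global (N) NEW SA
*Jun  8 12:27:45.302: %CRYPTO-4-IKMP_NO_SA: IKE message from 1.2.3.4 has no SA and is not an initialization offer
*Jun  8 12:27:54.914: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun  8 12:27:54.914: ISAKMP:(0:0:N/A:0): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

SEND_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) ((?:MM|AM|QM)_\w+)")
RECV_RE = re.compile(r"received packet from (\S+) dport")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
NO_SA_RE = re.compile(r"%CRYPTO-4-IKMP_NO_SA: IKE message from (\S+)")


def summarize_ike(debug_text):
    """Reduce 'debug crypto isakmp' output to the facts that decide phase-1
    triage: who initiated, the states we passed through, whether the peer
    sent anything at all, NO_SA errors, and how far the retransmits went."""
    s = {"role": None, "peer": None, "last_state": None, "states": [],
         "sent": 0, "received": 0, "no_sa_errors": 0,
         "retransmits": 0, "max_attempts": None}
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            s["peer"] = m.group(1)
            s["role"] = "initiator" if m.group(2) == "I" else "responder"
            s["last_state"] = m.group(3)
            s["states"].append(m.group(3))
            s["sent"] += 1
        elif RECV_RE.search(line):
            s["received"] += 1
        elif NO_SA_RE.search(line):
            s["no_sa_errors"] += 1
        elif m := RETRY_RE.search(line):
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
            s["max_attempts"] = int(m.group(2))
    return s


def diagnose(summary):
    """Return (code, explanation); rules run from 'worked' to 'silent peer'.
    Heuristics of this example only, not an IOS reference."""
    if "QM_IDLE" in summary["states"]:
        return ("PHASE1_OK",
                "Main Mode completed (QM_IDLE reached); look at phase 2 and the crypto ACLs instead.")
    if summary["received"] == 0:
        return ("NO_REPLY",
                "Peer never answered on UDP 500: check reachability, the inbound WAN ACL "
                "(udp 500 and esp from the peer) and the peer's isakmp key for our address.")
    if summary["no_sa_errors"] and summary["last_state"] == "MM_NO_STATE":
        return ("PEER_REPLIED_NO_SA",
                "Peer sent packets, but none belonged to an SA we know and none was a fresh "
                "Main Mode proposal, so we stay in MM_NO_STATE and retransmit. Usual first "
                "suspect after a device swap: the peer still holds an IKE/IPsec SA for our "
                "address; clear it there and compare the peer's debug.")
    if summary["last_state"] and summary["last_state"] != "MM_NO_STATE":
        return ("PHASE1_STALLED",
                f"Exchange stalled at {summary['last_state']}; compare isakmp policy "
                "(encr/hash/group/auth) and the pre-shared key on both sides.")
    return ("UNKNOWN", "Not enough debug output to classify.")


if __name__ == "__main__":
    summary = summarize_ike(DEBUG_SAMPLE)
    code, why = diagnose(summary)
    print(summary)
    print(f"{code}: {why}")
```

On the sample this reports `PEER_REPLIED_NO_SA`, which is the same reading Vikas gives above, and it is also why he asks for the PIX side next: the router's debug alone cannot say why the PIX is sending packets for an SA the new 2811 has never seen.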

Hi Vikas,

Please find attached the debugs from pix.

Thanks a lot,

Palwinder

Hi Vikas,

Please ignore the above debug document as after I copied that info, there were some more events generated. Attached is the full debug from pix.

Thanks,

Palwinder