02-02-2009 11:18 PM - edited 02-21-2020 04:08 PM
Dear Friends,
I am trying to set up a VPN LAN-to-LAN tunnel between our branch office and Head Office. First I will explain my existing setup: we have a 512k leased line between these offices, and this acts as the primary link with the OSPF routing protocol. Now our management wants a backup for this 512k leased line, so I planned to build a LAN-to-LAN GRE over IPsec tunnel through the Internet as the backup. We have an Internet leased line in Head Office and ADSL in our branch office, each coming through an Internet router and terminating on a Cisco PIX at both ends. We achieved Phase 1 (ISAKMP), but Phase 2 (IPsec) is still down. When we check the PIX logs, we can see only encrypted traffic at one end and only decrypted traffic at the other end; it is not happening vice versa. Even OSPF is showing INIT at one router, and the other end is showing nothing. Please find attached the configuration and logs of this scenario. Kindly analyse this problem and give us feedback.
Thanks in advance
02-03-2009 12:08 AM
Hi,
You do not have a problem with Phase 2. It's something else.
It seems that packets from site B to site A are not encrypted (put in the tunnel). Do you have an access-list applied on the inside interface of PixB?
Regards, Celio
02-03-2009 12:23 AM
Hi,
Thanks a lot for your quick response.
No, we don't have any access-list applied on the inside interface of PIXB. Since this interface has security level 100, we did not put any access-list on it.
Do you want me to paste the PIX configs?
Thanks in advance
02-03-2009 03:04 AM
Hi,
Please find the sh ipsec debug messages from the B-end PIX:
IPSEC(key_engine_delete_sas): delete all SAs shared with 217.17.X.X
IPSEC(key_engine): got a queue event...
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 217.17.X.X
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 217.17.X.X
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
dest_proxy= 10.10.13.9/255.255.255.255/0/0 (type=1),
src_proxy= 10.10.13.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x8f461dcf(2403737039) for SA
from 217.17.X.X to 77.69.X.X for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
dest_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
src_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
dest_proxy= 10.10.13.9/255.255.255.255/0/0 (type=1),
src_proxy= 10.10.13.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xbaab8d0a(3131804938) for SA
from 217.17.X.X to 77.69.X.X for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
dest_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
src_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0xbaab8d0a(3131804938), conn_id= 3, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 77.69.X.X, dest= 217.17.X.X,
src_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
dest_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0xa87f66ad(2826921645), conn_id= 4, keysize= 0, flags= 0x4
Thanks for your time. Please check.
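Added example (not part of the original thread): a short Python parser for the IPSEC(initialize_sas) records in the debug output above, listing which SPIs were installed in each direction. It assumes 77.69.X.X is the local (B-end) peer, as the spi_response lines suggest; the function names are illustrative.

```python
import re

# Trimmed excerpt of the B-end debug output posted above (addresses masked as posted).
DEBUG = """\
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
dest_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
src_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
IPSEC(spi_response): getting spi 0xbaab8d0a(3131804938) for SA
from 217.17.X.X to 77.69.X.X for prot 3
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
dest_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
src_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
spi= 0xbaab8d0a(3131804938), conn_id= 3, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 77.69.X.X, dest= 217.17.X.X,
src_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
dest_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
spi= 0xa87f66ad(2826921645), conn_id= 4, keysize= 0, flags= 0x4
"""

HEADER = re.compile(r"^IPSEC\((\w+)\)")
FIELD = re.compile(r"(src_proxy|dest_proxy|src|dest|spi|conn_id)= ([^,/\s(]+)")

def parse_sas(text):
    """Return one dict of fields per IPSEC(initialize_sas) record."""
    sas, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new debug record starts; only initialize_sas records are kept
            cur = {} if m.group(1) == "initialize_sas" else None
            if cur is not None:
                sas.append(cur)
        elif cur is not None:  # continuation line of an initialize_sas record
            cur.update(FIELD.findall(line))
    return sas

def sa_directions(sas, local_peer):
    """Group SPIs by direction as seen from local_peer; count records without an spi."""
    out = {"inbound": [], "outbound": [], "incomplete": 0}
    for sa in sas:
        if "spi" not in sa:
            out["incomplete"] += 1  # record cut short in the paste
        elif sa.get("dest") == local_peer:
            out["inbound"].append(sa["spi"])
        elif sa.get("src") == local_peer:
            out["outbound"].append(sa["spi"])
    return out
```

Calling sa_directions(parse_sas(DEBUG), "77.69.X.X") on this excerpt returns one inbound and one outbound SPI between proxies 10.10.13.1 and 10.10.13.9, plus one record whose spi line is missing from the paste.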
02-03-2009 07:28 AM
Hi,
Please check what's wrong in our configs and kindly get back.
Thanks