
New Member

VPN Not Link after generate key

Hello,

I have a PIX 515E. I used the CA GEN RSA KEY 1024 command to generate a key. After entering this command, a message asks me to delete all the keys. In this case, does it affect my VPN link, because after using this command my VPN was disconnected.

Thanks,

VIN

20 REPLIES
Gold

Re: VPN Not Link after generate key

providing the vpn is authenticated using a digital certificate, then regenerating the rsa key will kill the vpn. the reason being the digital certificate is no longer valid, so the authentication at the vpn peer will fail.

New Member

Re: VPN Not Link after generate key

Hi Jackko,

Thanks for your reply. Is there any possible way to fix this problem?

Regards,

Vin

Gold

Re: VPN Not Link after generate key

i guess the only way is to enrol with the ca again, as you can't restore the keys or manually copy them back.

Re: VPN Not Link after generate key

Do you really use a Certificate Authority, or do you just use a Pre-Shared Key (PSK) for the VPN?

If you have pre-shared keys and you just want to assign an SSH key, because you have changed the hostname or domain name, then this will not affect your VPN!

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172795.html#wp1009419

sincerely

Patrick

New Member

Re: VPN Not Link after generate key

Hello Patrick/Jackko,

I am using a Pre-Shared Key for my VPN, and I just assigned an SSH key for remote access. Now I can access my firewall through SSH, but the VPN doesn't link. Anyway, as Jackko mentioned above, I need to restore or copy the keys back. Besides this way, do you think I should upload a new flash image to the PIX to solve this problem? If so, please help me with the way to upload it.

Thanks in advance.

Regards,

VIN

Gold

Re: VPN Not Link after generate key

as patrick suggested, providing the vpn authentication doesn't rely on a ca digital certificate, then re-generating the rsa key for ssh will not crash the existing vpn. it's got to be something else.

just wondering whether you are referring to lan-to-lan vpn or remote vpn access. in either case, would you please post the config?

New Member

Re: VPN Not Link after generate key

Hello Jackko,

What I am doing is site-to-site VPN. Please kindly check my configuration in the attached files.

Note: I have tried to use the debug command, but nothing appears, meaning that no debug messages appear.

Regards,

Vin

Re: VPN Not Link after generate key

Your access-lists seem to be wrong! The remote network and local network in the access-list do not correspond with the interface IP and subnet mask.

example:

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet

PIX(config)# nat (inside) 0 access-list NONAT

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto map REMOTE 10 match address VPN

You can just add another line to the access-list that matches the right subnet mask and IP network on both sides and it should rock.

Reset the Security Association:

clear ipsec sa

clear isakmp sa

See VPN guide:

Site-to-Site VPN Configuration Examples

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172795.html

sincerely

Patrick

Gold

Re: VPN Not Link after generate key

192.168.0.0/24 <--> rt <--> 192.168.250.4/30 <--> headoffice pix <--> www/vpn <--> ...

... <--> www/vpn <--> branchoffice pix <--> 192.168.110.0/30 <--> rt <--> 192.168.9.0/24

assuming the above topology is accurate, then a static route is missing on the headoffice pix for destination 192.168.0.0/24

on branchoffice pix existing config:

route outside 0.0.0.0 0.0.0.0 10.105.1.1 1

route inside 192.168.9.0 255.255.255.0 192.168.110.2 1

on headoffice pix existing config:

route outside 0.0.0.0 0.0.0.0 10.200.5.33 1

so you need to add back the route on headoffice pix e.g.

route inside 192.168.0.0 255.255.255.0 192.168.250.5

New Member

Re: VPN Not Link after generate key

Hello Patrick/Jackko,

Sorry for the late reply. I have applied the access-list and routing as you suggested above. But the main issue is why the VPN still cannot link; even though the access-list was incorrect, the two peers still cannot establish the link. I mean that when I use the debug command and clear ipsec/isakmp sa to reset the security associations, nothing happens.

Thanks,

Vin

Gold

Re: VPN Not Link after generate key

please post the latest config

New Member

Re: VPN Not Link after generate key

Hello Patrick/Jackko,

I have done the config, and now it works. The problem was caused by the access-list.

It seems I am not good at access-lists, and now I have a few networks in my network system. Through this VPN, can you please advise me on the access-list: how to allow LAN1 and LAN2 to access LAN3, and LAN3 to access LAN1 and LAN2, as shown in the attached file.

Thank you in advance

Regards,

VIN

Gold

Re: VPN Not Link after generate key

on h.o. pix

access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no_nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list crypto_traffic permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list crypto_traffic permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

on branch pix

access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list no_nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list crypto_traffic permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list crypto_traffic permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

another point that needs to be noticed is the routing.

on h.o. pix

route inside 192.168.0.0 255.255.255.0 192.168.3.1; and

route inside 172.16.1.0 255.255.255.0 192.168.3.1

on branch pix

route inside 192.168.1.0 255.255.255.0 192.168.2.1

on the lan1 router

ip route 0.0.0.0 0.0.0.0 192.168.3.2; or

ip route 192.168.1.0 255.255.255.0 192.168.3.2; and

ip route 172.16.1.0 255.255.255.0 192.168.4.2

on the lan2 router

ip route 0.0.0.0 0.0.0.0 192.168.4.1; or

ip route 192.168.1.0 255.255.255.0 192.168.4.1;

on the lan3 router

ip route 0.0.0.0 0.0.0.0 192.168.2.2; or

ip route 192.168.0.0 255.255.255.0 192.168.2.2; and

ip route 172.16.1.0 255.255.255.0 192.168.2.2
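As an added check (example code, not from the thread or from Cisco): a small Python script that parses the two PIX access-list sets above and verifies that every crypto ACL entry is mirrored on the peer and exempted from NAT on its own side, so a mask mismatch of the kind Patrick flagged earlier is reported instead of silently breaking phase 2. It assumes PIX 6.x `permit ip` syntax and the ACL names no_nat and crypto_traffic; the sample configs are constructed from the reply above.

```python
import ipaddress
import re

# PIX 6.x syntax assumed: access-list NAME permit ip SRC SMASK DST DMASK
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_acls(config_text):
    """Return {acl_name: {(src_network, dst_network), ...}} from config lines."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls.setdefault(name, set()).add((src_net, dst_net))
    return acls

def check_peers(local_cfg, remote_cfg, crypto="crypto_traffic", nonat="no_nat"):
    """List crypto entries with no mirror on the peer or not NAT-exempted locally."""
    local, remote = parse_acls(local_cfg), parse_acls(remote_cfg)
    # The peer's crypto ACL must be the exact mirror image (src/dst swapped).
    mirrored = {(dst, src) for src, dst in remote.get(crypto, set())}
    problems = []
    for src, dst in sorted(local.get(crypto, set())):
        if (src, dst) not in mirrored:
            problems.append(f"no mirror on peer for {src} -> {dst}")
        if (src, dst) not in local.get(nonat, set()):
            problems.append(f"{nonat} does not exempt {src} -> {dst}")
    return problems

# Constructed sample configs: the two ACL sets from the reply above.
HO_CFG = """
access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto_traffic permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto_traffic permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
BRANCH_CFG = """
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list crypto_traffic permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list crypto_traffic permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
"""
# Constructed broken branch config: wrong mask on the LAN2 entries, so the
# crypto ACL no longer mirrors the head office entry.
BRANCH_BAD = BRANCH_CFG.replace("172.16.1.0 255.255.255.0", "172.16.1.0 255.255.0.0")
```

Run check_peers in both directions (head office against branch and branch against head office), since each side only validates its own crypto ACL.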

New Member

Re: VPN Not Link after generate key

Hello Jackko,

Thank you Jackko, now I have got my VPN working. But my branch office can't access the Internet. What command do you think I should add in the PIX?

Thanks.

Regards,

VIN

New Member

Re: VPN Not Link after generate key

Please note that my head office has the Internet connection, which connects to the HO router.

Thanks

VIN

Gold

Re: VPN Not Link after generate key

just wondering if the branch office accesses internet directly or via the head office.

assuming the branch office has direct internet access, then i suspect that the nat/global statement may be inaccurate.

New Member

Re: VPN Not Link after generate key

Hello Jackko,

The branch office accesses the Internet via the head office. The VPN link is for backup purposes. In fact, we have an existing connection from the branch office router to the head office router by leased line, and normally the branch office accesses the data center and the Internet at the head office by leased line, but if the leased line is disconnected, we fall back to the VPN backup link. And now the problem is that when the branch office goes through the VPN link, they can't access the Internet.

Note: The head office router connects to another ISP (ISP2), and the branch office also goes to the Internet via ISP2.

Thanks

VIN

Gold

Re: VPN Not Link after generate key

it may not be feasible to allow internet browsing for the branch office via the vpn backup link, assuming that the head office pix has the internet as the default gateway.

e.g. providing we "tunnel everything" from the branch office via the vpn, the head office pix receives the internet traffic, decrypts the packets and tries to determine the next hop. since the packets are destined for the internet, the head office pix will try to forward the packets back out of the outside interface. unfortunately, that operation is not allowed on pix v6.x.

alternatively, if the pix default gateway is not the internet link, then "tunnel everything" originated from the branch office should work.

New Member

Re: VPN Not Link after generate key

Hello Jackko,

Please find the attached file for the whole network diagram and its scenario.

Please advise me, because I have tried to route on the router and the PIX, but still can't access the Internet.

Hope to hear from you soon.

Thank you.

Regards,

VIN

Gold

Re: VPN Not Link after generate key

i guess you've got 2 options.

when the leased line fails and the vpn backup kicks in, the branch office browses the internet directly via isp1; or

when the leased line fails and the vpn backup kicks in, the branch office browses the internet via the head office.

regardless of which option you choose, you'll need to configure 2 routes on the branch office router. one is the primary (i.e. the leased line); the other is a backup (i.e. the vpn link). to configure these 2 routes, you can manipulate the metrics.

now, if you prefer to let the branch office have direct internet access while the leased line fails, you can just configure nat/global.

alternatively, if you prefer to let the branch office browse via the head office over the vpn, then you'll need to:

1. head office pix points to the internal router as default gateway; configure a static route pointing to the branch office via the isp1 link.

2. create an acl "tunnel everything" for traffic originated from and destined for the branch office.
