07.26.2008 at 12:08PM PDT, ID: 23598009
L2L tunnel between C2801 and Pix 515

Asked by chris97b in IPSec Security Protocol, Virtual Private Networking (VPN), Cisco PIX Firewall

Tags: Cisco, Router, C2801, VPN to Pix 515

Hello all,

I'm having some issues in establishing a Lan to Lan tunnel between a Cisco 2801 and a PIX 515 (7.2). Essentially, the C2801 is configured for both remote access connections, as well as a L2L tunnel to another location.

The RA vpn is working perfectly, but I cannot seem to get the L2L tunnel up.

I have crawled the Cisco documentation extensively, but I cannot seem to find where the problem may lie. The debugs indicate that the phase 1 (isakmp) negotiations are not succeeding, but I simply do not see why. Relevant configs and debugs are below.

I am especially confused by the "MM_WAIT_MSG6" in the output of sh isakmp sa on the Pix. Would anyone happen to know what "message 6" is?

Thanks for any light you may be able to shed on this one.

Regards,
Chris


Relevant portions of C2801 config:


crypto keyring endpoints
  pre-shared-key address 0.0.0.0 0.0.0.0 key <snip>
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <snip> address 1.2.3.4 no-xauth
!
crypto isakmp client configuration group <snip>
 key <snip>
 dns 172.16.4.5 172.16.4.11
 domain <snip>
 pool remotepool
 acl 160

crypto isakmp profile ClientVPN
   match identity group Synchronet
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set aes-256-sha1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
crypto dynamic-map dynmap 5
 set transform-set aes-256-sha1
 set isakmp-profile ClientVPN
crypto dynamic-map dynmap 10
 set transform-set myset
 match address 170
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap

...

interface FastEthernet0/1
...
 crypto map mymap


access-list 170 permit ip 172.16.4.0 0.0.0.255 192.168.200.0 0.0.0.255




Relevant portions of Pix 515 config:



access-list 101 extended permit ip 192.168.200.0 255.255.255.0 172.16.4.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-none
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set tset esp-aes-256 esp-sha-hmac


crypto map activemap 10 match address 101
crypto map activemap 10 set peer 4.3.2.1
crypto map activemap 10 set transform-set strong


crypto map activemap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400


tunnel-group 4.3.2.1 type ipsec-l2l
tunnel-group 4.3.2.1 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite




output of C2801 sh crypto isakmp sa:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
4.3.2.1   1.2.3.4  MM_NO_STATE       5819    0 ACTIVE (deleted)
4.3.2.1   1.2.3.4  MM_NO_STATE       5817    0 ACTIVE (deleted)



output of PIX sh isakmp sa:

...

9   IKE Peer: 1.2.3.4
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6





output of debug crypto isakmp on PIX:




Jul 26 10:39:00 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, IKE MM Initiator FSM error history (struct &0x5079368)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
Jul 26 10:39:00 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, IKE SA MM:bf4d360f terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
Jul 26 10:39:00 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, sending delete/delete with reason message
Jul 26 10:39:00 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing blank hash payload
Jul 26 10:39:00 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing IKE delete payload
Jul 26 10:39:00 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing qm hash payload
Jul 26 10:39:00 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=5b742beb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jul 26 10:39:00 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Removing peer from peer table failed, no match!
Jul 26 10:39:00 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Error: Unable to remove PeerTblEntry
Jul 26 10:39:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE Initiator: New Phase 1, Intf cna, IKE Peer 1.2.3.4  local Proxy Address 192.168.200.0, remote Proxy Address 172.16.4.0,  Crypto map (activemap)
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing ISAKMP SA payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 88
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, processing SA payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, Oakley proposal is acceptable
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing ke payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing nonce payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing Cisco Unity VID payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing xauth V6 VID payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, Send IOS VID
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing VID payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, processing ke payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, processing ISA_KE payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, processing nonce payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, processing VID payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, Received Cisco Unity client VID
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, processing VID payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, Received DPD VID
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, processing VID payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, processing VID payload
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, Received xauth V6 VID
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, Connection landed on tunnel_group 1.2.3.4
Jul 26 10:39:02 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Generating keys for Initiator...
Jul 26 10:39:02 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing ID payload
Jul 26 10:39:02 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing hash payload
Jul 26 10:39:02 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Computing hash for ISAKMP
Jul 26 10:39:02 [IKEv1 DEBUG]: IP = 1.2.3.4, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jul 26 10:39:02 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing dpd vid payload
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jul 26 10:39:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 26 10:39:03 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 26 10:39:04 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 26 10:39:04 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 26 10:39:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 26 10:39:05 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
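The MM_WAIT_MSG6 state and the FSM error history in the debug above can be read mechanically: IKEv1 main mode is six messages (1-2 SA proposal, 3-4 KE and nonces, 5-6 ID and HASH), so an initiator stuck in MM_WAIT_MSG6 has sent message 5 and never received the responder's authenticated message 6, which Cisco documents as the typical symptom of a pre-shared key or peer-identity mismatch. The following is an added example, not code from the question or from Cisco: it walks a constructed capture modelled on the PIX debug, reports how far the exchange got, and pulls the (state, event) pairs out of the FSM history; the log format and state names are those in the debug, the regexes and hint table are assumptions.

```python
import re

# Added example (not from the question): triage a PIX/ASA "debug crypto isakmp" capture taken
# on the IKE initiator and report how far IKEv1 main mode got. SAMPLE is constructed,
# modelled on the capture in the question, with the vendor-ID chatter trimmed.
SAMPLE = """\
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE Initiator: New Phase 1, Intf cna, IKE Peer 1.2.3.4
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 88
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 320
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 320
Jul 26 10:39:02 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 96
Jul 26 10:39:10 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, IKE MM Initiator FSM error history (struct &0x5079368)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_SND_MSG5, NullEvent
"""

MSG_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=0\) with payloads : (.+)")
FSM_RE = re.compile(r"FSM error history .*?<event>:\s*(.+)")
# Payload that identifies main-mode messages 1..6: SA, SA, KE+nonce, KE+nonce, ID+HASH, ID+HASH.
# As initiator we send the odd-numbered messages and receive the even-numbered ones.
MM_MARKER = ["SA", "SA", "KE", "KE", "ID", "ID"]
# Meaning Cisco documents for the initiator-side MM_WAIT_MSGn states covered here.
STALL_HINTS = {
    2: "peer never answered MSG1: unreachable, ISAKMP not enabled there, UDP/500 filtered, or no acceptable policy",
    6: "peer never sent its ID/HASH after our MSG5: pre-shared key or peer-identity mismatch on the responder",
}

def payload_types(payloads):
    # "HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224" -> ["HDR", "SA", "VENDOR", "NONE"]
    return [p.split(" (")[0].strip() for p in payloads.split(" + ")]

def main_mode_progress(log):
    """Return (last main-mode message completed, stall hint or None) for the last phase 1 attempt."""
    attempt = log.split("New Phase 1")[-1]      # the PIX logs this line for each attempt it initiates
    last = 0
    for direction, payloads in MSG_RE.findall(attempt):
        if last == 6:
            break
        expected = "SENDING" if last % 2 == 0 else "RECEIVED"
        if direction == expected and MM_MARKER[last] in payload_types(payloads):
            last += 1
    if last == 6:
        return 6, None
    return last, STALL_HINTS.get(last + 1, "waiting for main-mode message %d from the peer" % (last + 1))

def fsm_history(log):
    """(state, event) pairs from the 'IKE MM Initiator FSM error history' line, newest first."""
    m = FSM_RE.search(log)
    pairs = m.group(1).split("-->") if m else []
    return [tuple(s.strip() for s in p.split(",", 1)) for p in pairs if "," in p]
```

On the constructed capture `main_mode_progress(SAMPLE)` stops at message 5 with the MSG6 hint, and `fsm_history(SAMPLE)` shows the EV_PROB_AUTH_FAIL event raised while in MM_WAIT_MSG6, matching the question's debug.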