Flexology

PIX 501 - PIX501 VPN Tunnel

Hello,
I'm trying to set up a VPN tunnel between 2 identical PIXs using PDM, but failing miserably....

PIX1 (Office)
Inside IP: 192.168.3.1
Outside IP: 192.168.0.2 (Test Environment WAN IP)

PIX2 (Shop)
Inside IP: 192.168.2.1
Outside IP: 192.168.0.3 (Test Environment WAN IP)

I've gone into the PDM VPN Wizard on the PIX1 and did the following
Step 1...
Create Site to Site VPN
Peer IP: 192.168.0.3
Pre-Shared Key: cisco

Step 2...
Encryption: 3DES
Authentication: MD5
DH Group: Group 2(1024-bit)

Step 3...
Encryption: 3DES
Authentication: MD5

Step 4...
Local Site
Interface: Inside
IP: 192.168.3.0
Mask 255.255.255.0

Step 5...
Local Site
Interface: Outside
IP: 192.168.2.0
Mask 255.255.255.0

Then I've gone into the PDM VPN Wizard on the PIX1 and did the following
Step 1...
Create Site to Site VPN
Peer IP: 192.168.0.2
Pre-Shared Key: cisco

Step 2...
Encryption: 3DES
Authentication: MD5
DH Group: Group 2(1024-bit)

Step 3...
Encryption: 3DES
Authentication: MD5

Step 4...
Local Site
Interface: Inside
IP: 192.168.2.0
Mask 255.255.255.0

Step 5...
Local Site
Interface: Outside
IP: 192.168.3.0
Mask 255.255.255.0

I can ping the outside of each PIX, but the tunnel doesn't come up and I can't ping anything on the inside of either firewall.

Please help...


Les Moore

You need a route statement in a lab like this...

route outside 0.0.0.0 0.0.0.0 <peer outside ip>

Or at least network specific routes
PIX1
  route outside 192.168.2.0 255.255.255.0 192.168.0.3

PIX2
  route outside 192.168.3.0 255.255.255.0 192.168.0.2

Hi Flexology,
I don't use the PDM much, but I do PIX-based VPNs all the time. A copy of your PIX config would help, which I believe you can get from the PDM in some format. Both sides of it if possible.

Just offhand, here are some common things to check:
    - Nonat (split-tunneling): are you doing NAT on the PIXes, and if so, have you defined VPN traffic as NOT NAT'ed?
    - If you can see your config, ensure the following is present on each end:
        sysopt connection permit-ipsec
        <some sort of crypto ipsec transform-set> These should match on each end.
        <some sort of crypto map> Ensure the last line of it is:
                crypto map <mapname> interface outside
        <isakmp key> this should have a key to the remote endpoint's address
        isakmp enable outside
        isakmp identity address
        <some sort of isakmp policy> These should match at each end.

-skpruett
Flexology
route outside 0.0.0.0 0.0.0.0 192.168.0.2
and
route outside 0.0.0.0 0.0.0.0 192.168.0.3
gives me "possible conflict with existing rules"

PIX1
  route outside 192.168.2.0 255.255.255.0 192.168.0.3

PIX2
  route outside 192.168.3.0 255.255.255.0 192.168.0.2

I get "route already exists".
This is for PIX1 (Office).

The config is out of the box except I've changed the inside IP and DHCP scope:

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt4 encrypted
passwd 2KFQnbN encrypted
hostname office
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 shop
access-list inside_outbound_nat0_acl permit ip 192.168.3.0 255.255.255.0 shop 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.3.0 255.255.255.0 shop 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location shop 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.0.3
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.0.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.3.2-192.168.3.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:300fb76e6ced3a3a912828
: end
[OK]

This is the shop PIX (PIX2):

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2Y4 encrypted
passwd 2KFQU encrypted
hostname shop
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.3.0 Office
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 Office 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 Office 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Office 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.0.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.0.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
Thanks very much for your reply and help...

I did....

PIX2:
  ip address outside 192.168.0.3
  route outside 192.168.3.0 255.255.255.0 192.168.0.2

PIX1
  ip address outside 192.168.0.2
  route outside 192.168.2.0 255.255.255.0 192.168.0.3

I can ping the outside of both firewalls from each other, but 192.168.3.1 can't see 192.168.2.1 and vice versa.
Can you post the result of "show cry is sa"?
This is from the shop (PIX2)

Total: 0
Embryonic: 0
dst          src         state         pending          created
Flexology,
A few questions. But first, you don't need to play with routes for the VPN. They are added dynamically when the VPN connects to point to the remote network.

1) It looks like you have a DHCP address on the outside at both points. If these offices are physically remote from each other, then your VPN needs static addressing at each end, since it needs to point to a specific IP address. It could be that you have a statically assigned IP at each end, but it's given to you via DHCP? If so, you will need to know these IP addresses for question 2 below.

2) Your tunnel endpoints are private addresses. The tunnel can't connect, since it has no way of knowing where those addresses are.
Office:
crypto map outside_map 20 set peer 192.168.0.3
isakmp key ******** address 192.168.0.3 netmask 255.255.255.255 no-xauth no-config-mode
    - These should be changed from 192.168.0.3 to the actual public address of the shop end if it's public

Shop:
crypto map outside_map 20 set peer 192.168.0.2
isakmp key ******** address 192.168.0.2 netmask 255.255.255.255 no-xauth no-config-mode
    - These should be changed from 192.168.0.2 to the actual public address of the office end if it's public.

3) Both sides probably need the line:
isakmp identity address
    - This tells each end to identify the remote end based on its endpoint address, not its hostname. Your rules use addressing so this is needed.

-skpruett
lrmoore beat me to the punch on item 1 and 2, related to your outside addressing. Check step 3 though and see if that affects the VPN connection.

-skpruett
skpruett,
I must take exception to this statement:
>But first, you don't need to play with routes for the VPN. They are added dynamically when the VPN connects to point to the remote network.
You MUST have either a default route or static routes. I've been down this road too many times in a lab environment. I won a case of beer over this exact issue.

Remember, this IS setup in a lab environment where there is no actual public IP addressing..

>3) Both sides probably need the line:
>isakmp identity address

Good catch, skpruett. Glad to have you on the team!
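As an added example that is not from this thread or from Cisco: a small Python audit that applies the checks raised above (static outside addresses that the peer statements point to, a default or static route outside to the remote LAN, the isakmp identity address line, and skpruett's checklist of key address, mirrored crypto ACL, nat 0 exemption, matching isakmp policy and required lines) to a pair of PIX 6.3 configs. The input is a constructed excerpt modelled on the Office config posted earlier, with hypothetical shortened ACL names; the Shop side is derived from it by swapping the LANs and peer.

```python
import re

# Constructed excerpt in the style of the Office PIX 6.3 config posted above (hypothetical short ACL names)
OFFICE = """
ip address outside dhcp setroute
access-list nat0 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list cmap permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nat0
sysopt connection permit-ipsec
crypto map outside_map 20 match address cmap
crypto map outside_map 20 set peer 192.168.0.3
crypto map outside_map interface outside
isakmp key ******** address 192.168.0.3 netmask 255.255.255.255
isakmp policy 20 hash md5
"""
# The Shop side is the mirror image: swap the two LANs and point the peer at the Office outside address
SHOP = (OFFICE.replace("192.168.3.0", "@").replace("192.168.2.0", "192.168.3.0")
        .replace("@", "192.168.2.0").replace("192.168.0.3", "192.168.0.2"))
REQUIRED = ("sysopt connection permit-ipsec", "crypto map outside_map interface outside", "isakmp identity address")
SCALARS = {"peer": r"crypto map \S+ \d+ set peer (\S+)", "cmap": r"crypto map \S+ \d+ match address (\S+)",
           "nat0": r"nat \(inside\) 0 access-list (\S+)", "key_addr": r"isakmp key \S+ address (\S+)",
           "outside": r"ip address outside (\S+)"}  # "outside" parses as "dhcp" when the address is not static

def parse(cfg):  # pull out the pieces of a config that decide whether a LAN-to-LAN tunnel can form
    d = {"acl": {}, "policy": {}, "routes": set(), "lines": set()}
    for ln in (raw.strip() for raw in cfg.strip().splitlines()):
        d["lines"].add(ln)
        d.update({k: m[1] for k, p in SCALARS.items() if (m := re.match(p, ln))})
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", ln):
            d["acl"].setdefault(m[1], set()).add((m[2], m[3], m[4], m[5]))  # (src, mask, dst, mask)
        elif m := re.match(r"isakmp policy \d+ (encryption|hash|group) (\S+)", ln):
            d["policy"][m[1]] = m[2]
        elif m := re.match(r"route outside (\S+) (\S+) \S+", ln):
            d["routes"].add((m[1], m[2]))
    return d

def audit(cfg_a, cfg_b):  # cross-check two peer configs; returns findings as (side, message) tuples
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for side, x, y in (("A", a, b), ("B", b, a)):
        peer, crypto = x.get("peer"), x["acl"].get(x.get("cmap"), set())
        mirror = {(dst, dm, src, sm) for src, sm, dst, dm in y["acl"].get(y.get("cmap"), set())}
        remote = {(dst, dm) for _, _, dst, dm in crypto}
        checks = [
            (y.get("outside") == peer, f"peer {peer} is not the remote side's static outside address"),
            (x.get("key_addr") == peer, "isakmp key address differs from the crypto map peer"),
            (crypto == mirror, "crypto ACL is not the mirror image of the remote crypto ACL"),
            (crypto <= x["acl"].get(x.get("nat0"), set()), "nat 0 ACL does not exempt all tunnel traffic"),
            (x["policy"] == y["policy"], "isakmp policy does not match the remote policy"),
            (("0.0.0.0", "0.0.0.0") in x["routes"] or remote <= x["routes"], "no default or static route to the remote network"),
        ] + [(req in x["lines"], f"missing line: {req}") for req in REQUIRED]
        out += [(side, msg) for ok, msg in checks if not ok]
    return out
```

Run against the constructed pair it reports, for each side, the DHCP outside address, the missing route and the missing isakmp identity address line; after those three fixes it returns no findings.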

YEA!!!!

I pinged from my PC on PIX1 to another on PIX2 and it all lit up like a Christmas tree....

show cry is sa

now shows

dst                         src                   state                        pending                created
192.168.0.3        192.168.0.2           qm_idle                        0                            1


I obviously need to accept one of your answers, but I'm not sure which one. I guess it was a combination of setting static routes/outside IPs and also your last comment on testing.

Thanks very very very much for your help

Andrew
lrmoore,
Lessons learned from my past: never take a bet with someone who frequently takes your beer. :) I'll take your word on that routing issue. I'm usually in a production environment where the VPNs connect with our PIXs. Since I'm only connecting to networks that are defined in the encryption domain (SA), I don't need to play with routing. I can see where it would have a place though.

Flexology,
Any luck with the tunnel?

Cool tip for both of you guys:
Add the endpoint for each side in the definition of the encryption domain. This will allow you, from one PIX, to ping the outside address of the remote PIX to bring up the tunnel. You aren't relying on internal stations at that point, and it's a great way to troubleshoot the actual VPN encryption piece of the connection. For this setup, do it like so:

Add to the Office PIX:
access-list inside_outbound_nat0_acl permit ip 192.168.3.0 255.255.255.0 192.168.0.3 255.255.255.255
access-list outside_cryptomap_20 permit ip 192.168.3.0 255.255.255.0 192.168.0.3 255.255.255.255

Add to the Shop PIX:
access-list inside_outbound_nat0_acl permit ip 192.168.3.0 255.255.255.0 192.168.0.2 255.255.255.255
access-list outside_cryptomap_20 permit ip 192.168.3.0 255.255.255.0 192.168.0.2 255.255.255.255

To bring up the tunnel from one side, ping the opposite side's outside address.

Why do this?
- It lets you test VPN rules outside of the actual internal networks and routing.
- You can also do this as a backup connection for a separate tunnel and test the rules, then use the normal tunnel for network traffic.

-skpruett
Yippee!
How about a split? You have a link right above the text input box that will let you split the points.

When I do a route, do I need to put in the outside of the PIX or do I need to put in the WAN side of the router?

PIX is inside 192.168.3.1 and outside 192.168.6.1
The ADSL Router is LAN 192.168.3.10 & WAN 212.x.x.x

I've put in these routes:

        outside 0.0.0.0 0.0.0.0 192.168.6.10 1 DHCP static
        outside 192.168.1.0 255.255.255.0 192.168.6.10 0 OTHER static
        outside 192.168.1.0 255.255.255.0 192.168.6.1 1 OTHER static
        inside 192.168.3.0 255.255.255.0 192.168.3.1 1 CONNECT static
        outside 192.168.6.0 255.255.255.0 192.168.6.1 1 CONNECT static

but still I can't ping 192.168.1.1 (a server), although the VPN tunnel creates itself.