I have spent a good deal of time attempting to set up what I feel should be a straightforward site-to-site shared-key VPN between two recently installed Cisco PIX firewalls. I have followed Cisco documents explaining step by step how to do this manually for exactly this scenario, and I have also used the PDM wizards to set it up, among many other combinations.
What I observe is the connection getting no further than, and failing at, establishing a phase 1 ISAKMP SA.
Both the 501 and the 515E are running PIX FW 6.2(2) and PDM 2.0(2), and both are licensed for 3DES.
This should be just sooooo easy to set up. The binaries for both devices are the same and the only difference between the two is the hardware, but as yet I have not found documents that suggest someone else has struck this.
Chances are the fix will be fairly simple, and I'd appreciate it if anyone has observed this before and can point out what's missing from the configs below.
Thanks for your help
Derek McCallum
PIX-501 CONFIG
: Saved
: Written by enable_15 at 06:38:15.836 UTC Wed Oct 30 2002
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password pL35NP2NgsUBXkpC encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname raynham
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.10.11.0 raynham_road
name 10.10.10.0 woodside
access-list inside_outbound_nat0_acl permit ip raynham_road 255.255.255.0 woodside 255.255.255.0
access-list outside_cryptomap_20 permit ip raynham_road 255.255.255.0 woodside 255.255.255.0
pager lines 24
logging on
logging console alerts
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 217.205.145.246 255.255.255.248
ip address inside 10.10.11.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location raynham_road 255.255.255.0 inside
pdm location woodside 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 217.205.145.245 netmask 255.255.255.255
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 raynham_road 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 217.205.145.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http raynham_road 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map raynhamrd 1 ipsec-isakmp
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 193.129.19.230
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 193.129.19.230 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
dhcpd address 10.10.11.100-10.10.11.131 inside
dhcpd dns 195.40.1.36 193.131.248.36
dhcpd wins 10.10.10.3 10.10.10.254
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:46b85fb322aca01490d80b9931c5c358
sh version
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Fri 07-Jun-02 17:49 by morlee
raynham up 2 hours 48 mins
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 000a.f45f.21eb, irq 9
1: ethernet1: address is 000a.f45f.21ec, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Limited
PIX-515E CONFIG
: Saved
: Written by fwadmin at 14:34:05.983 UTC Wed Oct 30 2002
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password pL35NP2NgsUBXkpC encrypted
passwd pL35NP2NgsUBXkpC encrypted
hostname pixfw
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.10.10.254 proxy
name 10.10.10.6 webint
name 10.10.10.4 enweb1
name 10.10.10.8 dns1
name 158.43.192.1 resolver1.pipex
name 158.43.128.1 resolver0.pipex
name 10.10.11.0 raynham_road
name 10.10.10.0 woodside
object-group service proxy_services tcp
port-object eq www
port-object eq smtp
object-group service webint tcp
port-object eq www
object-group service enweb1_services tcp
port-object eq pop3
port-object eq www
port-object eq smtp
port-object eq lotusnotes
object-group service dns1_service tcp-udp
port-object eq domain
object-group network resolvers.pipex
network-object resolver0.pipex 255.255.255.255
network-object resolver1.pipex 255.255.255.255
access-list outside_access_in permit tcp any host 193.129.19.225 object-group proxy_services
access-list outside_access_in permit tcp any host 193.129.19.227 object-group webint
access-list outside_access_in permit tcp any host 193.129.19.226 object-group enweb1_services
access-list outside_access_in permit tcp object-group resolvers.pipex host 193.129.19.228 object-group dns1_service
access-list outside_access_in deny ip any any
access-list inside_outbound_nat0_acl permit ip woodside 255.255.255.0 raynham_road 255.255.255.0
access-list outside_cryptomap_20 permit ip woodside 255.255.255.0 raynham_road 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
icmp deny any echo outside
icmp deny any router-solicitation outside
icmp deny any information-request outside
icmp deny any timestamp-request outside
icmp deny any mask-request outside
mtu outside 1500
mtu inside 1500
ip address outside 193.129.19.230 255.255.255.240
ip address inside 10.10.10.10 255.255.255.0
ip verify reverse-path interface outside
ip audit name CorneliusPIX515 attack action alarm
ip audit interface outside CorneliusPIX515
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.11 255.255.255.255 inside
pdm location 10.10.10.12 255.255.255.255 inside
pdm location 10.10.10.13 255.255.255.255 inside
pdm location proxy 255.255.255.255 inside
pdm location webint 255.255.255.255 inside
pdm location enweb1 255.255.255.255 inside
pdm location dns1 255.255.255.255 inside
pdm location resolver0.pipex 255.255.255.255 outside
pdm location resolver1.pipex 255.255.255.255 outside
pdm location raynham_road 255.255.255.0 outside
pdm location raynham_road 255.255.255.0 inside
pdm group resolvers.pipex outside
pdm history enable
arp timeout 14400
global (outside) 1 193.129.19.225
global (outside) 2 193.129.19.231
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 woodside 255.255.255.0 0 0
static (inside,outside) 193.129.19.225 proxy netmask 255.255.255.255 0 0 norandomseq
static (inside,outside) 193.129.19.227 webint netmask 255.255.255.255 0 0
static (inside,outside) 193.129.19.226 enweb1 netmask 255.255.255.255 0 0
static (inside,outside) 193.129.19.228 dns1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 193.129.19.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 158.43.128.66 source outside prefer
http server enable
http 10.10.10.11 255.255.255.255 inside
http 10.10.10.12 255.255.255.255 inside
http 10.10.10.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community c0rnel1us
no snmp-server enable traps
tftp-server inside 10.10.10.11 pix515_config.txt
floodguard enable
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map raynham 1 ipsec-isakmp
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.205.145.246
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.205.145.246 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 10.10.10.11 255.255.255.255 inside
telnet 10.10.10.12 255.255.255.255 inside
telnet 10.10.10.13 255.255.255.255 inside
telnet timeout 5
ssh 10.10.10.11 255.255.255.255 inside
ssh timeout 5
username fwmon password ohVqc//5NxtvgaXR encrypted privilege 3
username fwadmin password Docym4drZdgh5KPp encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 80
Cryptochecksum:14dcf7ed2bc59f63dcef4c44fd9c42d2
THE DEBUG INFORMATION BELOW IS GENERATED BY THE 501 IN RESPONSE TO SOMEONE ON THE REMOTE 515 PRIVATE-SIDE SUBNET TRYING TO TALK TO THE LOCAL 501 INSIDE SUBNET:
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_block: src 193.129.19.230, dest 217.205.145.246
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0
validate_payload: len 84
valid_payload:
valid_sa:
valid_transform:
isadb_create_sa:
crypto_isakmp_init_phase1_fields: responder
VPN Peer: ISAKMP: Added new peer: ip:193.129.19.230 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:193.129.19.230 Ref cnt incremented to:1 Total VPN Peers:1
is_auth_policy_configured:
auth 4
gen_cookie:
gen_cookie:
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0
check_isakmp_proposal:
is_auth_policy_configured:
auth 1
is_auth_policy_configured:
auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_parameters: dhset 0x80a781ac, phase 0
DH_ALG_PHASE1
process_sa: DONE - status 0x0
delete_sa_offers:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_isakmp_sa: auth 7
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x7
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 193.129.19.230, port 500
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_block: src 193.129.19.230, dest 217.205.145.246
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0
validate_payload: len 84
valid_payload:
valid_sa:
valid_transform:
isadb_create_sa:
crypto_isakmp_init_phase1_fields: responder
VPN Peer: ISAKMP: Peer ip:193.129.19.230 Ref cnt incremented to:2 Total VPN Peers:1
is_auth_policy_configured:
auth 4
gen_cookie:
gen_cookie:
isadb_free_isakmp_sa:
VPN Peer: ISAKMP: Peer ip:193.129.19.230 Ref cnt decremented to:1 Total VPN Peers:1
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1...
send_response:
isakmp_send: ip 193.129.19.230, port 500
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_block: src 193.129.19.230, dest 217.205.145.246
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0
validate_payload: len 84
valid_payload:
valid_sa:
valid_transform:
isadb_create_sa:
crypto_isakmp_init_phase1_fields: responder
VPN Peer: ISAKMP: Peer ip:193.129.19.230 Ref cnt incremented to:2 Total VPN Peers:1
is_auth_policy_configured:
auth 4
gen_cookie:
gen_cookie:
isadb_free_isakmp_sa:
VPN Peer: ISAKMP: Peer ip:193.129.19.230 Ref cnt decremented to:1 Total VPN Peers:1
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1...
send_response:
isakmp_send: ip 193.129.19.230, port 500
PEER_REAPER_TIMER
QM_TIMER
ISAKMP (0): deleting SA: src 193.129.19.230, dst 217.205.145.246
REAPER_TIMER
ISADB: reaper checking SA 0x80a77ef8, conn_id = 0 DELETE IT!
crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer: ISAKMP: Peer ip:193.129.19.230 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:193.129.19.230 Total VPN peers:0
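The usual first step with a phase 1 failure like the one above is to confirm that the two ends really do mirror each other: peer address, pre-shared key binding, transform set, crypto ACL (source/destination swapped) and an identical ISAKMP policy. The script below is an added example, not the poster's own tooling or anything from Cisco: it carries a small parser for just the PIX 6.2 command forms used in the post and cross-checks two config excerpts constructed from the VPN-relevant lines of the 501 and 515E configs ('********' is the key exactly as the PIX prints it). It works on any pair of PIX 6.x site-to-site configs that use these commands, not only this one. For the two configs in the post it reports no mismatch, which is consistent with the poster's reading that the configs look right and points the search at the exchange itself, where the debug trace shows the 501 answering as responder and then retransmitting until the SA is reaped.

```python
# Added example (not the poster's own tooling): cross-check the IKE/IPsec parts of two
# PIX 6.2 configs. The excerpts are constructed from the VPN lines in the post, and only
# the command forms that appear in them are parsed.
PIX501 = """\
name 10.10.11.0 raynham_road
name 10.10.10.0 woodside
access-list outside_cryptomap_20 permit ip raynham_road 255.255.255.0 woodside 255.255.255.0
ip address outside 217.205.145.246 255.255.255.248
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 193.129.19.230
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp key ******** address 193.129.19.230 netmask 255.255.255.255 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
"""
PIX515 = """\
name 10.10.11.0 raynham_road
name 10.10.10.0 woodside
access-list outside_cryptomap_20 permit ip woodside 255.255.255.0 raynham_road 255.255.255.0
ip address outside 193.129.19.230 255.255.255.240
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.205.145.246
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp key ******** address 217.205.145.246 netmask 255.255.255.255 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
"""


def parse(cfg):
    """Collect the VPN-relevant state from a PIX config excerpt."""
    d = {"names": {}, "acl": {}, "tset": {}, "map": {}, "map_if": {}, "keys": set(),
         "policy": {}, "outside": None}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "name":                                   # name <ip> <alias>
            d["names"][t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            d["acl"].setdefault(t[1], []).append(tuple(t[4:8]))   # src smask dst dmask
        elif t[:3] == ["ip", "address", "outside"]:
            d["outside"] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tset"][t[3]] = tuple(sorted(t[4:]))
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            d["map_if"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:                     # crypto map <name> <seq> ...
            e = d["map"].setdefault((t[2], t[3]), {})
            if t[4] == "match":
                e["acl"] = t[6]
            elif t[4] == "set":
                e[t[5]] = t[6]
        elif t[:2] == ["isakmp", "key"]:                     # isakmp key <k> address <ip>
            d["keys"].add(t[4])
        elif t[:2] == ["isakmp", "policy"]:                  # isakmp policy <n> <attr> <v>
            d["policy"].setdefault(t[2], {})[t[3]] = t[4]
    return d


def crypto_acl(d, name):
    """ACL as a set of (src, smask, dst, dmask) with 'name' aliases resolved."""
    ip = d["names"].get
    return {(ip(s, s), sm, ip(t, t), tm) for s, sm, t, tm in d["acl"].get(name, [])}


def check_side(L, R, side):
    """Findings from L's point of view against peer R (empty list means consistent)."""
    out = []
    for (name, seq), e in L["map"].items():
        if name not in L["map_if"]:
            continue                      # map not applied to an interface: inactive
        peer, ts, acl = e.get("peer"), e.get("transform-set"), e.get("acl")
        if peer != R["outside"]:
            out.append(f"{side}: map {name} {seq} peer {peer} is not the remote outside {R['outside']}")
        if peer not in L["keys"]:
            out.append(f"{side}: no isakmp key configured for peer {peer}")
        if L["tset"].get(ts) not in R["tset"].values():
            out.append(f"{side}: transform-set {ts} has no equivalent on the remote side")
        # The remote crypto ACL must be the exact mirror (src/dst swapped) of ours.
        mirror = {(t, tm, s, sm) for s, sm, t, tm in crypto_acl(L, acl)}
        if not mirror or not any(crypto_acl(R, r.get("acl")) == mirror for r in R["map"].values()):
            out.append(f"{side}: no remote crypto ACL mirrors {acl}")
    # Phase 1 needs one policy identical attribute-for-attribute on both sides
    # (lifetime is compared strictly here; IKE lets a responder accept a shorter one).
    if not any(p == q for p in L["policy"].values() for q in R["policy"].values()):
        out.append(f"{side}: no isakmp policy matches any remote policy")
    return out


def check_pair(cfg_a, cfg_b, a="A", b="B"):
    A, B = parse(cfg_a), parse(cfg_b)
    return check_side(A, B, a) + check_side(B, A, b)


if __name__ == "__main__":
    print(check_pair(PIX501, PIX515, "501", "515E") or "configs mirror each other")
```

Running it on the two excerpts prints "configs mirror each other"; changing one side's policy (say `encryption des` to `3des` on the 515E) or its peer address produces a finding from each affected side, which is the kind of one-sided mistake this check is meant to catch before anyone turns on `debug crypto isakmp`.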