Wandering_Wizard
Pix to Pix Vpn Problem

I have set up a VPN between 2 PIXs; the configuration was tested in the office. But by the time it has been implemented, the configuration of the main PIX has been changed to permit a DES VPN as well as the 3DES.

When you connect from the remote site, the connection fails (I haven't been able to try from the HO).
On receiving interesting data the remote site tries to initiate the VPN, tries to do the ISAKMP key exchange and then fails.

The following is the debug trace (IPs changed to protect the innocent!). Does anyone know what "ISAKMP: reserved not zero on payload 5!" means?

=====Debug from HO site=============
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.0.0.1, dest 172.16.1.1
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.0.0.1, dest 172.16.1.1
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block: src 10.0.0.1, dest 172.16.1.1
ISAKMP: reserved not zero on payload 5!
ISADB: reaper checking SA 0x80d61c20, conn_id = 0
crypto_isakmp_process_block: src 10.0.0.1, dest 172.16.1.1
ISAKMP: reserved not zero on payload 5!
ISAKMP (0): deleting SA: src 10.0.0.1, dst 172.16.1.1
ISADB: reaper checking SA 0x80d61c20, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:10.0.0.1 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:10.0.0.1 Total VPN peers:0
llyquid

Can you post the VPN related configs of the two PIX's??

Are you also trying to support dynamic crypto maps?

ASKER

Here are the configs, hope you can help

HO Site
=======
access-list 100 permit ip 10.0.2.0 255.255.255.0 10.0.18.0 255.255.255.0
access-list 100 permit ip 10.0.2.0 255.255.255.0 10.0.12.0 255.255.255.0
access-list l-ho permit ip 10.0.2.0 255.255.255.0 10.0.12.0 255.255.255.0
access-list l-ho permit ip 10.0.2.0 255.255.255.0 10.0.18.0 255.255.255.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set myset2 esp-des esp-md5-hmac
crypto map l-ho 10 ipsec-isakmp
crypto map l-ho 10 match address l-ho
crypto map l-ho 10 set peer 192.168.1.1
crypto map l-ho 10 set peer 10.0.0.1
crypto map l-ho 10 set transform-set myset myset2
crypto map l-ho 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map l-ho interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
isakmp key ******** address 10.0.0.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

Remote-Site
===========
access-list 100 permit ip 10.0.12.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list l-ho permit ip 10.0.12.0 255.255.255.0 10.0.2.0 255.255.255.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map l-ho 10 ipsec-isakmp
crypto map l-ho 10 match address lem-ho
crypto map l-ho 10 set peer 172.16.1.1
crypto map l-ho 10 set transform-set myset
crypto map l-ho 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map l-ho interface outside
isakmp enable outside
isakmp key ******** address 172.16.1.1 netmask 255.255.255.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
ASKER CERTIFIED SOLUTION
llyquid
Tim Holman
Do you have 3DES licenses at both ends ?
Please reject Quirkyquirky's answer.  He has posted like this locking up questions in almost every category using 3 different names: EliteKiller, LiloXwin and  Quirkyquirky
This person has been suspended for multiple violations of the Member
Agreement, and I will reject the proposed answer, and return your question to
the Active Questions List.

Thank you,

kb
Experts Exchange Moderator
yes, and you guys think you're experts - sheesh :-(
Suspended his account.  Related to the three posters from yesterday.

Regards,
ComTech
CS Admin @ EE
"ISAKMP: reserved not zero on payload 5!" is an error that usually indicates either a typo in the isakmp pre-shared key or a problem with your access-lists. On the "remote site" PIX, you reference a non-existent access-list in the following crypto map statement -- "crypto map l-ho 10 match address lem-ho".  It seems that the crypto map statement should read -- "crypto map l-ho 10 match address l-ho". Also, there is a mistake in the subnet mask in the following statement -- "isakmp key ******** address 172.16.1.1 netmask 255.255.255.0".  This should read -- "isakmp key ******** address 172.16.1.1 netmask 255.255.255.255".  Also, make sure that you didn't fat-finger the pre-shared key on either side.  Also, on the HO Site, you will need to separate the two tunnels by creating a "crypto map l-ho 20..." and moving the code for the other peer to it.
Whenever you make a change to a crypto map statement, be sure to remove the crypto map from the outside interface  and enable it again after you make the change. If not, you will lock up the PIX and/or the IOS will not write the code to the PIX.
That is all I notice now so start with these changes and we'll see where you stand then.

Hope this helps,
Tom
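The three config defects Tom lists above (a crypto map matching an undefined access-list, a host pre-shared key with a non-/32 netmask, and two peers sharing one crypto map sequence) are the kind of thing worth linting for before a PIX config is pushed. The script below is an added example written for this thread, not code from the posters or from Cisco; it parses a constructed copy of the remote-site config lines from the thread and reports those three conditions.

```python
import re

# Constructed sample based on the remote-site config posted in the thread,
# including the two defects the answer points out (undefined ACL "lem-ho",
# /24 netmask on a single-host pre-shared key). Not a real device config.
REMOTE_SITE_CONFIG = """\
access-list l-ho permit ip 10.0.12.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto map l-ho 10 ipsec-isakmp
crypto map l-ho 10 match address lem-ho
crypto map l-ho 10 set peer 172.16.1.1
isakmp key ******** address 172.16.1.1 netmask 255.255.255.0
"""


def lint_pix_vpn(config: str) -> list[str]:
    """Return one finding per defect of the kinds discussed in the thread."""
    acls = set()       # access-list names that are actually defined
    match_refs = []    # (map name, seq, acl) referenced by crypto maps
    peers = {}         # (map name, seq) -> list of peers on that entry
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            match_refs.append((m.group(1), m.group(2), m.group(3)))
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            peers.setdefault((m.group(1), m.group(2)), []).append(m.group(3))
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask (\S+)", line):
            # A key for one static peer should carry a host mask; anything
            # else is a wildcard key and deserves a second look.
            if m.group(2) != "255.255.255.255":
                findings.append(f"isakmp key for {m.group(1)} uses netmask "
                                f"{m.group(2)}; a single peer needs 255.255.255.255")
    for name, seq, acl in match_refs:
        if acl not in acls:
            findings.append(f"crypto map {name} {seq} matches undefined "
                            f"access-list {acl}")
    for (name, seq), plist in peers.items():
        if len(plist) > 1:
            findings.append(f"crypto map {name} {seq} has {len(plist)} peers "
                            f"({', '.join(plist)}); give each peer its own sequence")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_vpn(REMOTE_SITE_CONFIG):
        print("FINDING:", finding)
```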
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

I recommend: points to llyquid

if there is any objection or other expert commentary to this recommendation then please post in here within 7 days.
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. https://www.experts-exchange.com/Community_Support/

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

thanks,
lrmoore
EE Cleanup Volunteer
---------------------
Finalized as proposed

modulo

Community Support Moderator
Experts Exchange