narcus
asked on
PIX 515 to PIX 515 VPN trouble.
Hello, I have a 515 on site with one established VPN tunnel that works great. I need to add a second one, and that is what I am having trouble with. Maybe someone can look over my logs and see what I am doing wrong?
LOCALPIX ---->INTERNET<--- REMOTEPIX ---- REMOTE BOX
When I check the PDM monitor, all I am getting is errors, no encaps.
The end result is that I should be able to ping the remote box (10.10.3.130)
Please assume everything is correct on the other end.
It looks like I have a tunnel, but that's about it. I am not sure. Here is the debug info:
(I changed IPs)
**************************
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 2016513549:78318e0d
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x97479435(2538050613) for SA
from 13.56.184.30 to 65.43.14.131 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:13.56.184.30/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:13.56.184.30/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 2732413543
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 13.56.184.30
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 2538050613, message ID = 114356279
ISAKMP (0): deleting spi 898910103 message ID = 2016513549
return status is IKMP_NO_ERR_NO_TRANS
**************************
HERE IS MY CONFIG
**************************
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 102 permit ip InternalLan 255.255.255.0 192.168.113.0 255.255.255.0
access-list 103 permit ip InternalLan 255.255.255.0 192.168.113.0 255.255.255.0
access-list 103 permit ip InternalLan 255.255.255.0 10.10.3.0 255.255.255.0
access-list 104 permit ip InternalLan 255.255.255.0 10.10.3.0 255.255.255.0
icmp permit any outside
icmp permit any inside
ip address outside 65.43.14.131 255.255.255.128
ip address inside 11.11.11.252 255.255.255.0
ip local pool ippool 1.1.3.1-1.1.3.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 103
nat (inside) 1 1.0.0.0 255.0.0.0 0 0
conduit permit icmp any any
rip outside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 65.43.14.132 1
route outside 10.0.0.0 255.0.0.0 65.43.14.132 1
route outside 10.10.3.0 255.255.255.0 65.43.14.132 1
route outside 10.11.11.0 255.255.255.0 65.43.14.132 1
route outside 192.168.113.0 255.255.255.0 65.43.14.132 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set peer ********(OTHER WORKING VPN)****
crypto map mymap 20 set transform-set ESP-3DES-MD5
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 104
crypto map mymap 30 set peer 13.56.184.30
crypto map mymap 30 set transform-set ESP-3DES-MD5
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address ********** netmask 255.255.255.255
isakmp key ******** address 13.56.184.30 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
**************************
Here is the other side's relevant config
**************************
crypto map VPNMap 11 ipsec-isakmp
crypto map VPNMap 11 match address intselector
crypto map VPNMap 11 set peer 65.43.14.131
crypto map VPNMap 11 set transform-set stronger
isakmp key ************ address 65.43.14.131 netmask 255.255.255.255
object-group network i-grp-intmonitor
network-object host 10.10.3.130
network-object host 10.10.3.131
network-object host 10.10.3.132
object-group service grp-intmonitor tcp
port-object eq 3389
object-group network Intellinet
network-object 11.11.11.252 255.255.255.255
access-list intselector permit tcp object-group i-grp-intmonitor object-group grp-intmonitor object-group Intellinet
access-list intselector permit icmp object-group i-grp-intmonitor object-group Intellinet
**************************
please let me know if anything else is needed. I am putting 500 points on this one.
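The numbers in the debug trail above are worth decoding before touching the config: per RFC 2408 a NOTIFY type 14 is NO-PROPOSAL-CHOSEN, and per RFC 2407 protocol 3 is ESP and type 24578 is INITIAL-CONTACT. So the peer accepted the Phase 1 policy, authenticated with the pre-shared key, and then refused the Phase 2 (IPsec) proposal. The script below is an added example, not code from the original post; it parses a copy of the debug lines above (the IPs as the poster altered them) and reports how far the negotiation got.

```python
"""Decode the ISAKMP/IPsec debug trail from a PIX 6.x and report where the
negotiation stopped.  Added example, not part of the original post.  The
notify-type and protocol-ID tables come from RFC 2408 s.3.14.1 and
RFC 2407 s.4.4.1 / s.4.6.3."""
import re

# ISAKMP notify message types we care about here (RFC 2408 / RFC 2407).
NOTIFY_TYPES = {
    14: "NO_PROPOSAL_CHOSEN",
    24578: "INITIAL_CONTACT",
}
# ISAKMP protocol IDs (RFC 2407 s.4.4.1).
PROTOCOL_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP"}

# Constructed sample: the relevant lines copied from the debug output above.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 2016513549:78318e0d
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
IPSEC(key_engine_delete_sas): delete all SAs shared with 13.56.184.30
ISAKMP (0): processing NOTIFY payload 14 protocol 3
ISAKMP (0): deleting spi 898910103 message ID = 2016513549
"""

# "sending NOTIFY message N protocol P" is ours, "processing NOTIFY payload N
# protocol P" is the peer's.
NOTIFY_RE = re.compile(r"(sending|processing) NOTIFY (?:message|payload) (\d+) protocol (\d+)")


def decode_notifies(debug_text):
    """Return [(direction, notify_name, protocol_name)] for every NOTIFY line."""
    out = []
    for line in debug_text.splitlines():
        m = NOTIFY_RE.search(line)
        if not m:
            continue
        direction = "sent" if m.group(1) == "sending" else "received"
        ntype, proto = int(m.group(2)), int(m.group(3))
        out.append((direction,
                    NOTIFY_TYPES.get(ntype, f"type {ntype}"),
                    PROTOCOL_IDS.get(proto, f"protocol {proto}")))
    return out


def diagnose(debug_text):
    """Summarise the IKE state machine: did Phase 1 complete, did Phase 2
    start, did the peer reject it.  Returns a dict so callers can assert on it."""
    phase1_ok = "SA has been authenticated" in debug_text
    phase2_started = "beginning Quick Mode exchange" in debug_text
    notifies = decode_notifies(debug_text)
    phase2_rejected = ("received", "NO_PROPOSAL_CHOSEN", "ESP") in notifies
    if not phase1_ok:
        verdict = "phase 1 failed: check ISAKMP policy and pre-shared key"
    elif phase2_rejected:
        verdict = ("phase 1 up, phase 2 rejected by peer (NO_PROPOSAL_CHOSEN for ESP): "
                   "compare transform sets and crypto ACL proxy identities")
    elif phase2_started:
        verdict = "phase 2 in progress"
    else:
        verdict = "phase 1 up, phase 2 not attempted: check crypto map and interesting traffic"
    return {"phase1_ok": phase1_ok, "phase2_started": phase2_started,
            "phase2_rejected": phase2_rejected, "notifies": notifies,
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run it against a fresh `debug crypto isakmp` capture and the verdict line tells you which half of the configuration to compare with the peer; the two usual Phase 2 culprits on a PIX are the transform set named in the crypto map entry and the crypto ACL that supplies the proxy identities.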
ASKER
that is all I have. I did request one change to the other side:
**************
object-group network Intellinet
network-object 11.11.11.252 255.255.255.255
********
CHANGED TO:
********
object-group network Intellinet
network-object 11.11.11.0 255.255.255.0
I can now ping the other side from my PIX, but only from my PIX. Weird thing is that it appears to be creating a tunnel inside a tunnel.
Check out the attached pic from the PDM:
PDM SCREEN SHOW: http://www.hippofest.com/pix.gif
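Cisco's guidance for PIX/IOS site-to-site tunnels is that the crypto ACLs on the two peers be mirror images, because each side proposes its own ACL entry as the Quick Mode proxy identities. The check below is an added example, not code from the original post or from Cisco; it transcribes access-list 104 from the local config and the remote `intselector` ACL (expanded from its object-groups), takes InternalLan to be 11.11.11.0/24 as the poster states later in the thread, and classifies each remote entry against the local ACL both before and after the Intellinet object-group change above.

```python
"""Mirror-image check for two peers' crypto ACLs (the Quick Mode proxy
identities).  Added example, not from the original post or from Cisco.
ACL entries are transcribed from the configs in the thread; InternalLan
is assumed to be 11.11.11.0/24 as the poster says."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    proto: str                   # "ip", "tcp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int = 0               # 0 = the ACE names no port

    def mirror(self):
        """The entry the other peer must carry for the proxy IDs to agree."""
        return Ace(self.proto, self.dst, self.src, self.dport)

    def covers(self, other):
        """True if this ACE would classify other's traffic as interesting."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.dport == 0 or self.dport == other.dport
        return (proto_ok and port_ok and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


def net(addr, mask="255.255.255.255"):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


# Local PIX: access-list 104, bound by 'crypto map mymap 30 match address 104'.
LOCAL_ACL = [Ace("ip", net("11.11.11.0", "255.255.255.0"),
                 net("10.10.3.0", "255.255.255.0"))]


def remote_acl(intellinet):
    """Remote 'intselector' ACL expanded from its object-groups.  'intellinet'
    is the Intellinet object-group member: 11.11.11.252/32 originally,
    11.11.11.0/24 after the change the poster requested."""
    hosts = [net(h) for h in ("10.10.3.130", "10.10.3.131", "10.10.3.132")]
    return ([Ace("tcp", h, intellinet, 3389) for h in hosts]
            + [Ace("icmp", h, intellinet) for h in hosts])


def classify(local, remote):
    """Per remote ACE: 'mirrored' (exact mirror exists locally), 'covered'
    (a broader local ACE contains its mirror, so the two sides would still
    propose different proxy IDs), or 'unmatched' (nothing local applies)."""
    local_set = set(local)
    result = {}
    for ace in remote:
        m = ace.mirror()
        if m in local_set:
            state = "mirrored"
        elif any(l.covers(m) for l in local):
            state = "covered"
        else:
            state = "unmatched"
        result[ace] = state
    return result


def summary(local, remote):
    """Counts per state; every entry 'mirrored' is the condition to aim for."""
    counts = {"mirrored": 0, "covered": 0, "unmatched": 0}
    for state in classify(local, remote).values():
        counts[state] += 1
    return counts


if __name__ == "__main__":
    for label, member in (("before", net("11.11.11.252")),
                          ("after", net("11.11.11.0", "255.255.255.0"))):
        print(label, summary(LOCAL_ACL, remote_acl(member)))
    # What a remote ACL that actually mirrors access-list 104 looks like:
    exact = [Ace("ip", net("10.10.3.0", "255.255.255.0"),
                 net("11.11.11.0", "255.255.255.0"))]
    print("mirror", summary(LOCAL_ACL, exact))
```

Both the before and after cases come out as six "covered" entries and no "mirrored" ones: widening Intellinet to the /24 fixes the address half, but the remote side still proposes per-host, per-protocol identities (tcp/3389 and icmp from three hosts) while the local side proposes `ip 11.11.11.0/24 <-> 10.10.3.0/24`. The two sides agree only when one of them is rewritten to the other's shape.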
ASKER
Wow. I need to watch my spelling.
Anyway, click on the above link for the screen shot.
ASKER
our internal network (not really, but in this scenario) is all in 11.11.11.0/24
ASKER CERTIFIED SOLUTION
ASKER
The vpn is established, it is just that all the packets are erroring out.
I am going to close this one, I have a strong feeling this issue isn't on my end. Thanks.
Can you post the complete config for the other side?