  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5638

515 pix to 515 pix VPN trouble.

Hello, I have a 515 on site with one established VPN tunnel that works great. I need to add a second one, and that is what I am having trouble with. Maybe someone can look over my logs and see what I am doing wrong?

LOCALPIX ---->INTERNET<--- REMOTEPIX ---- REMOTE BOX

When I check the PDM monitor, all I am getting is errors, no encaps.
The end result is that I should be able to ping the remote box (10.10.3.130)
Please assume everything is correct on the other end.

It looks like I have a tunnel, but that's about it. I am not sure. Here is the debug info:
(I changed IPs)
***********************************************************
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 2016513549:78318e0d
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x97479435(2538050613) for SA
        from    13.56.184.30 to    65.43.14.131 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:13.56.184.30/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:13.56.184.30/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 2732413543
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with    13.56.184.30

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
        spi 2538050613, message ID = 114356279
ISAKMP (0): deleting spi 898910103 message ID = 2016513549
return status is IKMP_NO_ERR_NO_TRANS
*************************************************
HERE IS MY CONFIG
*************************************************

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 102 permit ip InternalLan 255.255.255.0 192.168.113.0 255.255.255.0
access-list 103 permit ip InternalLan 255.255.255.0 192.168.113.0 255.255.255.0
access-list 103 permit ip InternalLan 255.255.255.0 10.10.3.0 255.255.255.0
access-list 104 permit ip InternalLan 255.255.255.0 10.10.3.0 255.255.255.0
icmp permit any outside
icmp permit any inside
ip address outside 65.43.14.131 255.255.255.128
ip address inside 11.11.11.252 255.255.255.0
ip local pool ippool 1.1.3.1-1.1.3.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 103
nat (inside) 1 1.0.0.0 255.0.0.0 0 0
conduit permit icmp any any
rip outside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 65.43.14.132 1
route outside 10.0.0.0 255.0.0.0 65.43.14.132 1
route outside 10.10.3.0 255.255.255.0 65.43.14.132 1
route outside 10.11.11.0 255.255.255.0 65.43.14.132 1
route outside 192.168.113.0 255.255.255.0 65.43.14.132 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set peer ********(OTHER WORKING VPN)****
crypto map mymap 20 set transform-set ESP-3DES-MD5
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 104
crypto map mymap 30 set peer 13.56.184.30
crypto map mymap 30 set transform-set ESP-3DES-MD5
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address ********** netmask 255.255.255.255
isakmp key ******** address 13.56.184.30 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

*******************************************
Here is the other side's relevant config
*******************************************
crypto map VPNMap 11 ipsec-isakmp
crypto map VPNMap 11 match address intselector
crypto map VPNMap 11 set peer 65.43.14.131
crypto map VPNMap 11 set transform-set stronger

isakmp key ************ address 65.43.14.131 netmask 255.255.255.255

object-group network i-grp-intmonitor
  network-object host 10.10.3.130
  network-object host 10.10.3.131
  network-object host 10.10.3.132

 object-group service grp-intmonitor tcp
  port-object eq 3389

object-group network Intellinet
  network-object 11.11.11.252 255.255.255.255

access-list intselector permit tcp object-group i-grp-intmonitor object-group grp-intmonitor object-group Intellinet
access-list intselector permit icmp object-group i-grp-intmonitor object-group Intellinet

**********************************

Please let me know if anything else is needed. I am putting 500 points on this one.
0
Asked by: narcus
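Two checks worth running against a post like this, as an added example (editor's code, not anything narcus or the commenters posted). First, classify the debug transcript: the standard ISAKMP notify numbers (RFC 2408) make "NOTIFY payload 14 protocol 3" a NO_PROPOSAL_CHOSEN for ESP, received from the peer after "SA has been authenticated", so phase 1 is fine and it is the Quick Mode proposal the remote rejects. Second, check whether the two crypto ACLs are mirror images, since a proxy-ID mismatch (or a transform-set mismatch, which the remote's unseen "stronger" set could also cause) is what produces that notify. The debug excerpt is copied from the question; the ACL entries are constructed from both configs, taking InternalLan as 11.11.11.0/24 as the asker states in a later comment.

```python
import ipaddress
import re

# ISAKMP notify message types (RFC 2408 section 3.14.1). 24578 is the
# Cisco private-use value that the PIX debug prints for INITIAL_CONTACT.
NOTIFY_TYPES = {
    1: "INVALID_PAYLOAD_TYPE",
    14: "NO_PROPOSAL_CHOSEN",
    18: "INVALID_ID_INFORMATION",
    24: "AUTHENTICATION_FAILED",
    24578: "INITIAL_CONTACT",
}
# IPsec DOI protocol identifiers (RFC 2407 section 4.4.1).
PROTO_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP"}

NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")


def classify_debug(text):
    """Summarise a 'debug crypto isakmp' transcript: did phase 1 authenticate,
    and which (non-informational) notify did the peer send last, for which
    protocol. A NO_PROPOSAL_CHOSEN for ESP after authentication means the
    peer rejected the Quick Mode proposal, not the pre-shared key."""
    phase1 = "SA has been authenticated" in text
    notifies = [(int(t), int(p)) for t, p in NOTIFY_RE.findall(text)]
    errors = [(t, p) for t, p in notifies if t != 24578]  # drop INITIAL_CONTACT
    if not errors:
        return {"phase1_authenticated": phase1, "peer_error": None, "protocol": None}
    t, p = errors[-1]
    return {
        "phase1_authenticated": phase1,
        "peer_error": NOTIFY_TYPES.get(t, f"UNKNOWN({t})"),
        "protocol": PROTO_IDS.get(p, f"UNKNOWN({p})"),
    }


def ace(proto, src, dst, dport=None):
    """One crypto-ACL entry normalised to network objects, so 'host x' and
    'x 255.255.255.255' compare equal. dport is the destination port for
    tcp/udp entries, None for 'ip' and 'icmp'."""
    return (proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def find_unmirrored(local, remote):
    """Return the local entries that have no exact mirror on the remote side
    (same protocol and port, source and destination swapped). Each such entry
    becomes a proxy-ID pair the responder will not find in its own ACL."""
    mirrored = {(p, d, s, port) for (p, s, d, port) in remote}
    return [e for e in local if e not in mirrored]


# Constructed sample: the tail of the debug output from the question.
DEBUG_EXCERPT = """\
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 2016513549:78318e0d
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 2732413543
ISAKMP (0): processing NOTIFY payload 14 protocol 3
        spi 2538050613, message ID = 114356279
ISAKMP (0): deleting spi 898910103 message ID = 2016513549
"""

# Local PIX: access-list 104, with InternalLan assumed to be 11.11.11.0/24.
LOCAL_ACL_104 = [ace("ip", "11.11.11.0/24", "10.10.3.0/24")]

# Remote side: access-list intselector with its object-groups expanded.
REMOTE_HOSTS = ("10.10.3.130/32", "10.10.3.131/32", "10.10.3.132/32")
REMOTE_INTSELECTOR = (
    [ace("tcp", h, "11.11.11.252/32", 3389) for h in REMOTE_HOSTS]
    + [ace("icmp", h, "11.11.11.252/32") for h in REMOTE_HOSTS]
)

# What the remote crypto ACL would have to contain to mirror ACL 104 exactly.
REMOTE_MIRROR_OF_104 = [ace("ip", "10.10.3.0/24", "11.11.11.0/24")]


if __name__ == "__main__":
    print(classify_debug(DEBUG_EXCERPT))
    for entry in find_unmirrored(LOCAL_ACL_104, REMOTE_INTSELECTOR):
        print("no mirror on remote for:", entry)
    print("unmirrored against a correct peer ACL:",
          find_unmirrored(LOCAL_ACL_104, REMOTE_MIRROR_OF_104))
```

Running it reports phase 1 authenticated with NO_PROPOSAL_CHOSEN for ESP, and that ACL 104 (ip, whole /24 to whole /24) has no mirror in intselector (tcp/3389 and icmp, three hosts to one host). Either side can be changed, but both crypto ACLs must describe the same traffic in opposite directions before Quick Mode will complete.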
1 Solution
 
grblades commented:
Hi narcus,
Can you post the complete config for the other side?
0
 
narcus (Author) commented:
That is all I have. I did request one change to the other side:
**************
object-group network Intellinet
  network-object 11.11.11.252 255.255.255.255
********
CHANGED TO:
********
object-group network Intellinet
  network-object 11.11.11.0 255.255.255.0

I can now ping the other side from my PIX, but only from my PIX. The weird thing is that it appears to be creating a tunnel inside a tunnel.
Check out the attached pic from the PDM:
PDM screen shot: http://www.hippofest.com/pix.gif
0
 
narcus (Author) commented:
Wow, I need to watch my spelling.
Anyway, click on the above link for the screen shot.
0
 
narcus (Author) commented:
Our internal network (not really, but in this scenario) is all in 11.11.11.0/24.
0
 
rader19 commented:
OK, based on your debug from up top, it looks like the ISAKMP passwords might not match. Have them power down the device on the other side, then power it back up. While they are doing this, execute the following command on your PIX: show isakmp sa, and see what the status is. If you get an idle state, then you have established a VPN tunnel. Let me know what else you get. Based on your config everything looks OK. You may want to add the following command: sysopt ipsec pl-compatible. The use of the sysopt ipsec pl-compatible command allows IPSec packets to bypass the NAT and ASA features, and enables incoming IPSec packets to terminate on the inside interface only after initially terminating on the outside interface.
0
 
narcus (Author) commented:
The VPN is established; it is just that all the packets are erroring out.

I am going to close this one. I have a strong feeling this issue isn't on my end. Thanks.
0