Solved

515 pix to 515 pix VPN trouble.

Posted on 2004-07-30
6
5,595 Views
Last Modified: 2010-05-18
Hello, I have a 515 on site with one established VPN tunnel that works great. I need to add a second one, and that is what I am having trouble with. Maybe someone can look over my logs and see what I am doing wrong?

LOCALPIX ---->INTERNET<--- REMOTEPIX ---- REMOTE BOX

When I check the PDM monitor, all I am getting is errors, no encaps.
The end result is that I should be able to ping the remote box (10.10.3.130)
Please assume everything is correct on the other end.

It looks like I have a tunnel, but that's about it. I am not sure. Here is the debug info:
(I changed IPs)
***********************************************************
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 2016513549:78318e0dIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x97479435(2538050613) for SA
        from    13.56.184.30 to    65.43.14.131 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:13.56.184.30/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:13.56.184.30/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 2732413543
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with    13.56.184.30

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:13.56.184.30, dest:65.43.14.131 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
        spi 2538050613, message ID = 114356279
ISAKMP (0): deleting spi 898910103 message ID = 2016513549
return status is IKMP_NO_ERR_NO_TRANS
*************************************************
HERE IS MY CONFIG
*************************************************

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 102 permit ip InternalLan 255.255.255.0 192.168.113.0 255.255.255.0
access-list 103 permit ip InternalLan 255.255.255.0 192.168.113.0 255.255.255.0
access-list 103 permit ip InternalLan 255.255.255.0 10.10.3.0 255.255.255.0
access-list 104 permit ip InternalLan 255.255.255.0 10.10.3.0 255.255.255.0
icmp permit any outside
icmp permit any inside
ip address outside 65.43.14.131 255.255.255.128
ip address inside 11.11.11.252 255.255.255.0
ip local pool ippool 1.1.3.1-1.1.3.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 103
nat (inside) 1 1.0.0.0 255.0.0.0 0 0
conduit permit icmp any any
rip outside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 65.43.14.132 1
route outside 10.0.0.0 255.0.0.0 65.43.14.132 1
route outside 10.10.3.0 255.255.255.0 65.43.14.132 1
route outside 10.11.11.0 255.255.255.0 65.43.14.132 1
route outside 192.168.113.0 255.255.255.0 65.43.14.132 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set peer ********(OTHER WORKING VPN)****
crypto map mymap 20 set transform-set ESP-3DES-MD5
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 104
crypto map mymap 30 set peer 13.56.184.30
crypto map mymap 30 set transform-set ESP-3DES-MD5
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address ********** netmask 255.255.255.255
isakmp key ******** address 13.56.184.30 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

*******************************************
Here is the other side's relevant config
*******************************************
crypto map VPNMap 11 ipsec-isakmp
crypto map VPNMap 11 match address intselector
crypto map VPNMap 11 set peer 65.43.14.131
crypto map VPNMap 11 set transform-set stronger

isakmp key ************ address 65.43.14.131 netmask 255.255.255.255

object-group network i-grp-intmonitor
  network-object host 10.10.3.130
  network-object host 10.10.3.131
  network-object host 10.10.3.132

 object-group service grp-intmonitor tcp
  port-object eq 3389

object-group network Intellinet
  network-object 11.11.11.252 255.255.255.255

access-list intselector permit tcp object-group i-grp-intmonitor object-group grp-intmonitor object-group Intellinet
access-list intselector permit icmp object-group i-grp-intmonitor object-group Intellinet

**********************************

Please let me know if anything else is needed. I am putting 500 points on this one.
0
Comment
Question by:narcus
  • 4
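The debug above shows Phase 1 completing (`SA has been authenticated` after the priority 20 policy matched) and Quick Mode then being torn down right after a `NOTIFY payload 14 protocol 3`, which is ISAKMP's NO-PROPOSAL-CHOSEN. As an added example that is not part of this thread, the following Python script walks such a `debug crypto isakmp` capture and reports which phase failed; the embedded sample is a constructed, trimmed copy of the lines posted above.

```python
"""Classify a PIX 6.x 'debug crypto isakmp' capture by IKE phase (added example, not
from the thread). Notify 14 is NO-PROPOSAL-CHOSEN (RFC 2408); 24578 is INITIAL_CONTACT."""
import re

NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 24578: "INITIAL_CONTACT"}

# Constructed sample: a trimmed copy of the debug lines posted in the question.
SAMPLE_LOG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 2016513549:78318e0d
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 14 protocol 3
        spi 2538050613, message ID = 114356279
ISAKMP (0): deleting spi 898910103 message ID = 2016513549
"""

def classify(log):
    """Report which ISAKMP policy matched, whether Phase 1 authenticated, and the
    first notify the peer sent for protocol 3 (ESP) once Quick Mode had begun."""
    r = {"policy": None, "phase1_auth": False, "quick_mode": False, "phase2_notify": None}
    policy = None
    for line in log.splitlines():
        m = re.search(r"against priority (\d+) policy", line)
        if m:
            policy = int(m.group(1))          # policy currently being compared
        elif "atts are acceptable" in line:
            r["policy"] = policy              # this policy matched the peer's proposal
        elif "SA has been authenticated" in line:
            r["phase1_auth"] = True           # pre-shared key / identity accepted
        elif "beginning Quick Mode" in line:
            r["quick_mode"] = True
        elif r["quick_mode"] and r["phase2_notify"] is None:
            m = re.search(r"processing NOTIFY payload (\d+) protocol 3", line)
            if m:
                code = int(m.group(1))
                r["phase2_notify"] = NOTIFY_NAMES.get(code, str(code))
    if not r["phase1_auth"]:
        r["verdict"] = "phase 1 failed: check ISAKMP policy and pre-shared key"
    elif r["phase2_notify"]:
        r["verdict"] = ("phase 2 rejected by peer (%s): compare crypto ACLs and "
                        "transform sets on both sides" % r["phase2_notify"])
    else:
        r["verdict"] = "phase 2 completed"
    return r
```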
6 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11679528
Hi narcus,
Can you post the complete config for the other side.
0
 
LVL 2

Author Comment

by:narcus
ID: 11679994
That is all I have. I did request one change to the other side:
**************
object-group network Intellinet
  network-object 11.11.11.252 255.255.255.255
********
CHANGED TO:
********
object-group network Intellinet
  network-object 11.11.11.0 255.255.255.0

I can now ping the other side from my pix, but only from my pix. WEIRD THING is that it appears to be creating a tunnel inside a tunnel.
Check out the attached pic from the PDM:
PDM SCREEN SHOW: http://www.hippofest.com/pix.gif
0
 
LVL 2

Author Comment

by:narcus
ID: 11680009
Wow. I need to watch my spelling.
Anyway, click on the above link for the screen shot.
0
 
LVL 2

Author Comment

by:narcus
ID: 11680020
Our internal network (not really, but in this scenario) is all in 11.11.11.0/24
0
 
LVL 1

Accepted Solution

by:
rader19 earned 500 total points
ID: 11680753
OK, based on your debug from up top, it looks like the isakmp passwords might not match. Have them power down the device on the other side, then power it back up. While they are doing this, execute the following command on your pix, show isakmp sa, and see what the status is. If you get an idle, then you have established a VPN tunnel. Let me know what else you get. Based on your config, everything looks OK. You may want to add the following command: sysopt ipsec pl-compatible. The use of the sysopt ipsec pl-compatible command allows IPSec packets to bypass the NAT and ASA features, and enables incoming IPSec packets to terminate on the inside interface only after initially terminating on the outside interface.
0
 
LVL 2

Author Comment

by:narcus
ID: 11681661
The VPN is established, it is just that all the packets are erroring out.

I am going to close this one, I have a strong feeling this issue isn't on my end. Thanks
0
