Solved

Pix to Pix VPN

Posted on 2004-08-19
Last Modified: 2012-05-05
OK, here goes my first question at Experts-Exchange, which looks to me like the perfect place to get an answer.
This first post is intended to explain the case and get some preliminary advice (if needed). Hopefully tomorrow I will be able to post more specific information about the case (configuration files).

I need to connect one central office with at least 4 remote offices through VPN, and I also need to support mobile remote VPN clients.

For the central office I have a PIX 515E, and for each of the remote offices I have a PIX 501. The mobile remote VPN clients will be the Cisco VPN software client and also the Microsoft PPTP client.

Every office has DSL access to the Internet. At this point, I will assume that every PIX has a public IP on its outside interface, so NAT performed by the DSL routers will not be an issue for now.

I don't really think I'm too far away from the correct configuration; that's why I mentioned I will post the config files for the 515 and the 501 and we will start working from there. Once you have all seen them, I will be more specific about the problems I am facing.

After I started configuring the firewalls I learned about Cisco "Easy VPN". I have not used Easy VPN, but if an expert tells me that it is the best choice, I will use it. If I didn't use it the first time, it is simply because I didn't know about that feature, and also because I found out it is not compatible with NAT-T, which I plan to use in case I have problems with the DSL routers. Please feel free to comment on the "Easy VPN" issue.

Well, I think that's about it. I hope you can understand my English, since I'm writing from Spain, but more importantly, I hope I can understand your English, so I beg you to use as simple language as you can.
Question by:llandajuela

25 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11841132
Using a normal fixed VPN connection between offices is the best approach. EasyVPN is best used for client-to-LAN connections, so individual users can authenticate and be allocated a virtual IP address on the internal network. The PPTP configuration is fairly similar to the EasyVPN one.

Here is a good collection of configuration examples which can be very useful:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Here is my page about configuring EasyVPN with a RADIUS authentication server so you can control what services each individual end user is permitted to access:
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
 

Author Comment

by:llandajuela
ID: 11859895
I will start by posting two config files, one for the central PIX 515E called "sede2", and the other for one of the PIX 501s, called "sede5". I have them both on top of my desk; I mean that they are not placed in their offices with the Internet in the middle, they have a switch connecting their outside interfaces. My purpose, so far, is to create an IPsec VPN between them. I tried with PDM's VPN wizards, and the problem is I can't get the two LANs connected. As a test tool, I have a Terminal Server client on one side and a Terminal Server on the other side. From the 501 inside LAN I try to connect to the server on the 515 inside LAN and the VPN LED on the 501 turns on, but nothing else happens; I don't get the connection. From the 515 inside LAN, when I try to connect to the 501 inside LAN, nothing happens, not even the VPN LED on the 501 turns on.

                                                  sede5                10.0.3.0/24                      sede2
192.168.5.0/24----------------------PIX 501-----------------------------------------PIX 515----------------------192.168.2.0/24

sede2
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password aOEfjA4eLBhByK/2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname sede2
domain-name ***.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.5.0 sede5
access-list inside_outbound_nat0_acl permit ip any sede5 255.255.255.0
access-list outside_cryptomap_20 permit ip any sede5 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.0.3.2 255.255.255.0
ip address inside 192.168.2.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.2.100 255.255.255.255 inside
pdm location sede5 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route inside 0.0.0.0 0.0.0.0 10.0.3.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.0.3.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.0.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:483857f076d81b614896039f33b3191e



sede5

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aOEfjA4eLBhByK/2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname sede5
domain-name tarracoprevencio.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip any 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.3.4 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.3.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.0.3.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.0.3.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:6e127f375b287f69036494d3a70b933e
 
LVL 36

Expert Comment

by:grblades
ID: 11862948
sede2:
route inside 0.0.0.0 0.0.0.0 10.0.3.254 1
This should be 'route outside 0.0.0.0 0.0.0.0 10.0.3.254 1'.

I can't see anything else wrong. If fixing the command above does not help, then go into the command line interface, enter the following two debug commands and post the output when you try to send traffic over the VPN.
debug crypto ipsec
debug crypto isakmp
 

Author Comment

by:llandajuela
ID: 11863748
OK, I agree the "route inside" is a mistake, thanks. I will do the debug you propose.
But anyway, I think that in this case, where the outside interfaces are in the same network, the default gateway should not be relevant at all. I have observed that, if it is not present, the VPN LED doesn't even turn on.

But as I said, I will post the debug tomorrow; it was just a comment.

Thank you very much
 

Author Comment

by:llandajuela
ID: 11867681
I changed "inside" to "outside". When I try to connect from the 515 inside LAN to the 501 inside LAN, the "VPN Tunnel" LED on the 501 turns on.
Here's what I get on the 515:

sede2# debug crypto ipsec
sede2# debug crypto isakmp
sede2#
ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 2085383268:7c4c6c64IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xad1d38d9(2904373465) for SA
        from        10.0.3.4 to        10.0.3.2 for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 2691634822
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with        10.0.3.4

return status is IKMP_NO_ERR_NO_TRANS
VPN Peer: ISAKMP: Added new peer: ip:10.0.3.4/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.0.3.4/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
        spi 2904373465, message ID = 3777760658
ISAKMP (0): deleting spi 3644333485 message ID = 2085383268
return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.0.3.2, remote= 10.0.3.4,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= sede5/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of -2089006276:837c4b3cIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x92d5dcfe(2463489278) for SA
        from        10.0.3.4 to        10.0.3.2 for prot 3

crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
        spi 2463489278, message ID = 3309990897
ISAKMP (0): deleting spi 4275885458 message ID = 2205961020
return status is IKMP_NO_ERR_NO_TRANS
 
LVL 36

Expert Comment

by:grblades
ID: 11867971
It looks like something is timing out, but I cannot tell what it is.

Can you also post the debug output from the 501 when you connect from the 515 to the 501?
 

Author Comment

by:llandajuela
ID: 11878644
Debug from the 501 when generating traffic from the 515 to the 501:

sede5# debug crypto ipsec
sede5# debug crypto isakmp
sede5#
sede5#

crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:10.0.3.2/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.0.3.2/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 910564751
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with        10.0.3.2

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 503246918

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.0.3.4, src= 10.0.3.2,
    dest_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.0.3.4, src= 10.0.3.2,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3510050058

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.0.3.4, src= 10.0.3.2,
    dest_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.0.3.4, src= 10.0.3.2,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
0
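Both debugs above stop at the same point: phase 1 completes (`SA has been authenticated`), then every quick mode proposal is rejected with `IPSEC(validate_transform_proposal): proxy identities not supported`, and the proposal carries `src_proxy= 0.0.0.0/0.0.0.0`. That identity is how a crypto ACL whose source is `any` is sent on the wire, and on PIX 6.x a LAN-to-LAN tunnel only comes up when each peer's crypto ACL is the exact mirror image of the other's. The following Python check is an added example, not code from this thread or from Cisco; it parses the two `outside_cryptomap_20` entries from the configs posted above (with sede2's `sede5` name alias expanded to 192.168.5.0, as its `name` command defines it), reports why they cannot match, and builds the mirrored pair. The function names and the findings wording are mine.

```python
"""Mirror-image check for PIX 6.x LAN-to-LAN crypto ACLs (added example, not from the thread)."""
import ipaddress
import re

# Constructed input: the crypto ACL entries from the two configs posted above.
# sede2's config writes the remote LAN as the name alias 'sede5'; it is expanded here.
SEDE2_ACL = "access-list outside_cryptomap_20 permit ip any 192.168.5.0 255.255.255.0"
SEDE5_ACL = "access-list outside_cryptomap_20 permit ip any 192.168.2.0 255.255.255.0"

_ACE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")


def _operand(tokens):
    """Consume one PIX address operand ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]


def parse_ace(line):
    """Return (acl_name, source_network, destination_network) for one 'permit ip' entry."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError("not a 'permit ip' access-list entry: " + line)
    src, rest = _operand(m.group(2).split())
    dst, _ = _operand(rest)
    return m.group(1), src, dst


def check_mirror(local_line, remote_line):
    """Compare one peer's crypto ACE with the other's. Returns a list of findings; empty means OK.

    Quick mode offers the local source -> destination pair as the proxy identities, and the peer
    looks for an ACE whose source/destination are the reverse. 'any' goes on the wire as
    0.0.0.0/0.0.0.0 (the src_proxy in the debug above) and can never be the reverse of a LAN.
    """
    _, lsrc, ldst = parse_ace(local_line)
    _, rsrc, rdst = parse_ace(remote_line)
    findings = []
    for side, net in (("local source", lsrc), ("local destination", ldst)):
        if net.prefixlen == 0:
            findings.append(side + " is 'any' (proxy identity 0.0.0.0/0.0.0.0)")
    if (lsrc, ldst) != (rdst, rsrc):
        findings.append("not mirrored: local %s->%s, remote %s->%s" % (lsrc, ldst, rsrc, rdst))
    return findings


def mirrored_aces(acl_name, local_lan, remote_lan):
    """Build the pair of ACEs the two peers should carry (local LAN first, remote LAN second)."""
    a, b = ipaddress.ip_network(local_lan), ipaddress.ip_network(remote_lan)
    fmt = "access-list %s permit ip %s %s %s %s"
    return (fmt % (acl_name, a.network_address, a.netmask, b.network_address, b.netmask),
            fmt % (acl_name, b.network_address, b.netmask, a.network_address, a.netmask))


# The corrected pair for the topology in the thread: 192.168.2.0/24 behind sede2, 192.168.5.0/24 behind sede5.
FIXED_SEDE2, FIXED_SEDE5 = mirrored_aces("outside_cryptomap_20", "192.168.2.0/24", "192.168.5.0/24")

if __name__ == "__main__":
    print("as posted:", check_mirror(SEDE2_ACL, SEDE5_ACL))
    print("mirrored :", check_mirror(FIXED_SEDE2, FIXED_SEDE5))
    print(FIXED_SEDE2)
    print(FIXED_SEDE5)
```

The generated `FIXED_SEDE2` line replaces sede2's `outside_cryptomap_20` entry and `FIXED_SEDE5` replaces sede5's. The `nat (inside) 0 access-list` entries posted above still exempt the LAN-to-LAN traffic from PAT even with `any` as source, but the usual practice is to give them the same local-to-remote entry as the crypto ACL so that both lists describe exactly the traffic that should enter the tunnel.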
 
LVL 36

Expert Comment

by:grblades
ID: 11879011
I can't see what's wrong. I have asked lrmoore to have a look.
 
LVL 79

Expert Comment

by:lrmoore
ID: 11880172
2 things to look at:
> where the outside interfaces are in the same network, the default gateway should not be relevant at all
Absolutely not true. It has every relevance.

1. Both PIXes have this same default route:

> route outside 0.0.0.0 0.0.0.0 10.0.3.254 1

Unless .254 is a router, and that router has routes to both 192.168.5.0 and 192.168.2.0 pointing to the outside interface of each respective PIX, you will get this situation.

Suggest:
 no route outside 0.0.0.0 0.0.0.0 10.0.3.254 1
On sede5:
  route outside 192.168.2.0 255.255.255.0 10.0.3.2
On sede2:
  route outside 192.168.5.0 255.255.255.0 10.0.3.4

2. Make sure the default gateway of the two PC clients is the respective PIX inside interface.
 
 

Author Comment

by:llandajuela
ID: 11880655
I made the changes you suggest, and I made sure the default gateway is the firewall inside interface on both clients.
Anyway, this last change won't be an issue when the firewalls are finally working in place, because each one of them will have a default gateway pointing to the ADSL router.

Nothing seems to have changed. I made both debugs again, and even though they look the same to me, I post them just in case you detect some differences. Traffic was generated from the 515 to the 501; the LED on the 501 turns on and stays on.

Debug for the 501

sede5# debug crypto ipsec
sede5# debug crypto isakmp
sede5#

crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:10.0.3.2/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.0.3.2/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 2622177340
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with        10.0.3.2

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3959588010

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.0.3.4, src= 10.0.3.2,
    dest_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.0.3.4, src= 10.0.3.2,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:10.0.3.2, dest:10.0.3.4 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1945305963

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.0.3.4, src= 10.0.3.2,
    dest_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.0.3.4, src= 10.0.3.2,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS


Debug for the 515

sede2# debug crypto ipsec
sede2# debug crypto isakmp
sede2#
sede2#
ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -158487190:f68dad6aIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xcddbac04(3453725700) for SA
        from        10.0.3.4 to        10.0.3.2 for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 4162877023
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with        10.0.3.4

return status is IKMP_NO_ERR_NO_TRANS
VPN Peer: ISAKMP: Added new peer: ip:10.0.3.4/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.0.3.4/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:10.0.3.4, dest:10.0.3.2 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
        spi 3453725700, message ID = 3337773786
ISAKMP (0): deleting spi 78437325 message ID = 4136480106
return status is IKMP_NO_ERR_NO_TRANS
 
LVL 79

Expert Comment

by:lrmoore
ID: 11881011
Can you post the result of "show cry is sa" and "sho cry ip sa"
from both sides?
 
LVL 79

Expert Comment

by:lrmoore
ID: 11881064
Suggest deleting and re-setting the keys on both sides:

   no isakmp key <oldkey> address 10.0.3.2 netmask 255.255.255.255 no-xauth no-config-mode
Clear the SAs:
   clear cry is sa
   clear cry ip sa

Re-enter the key:
   isakmp key <newkey> address 10.0.3.2 netmask 255.255.255.255 no-xauth no-config-mode

Make sure they match 100% on both ends.
Re-apply the crypto map to the interfaces:

   crypto map outside_map interface outside
 

Author Comment

by:llandajuela
ID: 11881875
I'm not sure if you wanted the show commands after or before re-entering the keys; here's how I did it (still having the same behavior):

515 (sede2)

sede2(config)#
sede2(config)# no isakmp key ----------- address 10.0.3.4 netmask 255.255.255.$
sede2(config)# clear cry ip sa
sede2(config)# clear cry is sa
sede2(config)# isakmp key ----------- address 10.0.3.4 netmask 255.255.255.255$
sede2(config)# crypto map outside_map interface outside

-------------------------------------------
traffic generated from sede2 to sede5
-------------------------------------------

sede2(config)# sh cry is sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
        10.0.3.4         10.0.3.2    QM_IDLE         0           0
sede2(config)# sh cry ip sa


interface: outside
    Crypto map tag: outside_map, local addr. 10.0.3.2

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (sede5/255.255.255.0/0/0)
   current_peer: 10.0.3.4:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 10.0.3.2, remote crypto endpt.: 10.0.3.4
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


sede2(config)#



501 (sede5)

sede5(config)# no isakmp key ----------- address 10.0.3.2 netmask 255.255.255.$
sede5(config)# clear cry is sa
sede5(config)# clear cry ip sa
sede5(config)# isakmp key ----------- address 10.0.3.2 netmask 255.255.255.255$
sede5(config)# crypto map outside_map interface outside

-------------------------------------------
traffic generated from sede2 to sede5
-------------------------------------------

sede5(config)# sh cry is sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
        10.0.3.4         10.0.3.2    QM_IDLE         0           0
sede5(config)# sh cry ip sa


interface: outside
    Crypto map tag: outside_map, local addr. 10.0.3.4

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 10.0.3.2:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.3.4, remote crypto endpt.: 10.0.3.2
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


sede5(config)#
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11883155
>       10.0.3.4         10.0.3.2    QM_IDLE         0           0
QM_IDLE means the isakmp phase 1 is complete, keys match and the tunnel is established.

> #pkts encaps: 0, #pkts encrypt: 0,
> #pkts decaps: 0, #pkts decrypt: 0,
> #send errors 0, #recv errors 0

Looks like there is still a routing issue between the two end-user PC's.

PC1 on sede2 side , verify:
IP address 192.168.2.x / 255.255.255.0
Gateway 192.168.2.254

PC on sede5 side, verify:
IP address 192.168.5.x / 255.255.255.0
Gateway 192.168.5.254

Verify routes on PIX's:
on sede 2, verify
     route outside 192.168.5.0 255.255.255.0 10.0.3.4

on sede 5, verify
    route outside 192.168.2.0 255.255.255.0 10.0.3.2

0
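The reasoning lrmoore applies above (QM_IDLE means phase 1 is complete; zero encaps/decaps with an outbound SPI of 0 means no phase 2 SA was ever built for that traffic) can be turned into a small triage script. The following Python is an added example, not code from this thread or from Cisco; the sample output is constructed from the sede2 output posted above, trimmed to the lines the parser reads, and the verdict strings are the example's own. The "nat 0" hint in the no-phase2 case reflects what the thread goes on to find.

```python
"""Triage helper for PIX 6.x 'show crypto isakmp sa' / 'show crypto ipsec sa'.

Added example (not from the thread or from Cisco). It encodes the reasoning
used in the thread: QM_IDLE means phase 1 is done; an entry with outbound
spi 0 and zero encaps/decaps means no phase 2 SA was ever built for it.
"""
import re
from dataclasses import dataclass

# Constructed sample: the sede2 output quoted earlier in the thread, trimmed
# to the lines this parser reads.
ISAKMP_SA = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
        10.0.3.4         10.0.3.2    QM_IDLE         0           0
"""

IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, local addr. 10.0.3.2

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (sede5/255.255.255.0/0/0)
   current_peer: 10.0.3.4:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 3, #recv errors 0
     current outbound spi: 0

     inbound esp sas:

     outbound esp sas:
"""


@dataclass
class IpsecEntry:
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    outbound_spi: str = "0"


def parse_isakmp_sa(text):
    """Rows of (dst, src, state) from 'show crypto isakmp sa'."""
    row = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+\d+\s+\d+\s*$", re.M)
    return [m.groups() for m in row.finditer(text)]


def phase1_state(rows, peer):
    """ISAKMP state for the SA with 'peer', or None. dst/src depend on which
    side initiated, so the peer may appear in either column."""
    for dst, src, state in rows:
        if peer in (dst, src):
            return state
    return None


def parse_ipsec_sa(text):
    """One IpsecEntry per 'local ident' block of 'show crypto ipsec sa'."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if re.match(r"local\s+ident", s):
            cur = IpsecEntry(local_ident=s[s.rfind("(") + 1:].rstrip(")"))
            entries.append(cur)
        elif cur is None:
            continue  # header lines before the first entry
        elif re.match(r"remote\s+ident", s):
            cur.remote_ident = s[s.rfind("(") + 1:].rstrip(")")
        elif s.startswith("current_peer:"):
            cur.peer = s.split()[1].rsplit(":", 1)[0]  # strip the ':port'
        elif s.startswith("#pkts encaps:"):
            cur.encaps = int(re.search(r"encaps:\s*(\d+)", s).group(1))
        elif s.startswith("#pkts decaps:"):
            cur.decaps = int(re.search(r"decaps:\s*(\d+)", s).group(1))
        elif s.startswith("#send errors"):
            cur.send_errors = int(re.search(r"errors\s*(\d+)", s).group(1))
        elif s.startswith("current outbound spi:"):
            cur.outbound_spi = s.split()[-1]
    return entries


def diagnose(isakmp_text, ipsec_text):
    """Map each peer to (verdict, explanation)."""
    rows = parse_isakmp_sa(isakmp_text)
    result = {}
    for e in parse_ipsec_sa(ipsec_text):
        p1 = phase1_state(rows, e.peer)
        if p1 is None:
            v = ("no-phase1", "no ISAKMP SA with this peer: check isakmp key, policy and UDP/500 reachability")
        elif p1 != "QM_IDLE":
            v = ("phase1-incomplete", f"ISAKMP SA stuck in {p1}: usually a pre-shared key or policy mismatch")
        elif e.outbound_spi in ("0", "0x0") and e.encaps == 0 and e.decaps == 0:
            v = ("no-phase2", "phase 1 is up but no IPsec SA was built and nothing was encapsulated: "
                              "the interesting traffic never matched the crypto ACL (check routing "
                              "to the PIX and the nat 0 exemption)")
        elif e.encaps > 0 and e.decaps == 0:
            v = ("one-way", "packets leave encrypted but none return: check the far side's ACL and route")
        else:
            v = ("ok", "IPsec SA established and traffic flowing both ways")
        if e.send_errors:
            v = (v[0], v[1] + f" ({e.send_errors} send errors: packets dropped for lack of an SA)")
        result[e.peer] = v
    return result


if __name__ == "__main__":
    for peer, (verdict, why) in diagnose(ISAKMP_SA, IPSEC_SA).items():
        print(f"{peer}: {verdict} - {why}")
```

Paste the two show outputs from each PIX into the two strings (or read them from files) and run it on both ends; a "no-phase2" verdict on the side that is supposed to initiate is the signature of traffic that never reaches the crypto map, which is a routing or NAT problem rather than an IKE problem.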
 

Author Comment

by:llandajuela
ID: 11889719
Checked everything you suggested and it looks fine to me.

Anyway, since it looks like we are a little stuck with sede5, I have some good (or bad, not sure) news to announce. As I said before, I also have two more PIX 501. I tried to connect to another 501 called "sede4". The connections are as follows:

                   sede5              10.0.3.0/24               sede2
192.168.5.0/24 ---- PIX 501 --------------------------------- PIX 515 ---- 192.168.2.0/24
                                            |
                   sede4                    |
192.168.4.0/24 ---- PIX 501 ----------------+

I copied the config from sede5 to sede4 (changed what was necessary) and I added the necessary config to sede2, and guess what, IT WORKED! Connections in both directions between sede2 and sede4 can be made with no problem at all. I post both config files so you can check if everything is correct; in fact, as I said, the config for sede4 was made from sede5's config. Should we think there is something wrong with sede5?? (I mean a hardware malfunction.) I hope this helps.

sede2# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password aOEfjA4eLBhByK/2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname sede2
domain-name tarracoprevencio.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.5.0 sede5
name 192.168.4.0 sede4
access-list inside_outbound_nat0_acl permit ip any sede5 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any sede4 255.255.255.0
access-list outside_cryptomap_20 permit ip any sede5 255.255.255.0
access-list outside_cryptomap_40 permit ip any sede4 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.0.3.2 255.255.255.0
ip address inside 192.168.2.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.2.100 255.255.255.255 inside
pdm location sede5 255.255.255.0 outside
pdm location sede4 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside sede4 255.255.255.0 10.0.3.3 1
route outside sede5 255.255.255.0 10.0.3.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.0.3.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 10.0.3.3
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.0.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.0.3.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:4d614bb1ff97c949896722776fe9cb33
: end
sede2#


sede4# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aOEfjA4eLBhByK/2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname sede4
domain-name tarracoprevencio.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 sede2
access-list inside_outbound_nat0_acl permit ip 192.168.4.0 255.255.255.0 sede2 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.4.0 255.255.255.0 sede2 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.3.3 255.255.255.0
ip address inside 192.168.4.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.4.0 255.255.255.0 inside
pdm location sede2 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside sede2 255.255.255.0 10.0.3.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.0.3.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.0.3.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:450b8e2b3c50f66aa0802f78c227e7ca
: end
sede4#
0
 

Author Comment

by:llandajuela
ID: 11890827
OK, since I had one of the PIXes working fine, I checked every line of it and put it into sede5's config. To my surprise, I didn't have the "nat (inside) 0 ..." statement in sede5. Don't ask me why; I only use PDM to modify the config, and I don't understand it. I finally got sede5 to work. I'd better start forgetting about PDM and work only through the CLI.

But now new problems arise (sorry guys, you're probably hating me by now). I have to take into consideration what would happen if the lights go out in the central office and the 515 reboots. I have observed that if the 515 reboots, the VPN tunnel stays established on the 501s, but it doesn't really work. What would I have to do to take this case into consideration?

I hope you don't feel you're wasting your time with me. Yes, it probably was my mistake before (it sure was!), but so far I feel I have learned a lot about debugging and troubleshooting the PIX, and I'm really impressed with the help I'm getting from you. I promise we are close to the final solution, so please don't give up on me!

Thanks!
0
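The missing "nat (inside) 0" statement is exactly the kind of defect that is invisible in PDM and easy to miss when reading a config by eye: phase 1 completes, but every packet is translated to the outside address before the crypto ACL is evaluated, so nothing ever matches it. The following Python is an added example, not code from this thread or from Cisco; it reads a PIX 6.x config and checks that every crypto-map ACL line is also exempted from NAT, that every peer has an isakmp key, and that the crypto map is bound to an interface with isakmp enabled. The sample config is constructed from the sede4 config posted above, trimmed to the statements the checker reads, and the "broken" variant simply drops the nat 0 line, as was the case on sede5.

```python
"""Consistency check for a PIX 6.x site-to-site VPN config.

Added example (not from the thread or from Cisco). It checks the relationships
the thread turned out to hinge on: every crypto-map ACL line must also appear
in the nat 0 exemption ACL, every peer needs an isakmp key, the crypto map must
be bound to an interface, and isakmp must be enabled on that interface.
"""

# Constructed sample, trimmed from the sede4 config posted in the thread.
GOOD_CONFIG = """\
name 192.168.2.0 sede2
access-list inside_outbound_nat0_acl permit ip 192.168.4.0 255.255.255.0 sede2 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.4.0 255.255.255.0 sede2 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.0.3.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.0.3.2 netmask 255.255.255.255 no-xauth no-config-mode
"""

# The same config without the nat 0 statement, which is what the author found
# on sede5: phase 1 completes, but every packet is PATed to the outside address
# before the crypto ACL is evaluated, so nothing ever matches it.
BROKEN_CONFIG = "".join(
    l + "\n" for l in GOOD_CONFIG.splitlines() if not l.startswith("nat (inside) 0 ")
)


def parse_pix(text):
    """Pull out only the statements the checks below need."""
    cfg = {"names": {}, "acls": {}, "nat0": [], "maps": {}, "keys": set(),
           "applied": set(), "isakmp_if": set()}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 3:
            continue
        if p[0] == "name":
            cfg["names"][p[2]] = p[1]                       # name <ip> <alias>
        elif p[0] == "access-list":
            cfg["acls"].setdefault(p[1], []).append(p[2:])  # keep the rule tokens
        elif p[0] == "nat" and len(p) >= 5 and p[2] == "0" and p[3] == "access-list":
            cfg["nat0"].append(p[4])
        elif p[:2] == ["crypto", "map"] and len(p) >= 5:
            if p[3] == "interface":
                cfg["applied"].add((p[2], p[4]))
            elif p[4:6] == ["match", "address"] and len(p) > 6:
                cfg["maps"].setdefault((p[2], p[3]), {})["acl"] = p[6]
            elif p[4:6] == ["set", "peer"] and len(p) > 6:
                cfg["maps"].setdefault((p[2], p[3]), {})["peer"] = p[6]
        elif p[:2] == ["isakmp", "key"] and "address" in p:
            cfg["keys"].add(p[p.index("address") + 1])
        elif p[:2] == ["isakmp", "enable"]:
            cfg["isakmp_if"].add(p[2])
    return cfg


def _norm(rule, names):
    """Replace 'name' aliases with their IPs so ACL lines compare reliably."""
    return tuple(names.get(tok, tok) for tok in rule)


def check_pix_vpn_config(text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_pix(text)
    findings = []
    exempt = {_norm(r, cfg["names"]) for acl in cfg["nat0"] for r in cfg["acls"].get(acl, [])}
    if not cfg["nat0"]:
        findings.append("no 'nat (inside) 0 access-list' statement: VPN traffic is "
                        "translated before the crypto ACL is evaluated")
    for (name, seq), m in sorted(cfg["maps"].items()):
        acl = m.get("acl")
        if acl is None:
            findings.append(f"crypto map {name} {seq}: no 'match address'")
        elif acl not in cfg["acls"]:
            findings.append(f"crypto map {name} {seq}: ACL {acl} is not defined")
        else:
            for rule in cfg["acls"][acl]:
                if _norm(rule, cfg["names"]) not in exempt:
                    findings.append(f"crypto map {name} {seq}: '{' '.join(rule)}' "
                                    "is not exempted from NAT (nat 0)")
        peer = m.get("peer")
        if peer is None:
            findings.append(f"crypto map {name} {seq}: no 'set peer'")
        elif peer not in cfg["keys"]:
            findings.append(f"crypto map {name} {seq}: no isakmp key for peer {peer}")
        if not any(n == name for n, _ in cfg["applied"]):
            findings.append(f"crypto map {name} is not applied to any interface")
    for name, iface in cfg["applied"]:
        if iface not in cfg["isakmp_if"]:
            findings.append(f"crypto map {name} is on {iface} but isakmp is not enabled there")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("sede4 (as posted)", GOOD_CONFIG), ("sede5 (nat 0 missing)", BROKEN_CONFIG)):
        print(label, "->", check_pix_vpn_config(cfg_text) or ["ok"])
```

Run it against a saved "show run" from each PIX before deploying; the comparison is done on name-resolved tokens, so it still works when one ACL uses a "name" alias and the other the raw network.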
 
LVL 79

Expert Comment

by:lrmoore
ID: 11891164
Good work! Happy you are working (and learning!)

> have observed that if the 515 reboots, the vpn tunnel keeps established in the 501's, but it doesnt really work.
There really is nothing you can do. The PIX simply does not have advanced routing intelligence to know if the remote side is up or down with the exception of the timeouts on the SA. It simply cannot react to any event the way a router could, like send traffic through a different path, so I'm not sure what you are asking.
0
 

Author Comment

by:llandajuela
ID: 11891245
Basically, what I'm asking is:

What do I have to do to get the system back to work when the 515 reboots accidentally?

The only thing I know makes the system work again is to reboot every PIX in every office, but you'll agree with me that this is not a nice solution.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11891511
The tunnels should automatically re-establish themselves with no intervention on your part.
0
 

Author Comment

by:llandajuela
ID: 11893502
As you said, the tunnels seem to re-establish automatically, but I still have some problems.
Let me explain the test I have made with the 515 and one of the 501s only, so you can tell me what you think:

Test 1

- PIX 515 and 501 are on, with the tunnel established, both directions working correctly
- PIX 515 reboots
- Generation of traffic from 501 to 515 (terminal server, TS)
- TS session doesn't work
- Generation of traffic from 515 to 501 (terminal server, TS)
- TS session doesn't work (but something else is happening, because from this point everything gets back to normal)
- TS from 501 to 515 works fine
- TS from 515 to 501 works fine

As you can see, assuming that the servers will be behind the 515 and the clients (most of them) behind the 501, in the remote offices they would have to wait (in case of a reboot of the 515) for traffic to be generated from the central office to the remote office, which is not a normal situation.

Do you think this behavior is normal?

If you would like me to test some more situations, please tell me.

Thanks

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11893954
>Do you think this behavior is normal?
No. Traffic generated from either end should re-establish communications.
If you simply wait a couple of minutes after the 515 reboots and try again, what happens?
I'm thinking that it is a routing issue at the terminal server end. If you have a static route on it that points to the 515 to get to the 501 subnet, that route goes away for a while?
0
 

Author Comment

by:llandajuela
ID: 11900612
>If you simply wait a couple of minutes after the 515 reboots and try again, what happens?

It doesn't work until I try to generate traffic from the 515 to the 501. I waited more than two minutes.
The terminal server is a Windows machine and has its default gateway set to the inside interface of the PIX; this static route never goes away.
But as you say, it may be some routing issue that I will not find once they are finally in their respective offices. I think I'm almost ready to deploy them.

Finally, I just need confirmation on some issues about NAT.
Correct me if I'm wrong: in order for this config to work when the firewall is behind a DSL router performing NAT, I need to redirect port UDP 500 (IKE) and protocol 50 (ESP) to the outside interface of every PIX. If I enable NAT-T, I understand that I need to redirect ports UDP 500 (IKE) and UDP 4500 (NAT-T). Is this correct? Which one is better?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11901538
If your remote site is behind a NAT router, then you should enable nat-t and open UDP 500 and 4500.
0
 

Author Comment

by:llandajuela
ID: 11910247
lrmoore, sorry, but I have a final question I forgot to mention. I'm still considering the answer as accepted; I'm sure this won't take too much thinking.

When I deploy the PIXes in every office with a DSL router in front of them, will I still need static routes to the inside LANs of the remote offices, or will the default gateway pointing to the router do?

For example, in the central office sede2 (515), will I need to add static routes to 192.168.4.0 through the public IP of sede4? Or will having the default gateway pointing to the router be enough?

Thanks again, and sorry I forgot about this.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11911960
Only one default route to the gateway router is all you need.
0
