Solved

Pix 501 VPN issue

Posted on 2004-09-28
Last Modified: 2008-01-09
Hello everyone-

I'm having an issue with a VPN between two LANs.  It worked up until today, when we changed subnets at work.
Previously we were (lana) 192.168.1.x; now we're 192.168.15.x.
The other LAN (lanb) is 192.168.16.x; nothing has changed there.

Here is the current config...

: Saved
: Written by enable_15 at 23:32:54.084 UTC Tue Sep 28 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password P******X encrypted
passwd **** encrypted
hostname ******
domain-name ****.com
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service as400 tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq telnet
  port-object eq https
  port-object eq www
  port-object range 8477 8480
  port-object range 449 449
  port-object range 5555 5555
  port-object range 5010 5010
  port-object range 397 397
  port-object range 2001 2001
  port-object range 8470 8476
  port-object range 446 447
  port-object range 24 24
object-group service Domain tcp
  port-object eq ftp
  port-object range 3333 3333
  port-object eq https
  port-object eq www
  port-object eq smtp
object-group service Dave tcp
  port-object range 3389 3389
  port-object eq ftp
  port-object eq ftp-data
access-list outside_access_in permit tcp any host **.239.225.195 object-group Domain
access-list outside_access_in permit tcp any host **.239.225.194 object-group as400
access-list outside_access_in permit tcp any host **.239.225.198 object-group Domain
access-list outside_access_in permit tcp any interface outside object-group Dave
access-list outside_cryptomap_20 permit ip **.239.225.0 255.255.255.0 192.168.16.0 255.255.255.0
pager lines 24
logging on
logging console alerts
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside **.239.225.200 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool doyles 192.168.15.250-192.168.15.252
pdm location ***.255.199.0 255.255.255.0 outside
pdm location ***.255.199.79 255.255.255.255 outside
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location 192.168.16.0 255.255.255.0 outside
pdm location **.32.35.0 255.255.255.0 outside
pdm location 192.168.15.10 255.255.255.255 inside
pdm location 192.168.15.2 255.255.255.255 inside
pdm location 192.168.15.5 255.255.255.255 inside
pdm location 192.168.1.153 255.255.255.255 inside
pdm location 192.168.15.153 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.15.153 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.15.153 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.15.153 3389 netmask 255.255.255.255 0 0
static (inside,outside) **.239.225.194 192.168.15.10 netmask 255.255.255.255 0 0
static (inside,outside) **.239.225.195 192.168.15.2 netmask 255.255.255.255 0 0
static (inside,outside) **.239.225.198 192.168.15.5 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 **.239.225.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http ***.255.199.0 255.255.255.0 outside
http **.32.35.0 255.255.255.0 outside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer **.101.107.75
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address **.101.107.75 netmask 255.255.255.255 no-xauth no-config-mode
isakmp client configuration address-pool local doyles outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet ***.255.199.0 255.255.255.0 outside
telnet 192.168.15.0 255.255.255.0 inside
telnet timeout 30
ssh ***.255.199.79 255.255.255.255 outside
ssh timeout 15
console timeout 0
username ***** password ******** encrypted privilege 15
terminal width 80
Cryptochecksum:173fcd9e9fcaf2c124fce397c1dcee20

debug crypto ipsec 1
debug crypto isakmp 1  shows:

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:**.101.107.75, dest:****.239.225.200 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:**.101.107.75, dest:****.239.225.200 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 35
ISAKMP (0): Total payload length: 39
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:**.101.107.75, dest:****.239.225.200 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -110**131**15:be11c5**1IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xeb970417(3952542743) for SA
        from   **.101.107.75 to  ****.239.225.200 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:**.101.107.75/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:**.101.107.75/500 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xbe11c5**1IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= ****.239.225.200, remote= **.101.107.75,
    local_proxy= ****.239.225.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.1**8.1**.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of -172**053**:f5b58fd8IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xb4817fcd(3028385741) for SA
        from   **.101.107.75 to  ****.239.225.200 for prot 3

ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xbe11c5**1
ISAKMP (0): retransmitting phase 2 (0/2)... mess_id 0xf5b58fd8
ISAKMP (0): retransmitting phase 2 (2/3)... mess_id 0xbe11c5**1IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= ****.239.225.200, remote= **.101.107.75,
    local_proxy= ****.239.225.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.1**8.1**.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 2 (1/4)... mess_id 0xf5b58fd8
ISAKMP (0): retransmitting phase 2 (3/5)... mess_id 0xbe11c5**1
ISAKMP (0): deleting SA: src ****.239.225.200, dst **.101.107.75
ISADB: reaper checking SA 0xae**c9c, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:**.101.107.75/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:**.101.107.75/500 Total VPN peers:0



I know this is easy for the folks with the super Cisco brains. :)

XJ

Question by:XJGPER
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12175953
>access-list outside_cryptomap_20 permit ip **.239.225.0 255.255.255.0 192.168.16.0 255.255.255.0
>crypto map outside_map 20 match address outside_cryptomap_20

I would expect to see instead:
    access-list outside_cryptomap_20 permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0

Also, you need to add:
    access-list no_nat permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
    nat (inside) 0 access-list no_nat

Expect mirror-images of these two access-lists and the nat "0" on the other end, too...
0
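
The checks in the accepted answer, written as a small config linter. This is an added example, not part of the original thread: the function names are hypothetical, the two sample configs are constructed by reducing the ones posted here, and 203.0.113.0/24 stands in for the masked public range.

```python
import ipaddress
import re

# Constructed sample: the first posted config, reduced to the relevant lines.
BROKEN = """\
ip address outside 203.0.113.200 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
access-list outside_cryptomap_20 permit ip 203.0.113.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 20 match address outside_cryptomap_20
"""

# Constructed sample: the same config with the answer's three lines applied.
FIXED = """\
ip address outside 203.0.113.200 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list no_nat permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 20 match address outside_cryptomap_20
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)


def net(addr, mask):
    """Build a network from PIX-style 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(cfg):
    """Map ACL name -> list of (source, destination) networks for 'permit ip' entries."""
    acls = {}
    for name, sa, sm, da, dm in ACL_RE.findall(cfg):
        acls.setdefault(name, []).append((net(sa, sm), net(da, dm)))
    return acls


def check_tunnel(cfg):
    """Return findings for crypto ACL entries that cannot match inside-LAN traffic."""
    findings = []
    acls = parse_acls(cfg)
    inside = net(*re.search(r"^ip address inside (\S+) (\S+)$", cfg, re.M).groups())
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M)
    exempt = acls.get(nat0.group(1), []) if nat0 else []
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)$", cfg, re.M):
        for src, dst in acls.get(acl, []):
            # The proxy identity offered in phase 2 comes from this ACL entry,
            # so its source has to be the LAN behind the inside interface.
            if not src.subnet_of(inside):
                findings.append(f"{acl}: source {src} is not the inside LAN {inside}")
            # Without a nat 0 exemption the traffic is translated by
            # 'nat (inside) 1' and no longer matches the crypto ACL.
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                findings.append(f"{acl}: {src} -> {dst} has no nat 0 exemption")
    return findings


def is_mirror(local_pairs, peer_pairs):
    """True when the peer's selectors are the local ones with source and destination swapped."""
    return set(local_pairs) == {(d, s) for s, d in peer_pairs}


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN), ("after", FIXED)):
        print(label, check_tunnel(cfg) or "ok")
```
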
 

Author Comment

by:XJGPER
ID: 12186874
OK, I did some tinkering; here's where it's at now.   BTW it's connecting a NetScreen 5XP to a 501.   It did work until the IP change.  Right now the NetScreen reports SA status active but it's still hanging on something.


: Saved
: Written by enable_15 at 03:35:04.666 UTC Thu Sep 30 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****encrypted
passwd *****encrypted
hostname pixfirewall
domain-name *****
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service as400 tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq telnet
  port-object eq https
  port-object eq www
  port-object range 8477 8480
  port-object range 449 449
  port-object range 5555 5555
  port-object range 5010 5010
  port-object range 397 397
  port-object range 2001 2001
  port-object range 8470 8476
  port-object range 446 447
  port-object range 24 24
object-group service Domain tcp
  port-object eq ftp
  port-object range 3333 3333
  port-object eq https
  port-object eq www
  port-object eq smtp
  port-object range 5900 5900
object-group service Dave tcp
  port-object range 3389 3389
  port-object eq ftp
  port-object eq ftp-data
access-list outside_access_in permit tcp any host *.239.225.195 object-group Domain
access-list outside_access_in permit tcp any host *.239.225.194 object-group as400
access-list outside_access_in permit tcp any host *.239.225.198 object-group Domain
access-list outside_access_in permit tcp any interface outside object-group Dave
access-list outside_access_in permit tcp any host *.239.225.196 object-group Domain
access-list outside_cryptomap_20 permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
pager lines 24
logging on
logging console alerts
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside *.239.225.200 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool doyles 192.168.15.250-192.168.15.252
pdm location *.255.199.0 255.255.255.0 outside
pdm location *.255.199.79 255.255.255.255 outside
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location 192.168.16.0 255.255.255.0 outside
pdm location *.32.35.0 255.255.255.0 outside
pdm location 192.168.15.10 255.255.255.255 inside
pdm location 192.168.15.2 255.255.255.255 inside
pdm location 192.168.15.5 255.255.255.255 inside
pdm location 192.168.1.153 255.255.255.255 inside
pdm location 192.168.15.153 255.255.255.255 inside
pdm location 192.168.15.3 255.255.255.255 inside
pdm location 192.168.15.11 255.255.255.255 inside
pdm location *.101.107.0 255.255.255.0 inside
pdm location *.101.107.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.15.153 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.15.153 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.15.153 3389 netmask 255.255.255.255 0 0
static (inside,outside) *.239.225.194 192.168.15.10 netmask 255.255.255.255 0 0
static (inside,outside) *.239.225.195 192.168.15.2 netmask 255.255.255.255 0 0
static (inside,outside) *.239.225.198 192.168.15.5 netmask 255.255.255.255 0 0
static (inside,outside) *.239.225.196 192.168.15.11 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.239.225.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http *.255.199.0 255.255.255.0 outside
http *.32.35.0 255.255.255.0 outside
http *.101.107.0 255.255.255.0 outside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer *.101.107.75
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address *.101.107.75 netmask 255.255.255.255 no-xauth no-config-mode
isakmp client configuration address-pool local doyles outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet *.255.199.0 255.255.255.0 outside
telnet *.101.107.0 255.255.255.0 outside
telnet 192.168.15.0 255.255.255.0 inside
telnet timeout 30
ssh *.255.199.79 255.255.255.255 outside
ssh *.101.107.0 255.255.255.0 outside
ssh timeout 15
console timeout 0
username *** password ******  encrypted privilege 15
terminal width 80
Cryptochecksum:f4d74aae95a2fadc5b3b0664dfc017d0

Now for the debug:


ISADB: reaper checking SA 0xaebebc, conn_id = 0
ISADB: reaper checking SA 0xade7e4, conn_id = 0
crypto_isakmp_process_block:src:*.101.107.75, dest:*.239.225.200 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:*.101.107.75, dest:*.239.225.200 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:*.101.107.75, dest:*.239.225.200 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 35
ISAKMP (0): Total payload length: 39
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:*.101.107.75/500 Ref cnt incremented to:5 Total VPN Peers:1
crypto_isakmp_process_block:src:*.101.107.75, dest:*.239.225.200 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 1959652789
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with   *.101.107.75

VPN Peer: IPSEC: Peer ip:*.101.107.75/500 Decrementing Ref cnt to:4 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:*.101.107.75/500 Decrementing Ref cnt to:3 Total VPN Peers:1
ISAKMP (0): deleting SA: src *.101.107.75, dst *.239.225.200
ISAKMP (0): deleting SA: src *.239.225.200, dst *.101.107.75
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xae4274, conn_id = 0
ISADB: reaper checking SA 0xaebebc, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:*.101.107.75/500 Ref cnt decremented to:2 Total VPN Peers:1
ISADB: reaper checking SA 0xae4274, conn_id = 0
ISADB: reaper checking SA 0xade7e4, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:*.101.107.75/500 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0xae4274, conn_id = 0
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1309968770:4e148982IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x59057003(1493528579) for SA
        from   *.101.107.75 to  *.239.225.200 for prot 3

crypto_isakmp_process_block:src:*.101.107.75, dest:*.239.225.200 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1309968770

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= *.239.225.200, src= *.101.107.75,
    dest_proxy= 192.168.16.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.15.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): peer address *.239.225.200 not found
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= *.239.225.200, src= *.101.107.75,
    dest_proxy= 192.168.15.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.16.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24

ISAKMP (0): processing NONCE payload. message ID = 1309968770

ISAKMP (0): processing KE payload. message ID = 1309968770

ISAKMP (0): processing ID payload. message ID = 1309968770
ISAKMP (0): processing ID payload. message ID = 1309968770
ISAKMP (0): processing NOTIFY payload 24576 protocol 3
        spi 1087708709, message ID = 1309968770
ISAKMP (0): processing responder lifetime
ISAKMP (0): responder lifetime of 3600s
ISAKMP (0): responder lifetime of 0kb
ISAKMP (0): Creating IPSec SAs
        inbound SA from   *.101.107.75 to  *.239.225.200 (proxy    192.168.16.0 to    192.168.15.0)
        has spi 1493528579 and conn_id 4 and flags 25
        lifetime of 3600 seconds
        outbound SA from  *.239.225.200 to   *.101.107.75 (proxy    192.168.15.0 to    192.168.16.0)
        has spi 1087708709 and conn_id 3 and flags 25
        lifetime of 3600 secondsIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= *.239.225.200, src= *.101.107.75,
    dest_proxy= 192.168.15.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.16.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 0kb,
    spi= 0x59057003(1493528579), conn_id= 4, keysize= 0, flags= 0x25
IPSEC(initialize_sas): ,
  (key eng. msg.) src= *.239.225.200, dest= 65.101.107.75,
    src_proxy= 192.168.15.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 192.168.16.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 0kb,
    spi= 0x40d51e25(1087708709), conn_id= 3, keysize= 0, flags= 0x25

VPN Peer: IPSEC: Peer ip:*.101.107.75/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:*.101.107.75/500 Ref cnt incremented to:3 Total VPN Peers:1


Let's see what I did wrong this time :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12189350
Did you make any changes on the Netscreen side? It should have a setting for remote LAN that you would have to change..
0
 

Author Comment

by:XJGPER
ID: 12191260
Yeah, I changed all the NetScreen stuff to mirror the PIX.   Seems to be working... Thanks for your help as usual.
XJ
0
