XJGPER
Pix 501 VPN issue
Hello everyone-
I'm having an issue with a VPN between two LANs. It worked up until today, when we changed subnets at work.
Previously we were (lana) 192.168.1.x; now we're 192.168.15.x.
The other LAN (lanb) is 192.168.16.x; nothing has changed.
Here is the current config...
: Saved
: Written by enable_15 at 23:32:54.084 UTC Tue Sep 28 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password P******X encrypted
passwd **** encrypted
hostname ******
domain-name ****.com
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service as400 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq telnet
port-object eq https
port-object eq www
port-object range 8477 8480
port-object range 449 449
port-object range 5555 5555
port-object range 5010 5010
port-object range 397 397
port-object range 2001 2001
port-object range 8470 8476
port-object range 446 447
port-object range 24 24
object-group service Domain tcp
port-object eq ftp
port-object range 3333 3333
port-object eq https
port-object eq www
port-object eq smtp
object-group service Dave tcp
port-object range 3389 3389
port-object eq ftp
port-object eq ftp-data
access-list outside_access_in permit tcp any host **.239.225.195 object-group Domain
access-list outside_access_in permit tcp any host **.239.225.194 object-group as400
access-list outside_access_in permit tcp any host **.239.225.198 object-group Domain
access-list outside_access_in permit tcp any interface outside object-group Dave
access-list outside_cryptomap_20 permit ip **.239.225.0 255.255.255.0 192.168.16.0 255.255.255.0
pager lines 24
logging on
logging console alerts
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside **.239.225.200 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool doyles 192.168.15.250-192.168.15.252
pdm location ***.255.199.0 255.255.255.0 outside
pdm location ***.255.199.79 255.255.255.255 outside
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location 192.168.16.0 255.255.255.0 outside
pdm location **.32.35.0 255.255.255.0 outside
pdm location 192.168.15.10 255.255.255.255 inside
pdm location 192.168.15.2 255.255.255.255 inside
pdm location 192.168.15.5 255.255.255.255 inside
pdm location 192.168.1.153 255.255.255.255 inside
pdm location 192.168.15.153 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.15.153 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.15.153 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.15.153 3389 netmask 255.255.255.255 0 0
static (inside,outside) **.239.225.194 192.168.15.10 netmask 255.255.255.255 0 0
static (inside,outside) **.239.225.195 192.168.15.2 netmask 255.255.255.255 0 0
static (inside,outside) **.239.225.198 192.168.15.5 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 **.239.225.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http ***.255.199.0 255.255.255.0 outside
http **.32.35.0 255.255.255.0 outside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer **.101.107.75
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address **.101.107.75 netmask 255.255.255.255 no-xauth no-config-mode
isakmp client configuration address-pool local doyles outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet ***.255.199.0 255.255.255.0 outside
telnet 192.168.15.0 255.255.255.0 inside
telnet timeout 30
ssh ***.255.199.79 255.255.255.255 outside
ssh timeout 15
console timeout 0
username ***** password ******** encrypted privilege 15
terminal width 80
Cryptochecksum:173fcd9e9fcaf2c124fce397c1dcee20
debug crypto ipsec 1
debug crypto isakmp 1 shows:
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:**.101.107.75, dest:****.239.225.200 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:**.101.107.75, dest:****.239.225.200 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 35
ISAKMP (0): Total payload length: 39
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:**.101.107.75, dest:****.239.225.200 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -110**131**15:be11c5**1
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xeb970417(3952542743) for SA
from **.101.107.75 to ****.239.225.200 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:**.101.107.75/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:**.101.107.75/500 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xbe11c5**1
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= ****.239.225.200, remote= **.101.107.75,
local_proxy= ****.239.225.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.1**8.1**.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Quick Mode exchange, M-ID of -172**053**:f5b58fd8
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xb4817fcd(3028385741) for SA
from **.101.107.75 to ****.239.225.200 for prot 3
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xbe11c5**1
ISAKMP (0): retransmitting phase 2 (0/2)... mess_id 0xf5b58fd8
ISAKMP (0): retransmitting phase 2 (2/3)... mess_id 0xbe11c5**1
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= ****.239.225.200, remote= **.101.107.75,
local_proxy= ****.239.225.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.1**8.1**.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 2 (1/4)... mess_id 0xf5b58fd8
ISAKMP (0): retransmitting phase 2 (3/5)... mess_id 0xbe11c5**1
ISAKMP (0): deleting SA: src ****.239.225.200, dst **.101.107.75
ISADB: reaper checking SA 0xae**c9c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:**.101.107.75/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:**.101.107.75/500 Total VPN peers:0
I know this is easy for the folks with the super Cisco brains. :)
XJ
ASKER CERTIFIED SOLUTION
Did you make any changes on the NetScreen side? It should have a setting for the remote LAN that you would have to change.
ASKER
Yeah, I changed all the NetScreen stuff to mirror the PIX. Seems to be working... Thanks for your help as usual.
XJ
XJ
ASKER
: Saved
: Written by enable_15 at 03:35:04.666 UTC Thu Sep 30 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****encrypted
passwd *****encrypted
hostname pixfirewall
domain-name *****
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service as400 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq telnet
port-object eq https
port-object eq www
port-object range 8477 8480
port-object range 449 449
port-object range 5555 5555
port-object range 5010 5010
port-object range 397 397
port-object range 2001 2001
port-object range 8470 8476
port-object range 446 447
port-object range 24 24
object-group service Domain tcp
port-object eq ftp
port-object range 3333 3333
port-object eq https
port-object eq www
port-object eq smtp
port-object range 5900 5900
object-group service Dave tcp
port-object range 3389 3389
port-object eq ftp
port-object eq ftp-data
access-list outside_access_in permit tcp any host *.239.225.195 object-group Domain
access-list outside_access_in permit tcp any host *.239.225.194 object-group as400
access-list outside_access_in permit tcp any host *.239.225.198 object-group Domain
access-list outside_access_in permit tcp any interface outside object-group Dave
access-list outside_access_in permit tcp any host *.239.225.196 object-group Domain
access-list outside_cryptomap_20 permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
pager lines 24
logging on
logging console alerts
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside *.239.225.200 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool doyles 192.168.15.250-192.168.15.
pdm location *.255.199.0 255.255.255.0 outside
pdm location *.255.199.79 255.255.255.255 outside
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location 192.168.16.0 255.255.255.0 outside
pdm location *.32.35.0 255.255.255.0 outside
pdm location 192.168.15.10 255.255.255.255 inside
pdm location 192.168.15.2 255.255.255.255 inside
pdm location 192.168.15.5 255.255.255.255 inside
pdm location 192.168.1.153 255.255.255.255 inside
pdm location 192.168.15.153 255.255.255.255 inside
pdm location 192.168.15.3 255.255.255.255 inside
pdm location 192.168.15.11 255.255.255.255 inside
pdm location *.101.107.0 255.255.255.0 inside
pdm location *.101.107.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.15.153 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.15.153 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.15.153 3389 netmask 255.255.255.255 0 0
static (inside,outside) *.239.225.194 192.168.15.10 netmask 255.255.255.255 0 0
static (inside,outside) *.239.225.195 192.168.15.2 netmask 255.255.255.255 0 0
static (inside,outside) *.239.225.198 192.168.15.5 netmask 255.255.255.255 0 0
static (inside,outside) *.239.225.196 192.168.15.11 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.239.225.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http *.255.199.0 255.255.255.0 outside
http *.32.35.0 255.255.255.0 outside
http *.101.107.0 255.255.255.0 outside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer *.101.107.75
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address *.101.107.75 netmask 255.255.255.255 no-xauth no-config-mode
isakmp client configuration address-pool local doyles outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet *.255.199.0 255.255.255.0 outside
telnet *.101.107.0 255.255.255.0 outside
telnet 192.168.15.0 255.255.255.0 inside
telnet timeout 30
ssh *.255.199.79 255.255.255.255 outside
ssh *.101.107.0 255.255.255.0 outside
ssh timeout 15
console timeout 0
username *** password ****** encrypted privilege 15
terminal width 80
Cryptochecksum:f4d74aae95a
Now for the debug:
ISADB: reaper checking SA 0xaebebc, conn_id = 0
ISADB: reaper checking SA 0xade7e4, conn_id = 0
crypto_isakmp_process_bloc
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_bloc
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_bloc
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 35
ISAKMP (0): Total payload length: 39
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:*.101.107.75/500 Ref cnt incremented to:5 Total VPN Peers:1
crypto_isakmp_process_bloc
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 1959652789
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_e
IPSEC(key_engine_delete_sa
IPSEC(key_engine_delete_sa
VPN Peer: IPSEC: Peer ip:*.101.107.75/500 Decrementing Ref cnt to:4 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:*.101.107.75/500 Decrementing Ref cnt to:3 Total VPN Peers:1
ISAKMP (0): deleting SA: src *.101.107.75, dst *.239.225.200
ISAKMP (0): deleting SA: src *.239.225.200, dst *.101.107.75
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xae4274, conn_id = 0
ISADB: reaper checking SA 0xaebebc, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:*.101.107.75/500 Ref cnt decremented to:2 Total VPN Peers:1
ISADB: reaper checking SA 0xae4274, conn_id = 0
ISADB: reaper checking SA 0xade7e4, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:*.101.107.75/500 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0xae4274, conn_id = 0
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1309968770:4e148982
IPSEC(k
IPSEC(spi_response): getting spi 0x59057003(1493528579) for SA
from *.101.107.75 to *.239.225.200 for prot 3
crypto_isakmp_process_bloc
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1309968770
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_
(key eng. msg.) dest= *.239.225.200, src= *.101.107.75,
dest_proxy= 192.168.16.0/255.255.255.0
src_proxy= 192.168.15.0/255.255.255.0
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_p
IPSEC(validate_proposal_re
(key eng. msg.) dest= *.239.225.200, src= *.101.107.75,
dest_proxy= 192.168.15.0/255.255.255.0
src_proxy= 192.168.16.0/255.255.255.0
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
ISAKMP (0): processing NONCE payload. message ID = 1309968770
ISAKMP (0): processing KE payload. message ID = 1309968770
ISAKMP (0): processing ID payload. message ID = 1309968770
ISAKMP (0): processing ID payload. message ID = 1309968770
ISAKMP (0): processing NOTIFY payload 24576 protocol 3
spi 1087708709, message ID = 1309968770
ISAKMP (0): processing responder lifetime
ISAKMP (0): responder lifetime of 3600s
ISAKMP (0): responder lifetime of 0kb
ISAKMP (0): Creating IPSec SAs
inbound SA from *.101.107.75 to *.239.225.200 (proxy 192.168.16.0 to 192.168.15.0)
has spi 1493528579 and conn_id 4 and flags 25
lifetime of 3600 seconds
outbound SA from *.239.225.200 to *.101.107.75 (proxy 192.168.15.0 to 192.168.16.0)
has spi 1087708709 and conn_id 3 and flags 25
lifetime of 3600 seconds
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= *.239.225.200, src= *.101.107.75,
dest_proxy= 192.168.15.0/255.255.255.0
src_proxy= 192.168.16.0/255.255.255.0
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 0kb,
spi= 0x59057003(1493528579), conn_id= 4, keysize= 0, flags= 0x25
IPSEC(initialize_sas): ,
(key eng. msg.) src= *.239.225.200, dest= *.101.107.75,
src_proxy= 192.168.15.0/255.255.255.0
dest_proxy= 192.168.16.0/255.255.255.0
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 0kb,
spi= 0x40d51e25(1087708709), conn_id= 3, keysize= 0, flags= 0x25
VPN Peer: IPSEC: Peer ip:*.101.107.75/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:*.101.107.75/500 Ref cnt incremented to:3 Total VPN Peers:1
Let's see what I did wrong this time :)
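As an added example that is not part of the original thread (and not the poster's, Cisco's or Juniper's code), here is a small Python checker for the two things that differ between the first config and the working one above: the local network named in the crypto map's match ACL, and the nat (inside) 0 exemption. It also reads a debug crypto isakmp / debug crypto ipsec transcript for the proxy identities and for whether Quick Mode ever produced SAs. The config and debug excerpts embedded in it are constructed from the thread, with the masked public addresses replaced by RFC 5737 documentation ranges; the function and constant names (parse_config, check_config, check_debug, diagnose, BROKEN_*, FIXED_*) are this example's own. Reading "Phase 1 authenticated, Quick Mode retransmitted without reply, SA deleted" as "the peer did not accept the offered proxy IDs" is the usual interpretation of that debug pattern, which the thread's outcome is consistent with but never states outright.

```python
import ipaddress
import re

# Constructed sample excerpts modelled on the thread's before/after configs and
# debugs.  Public addresses are RFC 5737 documentation ranges, not the poster's.
BROKEN_CONFIG = """\
ip address outside 203.0.113.200 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
access-list outside_cryptomap_20 permit ip 203.0.113.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 20 match address outside_cryptomap_20
"""
FIXED_CONFIG = """\
ip address outside 203.0.113.200 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 20 match address outside_cryptomap_20
"""
BROKEN_DEBUG = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xbe11c501
IPSEC(key_engine): request timer fired: count = 1,
  local_proxy= 203.0.113.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 192.168.16.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xbe11c501
ISAKMP (0): deleting SA: src 203.0.113.200, dst 198.51.100.75
"""
FIXED_DEBUG = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): Creating IPSec SAs
        inbound SA from 198.51.100.75 to 203.0.113.200 (proxy 192.168.16.0 to 192.168.15.0)
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull out the PIX 6.x lines that decide which traffic enters the tunnel."""
    cfg = {"acls": {}, "inside": None, "crypto_acl": None, "nat0_acl": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append((_net(src, smask), _net(dst, dmask)))
        elif m := re.match(r"ip address inside (\S+) (\S+)$", line):
            cfg["inside"] = _net(m[1], m[2])
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            cfg["crypto_acl"] = m[1]
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m[1]
    return cfg


def check_config(text):
    """Return findings about the crypto ACL; an empty list means it is consistent."""
    cfg = parse_config(text)
    pairs = cfg["acls"].get(cfg["crypto_acl"], [])
    if not pairs:
        return ["crypto map has no usable 'match address' ACL"]
    exempt = cfg["acls"].get(cfg["nat0_acl"], [])
    findings = []
    for local, remote in pairs:
        # The local half of the crypto ACL is the proxy ID offered to the peer; it must
        # be the real inside network, not (as in the first config) the public /24.
        if cfg["inside"] is None or not local.subnet_of(cfg["inside"]):
            findings.append(f"crypto ACL local network {local} is not within inside subnet {cfg['inside']}")
        # Without a nat 0 exemption, inside hosts are PATed to the outside address
        # before the crypto map sees them and so never match the crypto ACL.
        if (local, remote) not in exempt:
            findings.append(f"no nat (inside) 0 exemption for {local} -> {remote}")
    return findings


def check_debug(text):
    """Summarise what a 'debug crypto isakmp/ipsec' transcript says about both phases."""
    local = re.search(r"local_proxy= ([\d.]+)/([\d.]+)/", text)
    remote = re.search(r"remote_proxy= ([\d.]+)/([\d.]+)/", text)
    return {
        "local_proxy": _net(local[1], local[2]) if local else None,
        "remote_proxy": _net(remote[1], remote[2]) if remote else None,
        "phase1_ok": "SA has been authenticated" in text,
        "phase2_retransmits": len(re.findall(r"retransmitting phase 2", text)),
        "sas_created": "Creating IPSec SAs" in text,
    }


def diagnose(config_text, debug_text):
    """Combine the config findings with the debug outcome into one verdict."""
    findings = check_config(config_text)
    dbg = check_debug(debug_text)
    if dbg["sas_created"]:
        return "OK: IPsec SAs created" + (f" (config findings: {findings})" if findings else "")
    if dbg["phase1_ok"] and dbg["phase2_retransmits"]:
        # Phase 1 authenticated but Quick Mode went unanswered: the peer did not accept
        # the proxy IDs we offered.  Say what was offered and what the config got wrong.
        return (f"Phase 2 failed: peer did not accept proxy {dbg['local_proxy']} -> "
                f"{dbg['remote_proxy']}; " + "; ".join(findings or ["check the peer's remote-LAN definition"]))
    return "Phase 1 did not complete: check peer address, pre-shared key and ISAKMP policy"


if __name__ == "__main__":
    print("before:", diagnose(BROKEN_CONFIG, BROKEN_DEBUG))
    print("after: ", diagnose(FIXED_CONFIG, FIXED_DEBUG))
```

Run against the first post's config, the checker reports exactly what the debug there shows: the PIX offered the outside /24 as its local proxy because that is what outside_cryptomap_20 said, and the peer never answered Quick Mode, so the SA was reaped after the retransmits. The working config above fixes both halves at once: the crypto ACL names 192.168.15.0/24, and inside_nat0_outbound keeps that traffic out of the PAT pool so it reaches the crypto map with its real source address. Whatever the PIX offers still has to match the NetScreen's remote-LAN definition byte for byte, which is the point of the accepted answer.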