Problem with configuring PIX-Router - No route

I am getting lots of entries in the PIX log file 'No route to 192.168.2.2 from 192.168.0.4' and there is no attempt to establish the VPN (debug crypto ipsec/isakmp). My configuration is shown below:-

PIX Version 6.3(3)124
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password *********** encrypted
passwd ***************** encrypted
hostname gatekeeper
domain-name xxxxxxxxxxxxxxxx
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host xx.110.126.234 eq ssh
access-list outside_access_in permit tcp any host xx.110.126.235 eq www
access-list outside_access_in permit tcp any host xx.110.126.235 eq https
access-list outside_access_in permit tcp any host xx.110.126.236 eq www
access-list outside_access_in permit tcp any host xx.110.126.236 eq https
access-list outside_access_in permit tcp any host xx.110.126.236 eq smtp
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_access_in permit tcp host 192.168.0.2 any eq www
access-list inside_access_in permit tcp host 192.168.0.2 any eq domain
access-list inside_access_in permit udp host 192.168.0.2 any eq domain
access-list inside_access_in permit tcp host 192.168.0.3 any eq www
access-list inside_access_in permit tcp host 192.168.0.4 any eq www
access-list inside_access_in permit tcp host 192.168.0.4 any eq smtp
access-list inside_access_in permit icmp any 192.168.100.0 255.255.255.0
access-list inside_access_in permit icmp any 192.168.2.0 255.255.255.0
access-list splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list vpnhq permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
logging console critical
logging monitor errors
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.110.126.234 255.255.255.248
ip address inside 192.168.0.1 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.100.1-192.168.100.150
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm location 192.168.0.4 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.4.0 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xx.110.126.238
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) xx.110.126.235 192.168.0.3 netmask 255.255.255.255 0 0
static (inside,outside) xx.110.126.236 192.168.0.4 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 82.110.126.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.0.2 xxxxxx timeout 5
aaa-server local protocol radius
ntp server 192.168.0.1 source inside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.255.0 inside
snmp-server location quest-automotive co-lo
snmp-server contact Matthew Barber
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set lanlan esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto dynamic-map outside_dyn_map 40 set transform-set myset
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpnhq
crypto map outside_map 10 set peer xxxx.176.89.171
crypto map outside_map 10 set transform-set lanlan
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxxx.176.89.171 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup groupstaff address-pool vpnpool
vpngroup groupstaff dns-server 192.168.0.2
vpngroup groupstaff wins-server 192.168.0.2
vpngroup groupstaff default-domain dfdsfdsfsdfggggg
vpngroup groupstaff split-tunnel splitTunnelAcl
vpngroup groupstaff idle-time 1800
vpngroup groupstaff password ********
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80

I would have thought the line 'crypto map outside_map 10 match address vpnhq' would be sufficient to get it to establish the VPN. I have been working from a Cisco example but I cannot see what is wrong.
grbladesAsked:
lrmooreCommented:
Been there, done that.
Check your subnet mask on the inside interface:
 >ip address inside 192.168.0.1 255.255.0.0

You have to be using a class C mask 255.255.255.0


lrmooreCommented:
Else, with the existing mask, traffic to 192.168.2.x appears to be local traffic, ergo, "no route"
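To make the "local traffic, ergo no route" point concrete, here is a small model of the PIX forwarding decision written for this page (it is an added example, not code from the thread or from Cisco). It builds connected routes from the interface masks plus the posted default route, does a longest-prefix match, and then applies the vpnhq crypto ACL only when the packet would leave via outside. Addresses are taken from the posted config; the outside first octet (82) is assumed from the route line, and the "no route" behaviour for a packet that would exit its ingress interface is modelled as described in the reply above.

```python
import ipaddress

# Routing table entries: (network, next_hop or None if directly connected, interface)


def build_routes(inside_addr, outside_addr, default_gw):
    """Derive the forwarding table from the interface addresses and the
    static default route, as the posted config does (no other static routes)."""
    inside = ipaddress.ip_interface(inside_addr)
    outside = ipaddress.ip_interface(outside_addr)
    return [
        (inside.network, None, "inside"),
        (outside.network, None, "outside"),
        (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(default_gw), "outside"),
    ]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def classify(inside_addr, outside_addr, default_gw, src, dst, crypto_acl):
    """Decide what happens to a packet from src (arriving on inside) to dst.

    Returns one of:
      ("no_route", egress)   the packet would have to leave by the interface it
                             came in on; PIX 6.x does not forward back out the
                             ingress interface, which is what the
                             'No route to ... from ...' log line reports (modelled)
      ("encrypt", acl_entry) it leaves via outside and matches a crypto ACL entry
      ("clear", next_hop)    it leaves via outside with no crypto match (NAT, plain text)
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    net, next_hop, egress = lookup(build_routes(inside_addr, outside_addr, default_gw), dst)
    if egress == "inside":
        return ("no_route", egress)
    for src_net, dst_net in crypto_acl:
        if src_ip in src_net and dst_ip in dst_net:
            return ("encrypt", (src_net, dst_net))
    return ("clear", next_hop)


# access-list vpnhq permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
VPNHQ = [(ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("192.168.2.0/24"))]
OUTSIDE = "82.110.126.234/29"   # xx.110.126.234 255.255.255.248; first octet assumed from the route line
GATEWAY = "82.110.126.233"      # route outside 0.0.0.0 0.0.0.0 82.110.126.233 1


def with_posted_mask():
    # ip address inside 192.168.0.1 255.255.0.0: 192.168.2.0/24 lies inside the connected /16
    return classify("192.168.0.1/16", OUTSIDE, GATEWAY, "192.168.0.4", "192.168.2.2", VPNHQ)


def with_class_c_mask():
    # ip address inside 192.168.0.1 255.255.255.0: the default route wins and the
    # crypto map on outside gets to see the packet
    return classify("192.168.0.1/24", OUTSIDE, GATEWAY, "192.168.0.4", "192.168.2.2", VPNHQ)


if __name__ == "__main__":
    print("255.255.0.0  :", with_posted_mask())
    print("255.255.255.0:", with_class_c_mask())
```

The same check is worth running for every remote subnet listed in inside_outbound_nat0_acl: with the /16 mask, 192.168.1.0 through 192.168.4.0 and 192.168.100.0 all fall inside the connected inside network, so none of them would ever reach the crypto map.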
grbladesAuthor Commented:
Thanks.

I am now getting the following error :-
IPSEC(sa_initiate): ACL = deny; no sa created

lrmooreCommented:
Remove this line:
  >access-group inside_access_in in interface inside

Your inside_access_in acl is too restrictive. It won't allow traffic from 192.168.0.x going to 192.168.2.x
grbladesAuthor Commented:
I don't want to remove it entirely as it needs to restrict outbound access to the internet from the servers.
I added the following line but it had no effect:-
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
grbladesAuthor Commented:
Just tried removing the access-group to see if it worked but it didn't make any difference.
lrmooreCommented:
Still same error message?
grbladesAuthor Commented:
Yes. I did a search for it on google and found this :-
http://content.ix2.net/arc/t-7601.html
grbladesAuthor Commented:
Just off to bed now.

Here is the configuration of the router at the other end of the VPN in case it has any bearing on the error message:-


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mk-gateway
!
logging buffered 51200 warnings
enable secret 5 ***************
!
username admin privilege 15 secret 5 *********************************
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
ip domain name yourdomain.com
ip name-server xxx.152.1.58
ip name-server xxx.152.1.43
ip dhcp excluded-address 192.168.2.1 192.168.2.9
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 158.152.1.58 158.152.1.43
   default-router 192.168.2.1
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key 0 xxxxxxx address xxx.110.126.234
!
!
crypto ipsec transform-set lanlan esp-des esp-md5-hmac
!
crypto map colovpn 10 ipsec-isakmp
 set peer 82.110.126.234
 set transform-set lanlan
 match address 120
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 crypto map colovpn
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address xxx.176.89.171 255.255.255.0
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxx password 7 xxxxxx
!
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 130
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
lrmooreCommented:
Interesting. I would re-apply the crypto map to the interface, possibly even save/reboot the pix before making any other changes.
6.3(3)124 is a very stable release.

How about the other end? Are you using an identical mirror-image config?

Gotta run for an hour or so. You need some sleep!

grbladesAuthor Commented:
I will give that a go later today

> How about the other end? Are you using an identical mirror-image config?
I posted the config of the router the other end above at about the same time as your reply.
Tim HolmanCommented:
On your router config, your crypto map is applied to the inside interface (e0), when it should be applied to your external one, dialer0....
lrmooreCommented:
Concur with Tim
grbladesAuthor Commented:
A reload of the PIX seems to have got me a bit further. I have also changed the config on the router at the other end.

Now I am getting :-

gatekeeper# show crypto ipsec sa


interface: outside
    Crypto map tag: outside_map, local addr. 82.110.126.234

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 80.176.89.171:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 67, #recv errors 0

     local crypto endpt.: 82.110.126.234, remote crypto endpt.: 80.176.89.171
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

grbladesAuthor Commented:
gatekeeper# debug crypto ipsec
gatekeeper# debug crypto isakmp
gatekeeper# IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 82.110.126.234, remote= 80.176.89.171,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:80.176.89.171, dest:82.110.126.234 spt:500 dpt:500
ISAKMP: malformed payloadIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 82.110.126.234, remote= 80.176.89.171,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 82.110.126.234, dst 80.176.89.171
ISADB: reaper checking SA 0x1057c54, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 80.176.89.171/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 82.110.126.234, remote= 80.176.89.171,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:80.176.89.171, dest:82.110.126.234 spt:500 dpt:500
ISAKMP: malformed payloadIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 82.110.126.234, remote= 80.176.89.171,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)
grbladesAuthor Commented:
Getting this on the router :-

*Mar  6 15:28:39.386: ISAKMP (0:17): Checking ISAKMP transform 1 against priority 65535 policy
*Mar  6 15:28:39.386: ISAKMP:      encryption DES-CBC
*Mar  6 15:28:39.386: ISAKMP:      hash MD5
*Mar  6 15:28:39.386: ISAKMP:      default group 2
*Mar  6 15:28:39.386: ISAKMP:      auth pre-share
*Mar  6 15:28:39.386: ISAKMP:      life type in seconds
*Mar  6 15:28:39.386: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  6 15:28:39.386: ISAKMP (0:17): Hash algorithm offered does not match policy!
*Mar  6 15:28:39.386: ISAKMP (0:17): atts are not acceptable. Next payload is 3
*Mar  6 15:28:39.390: ISAKMP (0:17): Checking ISAKMP transform 2 against priority 65535 policy
*Mar  6 15:28:39.390: ISAKMP:      encryption 3DES-CBC
*Mar  6 15:28:39.390: ISAKMP:      hash MD5
*Mar  6 15:28:39.390: ISAKMP:      default group 2
*Mar  6 15:28:39.390: ISAKMP:      auth pre-share
*Mar  6 15:28:39.390: ISAKMP:      life type in seconds
*Mar  6 15:28:39.390: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  6 15:28:39.390: ISAKMP (0:17): Encryption algorithm offered does not match policy!
*Mar  6 15:28:39.390: ISAKMP (0:17): atts are not acceptable. Next payload is 0
*Mar  6 15:28:39.390: ISAKMP (0:17): no offers accepted!
*Mar  6 15:28:39.390: ISAKMP (0:17): phase 1 SA policy not acceptable! (local 80.176.89.171 remote 82.110.126.234)
*Mar  6 15:28:39.394: ISAKMP (0:17): incrementing error counter on sa: construct_fail_ag_init
lrmooreCommented:
>*Mar  6 15:28:39.390: ISAKMP (0:17): Encryption algorithm offered does not match policy!

Try adding this to the router:
  crypto isakmp policy 10
   encrypt des

Also, on the router, the remote LAN is .1.0 and your PIX side is .0.0:
  access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
should be:
  access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255


Tim HolmanCommented:
Concur with lrmoore - your access lists don't match up, but the main problem is the policies don't match up.

If you do 'show cry isakmp pol' the policies and defaults are listed, which helps in troubleshooting, as at the moment, where you haven't defined the entire policy, there are implied defaults, which might be group 1 and lifetime 3600 on the router (I'm not too sure though...).

To get round this, on the router specify 'group 2' and 'lifetime 86400' in addition to what's already there, then the policies will have no excuse NOT to match up any more...  ;)
grbladesAuthor Commented:
Thanks. I did a 'no access-list 120' via the web interface (only access I have) and I seem to have lost contact with it. OOPS :)
Don't know why this happened as I have done it before without problems. I think I will make use of the 'reload in 5' command next time :)
grbladesAuthor Commented:
Thanks. The default for the router was des and a lifetime of 86400 but I needed to add 'group 2'.
The VPN is now up but I just need to check that all the traffic they want flows across and the router can initialise the VPN.
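The router debug above and the 'group 2' fix are easy to reproduce offline. The following is an added example written for this page (not code from the thread, from Cisco, or from the SDM tool): it models IKE phase 1 proposal matching the way the router debug reports it, filling unset policy attributes with the IOS 12.x defaults as I recall them from 'show crypto isakmp policy' (encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400; the thread confirms des and 86400, the rest is my assumption), and it adds a small mirror check for the phase 2 crypto ACLs, since lrmoore's point about access-list 120 is the other reason an SA never comes up even after phase 1 succeeds.

```python
import ipaddress

# IOS 12.x defaults for an isakmp policy attribute that is not configured
# explicitly (assumed from memory of 'show crypto isakmp policy', not from the thread).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": 1, "lifetime": 86400}


def ios_policy(priority, **configured):
    """Responder policy as IOS builds it: configured lines override the defaults."""
    return {"priority": priority, **IOS_DEFAULTS, **configured}


# What the PIX offers, from the posted 'isakmp policy 10' and 'isakmp policy 20' lines.
PIX_OFFERS = [
    {"encryption": "des",  "hash": "md5", "authentication": "pre-share", "group": 2, "lifetime": 86400},
    {"encryption": "3des", "hash": "md5", "authentication": "pre-share", "group": 2, "lifetime": 86400},
]


def mismatch(offer, policy):
    """First attribute that rules out this offer against this policy, or None.
    Attributes are checked in the order the router debug reports them."""
    for attr in ("encryption", "hash", "group", "authentication"):
        if offer[attr] != policy[attr]:
            return f"{attr} offered does not match policy {policy['priority']}"
    # A responder accepts an offered lifetime that is shorter than or equal to its own, never longer.
    if offer["lifetime"] > policy["lifetime"]:
        return f"lifetime {offer['lifetime']} exceeds policy {policy['priority']}"
    return None


def negotiate(offers, policies):
    """Walk the responder's policies in priority order and the offered transforms in
    order; return ((offer, policy), reasons) on the first match, (None, reasons) otherwise."""
    reasons = []
    for policy in sorted(policies, key=lambda p: p["priority"]):
        for i, offer in enumerate(offers, 1):
            why = mismatch(offer, policy)
            if why is None:
                return (offer, policy), reasons
            reasons.append(f"transform {i}: {why}")
    return None, reasons


def router_before_fix():
    # crypto isakmp policy 10 / hash md5 / authentication pre-share, plus the implicit 65535 default policy
    return negotiate(PIX_OFFERS, [ios_policy(10, hash="md5", authentication="pre-share"), ios_policy(65535)])


def router_after_fix():
    # the same policy with 'group 2' added, which is what made the tunnel come up
    return negotiate(PIX_OFFERS, [ios_policy(10, hash="md5", authentication="pre-share", group=2), ios_policy(65535)])


def mirror_gaps(local_acl, remote_acl):
    """Phase 2 sanity check: every (src, dst) in the local crypto ACL must appear as
    (dst, src) on the peer. Returns the local entries with no mirror on the remote side."""
    remote = {(str(s), str(d)) for s, d in remote_acl}
    return [(str(s), str(d)) for s, d in local_acl if (str(d), str(s)) not in remote]


N = ipaddress.ip_network
PIX_VPNHQ = [(N("192.168.0.0/24"), N("192.168.2.0/24"))]       # access-list vpnhq on the PIX
ROUTER_ACL120 = [(N("192.168.2.0/24"), N("192.168.1.0/24"))]   # access-list 120 as posted
ROUTER_ACL120_FIXED = [(N("192.168.2.0/24"), N("192.168.0.0/24"))]

if __name__ == "__main__":
    result, reasons = router_before_fix()
    print("before:", result, reasons)
    result, reasons = router_after_fix()
    print("after : matched policy", result and result[1]["priority"])
    print("acl gaps as posted:", mirror_gaps(PIX_VPNHQ, ROUTER_ACL120))
    print("acl gaps fixed    :", mirror_gaps(PIX_VPNHQ, ROUTER_ACL120_FIXED))
```

Before the fix, transform 1 fails policy 10 on the group and the 3DES transform fails it on encryption; against the 65535 default policy the first failure is the hash, exactly as the debug output reads. After 'group 2' is added, the DES/MD5 transform matches policy 10 and the second transform is never consulted, so the tunnel settles on single DES with the 'lanlan' transform set.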
amorrow5Commented:
lrmoore:
"I would re-apply the crypto map to the interface,..." is exactly what I needed.

What I had done was to change my inside interface to a different subnet for testing.  This got me into the crazy "ACL = deny" error message.  Yes, simply a

no crypto map outside_map interface outside
crypto map outside_map interface outside

Made the problem go away.  Thank you.