Solved

Problem with configuring PIX-Router - No route

Posted on 2004-12-01
Last Modified: 2012-05-05
I am getting lots of entries in the PIX log file 'No route to 192.168.2.2 from 192.168.0.4' and there is no attempt to establish the VPN (debug crypto ipsec/isakmp). My configuration is shown below:-

PIX Version 6.3(3)124
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password *********** encrypted
passwd ***************** encrypted
hostname gatekeeper
domain-name xxxxxxxxxxxxxxxx
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host xx.110.126.234 eq ssh
access-list outside_access_in permit tcp any host xx.110.126.235 eq www
access-list outside_access_in permit tcp any host xx.110.126.235 eq https
access-list outside_access_in permit tcp any host xx.110.126.236 eq www
access-list outside_access_in permit tcp any host xx.110.126.236 eq https
access-list outside_access_in permit tcp any host xx.110.126.236 eq smtp
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_access_in permit tcp host 192.168.0.2 any eq www
access-list inside_access_in permit tcp host 192.168.0.2 any eq domain
access-list inside_access_in permit udp host 192.168.0.2 any eq domain
access-list inside_access_in permit tcp host 192.168.0.3 any eq www
access-list inside_access_in permit tcp host 192.168.0.4 any eq www
access-list inside_access_in permit tcp host 192.168.0.4 any eq smtp
access-list inside_access_in permit icmp any 192.168.100.0 255.255.255.0
access-list inside_access_in permit icmp any 192.168.2.0 255.255.255.0
access-list splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list vpnhq permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
logging console critical
logging monitor errors
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.110.126.234 255.255.255.248
ip address inside 192.168.0.1 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.100.1-192.168.100.150
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm location 192.168.0.4 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.4.0 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xx.110.126.238
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) xx.110.126.235 192.168.0.3 netmask 255.255.255.255 0 0
static (inside,outside) xx.110.126.236 192.168.0.4 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 82.110.126.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.0.2 xxxxxx timeout 5
aaa-server local protocol radius
ntp server 192.168.0.1 source inside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.255.0 inside
snmp-server location quest-automotive co-lo
snmp-server contact Matthew Barber
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set lanlan esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto dynamic-map outside_dyn_map 40 set transform-set myset
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpnhq
crypto map outside_map 10 set peer xxxx.176.89.171
crypto map outside_map 10 set transform-set lanlan
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxxx.176.89.171 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup groupstaff address-pool vpnpool
vpngroup groupstaff dns-server 192.168.0.2
vpngroup groupstaff wins-server 192.168.0.2
vpngroup groupstaff default-domain dfdsfdsfsdfggggg
vpngroup groupstaff split-tunnel splitTunnelAcl
vpngroup groupstaff idle-time 1800
vpngroup groupstaff password ********
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80

I would have thought the line 'crypto map outside_map 10 match address vpnhq' would be sufficient to get it to establish the VPN. I have been working from a Cisco example but I cannot see what is wrong.
Question by:grblades

21 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 12721233
Been there, done that.
Check your subnet mask on the inside interface:
 >ip address inside 192.168.0.1 255.255.0.0

You have to be using a class C mask 255.255.255.0

0
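The routing decision behind this answer, as an added example that is not part of the thread: a small longest-prefix lookup over the routes the PIX derives from its interface masks and its default route (addresses taken from the posted config, 82.110.126.234/29 outside). With the /16 inside mask a host in 192.168.2.0/24 resolves as directly connected on inside, so the crypto map bound to outside is never consulted; with /24 the same host follows the default route out the outside interface.

```python
# Added example (not from the thread): emulate the PIX routing decision that
# precedes crypto-map matching, using the interface masks and the default
# route from the config posted above.
import ipaddress

# Constructed from the posted config: inside mask as posted (/16) and as fixed (/24).
PIX_STATIC_ROUTES = [("outside", "0.0.0.0/0.0.0.0", "82.110.126.233")]
PIX_IFACES_AS_POSTED = {"outside": "82.110.126.234/255.255.255.248",
                        "inside": "192.168.0.1/255.255.0.0"}
PIX_IFACES_FIXED = {"outside": "82.110.126.234/255.255.255.248",
                    "inside": "192.168.0.1/255.255.255.0"}
VPNHQ_ACL = ["access-list vpnhq permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0"]


def build_table(interfaces, static_routes):
    """Connected routes from each interface address/mask plus static routes.
    Entries are (network, egress interface, next hop)."""
    table = [(ipaddress.ip_interface(addr).network, name, "connected")
             for name, addr in interfaces.items()]
    table += [(ipaddress.ip_network(net), name, gw) for name, net, gw in static_routes]
    return table


def lookup(table, dst):
    """Longest-prefix match; returns (egress interface, next hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, name, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, gw)
    return None if best is None else (best[1], best[2])


def crypto_acl_egress(interfaces, static_routes, acl_lines, crypto_iface):
    """For each 'permit ip <src> <mask> <dst> <mask>' crypto ACL line, resolve a
    host in the remote network and report (egress interface, reaches the crypto
    interface?). False means the crypto map will never see that traffic."""
    table = build_table(interfaces, static_routes)
    report = {}
    for line in acl_lines:
        fields = line.split()
        remote = ipaddress.ip_network(f"{fields[-2]}/{fields[-1]}")
        hit = lookup(table, str(remote.network_address + 1))
        egress = hit[0] if hit else None
        report[str(remote)] = (egress, egress == crypto_iface)
    return report


if __name__ == "__main__":
    for label, ifaces in (("as posted", PIX_IFACES_AS_POSTED), ("fixed", PIX_IFACES_FIXED)):
        print(label, lookup(build_table(ifaces, PIX_STATIC_ROUTES), "192.168.2.2"),
              crypto_acl_egress(ifaces, PIX_STATIC_ROUTES, VPNHQ_ACL, "outside"))
```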
 
LVL 79

Expert Comment

by:lrmoore
ID: 12721262
Else, with the existing mask, traffic to 192.168.2.x appears to be local traffic, ergo, "no route"
0
 
LVL 36

Author Comment

by:grblades
ID: 12721268
Thanks.

I am now getting the following error :-
IPSEC(sa_initiate): ACL = deny; no sa created
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12721288
Remove this line:
  >access-group inside_access_in in interface inside

Your inside_access_in acl is too restrictive. It won't allow traffic from 192.168.0.x going to 192.168.2.x
0
 
LVL 36

Author Comment

by:grblades
ID: 12721324
I don't want to remove it entirely as it needs to restrict outbound access to the internet from the servers.
I added the following line but it had no effect:-
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
0
 
LVL 36

Author Comment

by:grblades
ID: 12721356
Just tried removing the access-group to see if it worked but it didn't make any difference.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12721416
Still same error message?
0
 
LVL 36

Author Comment

by:grblades
ID: 12721442
Yes. I did a search for it on google and found this :-
http://content.ix2.net/arc/t-7601.html
0
 
LVL 36

Author Comment

by:grblades
ID: 12721472
Just off to bed now.

Here is the configuration of the router the other end of the VPN incase it has any bearing on the error message:-


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mk-gateway
!
logging buffered 51200 warnings
enable secret 5 ***************
!
username admin privilege 15 secret 5 *********************************
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
ip domain name yourdomain.com
ip name-server xxx.152.1.58
ip name-server xxx.152.1.43
ip dhcp excluded-address 192.168.2.1 192.168.2.9
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 158.152.1.58 158.152.1.43
   default-router 192.168.2.1
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key 0 xxxxxxx address xxx.110.126.234
!
!
crypto ipsec transform-set lanlan esp-des esp-md5-hmac
!
crypto map colovpn 10 ipsec-isakmp
 set peer 82.110.126.234
 set transform-set lanlan
 match address 120
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 crypto map colovpn
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address xxx.176.89.171 255.255.255.0
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxx password 7 xxxxxx
!
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 130
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12721492
Interesting. I would re-apply the crypto map to the interface, possibly even save/reboot the pix before making any other changes.
6.3(3)124 is a very stable release.

How about the other end? Are you using an identical mirror-image config?

Gotta run for an hour or so. You need some sleep!

0
 
LVL 36

Author Comment

by:grblades
ID: 12724059
I will give that a go later today

> How about the other end? Are you using an identical mirror-image config?
I posted the config of the router the other end above at about the same time as your reply.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12724361
On your router config, your crypto map is applied to the inside interface (e0), when it should be applied to your external one, dialer0....
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12725320
Concur with Tim
0
 
LVL 36

Author Comment

by:grblades
ID: 12726060
A reload of the PIX seems to have got me a bit further. I have also changed the config on the router the other end.

Now I am getting :-

gatekeeper# show crypto ipsec sa


interface: outside
    Crypto map tag: outside_map, local addr. 82.110.126.234

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 80.176.89.171:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 67, #recv errors 0

     local crypto endpt.: 82.110.126.234, remote crypto endpt.: 80.176.89.171
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

0
 
LVL 36

Author Comment

by:grblades
ID: 12726084
gatekeeper# debug crypto ipsec
gatekeeper# debug crypto isakmp
gatekeeper# IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 82.110.126.234, remote= 80.176.89.171,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:80.176.89.171, dest:82.110.126.234 spt:500 dpt:500
ISAKMP: malformed payloadIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 82.110.126.234, remote= 80.176.89.171,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 82.110.126.234, dst 80.176.89.171
ISADB: reaper checking SA 0x1057c54, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 80.176.89.171/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 82.110.126.234, remote= 80.176.89.171,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:80.176.89.171, dest:82.110.126.234 spt:500 dpt:500
ISAKMP: malformed payloadIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 82.110.126.234, remote= 80.176.89.171,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4)
0
 
LVL 36

Author Comment

by:grblades
ID: 12726184
Getting this on the router :-

*Mar  6 15:28:39.386: ISAKMP (0:17): Checking ISAKMP transform 1 against priority 65535 policy
*Mar  6 15:28:39.386: ISAKMP:      encryption DES-CBC
*Mar  6 15:28:39.386: ISAKMP:      hash MD5
*Mar  6 15:28:39.386: ISAKMP:      default group 2
*Mar  6 15:28:39.386: ISAKMP:      auth pre-share
*Mar  6 15:28:39.386: ISAKMP:      life type in seconds
*Mar  6 15:28:39.386: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  6 15:28:39.386: ISAKMP (0:17): Hash algorithm offered does not match policy!
*Mar  6 15:28:39.386: ISAKMP (0:17): atts are not acceptable. Next payload is 3
*Mar  6 15:28:39.390: ISAKMP (0:17): Checking ISAKMP transform 2 against priority 65535 policy
*Mar  6 15:28:39.390: ISAKMP:      encryption 3DES-CBC
*Mar  6 15:28:39.390: ISAKMP:      hash MD5
*Mar  6 15:28:39.390: ISAKMP:      default group 2
*Mar  6 15:28:39.390: ISAKMP:      auth pre-share
*Mar  6 15:28:39.390: ISAKMP:      life type in seconds
*Mar  6 15:28:39.390: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  6 15:28:39.390: ISAKMP (0:17): Encryption algorithm offered does not match policy!
*Mar  6 15:28:39.390: ISAKMP (0:17): atts are not acceptable. Next payload is 0
*Mar  6 15:28:39.390: ISAKMP (0:17): no offers accepted!
*Mar  6 15:28:39.390: ISAKMP (0:17): phase 1 SA policy not acceptable! (local 80.176.89.171 remote 82.110.126.234)
*Mar  6 15:28:39.394: ISAKMP (0:17): incrementing error counter on sa: construct_fail_ag_init
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12727522
>*Mar  6 15:28:39.390: ISAKMP (0:17): Encryption algorithm offered does not match policy!

Try adding this to the router:
  crypto isakmp policy 10
   encrypt des

Also, on the router, the remote LAN is .1.0 and your PIX side is .0.0:
  access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
should be:
  access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255


0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 1000 total points
ID: 12728195
Concur with lrmoore - your access lists don't match up, but the main problem is the policies don't match up.

If you do 'show cry isakmp pol' the policies and defaults are listed, which helps in troubleshooting, as at the moment, where you haven't defined the entire policy, there are implied defaults, which might be group 1 and lifetime 3600 on the router (I'm not too sure though...).

To get round this, on the router specify 'group 2' and 'lifetime 86400' in addition to what's already there, then the policies will have no excuse NOT to match up any more...  ;)
0
 
LVL 36

Author Comment

by:grblades
ID: 12728398
Thanks. I did a 'no access-list 120' via the web interface (only access I have) and I seem to have lost contact with it. OOPS :)
Don't know why this happened as I have done it before without problems. I think I will make use of the 'reload in 5' command next time :)
0
 
LVL 36

Author Comment

by:grblades
ID: 12728672
Thanks. The default for the router was des and a lifetime of 86400 but I needed to add 'group 2'.
The VPN is now up but I just need to check that all the traffic they want flows across and the router can initialise the VPN.
0
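The policy matching that lrmoore and Tim Holman describe, and that the final comment confirms, as an added example not from the thread: the IOS defaults are filled in for every attribute a 'crypto isakmp policy' leaves out, the transforms the PIX offered are parsed from the router debug output posted above, and each policy is checked attribute by attribute so the first mismatch matches what the debug reports. The default values used here (des, sha, rsa-sig, group 1, 86400) are the standard IOS ones, not something the thread states.

```python
# Added example (not from the thread): apply IOS ISAKMP policy defaults and
# check the transforms the PIX offered (from the router debug above) to see
# which attribute breaks each match.
import re

# IOS defaults for attributes a "crypto isakmp policy" omits; the implicit
# priority-65535 policy is all defaults. Lifetime is listed for completeness only.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "auth": "rsa-sig",
                "group": "1", "lifetime": "86400"}
CHECK_ORDER = ("encryption", "hash", "group", "auth")

# Constructed from the router debug output posted above.
ROUTER_DEBUG = """\
*Mar  6 15:28:39.386: ISAKMP (0:17): Checking ISAKMP transform 1 against priority 65535 policy
*Mar  6 15:28:39.386: ISAKMP:      encryption DES-CBC
*Mar  6 15:28:39.386: ISAKMP:      hash MD5
*Mar  6 15:28:39.386: ISAKMP:      default group 2
*Mar  6 15:28:39.386: ISAKMP:      auth pre-share
*Mar  6 15:28:39.386: ISAKMP (0:17): Hash algorithm offered does not match policy!
*Mar  6 15:28:39.390: ISAKMP (0:17): Checking ISAKMP transform 2 against priority 65535 policy
*Mar  6 15:28:39.390: ISAKMP:      encryption 3DES-CBC
*Mar  6 15:28:39.390: ISAKMP:      hash MD5
*Mar  6 15:28:39.390: ISAKMP:      default group 2
*Mar  6 15:28:39.390: ISAKMP:      auth pre-share
"""

ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")


def parse_offers(debug_text):
    """Group the 'ISAKMP: <attr> <value>' lines into one dict per offered transform."""
    offers, current = [], None
    for line in debug_text.splitlines():
        if "Checking ISAKMP transform" in line:
            current = {}
            offers.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            key = "group" if m.group(1) == "default group" else m.group(1)
            current[key] = m.group(2).lower().replace("-cbc", "")
    return offers


def mismatches(offer, policy):
    """Attributes where the offer differs from the policy once defaults are applied."""
    full = {**IOS_DEFAULTS, **policy}
    return [k for k in CHECK_ORDER if offer.get(k) != full[k]]


def first_acceptable(offers, policies):
    """Responder logic: policies by priority, offers in order; (priority, offer index) or None."""
    for prio in sorted(policies):
        for i, offer in enumerate(offers):
            if not mismatches(offer, policies[prio]):
                return prio, i
    return None


if __name__ == "__main__":
    offers = parse_offers(ROUTER_DEBUG)
    as_posted = {10: {"hash": "md5", "auth": "pre-share"}}   # router policy 10 as posted
    fixed = {10: {**as_posted[10], "group": "2"}}             # with 'group 2' added
    print([mismatches(o, as_posted[10]) for o in offers], first_acceptable(offers, fixed))
```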
 
LVL 1

Expert Comment

by:amorrow5
ID: 15145582
lrmoore:
"I would re-apply the crypto map to the interface,..." is exactly what I needed.

What I had done was to change my inside interface to a different subnet for testing.  This got me into the crazy "ACL = deny" error message.  Yes, simply a

no crypto map outside_map interface outside
crypto map outside_map interface outside

made the problem go away.  Thank you.
0
