colj_west asked:
Unable to establish ISAKMP exchange between two Cisco PIX 515E Firewalls

Hello,
Hopefully you experts can assist me with what is becoming a hair-pulling problem!
I have 2 Cisco PIX 515E firewalls: PIX 1 is the core firewall, with PIX 2 being in a remote site.
The following is the ISAKMP config and crypto map config for PIX 1:

crypto ipsec transform-set remote esp-aes-256 esp-sha-hmac
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address remote
crypto map remote 10 set pfs group2
crypto map remote 10 set peer 192.168.1.2
crypto map remote 10 set transform-set outside
crypto map remote interface outside

The isakmp is configured as:

sysopt connection permit-ipsec
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 60 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

The following is the crypto config of PIX 2:

crypto ipsec transform-set core esp-aes-256 esp-sha-hmac
crypto map core 10 ipsec-isakmp
crypto map core 10 match address core
crypto map core 10 set pfs group2
crypto map core 10 set peer 192.168.1.1
crypto map core 10 set transform-set core
crypto map core interface outside

The following is the isakmp:

sysopt connection permit-ipsec
isakmp enable outside
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 60 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

When I use debug crypto isakmp on PIX 2 the output is:
crypto_isakmp_process_block:src:192.168.1.1, dest:192.168.1.2 spt:500 dpt:500

OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:192.168.1.1, dest:192.168.1.2 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 192.168.1.1/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:192.168.1.1, dest:192.168.1.2 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 192.168.1.1/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
ISADB: reaper checking SA 0xe23f1c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 192.168.1.1/500 not found - peers:0

It looks like the ISAKMP is established until I get the VPN Peer ******** /500 not found - peers:0.

The whole process then starts again.  When I view the isakmp sa it says the main mode is set up:
PIX2# sh isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   192.168.1.2     192.168.1.1    MM_SA_SETUP   0           0

When I debug PIX 1 I get the following:

pix1(config)# debug crypto isakmp
pix1(config)#
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
ISADB: reaper checking SA 0xff8a74, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for DISRPTPIX001/500 not found - peers:0

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
ISADB: reaper checking SA 0xff8a74, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 192.168.1.2/500 not found - peers:0

ISAKMP (0): beginning Main Mode exchange

This then goes around in the same cycle.
When I view the isakmp sa, I get the following:

PIX1

pix1(config)# sh isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
    192.168.1.2     192.168.1.1    MM_NO_STATE   0           0

To me it looks like PIX 2 sees PIX 1 but not vice versa.  The connections work fine in clear so I don't understand why this won't establish.  I have allowed the access-lists on the crypto map on both PIXs to all IP any any.
I have allowed explicit access from both IP addresses to both the peers' outside interfaces in the normal ACLs on the PIXs.
NAT is disabled on both outside interfaces.  Apart from that it is a basic PIX build on both pieces of hardware.
If you need any more of my config please let me know.
Many tks
Colj_West
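The two debug captures above tell a consistent story once they are read side by side: PIX 2 (responder) processes the SA payload, reports "atts are acceptable" and then retransmits phase 1 until the reaper deletes the larval SA, while PIX 1 (initiator) never logs a received SA payload at all and sits in MM_NO_STATE. That pattern points at the return path between the peers rather than at the ISAKMP policy. The following script, an added example that is not code from the original post or from Cisco, turns that reading into a small triage tool. The sample inputs are constructed from the debug and `sh isakmp sa` output quoted in the question; the state names it explains are the PIX 6.x main-mode states, and "atts are not acceptable" is the standard PIX rejection line for a policy mismatch, which does not appear in the posted output but is the other case a practitioner needs to tell apart.

```python
"""Phase-1 triage from `debug crypto isakmp` output captured on both PIX firewalls.

Added example for this thread, not code from the original post or from Cisco. It
recognises only the message strings visible in the posted debug output plus the
standard "atts are not acceptable" rejection, and the PIX 6.x `sh isakmp sa` states.
"""
import re
from collections import Counter

# Constructed samples: the debug and `sh isakmp sa` output quoted in the question, condensed.
PIX2_DEBUG = """\
crypto_isakmp_process_block:src:192.168.1.1, dest:192.168.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): atts are acceptable. Next payload is 0
VPN Peer:ISAKMP: Peer Info for 192.168.1.1/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
"""
PIX1_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
"""
PIX1_SA = """\
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
    192.168.1.2     192.168.1.1    MM_NO_STATE   0           0
"""

# Main-mode states shown by `sh isakmp sa` on PIX 6.x, in order of progress.
ISAKMP_STATES = {
    "MM_NO_STATE": "SA allocated; no main-mode reply processed yet",
    "MM_SA_SETUP": "MM1/MM2 done: ISAKMP policy proposal accepted",
    "MM_KEY_EXCH": "MM3/MM4 done: DH public values and nonces exchanged",
    "MM_KEY_AUTH": "MM5/MM6 done: peer identity authenticated",
    "QM_IDLE": "phase 1 complete; quick mode (IPsec SA) can run",
}
# Debug substrings counted for triage.
EVENTS = {
    "initiated": "beginning Main Mode exchange",
    "sa_received": "processing SA payload",
    "sa_accepted": "atts are acceptable",
    "sa_rejected": "atts are not acceptable",
    "p1_retransmits": "retransmitting phase 1",
    "sa_deleted": "deleting SA",
}

def summarize(debug):
    """Count triage events and infer this box's role in the exchange."""
    counts = Counter()
    for line in debug.splitlines():
        for name, needle in EVENTS.items():
            if needle in line:
                counts[name] += 1
    role = "initiator" if counts["initiated"] else "responder"
    return {"role": role, **{name: counts[name] for name in EVENTS}}

def classify(s):
    """Name the phase-1 failure pattern as seen from one side."""
    if s["sa_rejected"]:
        return "policy_mismatch"
    if s["role"] == "responder" and s["sa_accepted"] and s["p1_retransmits"]:
        return "reply_lost"  # MM1 accepted and MM2 sent, but MM3 never arrived
    if s["role"] == "initiator" and not s["sa_received"] and s["p1_retransmits"]:
        return "no_reply"  # MM1 sent, MM2 never arrived
    return "progressing" if s["sa_accepted"] else "inconclusive"

def diagnose(initiator_debug, responder_debug):
    """Combine both ends' views into one verdict."""
    i, r = classify(summarize(initiator_debug)), classify(summarize(responder_debug))
    if "policy_mismatch" in (i, r):
        return "policy mismatch: compare isakmp policy encryption/hash/group/auth on both sides"
    if i == "no_reply" and r == "reply_lost":
        return ("asymmetric path: the responder received and accepted MM1 but its MM2 never "
                "reached the initiator; check the return route, NAT and UDP/500 filtering "
                "between the peers rather than the ISAKMP policy")
    if i == "no_reply" and r == "inconclusive":
        return "forward path: the initiator's MM1 never reaches the responder"
    return f"initiator={i} responder={r}"

def parse_isakmp_sa(output):
    """Rows of `sh isakmp sa` as (dst, src, state, meaning)."""
    row = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")
    rows = []
    for line in output.splitlines():
        m = row.match(line)
        if m:
            dst, src, state = m.groups()
            rows.append((dst, src, state, ISAKMP_STATES.get(state, "unknown state")))
    return rows
```

Run `diagnose(PIX1_DEBUG, PIX2_DEBUG)` and the verdict is the "asymmetric path" case: the forward direction works (PIX 2 saw and accepted the proposal), the reply does not come back. That is consistent with the asker's later finding that the clear-text traffic was using a route not covered by the GRE tunnel. The same tool applied to captures containing "atts are not acceptable" instead reports a policy mismatch, which is the case to chase with `isakmp policy` rather than with routing.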
plemieux72

Are you trying to establish a VPN tunnel over a private WAN leased line or over the Internet between your two sites?

colj_west (ASKER)
Hello plemieux72

It is over a private WAN leased line.  It is over a GRE tunnel using 2 Cisco 2600 routers.  Everything works in clear, so all the connectivity is fine from that point of view.
Tks Colj_West
>I have allowed the access-lists on the crypto map on both PIXs to all IP any any.

Change this to the actual IP ranges you want to go into the tunnel. If 192.168.10.0/24 is on one side and the other is 192.168.20.0/24, then use the ACLs:

access-list tunnel_vpn permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

and

access-list tunnel_vpn permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

It should work better than (any any) for allowing other traffic between the PIXes to flow.
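The advice above is one instance of a general rule for site-to-site crypto maps: the two PIX configurations have to agree with each other (mirrored crypto ACLs, matching policy attributes, same PFS group) and be internally consistent (the transform-set and access-list a crypto map entry names must exist, and `set peer` must match the address the pre-shared key is bound to). The script below, an added example and not code from the thread or from Cisco, checks those points across two config excerpts. Its sample inputs are constructed from the crypto configuration quoted in the question plus the /24 crypto ACLs suggested in the reply above (named after each side's crypto map); it parses only the PIX 6.x command forms that appear there. Note that on the PIX 1 config as posted, `crypto map remote 10 set transform-set outside` names a transform-set that is never defined (the defined one is called `remote`), and the checker reports exactly that.

```python
"""Cross-check two PIX crypto configs for mismatches that stop a site-to-site tunnel.

Added example for this thread, not code from the original posts or from Cisco. It parses
only the PIX 6.x command forms quoted in the question (crypto ipsec transform-set,
crypto map entries, isakmp key / policy, access-list ... permit ip).
"""

# Constructed samples: the crypto config quoted in the question plus the /24 crypto
# ACLs suggested in the reply above, named after each side's crypto map.
PIX1_CFG = """\
access-list remote permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set remote esp-aes-256 esp-sha-hmac
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address remote
crypto map remote 10 set pfs group2
crypto map remote 10 set peer 192.168.1.2
crypto map remote 10 set transform-set outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""
PIX2_CFG = """\
access-list core permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set core esp-aes-256 esp-sha-hmac
crypto map core 10 ipsec-isakmp
crypto map core 10 match address core
crypto map core 10 set pfs group2
crypto map core 10 set peer 192.168.1.1
crypto map core 10 set transform-set core
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

def _addr(tok, i):
    """Consume one ACL address spec (any | host X | net mask) starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "255.255.255.255"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse(cfg):
    """Pull the crypto-relevant objects out of a PIX config excerpt."""
    d = {"tsets": {}, "maps": {}, "acls": {}, "key_addr": None, "policy": {}}
    for line in cfg.splitlines():
        f = line.split()
        if f[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][f[3]] = tuple(f[4:])
        elif f[:2] == ["crypto", "map"] and len(f) > 6 and f[3].isdigit():
            entry = d["maps"].setdefault((f[2], int(f[3])), {})
            if f[4] == "match":
                entry["acl"] = f[6]
            elif f[4] == "set":
                entry[f[5]] = f[6]  # peer / transform-set / pfs
        elif f[:1] == ["access-list"] and f[2:4] == ["permit", "ip"]:
            src, i = _addr(f, 4)
            dst, _ = _addr(f, i)
            d["acls"].setdefault(f[1], []).append((src, dst))
        elif f[:2] == ["isakmp", "key"]:
            d["key_addr"] = f[f.index("address") + 1]
        elif f[:2] == ["isakmp", "policy"]:
            d["policy"].setdefault(int(f[2]), {})[f[3]] = " ".join(f[4:])
    return d

def check(a, b, name_a="A", name_b="B"):
    """Return findings; an empty list means the two sides agree."""
    out = []
    for side, cfg in ((name_a, a), (name_b, b)):
        for (mname, seq), e in cfg["maps"].items():
            if e.get("transform-set") not in cfg["tsets"]:
                out.append(f"{side}: crypto map {mname} {seq} uses undefined transform-set '{e.get('transform-set')}'")
            if e.get("acl") not in cfg["acls"]:
                out.append(f"{side}: crypto map {mname} {seq} matches access-list '{e.get('acl')}' with no permit ip lines")
            if e.get("peer") != cfg["key_addr"]:
                out.append(f"{side}: set peer {e.get('peer')} but the isakmp key is for {cfg['key_addr']}")
    # lifetime differences are negotiated down; the other policy attributes must match
    for seq in sorted(set(a["policy"]) | set(b["policy"])):
        pa, pb = a["policy"].get(seq, {}), b["policy"].get(seq, {})
        for attr in sorted(set(pa) | set(pb)):
            if pa.get(attr) != pb.get(attr):
                out.append(f"isakmp policy {seq} {attr}: {name_a}={pa.get(attr)} {name_b}={pb.get(attr)}")
    for ea in a["maps"].values():
        for eb in b["maps"].values():
            if ea.get("pfs") != eb.get("pfs"):
                out.append(f"pfs differs: {name_a}={ea.get('pfs')} {name_b}={eb.get('pfs')}")
            acl_b = b["acls"].get(eb.get("acl"), [])
            for src, dst in a["acls"].get(ea.get("acl"), []):
                if (dst, src) not in acl_b:
                    out.append(f"{name_b} crypto ACL does not mirror {name_a} line {src} -> {dst}")
    return out

if __name__ == "__main__":
    print(*(check(parse(PIX1_CFG), parse(PIX2_CFG), "PIX1", "PIX2") or ["no mismatches"]), sep="\n")
```

Running it against the two excerpts as posted produces a single finding, the undefined transform-set on PIX 1; once that line is corrected to the defined set the two sides agree, and changing either side's DH group or un-mirroring one ACL line is reported immediately. It deliberately does not try to judge the phase-1 exchange itself; that is what the debug output is for.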
Hello minmei
Thank you for your advice; unfortunately I am still having the same problems.
I have ACLs on the PIX firewalls; I have allowed UDP port 500 through from the peers.  Is there anything else I need to open up? I have allowed the whole IP suite through but to no avail!
Rgds,

Colj_West

Your sysopt command allows what you need. No other commands are required on the inbound ACL.

Post whole configs, minus the important numbers (public addresses and passwords) and I'll see what I can find.

Hello minmei,
Thank you for your time; however, I have solved the problem.  It was to do with the GRE configuration: the data would work in clear because it was using a route not covered by the GRE tunnel.  I have modified the GRE routers' config and now the VPN is establishing with no problems.  I will now ask for this call to be closed.  Many tks for your help and support.
Colj_West
ASKER CERTIFIED SOLUTION
OzzMod