Unable to establish ISAKMP exchange between two Cisco PIX 515E Firewalls

Posted on 2005-03-30
Last Modified: 2010-05-18
Hello,
Hopefully you experts can assist me with what is becoming a hair-pulling problem!
I have two Cisco PIX 515E firewalls: PIX 1 is the core firewall and PIX 2 is at a remote site.
The following are the ISAKMP and crypto map configs for PIX 1:

crypto ipsec transform-set remote esp-aes-256 esp-sha-hmac
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address remote
crypto map remote 10 set pfs group2
crypto map remote 10 set peer 192.168.1.2
crypto map remote 10 set transform-set outside
crypto map remote interface outside

The isakmp is configured as:

sysopt connection permit-ipsec
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 60 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

The following is the crypto config of PIX 2:

crypto ipsec transform-set core esp-aes-256 esp-sha-hmac
crypto map core 10 ipsec-isakmp
crypto map core 10 match address core
crypto map core 10 set pfs group2
crypto map core 10 set peer 192.168.1.1
crypto map core 10 set transform-set core
crypto map core interface outside

The following is the isakmp:

sysopt connection permit-ipsec
isakmp enable outside
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 60 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

When I use debug crypto isakmp on PIX 2 the output is:
crypto_isakmp_process_block:src:192.168.1.1, dest:192.168.1.2 spt:500 dpt:500

OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:192.168.1.1, dest:192.168.1.2 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 192.168.1.1/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:192.168.1.1, dest:192.168.1.2 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 192.168.1.1/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
ISADB: reaper checking SA 0xe23f1c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 192.168.1.1/500 not found - peers:0

It looks like ISAKMP is established until I get "VPN Peer ******** /500 not found - peers:0".

The whole process then starts again. When I view the ISAKMP SA it says main mode is set up:
PIX2# sh isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   192.168.1.2     192.168.1.1    MM_SA_SETUP   0           0

When I debug PIX 1 I get the following:

pix1(config)# debug crypto isakmp
pix1(config)#
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
ISADB: reaper checking SA 0xff8a74, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for DISRPTPIX001/500 not found - peers:0

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
ISADB: reaper checking SA 0xff8a74, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 192.168.1.2/500 not found - peers:0

ISAKMP (0): beginning Main Mode exchange

This then goes around in the same cycle.
When I view the isakmp sa, I get the following:

PIX1

pix1(config)# sh isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
    192.168.1.2     192.168.1.1    MM_NO_STATE   0           0

To me it looks like PIX 2 sees PIX 1 but not vice versa. The connections work fine in the clear, so I don't understand why this won't establish. I have set the access-lists on the crypto maps on both PIXs to permit ip any any.
I have allowed explicit access from both IP addresses to both peers' outside interfaces in the normal ACLs on the PIXs.
NAT is disabled on both outside interfaces. Apart from that it is a basic PIX build on both pieces of hardware.
If you need any more of my config please let me know.
Many tks
Colj_West
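The two "sh isakmp sa" outputs above, read together, already say which direction is broken. On the initiator (PIX 1) MM_NO_STATE means it sent main-mode message 1 and has received nothing; on the responder (PIX 2) MM_SA_SETUP means it received message 1, accepted the proposal ("atts are acceptable"), sent message 2 and is now retransmitting because message 3 never arrives. So PIX 1 reaches PIX 2, but PIX 2's reply does not get back. The script below is an added example, not part of the original post or of any Cisco tool: it parses "debug crypto isakmp" and "show isakmp sa" text in the format shown above, decodes the byte-by-byte lifetime attribute, and classifies the stuck exchange. The debug and SA excerpts embedded in it are constructed to mirror the poster's output, trimmed; the state names and their meaning are the standard Cisco IKEv1 main-mode states.

```python
"""Triage a stuck IKEv1 main-mode negotiation from PIX 6.x debug/SA output."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples in the format of `debug crypto isakmp` / `show isakmp sa`.
PIX1_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
"""
PIX1_SA = """\
        dst               src        state     pending     created
    192.168.1.2     192.168.1.1    MM_NO_STATE   0           0
"""
PIX2_DEBUG = """\
crypto_isakmp_process_block:src:192.168.1.1, dest:192.168.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.168.1.1, dst 192.168.1.2
"""
PIX2_SA = """\
        dst               src        state     pending     created
   192.168.1.2     192.168.1.1    MM_SA_SETUP   0           0
"""

LIFE_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 \((\d+)\)")
# dst src state pending created  (header row has no addresses, so it never matches)
SA_ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Z]{2}_[A-Z_]+)\s+\d+\s+\d+\s*$",
    re.M)


@dataclass
class PeerView:
    name: str
    initiator: bool
    mm_state: Optional[str]
    retransmits: int
    atts_acceptable: bool
    proposal_rejected: bool
    proposed_lifetime_s: Optional[int]


def decode_life_duration(hex_words: str) -> int:
    """The lifetime attribute is printed one byte at a time, big-endian:
    '0x0 0x1 0x51 0x80' -> 0x00015180 -> 86400 seconds."""
    value = 0
    for tok in hex_words.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_peer(name: str, debug_text: str, sa_text: str) -> PeerView:
    life = LIFE_RE.search(debug_text)
    row = SA_ROW_RE.search(sa_text)
    return PeerView(
        name=name,
        # Only the side that sends MM1 logs "beginning Main Mode exchange".
        initiator="beginning Main Mode exchange" in debug_text,
        mm_state=row.group(3) if row else None,
        retransmits=len(RETRANS_RE.findall(debug_text)),
        atts_acceptable="atts are acceptable" in debug_text,
        proposal_rejected="no offers accepted" in debug_text,
        proposed_lifetime_s=decode_life_duration(life.group(1)) if life else None,
    )


def diagnose(a: PeerView, b: PeerView) -> str:
    init, resp = (a, b) if a.initiator else (b, a)
    if resp.proposal_rejected:
        return f"{resp.name} rejected {init.name}'s proposal: isakmp policy mismatch"
    if init.mm_state == "MM_NO_STATE" and resp.mm_state == "MM_SA_SETUP" and resp.atts_acceptable:
        return (f"asymmetric path: {init.name}'s MM1 reaches {resp.name} (proposal accepted, "
                f"MM2 retransmitted {resp.retransmits}x) but MM2 never arrives back at "
                f"{init.name}; check routing/filtering of udp/500 from {resp.name} to {init.name}")
    if init.mm_state == "MM_NO_STATE" and resp.mm_state is None:
        return f"{init.name}'s MM1 never reaches {resp.name}: forward-path routing or filter"
    if init.mm_state == resp.mm_state == "MM_KEY_EXCH":
        return "both sides stuck at MM_KEY_EXCH: MM5/MM6 authentication failing, usually a pre-shared key or identity mismatch"
    return "no known main-mode failure signature; compare full debugs"


if __name__ == "__main__":
    print(diagnose(parse_peer("PIX1", PIX1_DEBUG, PIX1_SA),
                   parse_peer("PIX2", PIX2_DEBUG, PIX2_SA)))
```

Feed it the two real captures (one peer per parse_peer call, in either order) and it names the direction to investigate; for the output quoted above it reports the return path from PIX 2 to PIX 1, which is where the GRE routing problem described later in the thread sat.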
8 Comments

Expert Comment

by:plemieux72
ID: 13669477
Are you are trying to establish a VPN tunnel over a private WAN leased line or over the Internet between your two sites?

Author Comment

by:colj_west
ID: 13669562
Hello plemieux72

It is over a private WAN leased line, through a GRE tunnel between two Cisco 2600 routers. Everything works in the clear, so all the connectivity is fine from that point of view.
Tks Colj_West
Expert Comment

by:minmei
ID: 13670690
>I have allowed the access-lists on the crypto map on both PIXs to all IP any any.

Change this to the actual IP ranges you want to go into the tunnel. If 192.168.10.0/24 is on one side and 192.168.20.0/24 on the other, then use the ACLs:

access-list tunnel_vpn permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

and

access-list tunnel_vpn permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

It should work better than any any for allowing other traffic between the PIXes to flow.
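Mirrored crypto ACLs are one of several things that must agree on both peers before a site-to-site tunnel comes up; the posted configs also show a Phase 2 detail worth catching early: PIX 1's crypto map does "set transform-set outside" while the only transform set it defines is named "remote". That would not stop Phase 1 (so it is not what broke main mode here), but it would break Phase 2 once ISAKMP completed. The Python below is an added example, not code from the thread or from Cisco: it parses the two PIX 6.x config snippets and checks that each map entry resolves its transform set, peer key and ACL, that the two sides share an ISAKMP policy and IPsec proposal, that the crypto ACLs are mirror images, and flags "ip any any" crypto ACLs. The embedded configs are constructed from the posted PIX 1 / PIX 2 snippets, trimmed, with made-up protected subnets (192.168.10.0/24 and 192.168.20.0/24); the pre-shared keys are redacted in the thread, so only the peer address on each "isakmp key" line is compared.

```python
"""Cross-check two PIX 6.x site-to-site crypto configs for common mismatches."""
from collections import defaultdict

# Constructed from the thread's posted configs (trimmed; subnets are made up).
PIX1_CFG = """\
access-list remote permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set remote esp-aes-256 esp-sha-hmac
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address remote
crypto map remote 10 set pfs group2
crypto map remote 10 set peer 192.168.1.2
crypto map remote 10 set transform-set outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""
PIX2_CFG = """\
access-list core permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set core esp-aes-256 esp-sha-hmac
crypto map core 10 ipsec-isakmp
crypto map core 10 match address core
crypto map core 10 set pfs group2
crypto map core 10 set peer 192.168.1.1
crypto map core 10 set transform-set core
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""


def _addr(tokens):
    """Consume one PIX address spec: 'any' or 'NETWORK MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_pix(text):
    cfg = {"acls": defaultdict(list), "transform_sets": {}, "maps": defaultdict(dict),
           "key_peers": set(), "policies": defaultdict(dict)}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            src, rest = _addr(p[4:])
            dst, _ = _addr(rest)
            cfg["acls"][p[1]].append((src, dst))
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][p[3]] = tuple(p[4:])
        elif p[:2] == ["crypto", "map"] and len(p) > 4 and p[3].isdigit():
            entry = cfg["maps"][(p[2], int(p[3]))]
            if p[4] == "match":
                entry["acl"] = p[6]               # match address <acl>
            elif p[4] == "set":
                entry[p[5]] = " ".join(p[6:])     # set peer|pfs|transform-set <value>
        elif p[:2] == ["isakmp", "key"]:
            cfg["key_peers"].add(p[p.index("address") + 1])   # key itself is redacted
        elif p[:2] == ["isakmp", "policy"]:
            cfg["policies"][int(p[2])][p[3]] = " ".join(p[4:])
    return cfg


def check_site(side, cfg):
    """Per-device checks: each map entry must resolve its transform set, peer key and ACL."""
    out = []
    for (name, seq), e in sorted(cfg["maps"].items()):
        ts = e.get("transform-set")
        if ts not in cfg["transform_sets"]:
            out.append(f"{side}: crypto map {name} {seq} uses transform-set {ts!r}; "
                       f"defined sets are {sorted(cfg['transform_sets'])}")
        if e.get("peer") not in cfg["key_peers"]:
            out.append(f"{side}: crypto map {name} {seq} peer {e.get('peer')} has no isakmp key")
        rules = cfg["acls"].get(e.get("acl"), [])
        if not rules:
            out.append(f"{side}: crypto map {name} {seq} matches missing/empty ACL {e.get('acl')!r}")
        elif ("any", "any") in rules:
            out.append(f"{side}: crypto ACL {e['acl']!r} is 'ip any any'; narrow it to the protected subnets")
    return out


def check_pair(name_a, a, name_b, b):
    findings = check_site(name_a, a) + check_site(name_b, b)
    # Phase 1: some policy must agree on auth/encryption/hash/group
    # (lifetime is negotiated down to the shorter value, so it is excluded).
    def p1(cfg):
        return {tuple(sorted(kv for kv in pol.items() if kv[0] != "lifetime"))
                for pol in cfg["policies"].values()}
    if not p1(a) & p1(b):
        findings.append("isakmp policy mismatch: no common authentication/encryption/hash/group")
    # Phase 2: resolvable map entries must agree on transform algorithms and PFS group.
    def p2(cfg):
        return {(cfg["transform_sets"][e["transform-set"]], e.get("pfs"))
                for e in cfg["maps"].values() if e.get("transform-set") in cfg["transform_sets"]}
    if p2(a) and p2(b) and not p2(a) & p2(b):
        findings.append("ipsec proposal mismatch: transform-set algorithms or PFS group differ")
    # Crypto ACLs must be mirror images (A's src->dst is B's dst->src).
    def pairs(cfg):
        return {r for e in cfg["maps"].values() for r in cfg["acls"].get(e.get("acl"), [])}
    if pairs(a) != {(d, s) for s, d in pairs(b)}:
        findings.append(f"crypto ACLs are not mirrors: {sorted(pairs(a))} vs {sorted(pairs(b))}")
    return findings


if __name__ == "__main__":
    for f in check_pair("PIX1", parse_pix(PIX1_CFG), "PIX2", parse_pix(PIX2_CFG)):
        print(f)
```

Run against the constructed pair it reports exactly one finding, the undefined transform set on PIX 1; with that line corrected to "set transform-set remote" it reports nothing, and replacing the PIX 1 crypto ACL with "permit ip any any" produces both the over-broad-ACL warning and a mirror mismatch against PIX 2.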
Author Comment

by:colj_west
ID: 13681471
Hello minmei
Thank you for your advice; unfortunately I am still having the same problems.
I have ACLs on the PIX firewalls and have allowed UDP port 500 through from the peers. Is there anything else I need to open up? I have allowed the whole IP suite through, but to no avail!
Rgds,

Colj_West
Expert Comment

by:minmei
ID: 13681883

Your sysopt command allows what you need. No other commands are required on the inbound ACL.

Post whole configs, minus the important numbers (public addresses and passwords) and I'll see what I can find.

Author Comment

by:colj_west
ID: 13714274
Hello minmei,
Thank you for your time; however, I have solved the problem. It was to do with the GRE configuration: the data would work in the clear because it was using a route not covered by the GRE tunnel. I have modified the GRE routers' config and now the VPN is establishing with no problems. I will now ask for this call to be closed. Many thanks for your help and support.
Colj_West
Accepted Solution

by:
OzzMod earned 0 total points
ID: 13746157
Closed, 500 points refunded.
OzzMod
Community Support Moderator (Graveyard shift)