?
Solved

Setup VPN (IPSec) with Cisco 836 and Cisco PIX 515E

Posted on 2005-04-07
10
Medium Priority
?
1,587 Views
Last Modified: 2012-08-13

I have to setup a new Cisco 836 router (IOS 12.3) in a remote office (172.20.1.0/24) to connect to a Cisco Pix 515E (v6.1) in our central office (10.72.0.0/16) via VPN. The Cisco 836 will connect to internet via DSL (dyn. ip address), but for doing some tests before implementing, I would like to use the ISDN interface.

There should be no "direct" internet access for the remote office workstations; they all should go via central office (VPN) when surfing the internet.

Can anyone see why the VPN fails in the router config below?
Connecting to internet works fine, but the ISAKMP seems to have some problems (see debug at bottom).
Do I need to configure NAT in the router, if all traffic should use the VPN tunnel without NAT?

Any comments are welcome.

maeb3

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TEST
!
enable secret 5 xxxxx
!
username xxxxx secret 5 xxxxx
no aaa new-model
no ip subnet-zero
no ip source-route
no ip domain lookup
ip name-server 145.253.2.11
ip name-server 10.72.2.1
ip name-server 194.25.0.68
ip dhcp excluded-address 172.20.1.1
!
ip dhcp pool DHCP_POOL_TEST
   network 172.20.1.0 255.255.255.0
   default-router 172.20.1.1
   dns-server 10.72.2.1 10.72.2.6
   lease 3
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
isdn switch-type basic-net3
!
crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 5000
crypto isakmp key 0 xxxxxxxxxx address 217.x.x.x
!
!
crypto ipsec transform-set VPNsettings esp-des esp-sha-hmac
!
crypto map VPN_Tunnel 10 ipsec-isakmp
 description VPN Tunnel
 set peer 217.x.x.x
 set transform-set VPNsettings
 match address 110
!
interface Ethernet0
 description LAN Interface
 ip address 172.20.1.1 255.255.255.0
! ip nat inside ???
 no ip proxy-arp
 no cdp enable
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 no cdp enable
 ppp authentication chap callin
!
interface ATM0
 description DSL NOT USED DURING TESTING
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
 load-interval 30
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description ISDN-DialIn
 ip address negotiated
 no ip proxy-arp
! ip nat outside ???
 encapsulation ppp
 dialer pool 1
 dialer wait-for-carrier-time 10
 dialer string 06102xxxxxx
 dialer hold-queue 10
 dialer redial interval 5 attempts 5
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxx
 ppp chap password 7 xxxxxxx
 crypto map VPN_Tunnel
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 110 permit ip 172.20.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
 exec-timeout 15 0
 logging synchronous
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 password 7 xxxx
 login local
 length 0
!
scheduler max-task-time 5000
no rcapi server
!
end





Debugging shows something like:
...
00:06:135310971284: IPSEC(sa_find_addr): null IP address specified on SADB lookup
00:06:133189296253: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
00:06:31: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 212.144.60.209, remote= 217.x.x.x,
    local_proxy= 172.20.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xE6867E18(3867573784), conn_id= 0, keysize= 0, flags= 0x400A
00:06:31: ISAKMP: received ke message (1/1)
00:06:31: ISAKMP (0:0): SA request profile is (NULL)
00:06:31: ISAKMP: local port 500, remote port 500
00:06:31: ISAKMP: set new node 0 to QM_IDLE      
00:06:31: ISAKMP: insert sa successfully sa = 8171F908
00:06:31: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
00:06:31: ISAKMP: Looking for a matching key for 217.x.x.x in default : success
00:06:31: ISAKMP (0:1): found peer pre-shared key matching 217.x.x.x
00:06:31: ISAKMP (0:1): constructed NAT-T vendor-03 ID
00:06:31: ISAKMP (0:1): constructed NAT-T vendor-02 ID
00:06:31: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:06:31: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
00:06:31: ISAKMP (0:1): beginning Main Mode exchange
00:06:31: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:06:41: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:06:41: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:06:41: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:06:41: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:06:51: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:06:51: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:06:51: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:06:51: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:07:01: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 212.144.60.209, remote= 217.x.x.x,
    local_proxy= 172.20.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
00:07:01: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 212.144.60.209, remote= 217.x.x.x,
    local_proxy= 172.20.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x2407EF74(604499828), conn_id= 0, keysize= 0, flags= 0x400A
00:07:01: ISAKMP: received ke message (1/1)
00:07:01: ISAKMP: set new node 0 to QM_IDLE      
00:07:01: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 212.144.60.209, remote 217.x.x.x)
00:07:01: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:07:01: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:07:01: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:07:01: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:07:04: IPSEC(crypto_ipsec_isakmp_sa_initiate): Sending bogus packet to dialer for classification
00:07:04: IPSEC(crypto_ipsec_isakmp_sa_initiate): Sending bogus packet to dialer for classification
00:07:04: IPSEC(crypto_ipsec_isakmp_sa_initiate): Sending bogus packet to dialer for classification
00:07:11: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:07:11: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:07:11: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
.....


The central office (Cisco PIX, 217.x.x.x) doesn't receive any requests on port 500.
0
Comment
Question by:maeb3
  • 5
  • 4
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13725768
>access-list 110 permit ip 172.20.1.0 0.0.0.255 any
Are you sure you want ALL traffic going through the VPN tunnel?
No Internet access for this office?

Have you verified the crypto key at both ends to match?
If you remove the crypto map from the dialer interface, and add the "ip nat outside" command, will you get Internet access? Can you then ping the remote 217.x.x.x PIX IP address?
You need to establish that you can directly communicate public IP to public IP before you apply the crypto map..

0
 
LVL 1

Expert Comment

by:jamespickering
ID: 13725829
Can you try the configuration:
cypto ipsec nat-transparency udp-encapsulation
0
 
LVL 4

Author Comment

by:maeb3
ID: 13726409
@lrmoore

Yes, all traffic should use the VPN tunnel, since internet access is done via a proxy server in the central office.

The crypto key is the same at both ends, but I think it doesn't even come to the point where the keys are exchanged, since the hit count on the Cisco PIX (217.x.x.x) shows "0" for port 500.

When deleting the crypto statement and adding the "ip nat inside", "ip nat outside", "ip nat inside source ... overload" statements, I have direct internet access via ISDN. (I can't ping the PIX since ICMP is blocked before).

@jamespickering
I will try that tonight.

maeb3
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
LVL 79

Expert Comment

by:lrmoore
ID: 13726489
>since the hit count on the Cisco PIX (217.x.x.x) shows "0" for port 500.
Don't you have "sysopt connection permit-ipsec"

>I can't ping the PIX since ICMP is blocked before
Where is icmp blocked? Is UDP 500 also blocked, perchance?

Can you post your pix config?
0
 
LVL 4

Author Comment

by:maeb3
ID: 13726699
The "sysopt connection permit-ipsec" statement exists.

The ping is blocked in the internet facing router. I don't think UDP 500 is blocked in there, but I will check that.

The PIX config looks like

PIX Version 6.1(4)
....
names
name 217.x.x.100  Outside_IP
name 217.x.x.101  Outside_DSL
! 217.x.x.101 is the internet facing DSL router
name 217.x.x.102  Outside_Mail
name 217.x.x.106  Outside_Internet
access-list Internet permit icmp any any
access-list Internet permit tcp any host Outside_Mail eq smtp
access-list Internet permit udp any host Outside_IP eq isakmp
access-list Internet permit udp any host Outside_Internet eq isakmp
access-list VPN_1 permit ip any 172.20.1.0 255.255.255.0
access-list NoNAT permit ip 10.0.0.0  255.0.0.0  172.20.0.0  255.255.0.0
...
ip address outside Outside_IP 255.255.255.0      
ip address inside 192.168.1.2 255.255.255.0
ip address inside2 10.72.2.50  255.255.0.0
ip audit info action alarm
ip audit attack action alarm      
pdm history enable
arp timeout 14400      
global (outside) 1 Outside_Internet netmask 255.255.255.0
global (outside) 2 Outside_Mail netmask 255.255.255.0
nat (inside) 0 access-list NoNAT
nat (inside)  1  0.0.0.0  0.0.0.0  0  0      
nat (inside2)  2  0.0.0.0  0.0.0.0  0  0
static (inside2,outside) tcp Outside_Mail smtp 10.72.2.3 smtp netmask 255.255.255.255 0 0
access-group Internet in interface outside       Access-Listen zuweisen
access-group Mailbypass in interface inside2       
route outside 0.0.0.0 0.0.0.0 Outside_DSL 1
route inside2 10.0.0.0 255.0.0.0 10.72.1.1 1
...
floodguard enable
sysopt connection permit-ipsec       
no sysopt route dnat
crypto ipsec transform-set VPNsettings2 esp-des esp-sha-hmac            
crypto dynamic-map dynMap1 10 match address VPN_1
crypto dynamic-map dynMap1 10 set transform-set VPNsettings2
crypto dynamic-map dynMap1 10 set pfs group2
crypto map NWT 100 ipsec-isakmp dynamic dynMap1
crypto map NWT interface outside
isakmp enable outside
isakmp key  **************  address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 5000
...


I know I probably have some routing issues to solve within the local network, before everything works fine, but the first thing is to get the VPN connection working.

maeb3
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13729213
> but the first thing is to get the VPN connection working.
It may not work that way. Since the VPN tunnel is dynamic, it will not complete the connection unless and until there is 2-way communication on that link.

>route inside2 10.0.0.0 255.0.0.0 10.72.1.1 1
Does the router 10.72.1.1 have a route statement for the 172.20.1.0 subnet pointing to the PIX?

On your router, you may need to include the encryption statement

>crypto isakmp policy 10
 authentication pre-share
 encryption des  <== add this statement
 group 2
 lifetime 5000
0
 
LVL 4

Author Comment

by:maeb3
ID: 13735147
@jamespickering
the "crypto ipsec nat-transparency udp-encapsulation" statement is the default for my router, so this statement is already there.

@lrmoore
same  for the "encryption des". It's the default and therefore not displayed in the config.

I already asked for the static route entry in the 10.72.1.1 (this router is managed by an external service provider). It should be done during the next days. But I think at least the isakmp key exchange should work between the dyn. ip of the router and the static ip of the PIX.

My new "prime suspect" is the isdn internet provider not allowing VPNs, since this is just a small "internet by call" provider. I will check that this weekend and maybe try another ISP where I definitely know that VPNs are allowed.

Question: do I have to use the static ip address of the PIX outside interface (217.x.x.100) or may I use a seperate (global) ip address for VPN connections like 217.x.x.103? (> name 217.x.x.103 Outside_VPN).

maeb3
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 13735225
>It should be done during the next days. But I think at least the isakmp key exchange should work between the dyn.
You might get a QM_IDLE state, but no packets. "sho cry is sa", then it will go away because there is no traffic to require it

>do I have to use the static ip address of the PIX outside interface (217.x.x.100)
Yes. Global addresses serve internal hosts. Unless you want to establish the VPN with an internal host, you have no choice but to use the outside interface IP of the PIX

0
 
LVL 4

Author Comment

by:maeb3
ID: 13772438
Still no success.
I'm quite sure now that the PIX is the problem.

When using my router config without the crypto statement on the dialer interface I can access the internet and also ping the PIX on the central office (I permitted ICMP on the PIX outside interface). When adding the crypto statement, I can ping the PIX outside interface from the router itself (CLI), but not from the remote clients. So, the router tries to route the client traffic in the (non-existing) VPN tunnel, which is fine (if the VPN tunnel would exist ;-).

From the debug information I can see that the router tries to start an isakmp connection to the PIX:
...
00:34:54: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
00:34:54: ISAKMP: Looking for a matching key for 217.x.x.100 in default : success
00:34:54: ISAKMP (0:2): found peer pre-shared key matching 217.x.x.100
00:34:54: ISAKMP (0:2): constructed NAT-T vendor-03 ID
00:34:54: ISAKMP (0:2): constructed NAT-T vendor-02 ID
00:34:54: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:34:54: ISAKMP (0:2): Old State = IKE_READY  New State = IKE_I_MM1
00:34:54: ISAKMP (0:2): beginning Main Mode exchange
00:34:54: ISAKMP: Main Mode packet contents (flags 0, len 120):
00:34:54:           SA payload
00:34:54:             PROPOSAL
00:34:54:               TRANSFORM
00:34:54:           VENDOR payload
00:34:54:           VENDOR payload
00:34:54: ISAKMP (0:2): sending packet to 217.x.x.100 my_port 500 peer_port 500 (I) MM_NO_STATE
00:35:04: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...
00:35:04: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:35:04: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE
00:35:04: ISAKMP (0:2): sending packet to 217.x.x.100 my_port 500 peer_port 500 (I) MM_NO_STATE
00:35:14: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...
00:35:14: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:35:14: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE
00:35:14: ISAKMP (0:2): sending packet to 217.x.x.100 my_port 500 peer_port 500 (I) MM_NO_STATE
00:35:24: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 217.246.181.154, remote= 217.x.x.100,
    local_proxy= 172.20.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
...

But on the PIX I can see a hitcount of 0 on the outside interface for udp port 500 (access-list Internet permit udp any host Outside_IP eq isakmp).

Why can I ping the interface, but the ISAKMP doesn't seem to find it?
Any ideas?

The complete setup looks like:

         172.20.1.x    172.20.1.1  dynIP                                     217.x.x.101   217.x.x.100      10.x.x.x
                   |                |         |                                                   |                |(102/106)   |
RemoteClient---------------Router------I N T E R N E T------DSL-Router---------------PIX-Firewall---Corp-network
                                                                                                                                        |
                                                                                                                                  192.168.x.x
maeb3
0
 
LVL 4

Author Comment

by:maeb3
ID: 13823260
Like in most cases when the problem seems to be unsolvable, it was a combination of several errors here.

I changed the outside interface address of the pix, I upgraded to version 6.3, we did some changes on the internet access router managed by the ISP, ... and some more things.

Thank you,
maeb3
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Make the most of your online learning experience.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question