Need help creating 2 VPN tunnels on a Cisco PIX 515E

Posted on 2005-04-14
Last Modified: 2010-04-12
I am currently in the process of adding a new server into a remote office of ours that previously worked with us through Citrix.  It's a small office and we didn't want to put a server in until after the 1st of the year.  This is our 3rd office and I'd like to connect it to our main office using a VPN tunnel like I did with our other remote office.  Just for clarity -

Site A - Headquarters in San Francisco, Cisco PIX 515E on a Covad T1 line.  Internal IP is 10.20.30.xxx
Site B - Remote office in Los Angeles, Sonicwall Firewall on a Covad ADSL line.  Internal IP is 207.222.138.xxx (don't ask, I didn't set it up like this, it'll be changed when they get new servers in a few months)
Site C - Remote office in Reno, Linksys RV082 Router/VPN/Firewall on a Covad ADSL line.  Internal IP will be 192.168.1.xxx

I currently have Sites A and B connected with a tunnel and it works fine.  I am by no means a PIX whiz; in fact I know little about it, enough to be dangerous.  Below is the config of my PIX relative to this and what I've already entered in new for Site C.

Previously in place and working for Site A to B Tunnel:

access-list pix2LAO permit ip 10.0.0.0 255.0.0.0 207.222.138.128 255.255.255.192
access-list nonat permit ip 10.0.0.0 255.0.0.0 207.222.138.128 255.255.255.192
.
sysopt connection permit-ipsec
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address pix2LAO
crypto map aptmap 10 set peer xx.xxx.xxx.xxx (Internet IP for Site B)
crypto map aptmap 10 set transform-set aptset
crypto map aptmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map aptmap interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.xxx.xxx (<-Internet IP for Site B) netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Here's what I added -

access-list pix2reno permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1
.
crypto map aptmap 20 ipsec-isakmp
crypto map aptmap 20 match address pix2reno
crypto map aptmap 20 set peer xx.xxx.xxx.xxx (<-Internet IP for Site C)
crypto map aptmap 20 set transform-set aptset
crypto map aptmap 20 set security-association lifetime seconds 28800 kilobytes 4608000
.
isakmp key ******** address xx.xxx.xxx.xxx (<-Internet IP for Site C) netmask 255.255.255.255


Obviously this isn't working otherwise I wouldn't be asking for help.  :)
A couple of things I'm not sure of...

1. The original configuration on the PIX contained "access-list nonat permit ip 10.0.0.0 255.0.0.0 207.222.138.128 255.255.255.192", do I need to add a line similar to this for Site C?  I didn't want to add it in case it replaced the existing one, thus breaking the current tunnel.

2. The original configuration on the PIX contained "access-list pix2LAO permit ip 10.0.0.0 255.0.0.0 207.222.138.128 255.255.255.192"... the .192 mask is the internal subnet mask for that office.  When I tried to enter in the internal subnet mask for Site C (255.255.255.0) I got an error about it not being paired or something.  I read on another site that I could use 255.255.255.255, I did, it didn't give me an error but now I have that "host 192.168.1.1" in there and I'm not so sure that's right.

I've configured the Linksys router with the correct info and the preshare but it won't connect.  If anyone needs more info, please let me know; I'll be happy to provide it.  I hope this all makes sense.


Question by:Longshot9
 
LVL 7

Assisted Solution

by:minmei
minmei earned 1000 total points
ID: 13786096
Longshot9,

> 1. The original configuration on the PIX contained "access-list nonat
> permit ip 10.0.0.0 255.0.0.0 207.222.138.128 255.255.255.192", do I
> need to add a line similar to this for Site C?  I didn't want to add
> it in case it replaced the existing one, thus breaking the current tunnel.
 
Yes - add this line with 192.168.1.x in it - it specifies that you will not translate this traffic using NAT.

This should be the new acl:

 access-list pix2RNEO permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

Good luck!
 

Author Comment

by:Longshot9
ID: 13786234
OK, it was added but I'm still not getting a connection made.  Here's the log from the Linksys router -

Apr 14 13:20:52 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet to xx.xxx.xxx.xx
Apr 14 13:20:52 2005 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet from xx.xxx.xxx.xx
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet to xx.xxx.xxx.xx
Apr 14 13:20:53 2005 VPN Log Ignoring Vendor ID payload [XAUTH]
Apr 14 13:20:53 2005 VPN Log Received Vendor ID payload [Dead Peer Detection]
Apr 14 13:20:53 2005 VPN Log Ignoring Vendor ID payload [Cisco-Unity]
Apr 14 13:20:53 2005 VPN Log Ignoring Vendor ID payload [1aa6f032f2929774...]
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet from xx.xxx.xxx.xx
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet to xx.xxx.xxx.xx
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] <<< Initiator Receive Main Mode 6th packet from xx.xxx.xxx.xx
Apr 14 13:20:53 2005 VPN Log Main mode peer ID is ID_IPV4_ADDR: 'xx.xxx.xxx.xx'
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] Initiator Cookies = 5185 f963 968b c31c
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] Responder Cookies = ef61 572f f293 9774
Apr 14 13:20:53 2005 VPN Log initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 1st packet to xx.xxx.xxx.xx
Apr 14 13:20:53 2005 VPN Log Received informational payload, type IPSEC_INITIAL_CONTACT
Apr 14 13:20:53 2005 VPN Log Received informational payload, type NO_PROPOSAL_CHOSEN
Apr 14 13:22:03 2005 VPN Log initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #182
Apr 14 13:22:03 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 1st packet to xx.xxx.xxx.xx
Apr 14 13:22:03 2005 VPN Log Received informational payload, type NO_PROPOSAL_CHOSEN
Apr 14 13:22:29 2005 VPN Log received Delete SA payload: deleting ISAKMP State #181

Then it just starts all over again.  If it looks like everything is right in the Pix config then i'll turn attention to the Linksys.  Thanks for the response, more would be appreciated.
 
LVL 7

Expert Comment

by:minmei
ID: 13786275
Phase 1 SA established means the ipsec is good (matches on both sides).

Quick mode is failing - check the setting on the Linksys and the PIX under the IPSec section.

The Pix is currently set (per above) to the following:

3des
md5
lifetime 28800
kb 4608000

Check out the Linksys settings
 
LVL 7

Expert Comment

by:minmei
ID: 13786284
sorry - the first line should say the isakmp (phase 1) is good on both sides.
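An added triage helper (my code, not from the thread or its posters) that applies minmei's reading of the Linksys log: it counts how far Main Mode got, whether Phase 1 came up, and whether every Quick Mode attempt was answered with NO_PROPOSAL_CHOSEN, then says which side's settings to compare. It assumes the RV082 "VPN Log" wording shown above; `triage_vpn_log` and its result keys are my own names, and the sample excerpt is constructed from the lines posted.

```python
import re

# Added example (not from the thread): triage an RV082 "VPN Log" excerpt to see
# how far IKE got before it failed, so the right settings get compared next.
# triage_vpn_log and its result keys are my own names.

MAIN_MODE_REPLY = re.compile(r"Initiator Receive[d]? Main Mode \d\w+ packet")
PEER_ID = re.compile(r"peer ID is (\S+): '([^']*)'")

def triage_vpn_log(text):
    r = {"main_mode_replies": 0, "phase1_ok": False, "peer_id": None,
         "quick_mode_attempts": 0, "pfs_proposed": False, "no_proposal_chosen": 0}
    for line in text.splitlines():
        if MAIN_MODE_REPLY.search(line):
            r["main_mode_replies"] += 1           # peer is answering IKE at all
        if "Phase 1 SA Established" in line:
            r["phase1_ok"] = True                 # isakmp policy + PSK agree
        if (m := PEER_ID.search(line)):
            r["peer_id"] = m[2]
        if "initiating Quick Mode" in line:
            r["quick_mode_attempts"] += 1
            r["pfs_proposed"] |= "+PFS" in line   # the Linksys PFS checkbox
        if "NO_PROPOSAL_CHOSEN" in line:
            r["no_proposal_chosen"] += 1          # responder rejected the Phase-2 proposal
    # The phase that fails tells you which parameters to compare
    if not r["main_mode_replies"]:
        r["verdict"] = "no IKE reply: check the peer address, 'isakmp enable outside' and the UDP/500 path"
    elif not r["phase1_ok"]:
        r["verdict"] = "phase 1 failed: compare isakmp policy (encryption, hash, DH group) and pre-shared key"
    elif r["no_proposal_chosen"]:
        r["verdict"] = "phase 2 rejected by peer: compare crypto ACL proxy IDs, transform set, PFS and lifetimes"
    elif r["quick_mode_attempts"]:
        r["verdict"] = "phase 2 proposed and not refused: IPsec SA is up or still negotiating"
    else:
        r["verdict"] = "phase 1 up but quick mode never started"
    return r

# Constructed excerpt: the lines from the thread's log that carry the verdict
SAMPLE = """\
Apr 14 13:20:52 2005 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet to xx.xxx.xxx.xx
Apr 14 13:20:52 2005 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet from xx.xxx.xxx.xx
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet from xx.xxx.xxx.xx
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] <<< Initiator Receive Main Mode 6th packet from xx.xxx.xxx.xx
Apr 14 13:20:53 2005 VPN Log Main mode peer ID is ID_IPV4_ADDR: 'xx.xxx.xxx.xx'
Apr 14 13:20:53 2005 VPN Log [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 14 13:20:53 2005 VPN Log initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Apr 14 13:20:53 2005 VPN Log Received informational payload, type NO_PROPOSAL_CHOSEN
Apr 14 13:22:03 2005 VPN Log initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #182
Apr 14 13:22:03 2005 VPN Log Received informational payload, type NO_PROPOSAL_CHOSEN
"""
```

Running `triage_vpn_log(SAMPLE)` on the posted excerpt yields the "phase 2 rejected by peer" verdict, which is why the rest of the thread compares the crypto ACL, PFS and lifetimes rather than the isakmp policy.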
 

Author Comment

by:Longshot9
ID: 13786676
Here's what the Linksys has on its setup page

Local Group Setup
Local Security Gateway Type - IP Only
IP Address - Outside address of the Linksys
Local Security Group Type - Subnet
IP Address - Internal address of the Linksys
Subnet - 255.255.255.0

Remote Group Setup
Remote Security Gateway Type - IP Only
IP Address - Outside address of the PIX
Remote Security Group Type - Subnet
Ip Address - 10.0.0.0
Subnet - 255.0.0.0

IPSec Setup
Keying Mode - IKE with PreShared Key
Phase1 DH Group - Group 2
Phase1 Encryption - 3DES
Phase1 Authentication - MD5
Phase1 SA Lifetime - 28800
Perfect Forward Security - checked
Phase2 DH Group - Group 2
Phase2 Encryption - 3DES
Phase2 Authentication - MD5
Phase2 SA Lifetime - 28800
PreShared Key - same as on PIX.

That's all the setup there is on it.  It has some advanced settings like NetBIOS passing and keep-alive, but nothing more relating to IPSec.
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 1000 total points
ID: 13787103
On the Linksys:
>Perfect Forward Security - checked
Un-check that block...
 

Author Comment

by:Longshot9
ID: 13787154
Thanks for the response lrmoore.  Unfortunately I'm still getting the same results in the log on the Linksys.
 
LVL 7

Assisted Solution

by:minmei
minmei earned 1000 total points
ID: 13787585
Pull off the kilobytes on the Cisco cryptomap.

Change the local group to the network address on the inside, not the linksys address.

Use 192.168.1.0
 

Author Comment

by:Longshot9
ID: 13792426
OK, I'm feeling like a total moron right now, how do I remove the kilobytes section from the cryptomap??  I could have sworn that all I had to do was type the line I want to remove preceded with "no" and it would remove it.  I'm pulling what hair I have left out trying to find the answer.  You'd think that 2 books that are supposed to be the "best reference on pix firewalls" would tell you how to remove a command from your config.  Frustrating.
 

Author Comment

by:Longshot9
ID: 13792485
minmei - my mistake on the inside address on the local group, I did have it set to 192.168.1.0, not the inside IP of the linksys (192.168.1.1).
 

Author Comment

by:Longshot9
ID: 13792692
I finally got the crypto set removed (dependence on the other crypto entries, removed the first one and they all went away).  When I re-entered them, I left off the "kilobytes 4608000" part from that line, and it took it, but when I pulled up the config after that, it automatically entered it in there.  So if it needs to come off I'm going to need more instruction on how to remove it.
 

Author Comment

by:Longshot9
ID: 13792900
Just ran a "debug crypto isakmp" and got this in the response...

ISAKMP : Checking IPSec proposal 0

ISAKMP: transform 0, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS

That was the only section that appeared to me to be a problem, don't know if that helps or not.
 
LVL 7

Expert Comment

by:minmei
ID: 13793225
Too many different things above - the problem is in the ipsec negotiation, and we need to get the two sides to match.

Please repost current PIX and Linksys configs - ACL's crypto's on pix and what you did earlier on linksys.

There is a mismatch somewhere.
 

Author Comment

by:Longshot9
ID: 13793377
Current PIX Config (only what is relevant, I think, if you need other info let me know)

access-list pix2LAO permit ip 10.0.0.0 255.0.0.0 207.222.138.128 255.255.255.192
access-list nonat permit ip 10.0.0.0 255.0.0.0 207.222.138.128 255.255.255.192
access-list nonat permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1
access-list pix2reno permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1
sysopt connection permit-ipsec
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address pix2LAO
crypto map aptmap 10 set peer xx.xxx.xx.194
crypto map aptmap 10 set transform-set aptset
crypto map aptmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map aptmap 20 ipsec-isakmp
crypto map aptmap 20 match address pix2reno
crypto map aptmap 20 set peer xx.xxx.xxx.76
crypto map aptmap 20 set transform-set aptset
crypto map aptmap 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map aptmap interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.xx.194 netmask 255.255.255.255
isakmp key ******** address xx.xxx.xxx.76 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Current Linksys -

Local Group Setup
Local Security Gateway Type - IP Only
IP Address - Outside address of the Linksys
Local Security Group Type - Subnet
IP Address - 192.168.1.0
Subnet - 255.255.255.0

Remote Group Setup
Remote Security Gateway Type - IP Only
IP Address - Outside address of the PIX
Remote Security Group Type - Subnet
Ip Address - 10.0.0.0
Subnet - 255.0.0.0

IPSec Setup
Keying Mode - IKE with PreShared Key
Phase1 DH Group - Group 2
Phase1 Encryption - 3DES
Phase1 Authentication - MD5
Phase1 SA Lifetime - 28800
Perfect Forward Security - unchecked
Phase2 DH Group - Group 2
Phase2 Encryption - 3DES
Phase2 Authentication - MD5
Phase2 SA Lifetime - 28800
PreShared Key - same as on PIX.
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 1000 total points
ID: 13793457
You want your lifetimes to match:
PIX
  crypto ipsec security-association lifetime seconds 86400
  isakmp policy 10 lifetime 86400 <==

Linksys:
  Phase2 SA Lifetime - 28800 <==
  Phase1 SA Lifetime - 28800

Both of these ACLs need to reference the remote subnet, not just the host
>access-list nonat permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1
> access-list pix2reno permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1

Should be
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list pix2reno permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
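Pulling together the Phase-2 checks the thread converges on (crypto ACL proxy IDs must mirror the Linksys local/remote groups, the nonat ACL must cover the same subnet, PFS must agree, lifetimes should match), an added consistency checker that is my code and not from the thread or its posters. The config strings are constructed from the "host 192.168.1.1" posting above and lrmoore's corrected ACLs; `parse_pix`, `check_tunnel` and the `linksys` dict layout are my own names, and 28800 s is assumed as the PIX default IPsec SA lifetime when no lifetime line is present.

```python
import re
from ipaddress import ip_network

# Added example (not code from the thread): checks the Phase-2 values that must
# agree between one PIX crypto-map entry and the Linksys RV082 tunnel page.
# parse_pix, check_tunnel and the `linksys` dict layout are my own names.
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (?:host (\S+)|(\S+) (\S+))")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (.+)")
LIFE_RE = re.compile(r"set security-association lifetime seconds (\d+)(?: kilobytes (\d+))?")

def _net(addr, mask="255.255.255.255"):
    return ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(cfg):  # -> ({acl: [(src, dst)]}, {seq: {"acl", "pfs", "seconds"}})
    acls, maps = {}, {}
    for line in (raw.strip() for raw in cfg.splitlines()):
        if (m := ACL_RE.match(line)):
            dst = _net(m[4]) if m[4] else _net(m[5], m[6])
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), dst))
        elif (m := MAP_RE.match(line)):
            entry, rest = maps.setdefault(int(m[2]), {"pfs": False}), m[3]
            if rest.startswith("match address "):
                entry["acl"] = rest.split()[-1]
            elif rest.startswith("set pfs"):
                entry["pfs"] = True
            elif (lm := LIFE_RE.match(rest)):
                entry["seconds"] = int(lm[1])
    return acls, maps

def check_tunnel(pix_cfg, seq, linksys):
    """List Phase-2 mismatches between crypto-map entry `seq` and the Linksys side."""
    acls, maps = parse_pix(pix_cfg)
    entry = maps[seq]
    local, remote = _net(*linksys["local"]), _net(*linksys["remote"])
    findings = []
    # Proxy IDs: the crypto ACL must mirror the Linksys local/remote groups exactly
    for src, dst in acls.get(entry.get("acl", ""), []):
        if (src, dst) != (remote, local):
            findings.append(f"{entry['acl']} says {src} -> {dst}, Linksys expects {remote} -> {local}")
    # NAT exemption must cover the same subnet, or packets are translated before IPsec
    if not any(dst == local for _, dst in acls.get("nonat", [])):
        findings.append(f"nonat ACL does not exempt traffic to {local}")
    if linksys["pfs"] and not entry["pfs"]:
        findings.append("Linksys proposes PFS but the crypto map has no 'set pfs'")
    seconds = entry.get("seconds", 28800)  # assumed PIX default when no lifetime line is set
    if seconds != linksys["phase2_lifetime"]:
        findings.append(f"Phase-2 lifetime {seconds} s vs Linksys {linksys['phase2_lifetime']} s")
    return findings

# Constructed from the thread: the "host 192.168.1.1" config that failed, then the fix
BEFORE = """\
access-list nonat permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1
access-list pix2reno permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1
crypto map aptmap 20 match address pix2reno
crypto map aptmap 20 set security-association lifetime seconds 28800 kilobytes 4608000
"""
AFTER = BEFORE.replace("host 192.168.1.1", "192.168.1.0 255.255.255.0")
LINKSYS = {"local": ("192.168.1.0", "255.255.255.0"), "remote": ("10.0.0.0", "255.0.0.0"), "pfs": False, "phase2_lifetime": 28800}
```

`check_tunnel(BEFORE, 20, LINKSYS)` reports the /32 proxy ID and the missing nonat exemption; `check_tunnel(AFTER, 20, LINKSYS)` returns an empty list, matching the config that finally brought the tunnel up.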
 

Author Comment

by:Longshot9
ID: 13793891
OK, here's the PIX config now -

access-list pix2LAO permit ip 10.0.0.0 255.0.0.0 207.222.138.128 255.255.255.192
access-list nonat permit ip 10.0.0.0 255.0.0.0 207.222.138.128 255.255.255.192
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list pix2reno permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address pix2LAO
crypto map aptmap 10 set peer 67.100.96.194
crypto map aptmap 10 set transform-set aptset
crypto map aptmap 20 ipsec-isakmp
crypto map aptmap 20 match address pix2reno
crypto map aptmap 20 set peer 67.102.230.76
crypto map aptmap 20 set transform-set aptset
crypto map aptmap interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.xx.194 netmask 255.255.255.255
isakmp key ******** address xx.xxx.xxx.76 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

when I changed the "crypto ipsec security-association lifetime seconds 86400" to "crypto ipsec security-association lifetime seconds 28800" it removed it from the config and also removed the "crypto map aptmap 20 set security-association lifetime seconds 28800 kilobytes 4608000" lines as well.  I tried to add them back in after that and it didn't do anything.
 

Author Comment

by:Longshot9
ID: 13793905
I should have checked the linksys before I posted, that did the trick.  2nd tunnel is now active.  Thanks lrmoore and minmei.  I will split the points.
 
LVL 79

Expert Comment

by:lrmoore
ID: 13793939
Yippee! Good work!
 
LVL 7

Expert Comment

by:minmei
ID: 13795836
lrmoore - thanks for the tag! Got too busy this afternoon...

Longshot9 - happy it works. Tell your boss you're a genius and get a raise.