VPN tunnel with preshare key

Hi All,

I am trying to do a bit of learning on pixes and have tried to create a VPN tunnel between my home pix 501 and my company's pix 515e. I want 192.168.1.0 to access 192.168.10.0 and vice versa. I see in my logs that my pix tries to transmit the isakmp key; after 3 - 4 retries it says exchange started, but it never seems to transmit as it tries transmission again. I have posted the confs of both pixes.

Thanks in advance
Hugh

Home pix: 501
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname 501
domain-name Walsh
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.3 hugh
name 192.168.10.0 lan-munich
name 192.168.1.0 lan-hugh
access-list outbound permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
access-list outbound permit tcp host hugh any eq ftp
access-list outbound permit tcp any any range 6346 6349
access-list outbound permit tcp host hugh any eq 8080
access-list outbound permit tcp host hugh any eq 8180
access-list outbound permit tcp host hugh any eq 8880
access-list outbound permit tcp any any eq 6241
access-list outbound permit tcp host hugh any eq 5100
access-list outbound permit tcp any any eq 3690
access-list outbound permit tcp host hugh any eq 11999
access-list outbound permit udp host hugh any eq 27415
access-list outbound permit udp host hugh any eq 22999
access-list outbound permit udp host hugh any eq 2213
access-list outbound permit udp host hugh any eq 2231
access-list outbound permit udp any any eq 15561
access-list outbound permit udp any any eq 14567
access-list outbound permit udp any any eq 23000
access-list outbound permit udp any any eq 6666
access-list outbound permit tcp host hugh any eq 28900
access-list outbound permit icmp any any echo
access-list outbound permit udp any any eq 2213
access-list outbound permit udp any any eq 4500
access-list outbound permit udp any any eq isakmp
access-list outbound permit tcp host hugh any eq ssh
access-list outbound permit tcp any any eq 81
access-list outbound permit tcp any any eq 6881
access-list outbound permit tcp any any eq https
access-list outbound permit tcp any any eq www
access-list outbound permit udp any any eq domain
access-list outbound deny ip any any
access-list inbound permit udp any host 217.91.63.36 eq isakmp
access-list inbound permit udp any host 217.91.63.36 eq 4500
access-list inbound permit udp any any eq 6346
access-list inbound permit udp any any eq 14567
access-list inbound permit tcp any any eq 5100
access-list inbound permit icmp any any echo-reply
access-list inbound deny icmp interface outside any
access-list inbound deny ip any any
access-list nonat permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
pager lines 50
logging on
logging timestamp
logging monitor debugging
logging trap debugging
logging queue 0
logging host inside hugh
mtu outside 1456
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
access-group outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http lan-hugh 255.255.255.0 inside
snmp-server location Germany
snmp-server contact Hugh walsh
snmp-server community walsh
no snmp-server enable traps
tftp-server inside hugh tftp-root
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map BavarianNordicVPN 30 ipsec-isakmp
crypto map BavarianNordicVPN 30 match address nonat
crypto map BavarianNordicVPN 30 set peer 81.135.xx.xxx
crypto map BavarianNordicVPN 30 set transform-set strong
crypto map BavarianNordicVPN interface outside
isakmp enable outside
isakmp key ******** address 81.135.xx.xxx netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh 82.135.xx.xxx 255.255.255.240 outside
ssh lan-hugh 255.255.255.0 inside
ssh timeout 15
console timeout 0
vpdn group t-online request dialout pppoe
vpdn group t-online localname feste-ip/xxxxxxx@t-online-com.de
vpdn group t-online ppp authentication pap
vpdn username feste-ip/xxxxxxxx8@t-online-com.de password ********
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username hugh password xxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:78aaa2279e5da3f9aa773613c31e0e62
501(config)# exit

Company pix: 515e:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz-vpn security80
nameif ethernet3 dmz-acs security60
nameif ethernet4 wireless security5
nameif ethernet5 intf5 security10
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname munich
domain-name xxxxx-xxxx.de
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.13 video-intern
name 192.168.10.0 lan-munich
name 192.168.2.0 lan-berlin
name 192.168.100.0 lan-kvistgaard
name 192.168.10.238 Marc
name 192.168.10.239 Hugh
name 192.168.10.240 eg-switch
name 192.168.10.241 firstog-switch
name 192.168.10.242 secondog-switch
name 192.168.10.243 libary-switch
name 192.168.10.244 thirdog-switch
name 192.168.10.245 backbone-switch
name 192.168.10.246 spare-switch
name 192.168.10.15 BN-APS01
name 192.168.10.19 BN-DC02
name 192.168.10.237 Circular
name 192.168.5.2 Munich-ACS
name 192.168.5.18 Kvistgaard-ACS
name 192.168.5.26 Kvistgaard-VPN
name 192.168.5.10 Munich-VPN
name 192.168.10.10 webmail-intern
name xxx.xxx.xxx.xxx vpn-extern
name xxx.xxx.xxx.xxx acs-extern
name xxx.xxx.xxx.xxx webmail-smtp
name xxx.xxx.xxx.xxx Video-Extern
name 192.168.10.201 lab-machine1
name 192.168.10.202 lab-machine2
name 192.168.10.203 lab-machine3
name 192.168.10.204 lab-machine4
name 192.168.10.205 lab-machine5
name 192.168.10.206 lab-machine6
name 192.168.10.207 lab-machine7
name 192.168.10.208 lab-machine8
name 192.168.10.209 lab-machine9
name 192.168.10.210 lab-machine10
name 192.168.1.0 lan-hugh
object-group network admins
  network-object host Marc
  network-object host Hugh
  network-object host Circular
object-group network internal-switches
  network-object host eg-switch
  network-object host firstog-switch
  network-object host secondog-switch
  network-object host libary-switch
  network-object host thirdog-switch
  network-object host spare-switch
  network-object host backbone-switch
object-group network acsserver
  network-object host Munich-ACS
  network-object host Kvistgaard-ACS
object-group network lab-Machines
  network-object host lab-machine1
  network-object host lab-machine2
  network-object host lab-machine3
  network-object host lab-machine4
  network-object host lab-machine5
  network-object host lab-machine6
  network-object host lab-machine7
  network-object host lab-machine8
  network-object host lab-machine9
  network-object host lab-machine10
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq www
access-list wireless permit udp 192.168.7.0 255.255.255.0 host xxx.xxx.xxx.xxx eq domain
access-list wireless permit udp 192.168.7.0 255.255.255.0 host xxx.xxx.xxx.xxx eq domain
access-list wireless permit udp 192.168.7.0 255.255.255.0 host Munich-VPN eq isakmp
access-list wireless permit udp 192.168.7.0 255.255.255.0 host Munich-VPN eq 10000
access-list wireless permit udp 192.168.7.0 255.255.255.0 host Munich-VPN eq 4500
access-list wireless deny ip any host xxx.xxx.xxx.xxx
access-list wireless deny ip any 192.168.0.0 255.255.0.0
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq https
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq pop3
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq smtp
access-list wireless permit udp 192.168.7.0 255.255.255.0 any eq isakmp
access-list wireless permit udp 192.168.7.0 255.255.255.0 any eq 4500
access-list vpnberlin permit ip 192.168.6.0 255.255.255.128 lan-berlin 255.255.255.0
access-list vpnberlin permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 192.168.5.16 255.255.255.240
access-list nonat permit ip lan-munich 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list inside permit ip object-group lab-Machines lan-berlin 255.255.255.0
access-list inside permit ip object-group lab-Machines lan-kvistgaard 255.255.255.0
access-list inside deny ip object-group lab-Machines any
access-list inside permit tcp host video-intern any eq h323
access-list inside permit udp host video-intern any range 2702 2707
access-list inside permit tcp host BN-APS01 host xxx.xxx.xxx.xxx eq ssh
access-list inside permit icmp object-group admins any echo
access-list inside permit tcp host Circular host xxx.xxx.xxx.xxx eq telnet
access-list inside permit tcp object-group admins host xxx.xxx.xxx.xxx eq telnet
access-list inside permit tcp object-group admins host xxx.xxx.xxx.xxx eq telnet
access-list inside permit tcp object-group admins any eq ftp
access-list inside permit icmp object-group admins any
access-list inside permit tcp object-group admins host Kvistgaard-ACS eq netbios-ssn
access-list inside permit udp object-group admins any range 5555 5556
access-list inside permit tcp object-group admins any range 5555 5556
access-list inside permit tcp object-group admins any eq 6129
access-list inside permit tcp object-group admins host Munich-ACS eq netbios-ssn
access-list inside permit tcp object-group admins host Kvistgaard-ACS range 2002 2010
access-list inside permit tcp object-group admins any eq 3389
access-list inside permit tcp object-group admins host Kvistgaard-VPN eq ssh
access-list inside permit tcp object-group admins host Kvistgaard-VPN eq https
access-list inside permit tcp object-group admins host Munich-VPN eq https
access-list inside permit tcp object-group admins host Munich-VPN eq ssh
access-list inside permit tcp host Hugh any eq ssh
access-list inside permit tcp object-group admins host xxx.xxx.xxx.xxx eq ssh
access-list inside permit tcp object-group admins host xxx.xxx.xxx.xxx eq ssh
access-list inside permit tcp object-group admins host Munich-ACS range 2002 2010
access-list inside permit tcp object-group internal-switches object-group acsserver eq tacacs
access-list inside permit tcp any any eq 8000
access-list inside permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq 8082
access-list inside permit tcp any any eq www
access-list inside permit tcp any any eq 3128
access-list inside permit udp any any eq 4500
access-list inside permit udp any any eq isakmp
access-list inside permit udp any any eq domain
access-list inside permit tcp host 192.168.10.5 host Munich-ACS eq 445
access-list inside permit tcp host 192.168.10.5 host Munich-ACS range 136 netbios-ssn
access-list inside permit udp host 192.168.10.5 host Munich-ACS range 136 139
access-list inside deny ip any 192.168.5.0 255.255.255.224
access-list inside permit tcp host webmail-intern any eq smtp
access-list inside permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list inside permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list inside permit udp host BN-DC02 any eq ntp
access-list inside permit tcp host BN-APS01 any eq 3101
access-list inside permit tcp any host xxx.xxx.xxx.xxx eq 8383
access-list inside permit tcp any host 131.159.4.193 eq ssh
access-list inside permit tcp host BN-APS01 host xxx.xxx.xxx.xxx eq ssh
access-list inside permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
access-list inside deny ip any any
access-list acsnonat permit ip 192.168.5.0 255.255.255.248 192.168.6.128 255.255.255.128
access-list acsnonat permit ip 192.168.5.0 255.255.255.248 192.168.5.16 255.255.255.240
access-list acsnonat permit ip 192.168.5.0 255.255.255.248 lan-kvistgaard 255.255.255.0
access-list outside permit udp any host Video-Extern range 2702 2707
access-list outside permit tcp any host Video-Extern eq h323
access-list outside permit tcp any any eq 8000
access-list outside permit icmp any host xxx.xxx.xxx.xxx echo-reply
access-list outside permit udp any host vpn-extern eq isakmp
access-list outside permit udp any host vpn-extern eq 4500
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp any host webmail-smtp eq https
access-list outside permit tcp any host webmail-smtp eq www
access-list outside permit tcp any host webmail-smtp eq smtp
access-list vpnkvistgaard permit ip 192.168.6.0 255.255.255.128 192.168.5.16 255.255.255.240
access-list vpnkvistgaard permit ip 192.168.6.0 255.255.255.128 lan-kvistgaard 255.255.255.0
access-list vpnkvistgaard permit ip 192.168.5.0 255.255.255.240 192.168.5.16 255.255.255.240
access-list vpnkvistgaard permit ip lan-munich 255.255.255.0 192.168.5.16 255.255.255.240
access-list vpnkvistgaard permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list vpnkvistgaard permit ip lan-munich 255.255.255.0 192.168.6.128 255.255.255.128
access-list vpnkvistgaard permit ip 192.168.5.0 255.255.255.240 192.168.6.128 255.255.255.128
access-list vpnkvistgaard permit ip 192.168.5.0 255.255.255.240 lan-kvistgaard 255.255.255.0
access-list wirelessnonat permit ip 192.168.7.0 255.255.255.0 host Munich-VPN
access-list dmz-acs permit udp any any eq domain
access-list dmz-acs permit udp host Munich-ACS host BN-DC02 eq domain
access-list dmz-acs permit udp host Munich-ACS host 192.168.100.14 eq domain
access-list dmz-acs permit ip host Munich-ACS host 192.168.10.5
access-list dmz-acs permit ip host Munich-ACS host Kvistgaard-ACS
access-list dmz-vpn permit udp host Munich-VPN host Hugh eq tftp
access-list dmz-vpn permit udp host Munich-VPN host Kvistgaard-ACS eq radius-acct
access-list dmz-vpn permit udp host Munich-VPN host Kvistgaard-ACS eq radius
access-list dmz-vpn permit udp host Munich-VPN host Munich-ACS eq radius
access-list dmz-vpn permit udp host Munich-VPN host Munich-ACS eq radius-acct
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 lan-munich 255.255.255.0
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 lan-berlin 255.255.255.0
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.224
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list vpnnonat permit ip 192.168.6.0 255.255.255.0 lan-berlin 255.255.255.0
access-list vpnnonat permit ip 192.168.5.8 255.255.255.248 192.168.5.16 255.255.255.248
access-list vpnnonat permit ip 192.168.5.8 255.255.255.248 192.168.6.128 255.255.255.128
access-list vpnnonat permit ip 192.168.6.0 255.255.255.0 192.168.5.16 255.255.255.240
access-list vpnnonat permit ip 192.168.6.0 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list vpnhugh permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
pager lines 600
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging host inside Hugh
mtu outside 1500
mtu inside 1500
mtu dmz-vpn 1500
mtu dmz-acs 1500
mtu wireless 1500
mtu intf5 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.xxx
ip address inside 192.168.10.3 255.255.255.0
ip address dmz-vpn 192.168.5.9 255.255.255.248
ip address dmz-acs 192.168.5.1 255.255.255.248
ip address wireless 192.168.7.1 255.255.255.0
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 3
failover ip address outside xxx.xxx.xxx.xxx
failover ip address inside 192.168.10.9
failover ip address dmz-vpn 192.168.5.11
failover ip address dmz-acs 192.168.5.3
failover ip address wireless 192.168.7.10
no failover ip address intf5
failover link inside
pdm location webmail-intern 255.255.255.255 inside
pdm location 192.168.10.12 255.255.255.255 inside
pdm location video-intern 255.255.255.255 inside
pdm location 192.168.10.14 255.255.255.255 inside
pdm location 192.168.10.17 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.248 outside
pdm location 129.142.27.28 255.255.255.255 outside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location lan-hugh 255.255.255.0 outside
pdm location lan-berlin 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location lan-kvistgaard 255.255.255.0 outside
pdm location xxx.xxx.xxx.xxx 255.255.255.192 outside
pdm location 192.168.10.18 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz-vpn) 0 access-list vpnnonat
nat (dmz-acs) 0 access-list acsnonat
nat (wireless) 1 192.168.7.0 255.255.255.0 0 0
static (inside,dmz-acs) lan-munich lan-munich netmask 255.255.255.0 0 0
static (inside,dmz-vpn) lan-munich lan-munich netmask 255.255.255.0 0 0
static (dmz-vpn,dmz-acs) 192.168.5.8 192.168.5.8 netmask 255.255.255.248 0 0
static (dmz-vpn,dmz-acs) 192.168.6.0 192.168.6.0 netmask 255.255.255.0 0 0
static (dmz-vpn,wireless) Munich-VPN Munich-VPN netmask 255.255.255.255 0 0
static (dmz-vpn,outside) vpn-extern Munich-VPN netmask 255.255.255.255 0 0
static (dmz-acs,outside) acs-extern Munich-ACS netmask 255.255.255.255 0 0
static (inside,outside) Video-Extern video-intern netmask 255.255.255.255 0 0
static (inside,outside) webmail-smtp webmail-intern netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz-vpn in interface dmz-vpn
access-group dmz-acs in interface dmz-acs
access-group wireless in interface wireless
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route dmz-vpn 192.168.6.0 255.255.255.128 Munich-VPN 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server BN-SEC01 protocol tacacs+
aaa-server BN-SEC01 max-failed-attempts 3
aaa-server BN-SEC01 deadtime 10
aaa-server BN-SEC01 (dmz-acs) host Munich-ACS xxxxx timeout 3
aaa-server BN-SEC01 (outside) host xxx.xxx.xxx.xxx xxxxxx timeout 3
aaa authentication enable console BN-SEC01 LOCAL
aaa authentication serial console BN-SEC01 LOCAL
aaa authentication ssh console BN-SEC01 LOCAL
http server enable
http lan-munich 255.255.255.0 inside
snmp-server location Munich
snmp-server contact Hugh Walsh
snmp-server community Bavarian
no snmp-server enable traps
tftp-server inside Hugh /TFTP-Root
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set verystrong esp-3des esp-sha-hmac
crypto ipsec transform-set sota esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 40 set transform-set strong
crypto map BavarianNordicVPN 20 ipsec-isakmp
crypto map BavarianNordicVPN 20 match address vpnberlin
crypto map BavarianNordicVPN 20 set peer xxx.xxx.xxx.xxx
crypto map BavarianNordicVPN 20 set transform-set verystrong
crypto map BavarianNordicVPN 20 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN 25 ipsec-isakmp
crypto map BavarianNordicVPN 25 match address vpnkvistgaard
crypto map BavarianNordicVPN 25 set peer xxx.xxx.xxx.xxx
crypto map BavarianNordicVPN 25 set transform-set sota
crypto map BavarianNordicVPN 25 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN interface outside
crypto map BavaianNordic 26 ipsec-isakmp
crypto map BavaianNordic 26 match address vpnhugh
crypto map BavaianNordic 26 set peer xxx.xxx.xxx.xxx
crypto map BavaianNordic 26 set transform-set strong
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 7200
telnet timeout 15
ssh xxx.xxx.xxx.xxx 255.255.255.192 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.248 outside
ssh xxx.xxx.xxx.xxx 255.255.255.248 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh lan-munich 255.255.255.0 inside
ssh 192.168.6.0 255.255.255.0 dmz-vpn
ssh timeout 60
console timeout 0
username bav password xxx.xxx.xxx.xxx encrypted privilege 2
terminal width 160
Cryptochecksum:9c778c32cd3f61830ba73eb092425d1f
: end



FrabbleCommented:
Haven't checked anything else, but you need a matching isakmp policy between the 501 and 515.
501 is:

isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400

515 has nothing for 3DES, SHA and GROUP 1:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 7200

Either add another policy to the 515 or change the 501 to one that is on the 515.
huwaAuthor Commented:
OK, I have added this to the 501 pix:

crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map BavarianNordicVPN 26 ipsec-isakmp
crypto map BavarianNordicVPN 26 match address nonat
crypto map BavarianNordicVPN 26 set peer xxx.xxx.xxx.xxx
crypto map BavarianNordicVPN 26 set transform-set strong
crypto map BavarianNordicVPN interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400

Now syslog reports the following when I try to connect to an IP address on the 515 inside, 192.168.10.17 (192.168.1.3 is the laptop requesting browsing to 192.168.10.17):

ISAKMP Phase 2 exchange started (local 217.91.63.36 (initiator), remote 82.135.27.158, message-ID 418082032)
sa_request, (key eng. msg.) src= 501 outside ip, dest= 515 outside IP, src_proxy= lan-hugh/255.255.255.0/0/0 (type=4), dest_proxy= lan-munich/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
2006-04-02 05:28:16      Local4.Info      192.168.1.1      Apr 02 2006 04:24:29: %PIX-6-302013: Built outbound TCP connection 332 for outside:192.168.10.17/139 (192.168.10.17/139) to inside:192.168.1.3/4581 (192.168.1.3/4581)
calvinetterCommented:
Hi Hugh, there's no point in adding more than 1 isakmp policy to your 501. All you need is a single policy that matches a policy on the 515e. The policy numbers on the 501 don't need to match (i.e., "policy #" numbers are only locally significant), just the parameters, such as encryption type & hash protocol.

Most important question right now is, does your 501 have a static IP?

cheers
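The two points made above (Frabble's: the 501 needs a phase 1 policy whose parameters also exist on the 515e; calvinetter's: the priority numbers are local, only the parameters must agree) can be checked mechanically. The script below is an added example for this thread, not code from any post or from Cisco; it reads only "isakmp policy" and "crypto map" lines, and additionally flags crypto map entries whose map name is never applied to an interface, which is the case for the "BavaianNordic 26" entry in the posted 515e config. The sample inputs are constructed from the lines quoted in the thread, with peer and IP lines left out.

```python
import re

# Constructed sample input: the "isakmp policy" lines quoted in the thread for each PIX.
PIX501_ISAKMP = """
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
"""

PIX515_ISAKMP = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 7200
"""

# Constructed sample input: crypto map lines of the posted 515e config (peer lines omitted).
PIX515_CRYPTO = """
crypto map BavarianNordicVPN 20 ipsec-isakmp
crypto map BavarianNordicVPN 20 match address vpnberlin
crypto map BavarianNordicVPN 25 ipsec-isakmp
crypto map BavarianNordicVPN 25 match address vpnkvistgaard
crypto map BavarianNordicVPN interface outside
crypto map BavaianNordic 26 ipsec-isakmp
crypto map BavaianNordic 26 match address vpnhugh
"""

POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)")
MAP_ENTRY_RE = re.compile(r"^\s*crypto map (\S+) (\d+) ")
MAP_IFACE_RE = re.compile(r"^\s*crypto map (\S+) interface (\S+)")

# Only these four parameters must agree between the peers. The priority number is local
# to each box and the lifetime is negotiated down to the shorter value, so neither is a match criterion.
MATCH_PARAMS = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(config):
    """Return {priority: {parameter: value}} for every 'isakmp policy' line."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def matching_policies(local, remote):
    """List of (local_prio, remote_prio) pairs whose auth/enc/hash/group all agree."""
    return [
        (lp, rp)
        for lp, lpol in sorted(local.items())
        for rp, rpol in sorted(remote.items())
        if all(lpol.get(k) == rpol.get(k) for k in MATCH_PARAMS)
    ]

def policy_as_lines(policies, prio):
    """Render one parsed policy back into PIX config lines."""
    pol = policies[prio]
    return "\n".join(f"isakmp policy {prio} {k} {pol[k]}" for k in MATCH_PARAMS + ("lifetime",) if k in pol)

def unbound_crypto_map_entries(config):
    """Crypto map entries (name, seq) whose map name is never applied to an interface."""
    bound, entries = set(), set()
    for line in config.splitlines():
        if (m := MAP_IFACE_RE.match(line)):
            bound.add(m.group(1))
        elif (m := MAP_ENTRY_RE.match(line)):
            entries.add((m.group(1), int(m.group(2))))
    return sorted(e for e in entries if e[0] not in bound)

def report(local_isakmp, remote_isakmp, remote_crypto):
    """Findings as a list of strings so a caller (or test) can check them."""
    local = parse_isakmp_policies(local_isakmp)
    remote = parse_isakmp_policies(remote_isakmp)
    findings = []
    if not matching_policies(local, remote):
        findings.append("phase 1: no local isakmp policy matches any remote policy")
        # Copy the remote peer's first policy; the priority chosen locally does not matter.
        findings.append("add locally, e.g.:\n" + policy_as_lines(remote, min(remote)))
    for name, seq in unbound_crypto_map_entries(remote_crypto):
        findings.append(f"crypto map {name} {seq} is not applied to any interface (map name typo?)")
    return findings

if __name__ == "__main__":
    for finding in report(PIX501_ISAKMP, PIX515_ISAKMP, PIX515_CRYPTO):
        print("-", finding)
```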

huwaAuthor Commented:
OK, thanks for the tip. Now that I have added the 2 policies I can leave them there; I will remove 1 if I get it working.

Yes, the 501 has a static IP, which I have just marked as xxx.xxx.xxx.xxx in the config.

regards
hugh
huwaAuthor Commented:
I have also checked the syslogs on the 515e side. I can see that there is contact between the two pixes, but the syslog reports as follows; I didn't have time to look into this yet.

ISAKMP malformed payload received (local xxx.xxx.xxx.xxx(515) (responder), remote xxx.xxx.xxx.xxx (501)
huwaAuthor Commented:
OK, after googling the syslogs some more, this is what the pixes are reporting:

501 : syslog 702205 - Remote peer is not responding. ISAKMP is retransmitting the previous packet.
Recommended action: check network connectivity to remote host (connectivity is there, the 515 is producing syslogs for 501 connections); check VPN configurations on both devices.

515 : syslog 772206 - ISAKMP received an illegal or malformed message. May indicate an out-of-sync problem with the remote peer, a problem decrypting a message, or a message received out of order.
Recommended action: If using a preshared key, verify the local preshared key is configured correctly on local and remote device (I have done this 3 times on both devices, gave the password in new just to be sure to be sure). Check local and remote configuration; additional troubleshooting may be required if the SA fails to come up.

I don't see any SA fails on the 515 logs.
I do see SA requests on the 501 logs but no actual fails, as below:

 ISAKMP Phase 2 exchange started (local 501-IP (initiator), remote 515 IP, message-ID 418082032)
sa_request, (key eng. msg.) src= 501 outside ip, dest= 515 outside IP, src_proxy= lan-hugh/255.255.255.0/0/0 (type=4), dest_proxy= lan-munich/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
calvinetterCommented:
Please post the latest config lines from *both* PIXes that begin with "access-list", "isakmp", "crypto", as well as the "nat (inside) 0..." config line.

cheers
huwaAuthor Commented:
PIX  501

name 192.168.1.3 hugh
name 192.168.10.0 lan-munich
name 192.168.1.0 lan-hugh
access-list outbound permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
access-list outbound permit tcp host hugh any eq ftp
access-list outbound permit tcp any any range 6346 6349
access-list outbound permit tcp host hugh any eq 8080
access-list outbound permit tcp host hugh any eq 8180
access-list outbound permit tcp host hugh any eq 8880
access-list outbound permit tcp any any eq 6241
access-list outbound permit tcp host hugh any eq 5100
access-list outbound permit tcp any any eq 3690
access-list outbound permit tcp host hugh any eq 11999
access-list outbound permit udp host hugh any eq 27415
access-list outbound permit udp host hugh any eq 22999
access-list outbound permit udp host hugh any eq 2213
access-list outbound permit udp host hugh any eq 2231
access-list outbound permit udp any any eq 15561
access-list outbound permit udp any any eq 14567
access-list outbound permit udp any any eq 23000
access-list outbound permit udp any any eq 6666
access-list outbound permit tcp host hugh any eq 28900
access-list outbound permit icmp any any echo
access-list outbound permit udp any any eq 2213
access-list outbound permit udp any any eq 4500
access-list outbound permit udp any any eq isakmp
access-list outbound permit tcp host hugh any eq ssh
access-list outbound permit tcp any any eq 81
access-list outbound permit tcp any any eq 6881
access-list outbound permit tcp any any eq https
access-list outbound permit tcp any any eq www
access-list outbound permit udp any any eq domain
access-list outbound deny ip any any
access-list inbound permit udp any host 217.91.xxx.xxx eq isakmp
access-list inbound permit udp any host 217.91.xxx.xxx eq 4500
access-list inbound permit udp any any eq 6346
access-list inbound permit udp any any eq 14567
access-list inbound permit tcp any any eq 5100
access-list inbound permit icmp any any echo-reply
access-list inbound deny icmp interface outside any
access-list inbound deny ip any any
access-list nonat permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map BavarianNordicVPN 26 ipsec-isakmp
crypto map BavarianNordicVPN 26 match address nonat
crypto map BavarianNordicVPN 26 set peer 82.135.xxx.xxx
crypto map BavarianNordicVPN 26 set transform-set strong
crypto map BavarianNordicVPN interface outside
isakmp enable outside
isakmp key ******** address 82.135.xxx.xxx netmask 255.255.255.255   (PIX515e)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400


PIX 515E
name 192.168.1.0 lan-hugh
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq www
access-list wireless permit udp 192.168.7.0 255.255.255.0 host 212.18.xxx.xxx eq domain
access-list wireless permit udp 192.168.7.0 255.255.255.0 host 212.18.xxx.xxx eq domain
access-list wireless permit udp 192.168.7.0 255.255.255.0 host Munich-VPN eq isakmp
access-list wireless permit udp 192.168.7.0 255.255.255.0 host Munich-VPN eq 10000
access-list wireless permit udp 192.168.7.0 255.255.255.0 host Munich-VPN eq 4500
access-list wireless deny ip any host 129.142.xxx.xxx
access-list wireless deny ip any 192.168.0.0 255.255.0.0
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq https
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq pop3
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq smtp
access-list wireless permit udp 192.168.7.0 255.255.255.0 any eq isakmp
access-list wireless permit udp 192.168.7.0 255.255.255.0 any eq 4500
access-list vpnberlin permit ip 192.168.6.0 255.255.255.128 lan-berlin 255.255.255.0
access-list vpnberlin permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 192.168.5.16 255.255.255.240
access-list nonat permit ip lan-munich 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list inside permit ip object-group lab-Machines lan-berlin 255.255.255.0
access-list inside permit ip object-group lab-Machines lan-kvistgaard 255.255.255.0
access-list inside deny ip object-group lab-Machines any
access-list inside permit tcp host video-intern any eq h323
access-list inside permit udp host video-intern any range 2702 2707
access-list inside permit tcp host BN-APS01 host 141.80.xxx.xxx eq ssh
access-list inside permit icmp object-group admins any echo
access-list inside permit tcp host Circular host 82.135.xxx.xxx eq telnet
access-list inside permit tcp object-group admins host 82.135.xxx.xxx eq telnet
access-list inside permit tcp object-group admins host 82.135.xxx.xxx eq telnet
access-list inside permit tcp object-group admins any eq ftp
access-list inside permit icmp object-group admins any
access-list inside permit tcp object-group admins host Kvistgaard-ACS eq netbios-ssn
access-list inside permit udp object-group admins any range 5555 5556
access-list inside permit tcp object-group admins any range 5555 5556
access-list inside permit tcp object-group admins any eq 6129
access-list inside permit tcp object-group admins host Munich-ACS eq netbios-ssn
access-list inside permit tcp object-group admins host Kvistgaard-ACS range 2002 2010
access-list inside permit tcp object-group admins any eq 3389
access-list inside permit tcp object-group admins host Kvistgaard-VPN eq ssh
access-list inside permit tcp object-group admins host Kvistgaard-VPN eq https
access-list inside permit tcp object-group admins host Munich-VPN eq https
access-list inside permit tcp object-group admins host Munich-VPN eq ssh
access-list inside permit tcp host Hugh any eq ssh
access-list inside permit tcp object-group admins host 141.80.xxx.xxx eq ssh
access-list inside permit tcp object-group admins host 129.142.xxx.xxx eq ssh
access-list inside permit tcp object-group admins host Munich-ACS range 2002 2010
access-list inside permit tcp object-group internal-switches object-group acsserver eq tacacs
access-list inside permit tcp any any eq 8000
access-list inside permit tcp any host 66.xxx.xxx.xxx eq ftp
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq 8082
access-list inside permit tcp any any eq www
access-list inside permit tcp any any eq 3128
access-list inside permit udp any any eq 4500
access-list inside permit udp any any eq isakmp
access-list inside permit udp any any eq domain
access-list inside permit tcp host 192.168.10.5 host Munich-ACS eq 445
access-list inside permit tcp host 192.168.10.5 host Munich-ACS range 136 netbios-ssn
access-list inside permit udp host 192.168.10.5 host Munich-ACS range 136 139
access-list inside deny ip any 192.168.5.0 255.255.255.224
access-list inside permit tcp host webmail-intern any eq smtp
access-list inside permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list inside permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list inside permit udp host BN-DC02 any eq ntp
access-list inside permit tcp host BN-APS01 any eq 3101
access-list inside permit tcp any host 212.222.xxx.xxx eq 8383
access-list inside permit tcp any host 131.15x.xxx.xxx eq ssh
access-list inside permit tcp host BN-APS01 host 129.142.xxx.xxx eq ssh
access-list inside permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
access-list inside deny ip any any
access-list acsnonat permit ip 192.168.5.0 255.255.255.248 192.168.6.128 255.255.255.128
access-list acsnonat permit ip 192.168.5.0 255.255.255.248 192.168.5.16 255.255.255.240
access-list acsnonat permit ip 192.168.5.0 255.255.255.248 lan-kvistgaard 255.255.255.0
access-list outside permit udp any host Video-Extern range 2702 2707
access-list outside permit tcp any host Video-Extern eq h323
access-list outside permit tcp any any eq 8000
access-list outside permit icmp any host 82.135.xxx.xxx echo-reply
access-list outside permit udp any host vpn-extern eq isakmp
access-list outside permit udp any host vpn-extern eq 4500
access-list outside permit tcp host 82.135.27.147 host acs-extern eq tacacs
access-list outside permit tcp host 82.135.27.148 host acs-extern eq tacacs
access-list outside permit tcp host 82.135.27.146 host acs-extern eq tacacs
access-list outside permit tcp host 141.80.143.16 host acs-extern eq tacacs
access-list outside permit tcp host 129.142.24.34 host acs-extern eq tacacs
access-list outside permit tcp any host webmail-smtp eq https
access-list outside permit tcp any host webmail-smtp eq www
access-list outside permit tcp any host webmail-smtp eq smtp
access-list vpnkvistgaard permit ip 192.168.6.0 255.255.255.128 192.168.5.16 255.255.255.240
access-list vpnkvistgaard permit ip 192.168.6.0 255.255.255.128 lan-kvistgaard 255.255.255.0
access-list vpnkvistgaard permit ip 192.168.5.0 255.255.255.240 192.168.5.16 255.255.255.240
access-list vpnkvistgaard permit ip lan-munich 255.255.255.0 192.168.5.16 255.255.255.240
access-list vpnkvistgaard permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list vpnkvistgaard permit ip lan-munich 255.255.255.0 192.168.6.128 255.255.255.128
access-list vpnkvistgaard permit ip 192.168.5.0 255.255.255.240 192.168.6.128 255.255.255.128
access-list vpnkvistgaard permit ip 192.168.5.0 255.255.255.240 lan-kvistgaard 255.255.255.0
access-list wirelessnonat permit ip 192.168.7.0 255.255.255.0 host Munich-VPN
access-list dmz-acs permit udp any any eq domain
access-list dmz-acs permit udp host Munich-ACS host BN-DC02 eq domain
access-list dmz-acs permit udp host Munich-ACS host 192.168.100.14 eq domain
access-list dmz-acs permit ip host Munich-ACS host 192.168.10.5
access-list dmz-acs permit ip host Munich-ACS host Kvistgaard-ACS
access-list dmz-vpn permit udp host Munich-VPN host Hugh eq tftp
access-list dmz-vpn permit udp host Munich-VPN host Kvistgaard-ACS eq radius-acct
access-list dmz-vpn permit udp host Munich-VPN host Kvistgaard-ACS eq radius
access-list dmz-vpn permit udp host Munich-VPN host Munich-ACS eq radius
access-list dmz-vpn permit udp host Munich-VPN host Munich-ACS eq radius-acct
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 lan-munich 255.255.255.0
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 lan-berlin 255.255.255.0
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.224
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list vpnnonat permit ip 192.168.6.0 255.255.255.0 lan-berlin 255.255.255.0
access-list vpnnonat permit ip 192.168.5.8 255.255.255.248 192.168.5.16 255.255.255.248
access-list vpnnonat permit ip 192.168.5.8 255.255.255.248 192.168.6.128 255.255.255.128
access-list vpnnonat permit ip 192.168.6.0 255.255.255.0 192.168.5.16 255.255.255.240
access-list vpnnonat permit ip 192.168.6.0 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list vpnhugh permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz-vpn) 0 access-list vpnnonat
nat (dmz-acs) 0 access-list acsnonat
nat (wireless) 1 192.168.7.0 255.255.255.0 0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set verystrong esp-3des esp-sha-hmac
crypto ipsec transform-set sota esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 40 set transform-set strong
crypto map BavarianNordicVPN 20 ipsec-isakmp
crypto map BavarianNordicVPN 20 match address vpnberlin
crypto map BavarianNordicVPN 20 set peer 141.80.xxx.xxx
crypto map BavarianNordicVPN 20 set transform-set verystrong
crypto map BavarianNordicVPN 20 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN 25 ipsec-isakmp
crypto map BavarianNordicVPN 25 match address vpnkvistgaard
crypto map BavarianNordicVPN 25 set peer 129.142.xxx.xxx
crypto map BavarianNordicVPN 25 set transform-set sota
crypto map BavarianNordicVPN 25 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN interface outside
crypto map BavarianNordic 26 ipsec-isakmp
crypto map BavarianNordic 26 match address vpnhugh
crypto map BavarianNordic 26 set peer 217.91.xxx.xxx     (pix 501)
crypto map BavarianNordic 26 set transform-set strong
crypto map BavarianNordic 26 set security-association lifetime seconds 120 kilobytes 4608000
isakmp enable outside
isakmp key ******** address 129.142.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 129.142.xx.xx netmask 255.255.255.255
isakmp key ******** address 141.80.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 217.91.xx.xx netmask 255.255.255.255     (pix 501)
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 7200

calvinetter commented:
  Run these commands *in this order* on the 501:
clear crypto ipsec sa
clear crypto isakmp sa
no crypto map BavarianNordicVPN interface outside
no crypto map BavarianNordicVPN
no isakmp enable outside
access-list munich_vpn permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
no crypto ipsec transform-set strong
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map BavarianNordicVPN 26 ipsec-isakmp
crypto map BavarianNordicVPN 26 match address munich_vpn
crypto map BavarianNordicVPN 26 set peer 82.135.xxx.xxx
crypto map BavarianNordicVPN 26 set transform-set myset
no isakmp policy 10
isakmp identity address
isakmp nat-traversal
crypto map BavarianNordicVPN interface outside
isakmp enable outside
clear xlate

   Run these commands *in this order* on PIX 515e:
no crypto map BavarianNordic        <- "BavarianNordic" crypto map isn't being used
crypto map BavarianNordicVPN 26 ipsec-isakmp
crypto map BavarianNordicVPN 26 match address vpnhugh
crypto map BavarianNordicVPN 26 set peer 217.91.xxx.xxx
crypto map BavarianNordicVPN 26 set transform-set strong
crypto map BavarianNordicVPN interface outside  <- re-apply crypto map for 'crypto map' changes to take effect

cheers
huwa (Author) commented:
Great, thx a lot for that, worked straight away :) Now I just need to sit down and look at these commands and see exactly what they are doing.

A few little questions, hope you don't mind. I just want the 192.68.10.3 having access to the munich site, so do I remove this from the 501:

no access-list outbound permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0  --not needed ??
no access-list munich_vpn permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
access-list munich_vpn permit ip 192.168.10.3 255.255.255.0 lan-munich 255.255.255.0

I just want the 192.168.10.239 having access to the home site, so do I remove this from the 515:

no access-list vpnhugh permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list vpnhugh permit ip 192.168.10.239 255.255.255.0 lan-hugh 255.255.255.0



crypto ipsec transform-set myset esp-des esp-md5-hmac  ---is myset just a name you gave it ??? myset could be donkey also ?? as in just a name you set
crypto map BavarianNordicVPN 26 ipsec-isakmp
crypto map BavarianNordicVPN 26 match address munich_vpn -----Munich_Vpn is the access-list which will be used to control traffic btw the 515 -515e
crypto map BavarianNordicVPN 26 set peer 82.135.xxx.xxx
crypto map BavarianNordicVPN 26 set transform-set myset  ---same as 1st line --1st line states what encryption to use ----this line says use it ?? if this is so I can use myset on many tunnels ??
isakmp identity address --- not sure need to read up on it
isakmp nat-traversal  --not sure need to read up on it

I don't have this line set up on the 501, only on 515:
crypto map BavarianNordic 26 set security-association lifetime seconds 120 kilobytes 4608000
I am thinking of removing this line from the 515 (do I need it if I want a constant connection?). I believe this line just keeps the connection alive. I prefer only to have the connection working when I request an IP address from either site; I believe this will make it slower as it only builds the connection then, but I can live with this as it is only a test. I plan to remove all the config changes and try it from scratch again; it's nice to have it working now so I can use it to check when I try to set this up again. If you can comment on any of the above, great; if not, Google time.

Again, thanks very much Calvin, thx to all that participated.
huwa (Author) commented:
Duh, to my above comment: was so happy, mistyped a lot.


few little questions, hope you dont mind, I just want the 192.68.10.3 having access to the munich site.  so do i remove  this from the 501
should be few little questions, hope you dont mind, I just want the 192.68.1.3 having access to the munich site.  so do i remove  this from the 501

no access-list outbound permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0  --not needed ??
no access-list munich_vpn permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
access-list munich_vpn permit ip 192.168.1.3 255.255.255.0 lan-munich 255.255.255.0
calvinetter commented:
hi huwa, you're welcome!

>I just want the 192.68.1.3 having access to the munich site.
  If you only want the single IP above to be able to reach the munich LAN, & vice versa, run the commands below & modify the 501 first.  NOTE: the Munich LAN will *only* be able to reach the single IP, 192.168.1.3 (& this IP will be able to reach the entire 192.168.10.x subnet).  If this is what you want, proceed:

  On 501, run these commands in this order:
--------------------------------------------------
clear cry ips sa
clear cry isa sa
access-list outbound line 1 permit ip host 192.68.1.3 lan-munich 255.255.255.0
no access-list outbound permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
access-group outbound in interface inside
access-list munich_vpn permit ip host 192.68.1.3 lan-munich 255.255.255.0
access-list nonat permit ip host 192.68.1.3 lan-munich 255.255.255.0
no access-list nonat permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
no access-list munich_vpn permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
clear xlate
crypto map BavarianNordicVPN interface outside

  On PIX 515, run these commands in this order:
------------------------------------------------------
no access-list nonat permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 host 192.68.1.3
access-list vpnhugh permit ip lan-munich 255.255.255.0 host 192.68.1.3
no access-list vpnhugh permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
crypto map BavarianNordicVPN interface outside
clear xlate

If you need further help for the above, please open a new question in the Firewalls topic area.

>crypto ipsec transform-set myset ...  ---is myset just a name you gave it ???
  Yes, you could call it "mickey_mouse" if you wanted. Just make sure you keep track of all references to the transform set on that particular PIX.

>...Munich_Vpn is the access-list which will be used to control traffic btw the 515 -515e
  Correct.  The "munich_vpn" ACL tells the PIX what traffic is supposed to be sent over the site-to-site VPN tunnel to your PIX 515.

>crypto ipsec transform-set myset esp-des esp-md5-hmac
  Yes, this tells the PIX what encryption to use (DES), & what hash protocol to use (MD5).  Your transform-set parameters must match your isakmp policy, & both must have a matching set of parameters on the 515 PIX.

>crypto map BavarianNordicVPN 26 set transform-set myset  ...if this is so i can use myset on many tunnels ??
  Yes, you can use it on as many tunnels as you like, *as long as* the parameters in both the transform-set & isakmp policies match what your IPSec peer device is using for their individual tunnels.

>isakmp identity address --- not sure need to read up on it
  You need this on the 501, since it's configured on the 515.  This tells the PIX to use its IP address as its "identity" when establishing an isakmp security association with a VPN peer.  If one has this configured & the other peer doesn't, the initial isakmp negotiation will fail.

>isakmp nat-traversal  --not sure need to read up on it
  This helps when VPN endpoints (i.e., PIXes) are behind a NAT device (firewall or router).  For any PIX running 6.3 or above, it's a very good idea to have enabled.

>I dont have this line set up on the 501, only on 515
>crypto map BavarianNordic 26 set security-association lifetime seconds 120 kilobytes 4608000
  Do not add this to your 501. I left this out on purpose.  IF you set a "security-association lifetime" on the 501, you *must* add a similar line to the 515 *only* for the particular crypto map entry that references the 501 tunnel; and the lifetime <seconds> must match exactly on both VPN peer devices, or you'll have problems with the tunnel, since 1 side may timeout the VPN tunnel before the other.
   Please read below for a reference on the "crypto map" command:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1034654

Other good references:
    PIX command reference - PIX 6.3:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/index.htm
    PIX 6.3 documentation (Firewall & VPN Configuration Guide is very good):
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/index.htm

In the future, if you have further questions on a particular scenario after accepting an answer & closing the question, please open a new question in the same topic area, & ask your other questions there.  ;)

cheers
huwa (Author) commented:
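The conditions calvinetter lays out above (crypto ACLs that mirror each other, transform-set parameters and isakmp policies that actually match on both peers rather than merely sharing a name, an SA lifetime that is either absent on both ends or identical, `isakmp identity address` on both, and a crypto map entry that sits in a map bound to an interface) can be checked mechanically before the tunnel is brought up. The Python below is an added example, not part of this thread and not a Cisco tool; it parses constructed, abridged PIX 6.3 fragments modelled on the two configs posted above (before the fix), with placeholder peer addresses, and reports each mismatch it finds. `check_pair`, the parser helpers and the sample configs are all the example's own.

```python
"""Consistency checks for one PIX 6.3 site-to-site IPsec tunnel (added example)."""
import re

# Constructed, abridged fragments modelled on the two PIXes above, before the fix.
PIX501 = """\
name 192.168.10.0 lan-munich
name 192.168.1.0 lan-hugh
access-list nonat permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map BavarianNordicVPN 26 match address nonat
crypto map BavarianNordicVPN 26 set transform-set strong
crypto map BavarianNordicVPN interface outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
PIX515 = """\
name 192.168.1.0 lan-hugh
name 192.168.10.0 lan-munich
access-list vpnhugh permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map BavarianNordicVPN interface outside
crypto map BavarianNordic 26 match address vpnhugh
crypto map BavarianNordic 26 set transform-set strong
crypto map BavarianNordic 26 set security-association lifetime seconds 120 kilobytes 4608000
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

def parse_acl(cfg, acl):
    """(src, smask, dst, dmask) per 'permit ip' line, with 'name' labels resolved to addresses."""
    names = {label: ip for ip, label in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}
    def endpoint(tok):  # 'host X' or 'X mask'; returns address, mask, remaining tokens
        if tok[0] == "host":
            return names.get(tok[1], tok[1]), "255.255.255.255", tok[2:]
        return names.get(tok[0], tok[0]), tok[1], tok[2:]
    flows = []
    for m in re.finditer(rf"^access-list {acl} (?:line \d+ )?permit ip (.+)$", cfg, re.M):
        src, smask, rest = endpoint(m.group(1).split())
        dst, dmask, _ = endpoint(rest)
        flows.append((src, smask, dst, dmask))
    return flows

def parse_crypto_maps(cfg):
    """(map, seq) -> {acl, transform, lifetime}, plus the names of maps bound to an interface."""
    entries = {}
    for m in re.finditer(r"^crypto map (\S+) (\d+) (.+)$", cfg, re.M):
        e, rest = entries.setdefault((m.group(1), int(m.group(2))), {}), m.group(3).split()
        if rest[:2] == ["match", "address"]:
            e["acl"] = rest[2]
        elif rest[:2] == ["set", "transform-set"]:
            e["transform"] = rest[2]
        elif "seconds" in rest:
            e["lifetime"] = int(rest[rest.index("seconds") + 1])
    return entries, set(re.findall(r"^crypto map (\S+) interface \S+$", cfg, re.M))

def parse_isakmp_policies(cfg):
    """One dict per policy (authentication, encryption, hash, group); the ISAKMP
    lifetime is negotiated down to the shorter value, so it is not part of the match."""
    pol = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)$", cfg, re.M):
        if m.group(2) != "lifetime":
            pol.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return list(pol.values())

def check_pair(cfg_a, cfg_b, key_a, key_b):
    """Findings for the tunnel defined by crypto map entries key_a and key_b; [] means consistent."""
    findings = []
    (maps_a, applied_a), (maps_b, applied_b) = parse_crypto_maps(cfg_a), parse_crypto_maps(cfg_b)
    ea, eb = maps_a[key_a], maps_b[key_b]
    for side, key, applied in (("A", key_a, applied_a), ("B", key_b, applied_b)):
        if key[0] not in applied:  # an entry in an unbound map is never consulted
            findings.append(f"{side}: crypto map {key[0]} is not applied to any interface")
    # The crypto ACLs must be exact mirror images (source and destination swapped).
    fa, fb = parse_acl(cfg_a, ea["acl"]), parse_acl(cfg_b, eb["acl"])
    if set(fa) != {(d, dm, s, sm) for s, sm, d, dm in fb}:
        findings.append("crypto ACLs are not mirror images of each other")
    # The same transform-set *name* on both ends proves nothing: compare the transforms.
    sets = r"^crypto ipsec transform-set (\S+) (.+)$"
    ta = {n: frozenset(t.split()) for n, t in re.findall(sets, cfg_a, re.M)}[ea["transform"]]
    tb = {n: frozenset(t.split()) for n, t in re.findall(sets, cfg_b, re.M)}[eb["transform"]]
    if ta != tb:
        findings.append(f"transform-set mismatch: {sorted(ta)} vs {sorted(tb)}")
    if not any(p in parse_isakmp_policies(cfg_b) for p in parse_isakmp_policies(cfg_a)):
        findings.append("no isakmp policy with identical parameters on both peers")
    # SA lifetime: unset on both ends, or set to the same value on both.
    if ea.get("lifetime") != eb.get("lifetime"):
        findings.append(f"SA lifetime mismatch: {ea.get('lifetime')} vs {eb.get('lifetime')}")
    if ("isakmp identity address" in cfg_a) != ("isakmp identity address" in cfg_b):
        findings.append("isakmp identity address is configured on only one peer")
    return findings
```

Running `check_pair(PIX501, PIX515, ("BavarianNordicVPN", 26), ("BavarianNordic", 26))` on the pre-fix fragments reports the unbound `BavarianNordic` map on the 515, the transform-set mismatch hidden behind the shared name `strong` (3DES/SHA on one side, DES/MD5 on the other), the SA lifetime set on only one end, and `isakmp identity address` on only one end; the ACLs and isakmp policies pass. After the changes calvinetter gave (same transform on both ends, the entry moved into `BavarianNordicVPN`, the lifetime line dropped, identity set on the 501) the same call returns an empty list. Names are resolved per config, so the comparison works on addresses even when the two PIXes label the same network differently.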
Will do and thanks again, will check those links.

Regards