PIX 515 help: VPN works, adding site-to-site doesn't work

Ok, I currently have a PIX 515 with VPN set up on it and it works... now a client wants to
connect to us via site-to-site VPN.... I gave it my best shot and could not get it working.
I must be missing something, please help .....
This is what the client requested...

For the site-to-site VPN, I need:
 
Your VPN endpoint IP address (our VPN endpoint is x.x.x.x)
 
Your local subnet(s) that will use the tunnel (you will need to allow 10.33.1.0/24 through)
 
IKE Phase1 and Phase2 algorithms (we normally use SHA1, 3DES and DH-group2 for Phase1; ESP-SHA1, 3DES, Tunnel-mode & DH-group2 for Phase2)
 
Preshared Key we can exchange over the phone.

From that I sent him the following info

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp key <Shared_Key> address x.x.x.x netmask 255.255.255.255
access-list good_tunnel permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0
access-list good_tunnel permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.0
crypto ipsec transform-set goodsam esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
crypto map goodsam 20 ipsec-isakmp
crypto map goodsam 20 set peer 199.189.20.2
crypto map goodsam 20 set transform-set goodsam
crypto map goodsam 20 match address good_tunnel
access-list vpn_nonat permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.
access-list vpn_nonat permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.
Ooo, and last but not least, our endpoint address is x.x.x.x

And our Pix config is


sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname GUESTVPNUSER
domain-name pixvpn.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn_nonat permit ip 10.1.4.0 255.255.255.0 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip 10.1.1.0 255.255.255.0 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip 192.168.254.0 255.255.255.0 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip 10.1.5.0 255.255.255.0 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip 216.65.212.192 255.255.255.224 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0
access-list vpn_nonat permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.0
access-list goodsam permit ip host 10.1.1.105 10.1.11.0 255.255.255.128
access-list goodsamtunnel permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0
access-list goodsamtunnel permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap notifications
logging facility 23
logging host inside 10.1.5.97
no logging message 111005
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 10.1.1.251 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.1.11.1-10.1.11.126
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.1.1.100 255.255.255.255 inside
pdm location 10.1.2.0 255.255.255.0 inside
pdm location 10.1.4.0 255.255.255.0 inside
pdm location 10.1.5.0 255.255.255.0 inside
pdm location 10.1.8.0 255.255.255.0 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 10.1.11.0 255.255.255.0 outside
pdm location 192.168.254.37 255.255.255.255 inside
pdm location 10.1.5.97 255.255.255.255 inside
pdm location 10.1.5.98 255.255.255.255 inside
pdm location 10.1.5.200 255.255.255.255 inside
pdm location 10.33.1.0 255.255.255.0 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list vpn_nonat
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.1.2.0 255.255.255.0 10.1.1.3 1
route inside 10.1.4.0 255.255.255.0 10.1.1.3 1
route inside 10.1.5.0 255.255.255.0 10.1.1.3 1
route inside 10.1.8.0 255.255.255.0 10.1.1.254 1
route outside 10.1.11.0 255.255.255.0 <vpn client address> 1
route outside 10.33.1.0 255.255.255.0 <Site-to-Site address> 1
route inside 192.168.254.0 255.255.255.0 10.1.1.3 1
route inside <internal public gateway> 255.255.255.224 10.1.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.1.1.100 testonly timeout 10
http server enable
http 10.1.5.200 255.255.255.255 inside
http 10.1.5.97 255.255.255.255 inside
http 192.168.254.37 255.255.255.255 inside
http 10.1.5.98 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt Please type your user name and password
auth-prompt accept Welcome to Guest USCB Network.
auth-prompt reject Please try again!
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set goodsam esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
crypto dynamic-map vpnclient 10 set transform-set vpnset
crypto dynamic-map vpnclient 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map vpnmap 10 ipsec-isakmp dynamic vpnclient
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication AuthInbound
crypto map goodsam 20 ipsec-isakmp
crypto map goodsam 20 match address goodsamtunnel
crypto map goodsam 20 set pfs group2
crypto map goodsam 20 set peer x.x.x.x
crypto map goodsam 20 set transform-set goodsam
crypto map goodsam interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup guestvpnuser address-pool vpnpool
vpngroup guestvpnuser split-tunnel vpn_nonat
vpngroup guestvpnuser idle-time 10800
vpngroup guestvpnuser password ********
vpngroup uscbvpn split-tunnel vpn_nonat
vpngroup uscbvpn idle-time 10800
vpngroup uscbvpn password ********
vpngroup uscbadmin address-pool vpnpool
vpngroup uscbadmin split-tunnel vpn_nonat
vpngroup uscbadmin idle-time 10800
vpngroup uscbadmin password ********
vpngroup uscbdba address-pool vpnpool
vpngroup uscbdba split-tunnel vpn_nonat
vpngroup uscbdba idle-time 10800
vpngroup uscbdba password ********
vpngroup vtobusman address-pool vpnpool
vpngroup vtobusman split-tunnel vpn_nonat
vpngroup vtobusman idle-time 10800
vpngroup vtobusman password ********
vpngroup uscb_vpn idle-time 1800
vpngroup gs_vpn address-pool vpnpool
vpngroup gs_vpn split-tunnel goodsam
vpngroup gs_vpn idle-time 10800
vpngroup gs_vpn password ********
telnet 192.168.254.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.5.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
username xxxxxxx password privilege 15
terminal width 80
Cryptochecksum:xxxxxxxxxx
: end

 GUESTVPNUSER#  


Sorry for the long post but I figured the more info you have, the more you can help...
Thanks in advance.....
vtobusmanAsked:

lrmooreCommented:
Can you post result of "show cry is sa"
It looks like you have all the pieces that you need. It could be an issue on their end.
Ask them if they have isakmp keepalives enabled on their end.
0
vtobusmanAuthor Commented:
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
0
lrmooreCommented:
Try removing this line:

>route outside 10.33.1.0 255.255.255.0 <Site-to-Site address> 1

You just want traffic going to 10.33.1.0 to go out your default route. Nothing more.

>route inside <internal public gateway> 255.255.255.224 10.1.1.3
I'm not sure I understand this entry. What is the typical default gateway on local workstations? Do they point to this gateway 10.1.1.3, or to the PIX 10.1.1.251?
If they point to the PIX that's OK.
If they point to the gateway 10.1.1.3 then that router or whatever it is will have to have a static route for the 10.33.1.0/24 subnet and point it to the PIX..
0

vtobusmanAuthor Commented:
I have changed the config a bit.

I have changed the crypto map goodsam to vpnmap,
and vpnmap is on the outside interface.
Here is the new .....

: Saved
: Written by enable_15 at 13:27:14.667 UTC Fri Apr 14 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7arLy8FqS7tEUIae encrypted
passwd
hostname GUESTVPNUSER
domain-name pixvpn.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn_nonat permit ip 10.1.4.0 255.255.255.0 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip 10.1.1.0 255.255.255.0 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip 192.168.254.0 255.255.255.0 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip 10.1.5.0 255.255.255.0 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip x.x.x.192 255.255.255.224 10.1.11.0 255.255.255.128
access-list vpn_nonat permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0
access-list vpn_nonat permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.0
access-list goodsam permit ip host 10.1.1.105 10.1.11.0 255.255.255.128
access-list goodsamtunnel permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0
access-list goodsamtunnel permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.0
access-list goodsamtunnel permit icmp any any
pager lines 24
logging timestamp
logging buffered debugging
logging trap notifications
logging facility 23
logging host inside 10.1.1.17
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.119 255.255.255.240
ip address inside 10.1.1.251 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.1.11.1-10.1.11.126
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.1.1.100 255.255.255.255 inside
pdm location 10.1.2.0 255.255.255.0 inside
pdm location 10.1.4.0 255.255.255.0 inside
pdm location 10.1.5.0 255.255.255.0 inside
pdm location 10.1.8.0 255.255.255.0 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 10.1.11.0 255.255.255.0 outside
pdm location 192.168.254.37 255.255.255.255 inside
pdm location 10.1.5.97 255.255.255.255 inside
pdm location 10.1.5.98 255.255.255.255 inside
pdm location 10.1.5.200 255.255.255.255 inside
pdm location 10.33.1.0 255.255.255.0 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list vpn_nonat
route outside 0.0.0.0 0.0.0.0 x.x.x.113 1
route inside 10.1.2.0 255.255.255.0 10.1.1.3 1
route inside 10.1.4.0 255.255.255.0 10.1.1.3 1
route inside 10.1.5.0 255.255.255.0 10.1.1.3 1
route inside 10.1.8.0 255.255.255.0 10.1.1.254 1
route outside 10.1.11.0 255.255.255.0 x.x.x.113 1
route outside 10.33.1.0 255.255.255.0 x.x.x.113 1
route inside 192.168.254.0 255.255.255.0 10.1.1.3 1
route inside x.x.x.192 255.255.255.224 10.1.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.1.1.100 testonly timeout 10
http server enable
http 10.1.5.97 255.255.255.255 inside
http 192.168.254.37 255.255.255.255 inside
http 10.1.5.98 255.255.255.255 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt Please type your user name and password
auth-prompt accept Welcome to Guest USCB Network.
auth-prompt reject Please try again!
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set goodsam esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
crypto dynamic-map vpnclient 10 set transform-set vpnset
crypto dynamic-map vpnclient 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map vpnmap 10 ipsec-isakmp dynamic vpnclient
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address goodsamtunnel
crypto map vpnmap 20 set pfs group2
crypto map vpnmap 20 set peer 199.189.20.2
crypto map vpnmap 20 set transform-set goodsam
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication AuthInbound
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.2 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup guestvpnuser address-pool vpnpool
vpngroup guestvpnuser split-tunnel vpn_nonat
vpngroup guestvpnuser idle-time 10800
vpngroup guestvpnuser password ********
vpngroup uscbvpn split-tunnel vpn_nonat
vpngroup uscbvpn idle-time 10800
vpngroup uscbvpn password ********
vpngroup uscbadmin address-pool vpnpool
vpngroup uscbadmin split-tunnel vpn_nonat
vpngroup uscbadmin idle-time 10800
vpngroup uscbadmin password ********
vpngroup uscbdba address-pool vpnpool
vpngroup uscbdba split-tunnel vpn_nonat
vpngroup uscbdba idle-time 10800
vpngroup uscbdba password ********
vpngroup vtobusman address-pool vpnpool
vpngroup vtobusman split-tunnel vpn_nonat
vpngroup vtobusman idle-time 10800
vpngroup vtobusman password ********
vpngroup uscb_vpn idle-time 1800
vpngroup gs_vpn address-pool vpnpool
vpngroup gs_vpn split-tunnel goodsam
vpngroup gs_vpn idle-time 10800
vpngroup gs_vpn password ********
telnet 192.168.254.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.5.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
username xxxx password privilege 15
terminal width 80
Cryptochecksum:

 GUESTVPNUSER#
0
vtobusmanAuthor Commented:

Ok, the PIX is at our datacenter.... all of our offices are remotely connected via point-to-point T1s, so the statement is needed to route traffic from the datacenter to the offices....

And I will remove the
>route outside 10.33.1.0 255.255.255.0 <Site-to-Site address> 1
0
lrmooreCommented:
> all of our offices are remote connected via point to point t1's   so the statement is needed to route traffic from the datacenter to the offices....
The T1 router needs a route statement in it
  ip route 10.33.1.0 255.255.255.0 10.1.1.251

0
vtobusmanAuthor Commented:
the sh cry sa is still the same
Total     : 0
Embryonic : 0
        dst               src        state     pending     created

0
vtobusmanAuthor Commented:
it does have this statement....
0
lrmooreCommented:
How about result of
show access-list vpn_nonat
show access-list goodsamtunnel

Look for hitcounters on these entries:
access-list vpn_nonat permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcount=  xxx )
access-list goodsamtunnel permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcount=  xxx )

Good hitcounts means traffic is being routed properly trying to go out. If counters increase, then we look at other things:


>crypto map vpnmap 20 set pfs group2
Does the other end also have PFS enabled? Typically it is not. You might try removing that line, or having the other end also enable it.

>isakmp policy 20 lifetime 86400
Ask them what their lifetime is set for. Both sides should match. PIX defaults to 86400, some others may default to 28800 or something.

0
vtobusmanAuthor Commented:
Here are the results

GUESTVPNUSER# show access-list goodsamtunnel
access-list goodsamtunnel; 3 elements
access-list goodsamtunnel line 1 permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcnt=0)
access-list goodsamtunnel line 2 permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcnt=0)
access-list goodsamtunnel line 3 permit icmp any any (hitcnt=0)
GUESTVPNUSER# show access-list vpn_nonat
access-list vpn_nonat; 7 elements
access-list vpn_nonat line 1 permit ip 10.1.4.0 255.255.255.0 10.1.11.0 255.255.255.128 (hitcnt=0)
access-list vpn_nonat line 2 permit ip 10.1.1.0 255.255.255.0 10.1.11.0 255.255.255.128 (hitcnt=0)
access-list vpn_nonat line 3 permit ip 192.168.254.0 255.255.255.0 10.1.11.0 255.255.255.128 (hitcnt=0)
access-list vpn_nonat line 4 permit ip 10.1.5.0 255.255.255.0 10.1.11.0 255.255.255.128 (hitcnt=0)
access-list vpn_nonat line 5 permit ip x.x.x.192 255.255.255.224 10.1.11.0 255.255.255.128 (hitcnt=10)
access-list vpn_nonat line 6 permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcnt=0)
access-list vpn_nonat line 7 permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcnt=0)
GUESTVPNUSER#
0
lrmooreCommented:
>access-list goodsamtunnel line 3 permit icmp any any (hitcnt=0)
>access-list vpn_nonat line 6 permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcnt=0)

Looks like there is no traffic even trying to go that route. You might try setting up a continuous ping from a WS on your side to some IP on the 10.33.1.x side and keep watching these counters and see if they start increasing.
No actual traffic means no VPN tunnel. The tunnel is dynamic and only if/when traffic is actually flowing.
0
vtobusmanAuthor Commented:
this is the sh command with the ping going

access-list goodsamtunnel; 3 elements
access-list goodsamtunnel line 1 permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcnt=8)
access-list goodsamtunnel line 2 permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcnt=14)
access-list goodsamtunnel line 3 permit icmp any any (hitcnt=0)
GUESTVPNUSER#
0
vtobusmanAuthor Commented:
Quick question: we have a PIX 515 and I currently don't know what the other end is using.

I am working on finding out....

But if they have a different device, will my config differ much, if at all??
0
lrmooreCommented:
Hitcounts are good signs.
Now what is result of "show cry is sa" ?

It shouldn't matter what they have on their end as long as you both agree on the same parameters..
3DES/SHA
PFS yes or no
Phase 1/Phase 2 DH Group 2 <== not pfs group
Lifetimes
secret shared key


0
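The parameter checklist lrmoore gives above, written out as an added Python check (example code, not from the thread or from Cisco): it parses the phase 1 policies and the static crypto map entry from the PIX config as posted, fills in the PIX 6.3 policy defaults for attributes the config leaves unset, and reports which policy the peer's stated proposal would match and where phase 2 differs. The config text and the peer requirement dicts are constructed from the thread; 192.0.2.2 is a documentation address standing in for the peer's x.x.x.x.

```python
import re

# Constructed sample: the phase 1 / phase 2 lines of the PIX config posted in the thread.
PIX_CONFIG = """\
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set goodsam esp-3des esp-sha-hmac
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address goodsamtunnel
crypto map vpnmap 20 set pfs group2
crypto map vpnmap 20 set peer 192.0.2.2
crypto map vpnmap 20 set transform-set goodsam
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# What the peer asked for in the thread, written with PIX keywords.  pfs=None means the
# peer's request never mentioned PFS, which is the usual "PFS off" case lrmoore describes.
PEER_PHASE1 = {"authentication": "pre-share", "encryption": "3des",
               "hash": "sha", "group": "2", "lifetime": "86400"}
PEER_PHASE2 = {"transform": ("esp-3des", "esp-sha-hmac"), "pfs": None}

# PIX 6.3 uses these values for any isakmp policy attribute that is not configured.
POLICY_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
                   "hash": "sha", "group": "1", "lifetime": "86400"}

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} with PIX defaults applied."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\w+) (\S+)\s*$", config, re.M):
        prio = int(m.group(1))
        policies.setdefault(prio, dict(POLICY_DEFAULTS))[m.group(2)] = m.group(3)
    return policies

def matching_phase1_policies(policies, peer):
    """Priorities whose attributes all equal the peer's proposal, lowest number first
    (the order the PIX walks when debug shows 'atts are [not] acceptable')."""
    return sorted(p for p, attrs in policies.items()
                  if all(attrs.get(k) == v for k, v in peer.items()))

def parse_crypto_map_entry(config, name, seq):
    """Phase 2 settings of one static crypto map entry: transform set and PFS group."""
    prefix = rf"^crypto map {name} {seq} "
    entry = {"transform": None, "pfs": None}
    m = re.search(prefix + r"set pfs (\S+)\s*$", config, re.M)
    if m:
        entry["pfs"] = m.group(1)
    m = re.search(prefix + r"set transform-set (\S+)\s*$", config, re.M)
    if m:
        ts = re.search(rf"^crypto ipsec transform-set {re.escape(m.group(1))} (\S+) (\S+)",
                       config, re.M)
        if ts:
            entry["transform"] = (ts.group(1), ts.group(2))
    return entry

def phase2_mismatches(entry, peer):
    """Human-readable phase 2 differences; an empty list means the proposals line up."""
    problems = []
    if entry["transform"] != peer["transform"]:
        problems.append(f"transform: local {entry['transform']}, peer {peer['transform']}")
    if entry["pfs"] != peer["pfs"]:
        problems.append(f"pfs: local {entry['pfs'] or 'none'}, peer {peer['pfs'] or 'none'}")
    return problems

if __name__ == "__main__":
    pols = parse_isakmp_policies(PIX_CONFIG)
    print("phase 1 policies matching peer:", matching_phase1_policies(pols, PEER_PHASE1))
    ent = parse_crypto_map_entry(PIX_CONFIG, "vpnmap", 20)
    for p in phase2_mismatches(ent, PEER_PHASE2):
        print("phase 2 mismatch ->", p)
```

On the thread's config this reports policy 20 as the phase 1 match and a single phase 2 difference, the `set pfs group2` line the peer never asked for.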
Pentrix2Commented:
Depending on what the other endpoint is it could be different.  But if it's Cisco router to PIX then no, it's pretty much the same on your end.

Pentrix2
0
vtobusmanAuthor Commented:
this is what i have now

GUESTVPNUSER# sh cry is sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
    199.189.20.2   216.65.212.119    MM_NO_STATE   1           0
0
Pentrix2Commented:
Doesn't look good, needs to be Qidle.
0
lrmooreCommented:
Something doesn't match up...
Phase 1 complete would give you QM_IDLE state
Can you ping their peer IP from the PIX?
Are they configured and ready? Do they have ISAKMP keepalives enabled? The PFS settings on both ends.


0
vtobusmanAuthor Commented:
I am trying to get info from the client that is trying to connect to us....

Apparently their IT dept. gets to go home.... so I will take the weekend off... will pick up again Monday morning...

i am still at this point for the record...

GUESTVPNUSER# sh cry is sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
    x.x.x.2   x.x.x.119    MM_NO_STATE   1           0
GUESTVPNUSER#
 
0
rsivanandanCommented:
MM_NO_STATE  could indicate so many things mismatch => transform set, access-list and so on. If you could get the other side PIX config, it would be much better to look at?

Cheers,
Rajesh
0
vtobusmanAuthor Commented:
The other side is using a Checkpoint box,
still working on getting the config.

0
vtobusmanAuthor Commented:
I turned on debugging and it looks like it's trying to get a user name and password ....
What is the XAUTH?

0
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.2, dest:x.x.x.119 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.2, dest:x.x.x.119 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24576 protocol 1
        spi 0, message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE

ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
0
vtobusmanAuthor Commented:
and here is the sh cry is sa

GUESTVPNUSER# sh cry is sa
Total     : 1
Embryonic : 0
        dst        src              state           pending     created
    x.x.x.2   x.x.x.119    OAK_CONF_XAUTH   2           0
0
vtobusmanAuthor Commented:
and with no data

GUESTVPNUSER# sh cry is sa
Total     : 1
Embryonic : 0
        dst         src            state          pending     created
  x.x.x.2   x.x.x.119    OAK_CONF_ADDR   0           0
0
lrmooreCommented:
Change this line:
 >isakmp key ******** address x.x.x.2 netmask 255.255.255.255

to this:
 >isakmp key ******** address x.x.x.2 netmask 255.255.255.255 no-xauth
0
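The troubleshooting sequence the thread walks through (crypto ACL hit counts first, then the ISAKMP SA state from `sh cry is sa`) as an added Python triage helper; this is example code, not something posted in the thread. It parses constructed samples of both outputs and maps each SA state to the next check the thread arrived at. The `no-config-mode` keyword suggested for OAK_CONF_ADDR is taken from the PIX 6.3 `isakmp key` syntax, not from any post here; documentation addresses stand in for the x.x.x.x peers.

```python
import re

# Constructed samples, modelled on the output posted in the thread.
SHOW_ISAKMP_SA = """\
GUESTVPNUSER# sh cry is sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    192.0.2.2   198.51.100.119    OAK_CONF_XAUTH   2           0
"""

SHOW_ISAKMP_SA_EMPTY = """\
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
"""

SHOW_ACL = """\
access-list goodsamtunnel; 3 elements
access-list goodsamtunnel line 1 permit ip 10.1.1.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcnt=8)
access-list goodsamtunnel line 2 permit ip 192.168.254.0 255.255.255.0 10.33.1.0 255.255.255.0 (hitcnt=14)
access-list goodsamtunnel line 3 permit icmp any any (hitcnt=0)
"""

# One SA row: dst, src, state, pending, created.  The column header does not match
# because 'state' is not an IKE state name and 'pending'/'created' are not numbers.
SA_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+((?:MM|AG|QM|OAK)_\w+)\s+(\d+)\s+(\d+)\s*$", re.M)
ACL_RE = re.compile(r"^access-list (\S+) line \d+ .*?\(hitcnt=(\d+)\)", re.M)

# What each ISAKMP SA state meant in this thread, plus the next check for it.
STATE_ADVICE = {
    "QM_IDLE": "phase 1 complete; if no IPsec SA follows, compare phase 2 "
               "(transform set, PFS, proxy IDs) with the peer",
    "MM_NO_STATE": "phase 1 never completes; check peer reachability, the "
                   "phase 1 policy and the pre-shared key on both ends",
    "OAK_CONF_XAUTH": "PIX is asking a site-to-site peer for XAUTH; add no-xauth "
                      "to the isakmp key line for that peer",
    "OAK_CONF_ADDR": "PIX is pushing mode-config to a static peer (crypto map client "
                     "configuration address ... on the same map); add no-config-mode "
                     "to the isakmp key line for that peer",
}

def parse_isakmp_sa(text):
    """ISAKMP SA rows as (dst, src, state, pending, created) tuples."""
    return [(d, s, st, int(p), int(c)) for d, s, st, p, c in SA_RE.findall(text)]

def crypto_acl_hits(text, acl_name):
    """Total hit count over the entries of one access-list in 'show access-list' output."""
    return sum(int(h) for name, h in ACL_RE.findall(text) if name == acl_name)

def triage(sa_text, acl_text, crypto_acl):
    """The thread's decision tree: interesting traffic first, then the SA state."""
    hits = crypto_acl_hits(acl_text, crypto_acl)
    states = [row[2] for row in parse_isakmp_sa(sa_text)]
    if not states:
        advice = ("no ISAKMP SA and no hits on the crypto ACL: nothing is trying to use "
                  "the tunnel, send traffic across and watch the counters" if hits == 0 else
                  "crypto ACL is matching traffic but no SA is built: check routing, that "
                  "the crypto map is applied to outside, and UDP/500 reachability to the peer")
    else:
        advice = "; ".join(STATE_ADVICE.get(s, f"{s}: unknown state, collect debug crypto isakmp")
                           for s in states)
    return {"hits": hits, "states": states, "advice": advice}

if __name__ == "__main__":
    for sa in (SHOW_ISAKMP_SA_EMPTY, SHOW_ISAKMP_SA):
        r = triage(sa, SHOW_ACL, "goodsamtunnel")
        print(r["states"] or "no SA", "| hits:", r["hits"], "|", r["advice"])
```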
vtobusmanAuthor Commented:
Ok, did that.
Now the sh cry is sa =
GUESTVPNUSER# sh cry is sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    xxx.xxx.xxx.2   xx.xx.xx.119    OAK_CONF_ADDR   1           0

and debug is

GUESTVPNUSER# IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= x.x.x.119, remote= x.x.x.2,
    local_proxy= 192.168.254.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.33.1.0/255.255.255.0/0/0 (type=4)

ISADB: reaper checking SA 0xe943cc, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:x.x.x.2/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.2/500 Total VPN peers:0
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= x.x.x.119, remote= x.x.x.2,
    local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.33.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:x.x.x.2, dest:x.x.x.119 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.2, dest:x.x.x.119 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.2, dest:x.x.x.119 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24576 protocol 1
        spi 0, message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to x.x.x.2. ID = 9848799 (0x9647df)
modecfg: sa: e943cc, new mess id= 9647df

0
vtobusmanAuthor Commented:
Both us and the client get this error

ISADB: reaper checking SA 0xe943cc, conn_id = 0  DELETE IT!

What is it???
0
vtobusmanAuthor Commented:
I also get this error ...

 ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
0
lrmooreCommented:
That's a phase 2 issue..
Try removing this line
>crypto map vpnmap 20 set pfs group2

0
lrmooreCommented:
Then re-apply the crypto map to the interface.
0
vtobusmanAuthor Commented:
This is now done and still the same state...

GUESTVPNUSER# sh cry is sa
Total     : 1
Embryonic : 0
        dst                   state     pending     created
    x.x.x.2   x.x.x.119    OAK_CONF_ADDR   1           0
GUESTVPNUSER#

The other end is going to do an update on their Checkpoint box... apparently it has issues with its crypto maps......

That should be done this morning, I will let you know the result....

Ooohh, and we switched the SHA to MD5 so now it looks like this

crypto ipsec transform-set goodsam esp-3des esp-md5-hmac
isakmp policy 20 hash md5

while we were trying to figure this out....
0
vtobusmanAuthor Commented:
Ok, no luck :-(

Here's what we are going to do now....

Change the config to match this one
http://www.cisco.com/warp/public/110/cp-p.html

and see what we get....
I will let you know the status.....
0