y2k_rinser
VPN tunnel between CISCO 837 & CISCO PIX 501

At work we have a Cisco PIX 501 firewall which has VPN set up. I've bought a Cisco 837 modem/router at home and would like to connect to the server at work to create a VPN tunnel. When I use the VPN client on XP it just connects without any problem.

For some reason an old copy of the Netscape Navigator web browser doesn't work anymore, so I need to configure my 837 via the CLI. Can anyone help with the correct sequence of commands to get this set up?
rsivanandan

I assume you don't have a static IP at your home connection. So check out the document, which has the scenario and the commands as well to make this work:

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a0080094a87.shtml

Cheers,
Rajesh
y2k_rinser


I do have a static IP at home, and the link above is asking for a username and password to access the content :-(
Oh, you don't have a CCO account. Then try this link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094a87.shtml

It is the same link except that it won't ask for a userid/password.

Cheers,
Rajesh
Thanks Rajesh, but how do I activate the connections? I've followed the instructions (changing IPs as required), but when I do "show crypto engine connections active" the output is blank, as below.

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
                                                                                                                                                                                                         
If it helps, I've included my "show version" and "show running":

Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3SY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 04-Mar-04 01:03 by ealyon
Image text-base: 0x800131E8, data-base: 0x80CCB8C0

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3SY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

uptime is 43 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3sy6-mz.123-2.XC2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
         
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

CISCO C837 (MPC857DSL) processor (revision 0x500) with 44237K/4915K bytes of memory.
Processor board ID AMB08310B15 (1991376029), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
4 FastEthernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102                                          

============================
Current configuration : 3751 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HOSTNAME
!
no logging buffered
no logging console
enable secret 5 $1$fulV$j3iEGdn05676YzAd2iuZq1
enable password 7 091E160878334AED5F5B57
!
username USERNAME password 7 PASSWORD
no aaa new-model
ip subnet-zero
ip domain name DOMAIN.COM
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.151 10.10.10.254
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 194.74.65.68 194.72.9.38
   lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 0 *************** address A.B.C.D
!
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
 set peer A.B.C.D
 set transform-set pix-set
 match address 101
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname DSL-USERNAME
 ppp chap password 7 DSL-PASSWORD
 ppp pap sent-username DSL-USERNAME password 7 DSL-PASSWORD
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map pix
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 10.10.10.250 3389 interface Dialer1 3389
ip nat inside source static tcp 10.10.10.250 1723 interface Dialer1 1723
ip nat inside source static tcp 10.10.10.250 47 interface Dialer1 47
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
 match ip address 110
!
banner login ^C Access is prohibited ^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
 transport input ssh
!
scheduler max-task-time 5000
!
end
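One thing a practitioner would check in the running-config above, as an added example that is not from the thread: on IOS an inside-to-outside packet is processed by NAT before it is matched against the crypto map, so traffic that is permitted by a NAT source list and also covered by the crypto ACL gets translated first and then no longer matches the crypto ACL. Here `ip nat inside source list 102` permits 10.10.10.0/24 to any, which overlaps the 10.10.10.0/24 to 192.168.1.0/24 entry in crypto ACL 101, while the nonat route-map (ACL 110) does deny it. The script below parses a config excerpt and reports crypto-ACL entries that a NAT ACL would translate. It assumes numbered extended ACLs with plain `ip` entries (`any`, `host`, or address/wildcard) and the `match address`, `ip nat inside source` and `route-map` lines seen in the config; the config text is an excerpt of the post, not a full config.

```python
import ipaddress
import re

# Excerpt of the running-config posted above (only the lines this check reads).
SAMPLE_CONFIG = """\
crypto map pix 10 ipsec-isakmp
 set peer A.B.C.D
 set transform-set pix-set
 match address 101
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def _addr_spec(tokens):
    """Consume one IOS address spec ('any', 'host X' or 'X wildcard') and
    return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # wildcard -> netmask
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        number, action, rest = m.groups()
        src, rest = _addr_spec(rest.split())
        dst, _ = _addr_spec(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def crypto_acls(config):
    """ACL numbers referenced by 'match address' inside crypto maps."""
    return re.findall(r"^\s+match address (\d+)", config, re.M)


def nat_acls(config):
    """ACL numbers that drive 'ip nat inside source', directly or via a route-map."""
    direct = re.findall(r"^ip nat inside source list (\d+)", config, re.M)
    maps = re.findall(r"^ip nat inside source route-map (\S+)", config, re.M)
    via_map, current = [], None
    for line in config.splitlines():
        m = re.match(r"^route-map (\S+) permit", line)
        if m:
            current = m.group(1) if m.group(1) in maps else None
            continue
        if current and (m := re.match(r"^\s+match ip address (\d+)", line)):
            via_map.append(m.group(1))
        elif not line.startswith(" "):
            current = None  # left the route-map stanza
    return direct + via_map


def nat_overlaps(config):
    """Crypto-ACL permit entries that a NAT ACL would also permit (translate).
    Returns [(crypto_acl, nat_acl, src, dst), ...]; the first NAT entry
    matching the flow decides, as it does on the router."""
    acls = parse_acls(config)
    findings = []
    for c in crypto_acls(config):
        for action, src, dst in acls.get(c, []):
            if action != "permit":
                continue
            for n in nat_acls(config):
                for n_action, n_src, n_dst in acls.get(n, []):
                    if src.overlaps(n_src) and dst.overlaps(n_dst):
                        if n_action == "permit":
                            findings.append((c, n, str(src), str(dst)))
                        break
    return findings


if __name__ == "__main__":
    for c, n, src, dst in nat_overlaps(SAMPLE_CONFIG):
        print(f"crypto ACL {c} entry {src} -> {dst} is translated by NAT ACL {n}")
```

On the excerpt this reports the 10.10.10.0/24 to 192.168.1.0/24 entry of ACL 101 as translated by ACL 102; ACL 110 is not reported because its first matching entry is a deny. The usual fix is to deny the VPN traffic in every NAT source list (or drop the list-based statement and keep only the route-map one) before looking further at ISAKMP.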
Have you also configured the PIX for site-to-site VPN?

If so, try pinging from your network to the corporate network (don't worry whether it makes it through), then on the PIX do 'show crypto isakmp sa' and post it here.

Cheers,
Rajesh
The PIX is already set up to accept VPN connections. I can connect to it using the VPN Client software on Win XP. I would however like to set up a tunnel between my home network and work.


Y2k_rinser,

  VPN configuration on the PIX for the VPN client and for site-to-site needs to be configured separately. I mean, you cannot connect your router to the existing configuration.

  Take a look at this documentation, which describes PIX-to-PIX VPN plus VPN Client access.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml

Cheers,
Rajesh
Thanks Rajesh. It looks like I can't do what I want. I need to do some work on the PIX first :-(

Yes, client VPN is something which comes and goes. But when we are talking about site-to-site VPN, that is something which always stays up.

Now if you want something like EasyVPN, then also take a look at this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml#intro

Cheers,
Rajesh
Rajesh

I've followed those instructions and seem to have something working. Not really sure however that the VPN connection is up. Here are the outputs:

=== OUTPUT FROM PIX ===

# show crypto isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
 
# show crypto ipsec sa

interface: outside
    Crypto map tag: VPN, local addr. W.X.Y.Z


== OUTPUT FROM 837 Router ===

#show crypto isakmp sa
dst             src             state          conn-id slot
W.X.Y.Z    A.B.C.D   AG_INIT_EXCH        13    0
W.X.Y.Z    A.B.C.D   MM_NO_STATE         12    0 (deleted)

#show crypto ipsec sa  

No SAs found
That is good. We want the MM_NO_STATE to go away and get the QM_IDLE state, and that happens when the VPN connection is built.

MM_NO_STATE happens for multiple reasons. Now, closely check your configuration and make sure that everything matches (transform-set, access-lists etc). Also, your home internal IP addresses are different from the company's, right? If not, reconfigure.

Keep the ping in an infinite loop. After you have done checking, we can start debug and see what is wrong.

On your router, open up 'debug crypto isakmp' or 'debug crypto ipsec' and post it here.

Cheers,
Rajesh
Hey Rajesh, I think it's worked. Here are the outputs:

=== ROUTER OUTPUT ===

parkroad#sh crypto isakmp sa
dst             src             state          conn-id slot
W.X.Y.Z    A.B.C.D   QM_IDLE              6    0

---------------------------------------------------
 
parkroad#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: Dialer1-head-0, local addr. A.B.C.D

   protected vrf:
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: W.X.Y.Z:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: A.B.C.D, remote crypto endpt.: W.X.Y.Z
     path mtu 1500, media mtu 1500
     current outbound spi: C6FD9CEB

     inbound esp sas:
      spi: 0x822F700E(2184146958)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 20, flow_id: 1, crypto map: Dialer1-head-0
        sa timing: remaining key lifetime (k/sec): (4489955/27179)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC6FD9CEB(3338509547)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 21, flow_id: 2, crypto map: Dialer1-head-0
        sa timing: remaining key lifetime (k/sec): (4489947/27179)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

         
interface: Virtual-Access2
    Crypto map tag: Dialer1-head-0, local addr. A.B.C.D

   protected vrf:
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: W.X.Y.Z:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: A.B.C.D, remote crypto endpt.: W.X.Y.Z
     path mtu 1500, media mtu 1500
     current outbound spi: C6FD9CEB

     inbound esp sas:
      spi: 0x822F700E(2184146958)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 20, flow_id: 1, crypto map: Dialer1-head-0
        sa timing: remaining key lifetime (k/sec): (4489955/27178)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC6FD9CEB(3338509547)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 21, flow_id: 2, crypto map: Dialer1-head-0
        sa timing: remaining key lifetime (k/sec): (4489947/27178)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
                         
-------------------------------------------------------

parkroad#sh crypto ipsec client ezvpn  
Easy VPN Remote Phase: 2

Tunnel name : helios
Inside interface list: Ethernet0,
Outside interface: Dialer1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Split Tunnel List: 1
       Address    : 192.168.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
parkroad#              

---------------------------------------------------

=== PIX OUTPUT ===

helios# sh crypto isakmp sa
Total     : 2
Embryonic : 0
        dst               src        state     pending     created
    W.X.Y.Z    A.B.C.D    QM_IDLE         0           1
    W.X.Y.Z    A.B.C.D    QM_IDLE         0           1
helios#
helios# sh crypto ipsec sa


interface: outside
    Crypto map tag: parkroad, local addr. W.X.Y.Z

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
   current_peer: A.B.C.D:4500
   dynamic allocated peer ip: 192.168.2.1

     PERMIT, flags={transport_parent,}
    #pkts encaps: 142, #pkts encrypt: 142, #pkts digest 142
    #pkts decaps: 123, #pkts decrypt: 123, #pkts verify 134
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 22

     local crypto endpt.: W.X.Y.Z, remote crypto endpt.: A.B.C.D
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: f3cab3d2

     inbound esp sas:
      spi: 0x910b8ed9(2433453785)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 3, crypto map: parkroad
        sa timing: remaining key lifetime (k/sec): (4607983/27568)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xf3cab3d2(4090147794)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 4, crypto map: parkroad
        sa timing: remaining key lifetime (k/sec): (4607979/27559)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:
             

     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer: A.B.C.D:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 56, #pkts decrypt: 56, #pkts verify 67
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 22

     local crypto endpt.: W.X.Y.Z, remote crypto endpt.: A.B.C.D
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 822f700e

     inbound esp sas:
      spi: 0xc6fd9ceb(3338509547)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: parkroad
        sa timing: remaining key lifetime (k/sec): (4607992/27082)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x822f700e(2184146958)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: parkroad
        sa timing: remaining key lifetime (k/sec): (4608000/27082)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:
                             
Thanks

Rinser

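The two rounds of output above (the earlier AG_INIT_EXCH / MM_NO_STATE listing and the QM_IDLE listing with its packet counters) are exactly what a practitioner reads by hand when checking a tunnel, so here is the same triage as an added script, not something from the thread or from Cisco. It takes the text of `show crypto isakmp sa` and `show crypto ipsec sa` from one box, confirms phase 1 reached QM_IDLE, then looks at each proxy-identity pair's encaps/decaps counters: the router above encrypts 56 packets and decrypts none, and the PIX decrypts 56 and encrypts none, which is the one-way pattern that points at return-path routing or an ACL on the receiving side rather than at the crypto. The sample strings are trimmed excerpts of the posted outputs; the prompt and ident line formats are assumed to be as shown there.

```python
import re

# Trimmed excerpts of the 'show crypto' outputs posted above.
EARLIER_ROUTER_OUTPUT = """\
#show crypto isakmp sa
dst             src             state          conn-id slot
W.X.Y.Z    A.B.C.D   AG_INIT_EXCH        13    0
W.X.Y.Z    A.B.C.D   MM_NO_STATE         12    0 (deleted)
"""

ROUTER_OUTPUT = """\
parkroad#sh crypto isakmp sa
dst             src             state          conn-id slot
W.X.Y.Z    A.B.C.D   QM_IDLE              6    0

parkroad#sh crypto ipsec sa
interface: Dialer1
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""

PIX_OUTPUT = """\
helios# sh crypto isakmp sa
Total     : 2
        dst               src        state     pending     created
    W.X.Y.Z    A.B.C.D    QM_IDLE         0           1
helios# sh crypto ipsec sa
interface: outside
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
    #pkts encaps: 142, #pkts encrypt: 142, #pkts digest 142
    #pkts decaps: 123, #pkts decrypt: 123, #pkts verify 134
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 56, #pkts decrypt: 56, #pkts verify 67
"""

ISAKMP_STATE_RE = re.compile(r"\b([A-Z]{2}_[A-Z_]+)\b")   # QM_IDLE, MM_NO_STATE, ...
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def _section(output, command):
    """Lines printed after the prompt that ran `command`, up to the next prompt."""
    collecting, result = False, []
    for line in output.splitlines():
        if re.search(r"#\s*(sh|show) " + re.escape(command), line):
            collecting = True
            continue
        if collecting and re.match(r"^\S*#", line):   # next prompt ends the section
            break
        if collecting:
            result.append(line)
    return result


def isakmp_states(output):
    """Phase-1 SA states from 'show crypto isakmp sa', ignoring stale entries."""
    states = []
    for line in _section(output, "crypto isakmp sa"):
        if "(deleted)" in line:
            continue
        m = ISAKMP_STATE_RE.search(line)
        if m:
            states.append(m.group(1))
    return states


def ipsec_flows(output):
    """One dict per local/remote proxy-identity pair in 'show crypto ipsec sa'."""
    flows, current = [], None
    for line in _section(output, "crypto ipsec sa"):
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                current = {"local": f"{addr}/{mask}", "encaps": 0, "decaps": 0}
                flows.append(current)
            else:
                current["remote"] = f"{addr}/{mask}"
            continue
        m = PKTS_RE.search(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return flows


def diagnose(flow):
    """First-pass verdict from the counters of one flow."""
    enc, dec = flow["encaps"], flow["decaps"]
    if enc and dec:
        return "bidirectional"
    if enc:
        return "send-only: packets leave this side but none come back (check the far side's routing/ACL)"
    if dec:
        return "receive-only: this side decrypts traffic but sends none back (check its own routing/ACL)"
    return "idle: no interesting traffic has hit the SA yet"


def report(output):
    """[(local, remote, verdict)] per flow, after confirming phase 1 is up."""
    states = isakmp_states(output)
    if not states or any(s != "QM_IDLE" for s in states):
        return [("-", "-", f"phase 1 not established: {states or 'no SA'}")]
    return [(f["local"], f["remote"], diagnose(f)) for f in ipsec_flows(output)]


if __name__ == "__main__":
    for name, text in (("router (earlier)", EARLIER_ROUTER_OUTPUT),
                       ("router", ROUTER_OUTPUT), ("pix", PIX_OUTPUT)):
        for local, remote, verdict in report(text):
            print(f"{name}: {local} <-> {remote}: {verdict}")
```

Run against the excerpts, the earlier router output is reported as phase 1 not established (AG_INIT_EXCH, with the deleted MM_NO_STATE entry ignored), the later router output as send-only on the 10.10.10.0/24 to 192.168.1.0/24 flow, and the PIX as receive-only on the mirror flow while the separate VPN Client SA (0.0.0.0/0 to 192.168.2.1/32) is bidirectional. A send-only verdict on one side paired with receive-only on the other means the tunnel itself is fine and the reply traffic is being dropped or routed around the crypto map on the receiving side, which is consistent with the access-list problem the asker found in the syslogs.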
Thanks Rajesh for all the help. I can't ping, but I can see from the syslogs that it's because of my access list.

Cheers

Rinser
Perfect. As long as you can communicate, that's all that matters :-)

Glad you got it working. Happy VPNing..

Cheers,
Rajesh