Routing for PIX to VPN 3000 Concentrator

I have a PIX that I'm using as the primary gateway for my 172.17.x.x network and am trying to get it to connect via VPN to another agency's VPN 3000 concentrator.

Currently I'm having trouble trying to figure out how to tell the PIX that any traffic on my machine (172.17.4.100) bound for a 10.0.0.0 network needs to go through the VPN tunnel that has been established. The remote site can initiate the tunnel but I cannot, as the PIX is not allowing my pings to the 10.x.x.x network to leave our network.

naveedbCommented:
How have you defined interesting traffic? Can you post your PIX configuration?
0
 
th1rd3y3Author Commented:
As you can see, I have 3 other existing site-to-site VPNs running to Cisco 806 routers that are working fine. I didn't configure this from scratch; I'm just adding to what was already here when I started.

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 10baset
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password encrypted
passwd encrypted
hostname pix
domain-name agency
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 172.17.2.249 TerminalServer
name 172.20.2.0 DayTreatment
name 172.19.2.0 ShelterCare
name 172.16.2.0 LockHaven
name 172.17.2.231 JoinderMail
object-group service TerminalServer tcp
  port-object range 3389 3389
object-group service Exchange tcp
  description SMTP,HTTP,SSL, POP3
  port-object range smtp smtp
  port-object eq pop3
access-list inside_nat0_outbound permit ip 172.17.0.0 255.255.0.0 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound permit ip 172.17.0.0 255.255.0.0 172.19.2.0 255.255.255.0
access-list inside_nat0_outbound permit ip 172.17.0.0 255.255.0.0 172.20.2.0 255.255.255.0
access-list inside_nat0_outbound permit ip 172.17.0.0 255.255.0.0 172.20.2.192 255.255.255.192
access-list inside_nat0_outbound permit ip 172.17.0.0 255.255.0.0 172.21.2.96 255.255.255.224
access-list inside_nat0_outbound permit ip 172.17.4.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap_20 permit ip 172.17.0.0 255.255.0.0 172.16.2.0 255.255.255.0
access-list outside_access_in permit tcp any host 209.23.225.153 object-group TerminalServer
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 209.23.225.154 eq smtp
access-list outside_access_in permit tcp any host 209.23.225.154 eq www
access-list outside_access_in permit tcp any host 209.23.225.154 eq https
access-list outside_cryptomap_21 permit ip 172.17.0.0 255.255.0.0 172.19.2.0 255.255.255.0
access-list outside_cryptomap_22 permit ip 172.17.0.0 255.255.0.0 172.20.2.0 255.255.255.0
access-list Joinder_splitTunnelAcl permit ip 172.17.0.0 255.255.0.0 any
access-list outside_cryptomap_dyn_40 permit ip any 172.21.2.96 255.255.255.224
access-list outside_cryptomap_42 permit ip 172.17.4.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap notifications
logging history notifications
icmp permit any outside
mtu outside 1240
mtu inside 1500
mtu DMZ 1500
ip address outside 209.23.255.69 255.255.255.192
ip address inside 172.17.20.252 255.255.0.0
ip address DMZ 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop
ip local pool Mobile 172.21.2.100-172.21.2.125
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 172.17.0.0 255.255.0.0 outside
pdm location 172.17.2.44 255.255.255.255 inside
pdm location 172.17.20.1 255.255.255.255 inside
pdm location 172.16.2.0 255.255.255.0 outside
pdm location 172.17.2.249 255.255.255.255 inside
pdm location 172.19.2.0 255.255.255.0 outside
pdm location 172.20.2.0 255.255.255.0 outside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location 172.16.0.0 255.255.0.0 outside
pdm location 209.23.225.153 255.255.255.255 outside
pdm location 172.20.2.192 255.255.255.192 outside
pdm location 172.17.2.231 255.255.255.255 inside
pdm location 172.17.2.39 255.255.255.255 inside
pdm location 172.17.4.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 10.0.0.0 255.0.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.0.0 255.255.0.0 0 0
static (inside,outside) tcp 209.23.225.154 smtp 172.17.2.231 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.23.225.154 https 172.17.2.231 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.23.225.154 www 172.17.2.231 www netmask 255.255.255.255 0 0
static (inside,outside) 209.23.225.153 172.17.2.249 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.23.255.65 1
route outside 10.0.0.0 255.0.0.0 209.23.225.146 1
route outside 209.23.225.153 255.255.255.255 209.23.225.152 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 172.17.2.44 timeout 5 protocol UDP version 4
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 207.46.130.100 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.17.0.0 255.255.0.0 inside
snmp-server location Sharwell
snmp-server contact David Walter
snmp-server community private
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 68.67.28.54
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 21600 kilobytes 4608000
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer 209.23.224.12
crypto map outside_map 21 set transform-set ESP-3DES-MD5
crypto map outside_map 21 set security-association lifetime seconds 21600 kilobytes 4608000
crypto map outside_map 22 ipsec-isakmp
crypto map outside_map 22 match address outside_cryptomap_22
crypto map outside_map 22 set peer 209.23.224.11
crypto map outside_map 22 set transform-set ESP-3DES-MD5
crypto map outside_map 22 set security-association lifetime seconds 21600 kilobytes 4608000
crypto map outside_map 42 ipsec-isakmp
crypto map outside_map 42 match address outside_cryptomap_42
crypto map outside_map 42 set peer 209.23.225.146
crypto map outside_map 42 set transform-set ESP-AES-256-MD5
crypto map outside_map 42 set security-association lifetime seconds 21600 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 209.23.224.11 netmask 255.255.255.255
isakmp key ******** address 209.23.224.12 netmask 255.255.255.255
isakmp key ******** address 68.67.28.54 netmask 255.255.255.255
isakmp key ******** address 209.23.225.146 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Joinder address-pool Mobile
vpngroup Joinder dns-server 172.17.2.1
vpngroup Joinder wins-server 172.17.2.1
vpngroup Joinder default-domain joinder.local
vpngroup Joinder split-tunnel Joinder_splitTunnelAcl
vpngroup Joinder idle-time 1800
vpngroup Joinder password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 172.17.0.0 255.255.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access outside
console timeout 0
username administrator password encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:2f06aed97ab6737a2bf904e1b52677f5
: end
0
 
stressedout2004Commented:
Why did you put this route in?

route outside 10.0.0.0 255.0.0.0 209.23.225.146

Normally, if it is over VPN, you don't have to specify a route.
0
 
th1rd3y3Author Commented:
I just put it there to see if it would help, which it didn't so you can ignore that.
0
 
stressedout2004Commented:
So the PIX serves as the default gateway for the rest of your internal network? Can you do a route print on the PC you are using to test the VPN connection and see if there is any persistent route that points to the 10.0.0.0 network. After you have confirmed that the routes on the PC are clean, then turn the following logging on the PIX:

debug icmp trace
term mon

then try to see if the PIX is getting the packet.
0
 
naveedbCommented:
Take out the route from the PIX with the no command.

Which crypto map is for the 10.0.0.0 network? Did you setup the other site-to-site tunnels yourself or via PDM?
0
 
Freya28Commented:
Weird, but I do not see an isakmp policy for AES-256 paired with MD5. The only time that I have seen that one end of a tunnel cannot initiate is when one side does not have a static IP (dynamic). But both of these things do not matter if the other side can initiate the tunnel. Plus I do not see how the tunnel can activate when your isakmp policies don't have AES. Also, your network statement for _cryptomap_42 only allows the 172.16.4.x network, not 172.16.x.x.
0
 
th1rd3y3Author Commented:
Yes the PIX serves as our local gateway and connects to 3 remote offices via site-to-site using Cisco 806 routers there.

I made sure there was no routes pointing to the 10.x.x.x network on my machine (172.17.4.100) but pinging is still not possible and the debug info just says it's unreachable.

crypto map outside_map 42 ipsec-isakmp
crypto map outside_map 42 match address outside_cryptomap_42
crypto map outside_map 42 set peer 209.23.225.146
crypto map outside_map 42 set transform-set ESP-AES-256-MD5
crypto map outside_map 42 set security-association lifetime seconds 21600 kilobytes 4608000

^^That is for the 10.x.x.x network

I didn't set the other VPNs up because they were here when I got here. I'd ask the guy who set them up (a consultant), but I'd like to know how it's done so if I ever need to do it again I can, and he's not very willing to give information.
0
 
th1rd3y3Author Commented:
The reason it's set to AES-256 is that the other side can match that perfectly; we wanted to make sure that encryption wasn't the problem, which it may still be.

I only want a select few (14) users to access the resource on the remote network, so that's why I restricted it to just 172.17.4.x

0
 
Freya28Commented:
The VPNs on a PIX are extremely simple to set up. The code is very easy.

All you need is the access-lists, the nat 0 access-list, the crypto statements, the isakmp key statement and the isakmp policy.

The crypto map and isakmp key have the peer address that you are connecting to. Your sysopt connection permit-ipsec statement, and just make sure that you apply the crypto map to your interface and have the isakmp enable outside/inside command.
0
 
th1rd3y3Author Commented:
Ok, to me it seems like I have all this stuff. I'm not very familiar with the PIX so I was hoping someone could point out what is wrong. I've been over almost everything I can find and I know no one who is fluent with the PIX, so I turned here.
0
 
Freya28Commented:
Why don't you have the isakmp policy for AES? Actually the tunnel shouldn't establish itself at all if this doesn't exist.
0
 
stressedout2004Commented:
A couple of questions:

1) You said that the other side can initiate the connection to you. Does that mean that once the tunnel is initiated from the other side the VPN tunnel works fine, meaning traffic passes both ways? Or is there a problem with the tunnel regardless of who initiated it?

2) The other VPN that is working fine, is using 172.17.0.0 255.255.0.0 as their local network. The VPN in question is using 172.17.4.0 255.255.255.0. Is this by design? On the VPN3000 side, do they have 172.17.4.0/24 as a remote network or do they have 172.17.0.0/16 specified instead?

0
 
stressedout2004Commented:
The IPsec policy and ISAKMP policy don't necessarily have to use the same protocol. The only thing that matters is that both sides use the exact same policy regardless of the combinations used.
0
 
Freya28Commented:
It is best to have the isakmp policy configured on the PIX. I would at least add this:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
0
 
th1rd3y3Author Commented:
I just added an isakmp policy for AES and it seemed to sort of clear things up, but pinging is still not possible.

As for the tunnel working, it seems that when the remote site tries to ping me, they hit the PIX and then it's rejected, so no traffic is even flowing. Whereas when I ping, I don't even believe my pings are leaving the PIX.

The other engineer that I'm working with should have the 172.17.4.0/24 as the remote network. She's quite knowledgeable with the IOS just not with PIX so she hasn't been able to afford a lot of help on my side.
0
 
Freya28Commented:
If you want to ping then what you can do is add an access-list to allow ICMP and apply it to your inside interface:

access-list acl_inside permit icmp any any

access-group acl_inside in interface inside
0
 
Freya28Commented:
Sorry, if you apply an access-list to the inside interface you have to always end the access-list with

access-list acl_inside permit ip any any

for traffic to flow
0
 
stressedout2004Commented:
When you do "sh crypto isa sa" does it show QM idle for the VPN connection in question? How about when you do "sh crypto ipsec sa" does it show any decrypt or even encrypts on the PIX?


0
 
stressedout2004Commented:
By default, all outbound traffic is permitted on the PIX, so no access-list is needed. Also for VPN traffic, with the presence of sysopt connection permit-ipsec, all access-rule checks are bypassed on the outside interface.
0
 
Freya28Commented:
Yes, all outbound traffic from inside a PIX is accepted, but ICMP works a little differently and sometimes needs the access-list. I have a lot of experience with Cisco PIXs and have been in this situation before.

You might also want to check the other side of the tunnel to see if they are denying ICMP packets.
0
 
stressedout2004Commented:
That is correct that ICMP needs to be implicitly permitted on an access-rule to be allowed in the PIX, but only if you have
1) an access-rule on the inside interface
or
2) an access-rule on the outside interface (**for clear traffic only)
But since he doesn't have any access-rule applied on the inside interface and the traffic is over the VPN tunnel, there's no need for such.

However, try it and see if it helps you out.
0
 
Freya28Commented:
Sounds like maybe the other side might be denying it. Check that also, either way.
0
 
naveedbCommented:
Can you post your output from the following:

show log
show crypto ipsec sa
0
 
th1rd3y3Author Commented:
No, the VPN does not show up in the list of VPNs when I run "show crypto isa sa". It will if the other side initiates it though.

I already have an access list allowing ICMP traffic any any

Output from show log/show crypto ipsec sa:

cy-wmpt-hq-pix# sh log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 879611 messages logged
    Trap logging: level notifications, 127926 messages logged
    History logging: level notifications, 127926 messages logged
    Device ID: disabled
3 to inside:172.17.2.58/1140 duration 0:01:29 bytes 111355 TCP Reset-I
302014: Teardown TCP connection 248263 for outside:164.156.7.207/443 to inside:1
72.17.2.58/1131 duration 0:04:20 bytes 566593 TCP Reset-I
305011: Built dynamic TCP translation from inside:172.17.2.156/1871 to outside:2
09.23.255.69/8952
302013: Built outbound TCP connection 249333 for outside:64.4.17.250/80 (64.4.17
.250/80) to inside:172.17.2.156/1871 (209.23.255.69/8952)
304001: 172.17.2.156 Accessed URL 64.4.17.250:/cgi-bin/hmhome?&curmbox=00000000%
2d0000%2d0000%2d0000%2d000000000001&a=fdc439ba9f4fee75346a4be321b68506a76d2a0806
04df9974e3720107f1ee4a
304006: URL Server 172.17.2.44 not responding
710005: UDP request discarded from 10.250.8.1/67 to outside:255.255.255.255/boot
pc
302014: Teardown TCP connection 249333 for outside:64.4.17.250/80 to inside:172.
17.2.156/1871 duration 0:00:01 bytes 8191 TCP FINs
305011: Built dynamic TCP translation from inside:172.17.2.156/1872 to outside:2
09.23.255.69/8953
302013: Built outbound TCP connection 249334 for outside:207.46.216.59/80 (207.4
6.216.59/80) to inside:172.17.2.156/1872 (209.23.255.69/8953)
305011: Built dynamic TCP translation from inside:172.17.2.156/1873 to outside:2
09.23.255.69/8954
302013: Built outbound TCP connection 249335 for outside:207.46.216.59/80 (207.4
6.216.59/80) to inside:172.17.2.156/1873 (209.23.255.69/8954)
304001: 172.17.2.156 Accessed URL 207.46.216.59:/c.gif?RF=&PI=44364&DI=7474&PS=9
0133
304001: 172.17.2.156 Accessed URL 207.46.216.59:/c.gif?RF=&PI=44364&DI=7474&PS=8
313
3ection 249361 for outside:66.109.229.5/53 (66.109.229.5/53) to inside:172.17.2.
1/4309 (209.23.255.69/1024)
302016: Teardown UDP connection 249361 for outside:66.109.229.5/53 to inside:172
.17.2.1/4309 duration 0:00:01 bytes 260
302016: Teardown UDP connection 249360 for outside:66.109.229.5/53 to inside:172
.17.2.1/4309 duration 0:00:01 bytes 53
302015: Built outbound UDP connection 249362 for outside:66.109.229.5/53 (66.109
.229.5/53) to inside:172.17.2.1/4309 (209.23.255.69/1024)
302015: Built outbound UDP connection 249363 for outside:66.109.229.5/53 (66.109
.229.5/53) to inside:172.17.2.1/4309 (209.23.255.69/1024)
305012: Teardown dynamic TCP translation from inside:172.17.2.28/1490 to outside
:209.23.255.69/8913 duration 0:00:37
302016: Teardown UDP connection 249363 for outside:66.109.229.5/53 to inside:172
.17.2.1/4309 duration 0:00:01 bytes 260
302016: Teardown UDP connection 249362 for outside:66.109.229.5/53 to inside:172
.17.2.1/4309 duration 0:00:01 bytes 106
302015: Built outbound UDP connection 249364 for outside:66.109.229.5/53 (66.109
.229.5/53) to inside:172.17.2.1/4309 (209.23.255.69/1024)
302016: Teardown UDP connection 249364 for outside:66.109.229.5/53 to inside:172
.17.2.1/4309 duration 0:00:01 bytes 335
609001: Built local-host inside:172.17.2.173
305011: Built dynamic TCP translation from inside:172.17.2.173/1182 to outside:2
09.23.255.69/8974
302013: Built outbound TCP connection 249365 for outside:213.254.238.69/80 (213.
254.238.69/80) to inside:172.17.2.173/1182 (209.23.255.69/8974)
302015: Built outbound UDP connection 249366 for outside:66.109.229.5/53 (66.109
.229.5/53) to inside:172.17.2.1/4309 (209.23.255.69/1024)
302016: Teardown UDP connection 249366 for outside:66.109.229.5/53 to inside:172
.17.2.1/4309 duration 0:00:01 bytes 130
305011: Built dynamic TCP translation from inside:172.17.2.65/1307 to outside:20
9.23.255.69/8975
302013: Built outbound TCP connection 249367 for outside:207.242.93.22/80 (207.2
42.93.22/80) to inside:172.17.2.65/1307 (209.23.255.69/8975)
304001: 172.17.2.65 Accessed URL 207.242.93.22:/forecast.asp?zipcode=17701&partn
er=accuweather
710005: UDP request discarded from 10.250.8.1/67 to outside:255.255.255.255/boot
pc
710005: UDP request discarded from 10.250.8.1/67 to outside:255.255.255.255/boot
pc
305012: Teardown dynamic TCP translation from inside:172.17.2.116/1336 to outsid
e:209.23.255.69/8926 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:172.17.2.167/1337 to outsid
e:209.23.255.69/8816 duration 0:01:35
cy-wmpt-hq-pix# show crypto ipsec sa


interface: outside
    Crypto map tag: outside_map, local addr. 209.23.255.69

   local  ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer: 68.67.28.54:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 82232, #pkts encrypt: 82232, #pkts digest 82232
    #pkts decaps: 78652, #pkts decrypt: 78946, #pkts verify 78946
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 209.23.255.69, remote crypto endpt.: 68.67.28.54
     path mtu 1240, ipsec overhead 56, media mtu 1240
     current outbound spi: 3d562ce9

     inbound esp sas:
      spi: 0x240e7f23(604929827)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607834/3330)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x3d562ce9(1029057769)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 7, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607764/3329)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.2.0/255.255.255.0/0/0)
   current_peer: 209.23.224.12:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42786, #pkts encrypt: 42786, #pkts digest 42786
    #pkts decaps: 49721, #pkts decrypt: 49931, #pkts verify 49931
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 209.23.255.69, remote crypto endpt.: 209.23.224.12
     path mtu 1240, ipsec overhead 56, media mtu 1240
     current outbound spi: 10f1665f

     inbound esp sas:
      spi: 0x35717358(896627544)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4606967/157)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x10f1665f(284255839)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4606373/157)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   current_peer: 209.23.224.11:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1990, #pkts encrypt: 1990, #pkts digest 1990
    #pkts decaps: 2152, #pkts decrypt: 2164, #pkts verify 2164
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 209.23.255.69, remote crypto endpt.: 209.23.224.11
     path mtu 1240, ipsec overhead 56, media mtu 1240
     current outbound spi: 752a7f0

     inbound esp sas:
      spi: 0x697a61ae(1769628078)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 12, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607616/2996)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x752a7f0(122857456)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 11, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607373/2996)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (172.17.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer: 209.23.225.146:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 55, #recv errors 0

     local crypto endpt.: 209.23.255.69, remote crypto endpt.: 209.23.225.146
     path mtu 1240, ipsec overhead 0, media mtu 1240
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:
0
 
naveedbCommented:
The tunnel is not established at all; you will need to debug why it is not connected.

Before we do that, can you verify the remote end settings: IP address, phase 1 settings (isakmp), phase 2 settings (transform set), lifetimes and pre-shared key? Post your findings from the other engineer so we can verify them.

0
 
th1rd3y3Author Commented:
When the other engineer pings my computer (172.17.4.100) the tunnel comes up:
cy-wmpt-hq-pix# show crypto isakmp sa
Total     : 4
Embryonic : 0
        dst               src        state     pending     created
   209.23.224.11    209.23.255.69    QM_IDLE         0           8
     68.67.28.54    209.23.255.69    QM_IDLE         0          19
   209.23.255.69   209.23.225.146    QM_IDLE         0           0
   209.23.255.69    209.23.224.12    QM_IDLE         0          19

But I'm getting this in the isakmp debug output:

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:209.23.225.146, dest:209.23.255.69 spt:500 dpt:5
00
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:209.23.225.146, dest:209.23.255.69 spt:500 dpt:5
00
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing keep alive: proposal=32767/32767 sec., actual=10/3 sec.
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Peer ip:209.23.225.146/500 Ref cnt incremented to:2 Total VPN
Peers:4
crypto_isakmp_process_block:src:209.23.225.146, dest:209.23.255.69 spt:500 dpt:5
00
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 143313508

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
ISADB: reaper checking SA 0x10537ac, conn_id = 0
ISADB: reaper checking SA 0x107bdbc, conn_id = 0
ISADB: reaper checking SA 0x10950cc, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:209.23.225.146/500 Ref cnt decremented to:1 Total VPN
Peers:4
ISADB: reaper checking SA 0x10537ac, conn_id = 0
ISADB: reaper checking SA 0x107bdbc, conn_id = 0
ISADB: reaper checking SA 0x10ad4c4, conn_id = 0
ISADB: reaper checking SA 0x1053024, conn_id = 0
0
 
naveedbCommented:
After it is connected, can you post the output from 'show crypto ipsec sa'?
0
 
th1rd3y3Author Commented:
This is what it looks like after it is established.

   local  ident (addr/mask/prot/port): (172.17.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer: 209.23.225.146:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 55, #recv errors 0

     local crypto endpt.: 209.23.255.69, remote crypto endpt.: 209.23.225.146
     path mtu 1240, ipsec overhead 0, media mtu 1240
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:
0
 
naveedbCommented:
It is not established; only phase one is. Both phase 1 (IKE) and phase two need to be completed before the tunnel is established and traffic can pass.

Again, verify your settings with the remote peer to see why phase two is not working.
0
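As an added example (not code from the thread), a Python parser for the PIX 6.3 `show crypto ipsec sa` format quoted above, which makes the same diagnosis mechanically: an entry with no inbound and outbound ESP SAs, zero encaps/decaps and only send errors never completed phase 2, even when `show crypto isakmp sa` already shows QM_IDLE for that peer. The sample output is constructed in the PIX print format from the counters and SPIs the thread shows.

```python
"""Parse PIX 6.3 'show crypto ipsec sa' output per proxy identity and say
whether phase 2 actually completed for each crypto-map entry."""
import re

# Constructed sample in the PIX print format: one working 3DES tunnel and one
# entry whose peer only completed phase 1 (no ESP SAs, only send errors).
SAMPLE = """\
   local  ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer: 68.67.28.54:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 82232, #pkts encrypt: 82232, #pkts digest 82232
    #pkts decaps: 78652, #pkts decrypt: 78946, #pkts verify 78946
    #send errors 4, #recv errors 0
     current outbound spi: 3d562ce9

     inbound esp sas:
      spi: 0x240e7f23(604929827)
        transform: esp-3des esp-md5-hmac ,

     inbound ah sas:

     outbound esp sas:
      spi: 0x3d562ce9(1029057769)
        transform: esp-3des esp-md5-hmac ,

   local  ident (addr/mask/prot/port): (172.17.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer: 209.23.225.146:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 55, #recv errors 0
     current outbound spi: 0

     inbound esp sas:

     outbound esp sas:
"""

IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident[^:]*:\s*\((\S+?)/(\S+?)/\d+/\d+\)")
PEER_RE = re.compile(r"^\s*current_peer:\s*(\S+?):(\d+)")
COUNTER_RES = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s+(\d+)"),
}
SAHDR_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9a-f]+)")


def parse_ipsec_sa(text):
    """Return one dict per 'local ident' block, with peer, counters and SPIs."""
    entries, cur, sa_dir = [], None, None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":  # a new proxy-identity block starts here
                cur = {"local": f"{m.group(2)}/{m.group(3)}", "remote": None,
                       "peer": None, "encaps": 0, "decaps": 0, "send_errors": 0,
                       "inbound_spis": [], "outbound_spis": []}
                entries.append(cur)
            elif cur is not None:
                cur["remote"] = f"{m.group(2)}/{m.group(3)}"
            sa_dir = None
            continue
        if cur is None:
            continue
        if m := PEER_RE.match(line):
            cur["peer"] = m.group(1)
            continue
        for key, rx in COUNTER_RES.items():
            if m := rx.search(line):
                cur[key] = int(m.group(1))
        if m := SAHDR_RE.match(line):
            # SPI lines only follow the ESP headers; ah/pcp sections stay empty
            sa_dir = m.group(1) if m.group(2) == "esp" else None
        elif (m := SPI_RE.match(line)) and sa_dir:
            cur[f"{sa_dir}_spis"].append(m.group(1))
    return entries


def classify(entry):
    """'established' needs a live ESP SA in each direction; anything else means
    quick mode never produced SAs for this identity pair (a phase 2 failure)."""
    if entry["inbound_spis"] and entry["outbound_spis"]:
        return "established"
    return "no-phase2"


def report(text):
    """One triage line per proxy identity."""
    return [f"{e['local']} <-> {e['remote']} via {e['peer']}: {classify(e)} "
            f"(encaps={e['encaps']}, decaps={e['decaps']}, send_errors={e['send_errors']})"
            for e in parse_ipsec_sa(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```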
 
th1rd3y3Author Commented:
Ok, I've verified settings with the remote end; she had the remote network part of the IPsec policy looking at a group of IPs and not just one. I had her narrow it down to one, 10.3.0.0, and changed my access-list to look for the same network. I'm still getting this via debug crypto isakmp when the pipe tries to come up:

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
0
 
naveedbCommented:
There is still a setting that is different on the concentrator and on the PIX. We can do detailed debugging but it will be more time consuming. We will also need her side of the logs.

After you made changes, did you clear the crypto maps? Try rebooting both the concentrator and the PIX and see if you are still getting the same messages, OR if she is aware how to reset the tunnels, have her reset them. On your end you will need to clear the crypto maps.

If it is still not working, remove all settings and start from scratch. Use the following link and have her configure her end with same settings except for Networks to be secured and peer addresses, and do the same at your end.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

0
 
Freya28Commented:
I would have to agree with removing the tunnel and starting from scratch. The config should only take 5 minutes tops. You can write everything out in a text file so you can remove the current tunnel and build the new one with a quick cut and paste. If you need the PIX-side config let me know and I will put it in my next response.
0
 
th1rd3y3Author Commented:
Well we got everything working. After checking and double checking setups, it turned out that there was a wrong subnet mask on her end.
0
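As an added example (not from the thread), a Python check for the failure that closed this question: IKE quick mode on the PIX compares the proxy identities of the concentrator's proposal with its own crypto ACL, so a subnet mask error on either end produces the "IPSec policy invalidated proposal" rejection seen above even though the encryption attributes are acceptable. The PIX ACL line is taken from the thread's narrowed configuration with an assumed /16 for 10.3.0.0 (the thread gives no mask); the concentrator entries are constructed, one with a wrong mask and one corrected.

```python
"""Check that the phase 2 proxy identities on the PIX crypto ACL and on the
remote VPN 3000 concentrator are exact mirror images, and flag the subnet
mask errors that make quick mode reject an otherwise matching proposal."""
from ipaddress import ip_network


def to_network(spec):
    """Parse 'addr/mask' (dotted mask or prefix length). Returns (network, warning);
    the warning is set when host bits are set, i.e. the mask does not fit the
    address, which is the classic symptom of a mistyped mask."""
    try:
        return ip_network(spec, strict=True), None
    except ValueError:
        net = ip_network(spec, strict=False)
        return net, f"{spec} has host bits set and really means {net}; suspect a wrong mask"


def parse_pix_crypto_acl(line):
    """Parse 'access-list NAME permit ip LOCAL MASK REMOTE MASK' (PIX 6.3 form)."""
    parts = line.split()
    if len(parts) != 8 or parts[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported crypto ACL entry: {line}")
    local, warn_l = to_network(f"{parts[4]}/{parts[5]}")
    remote, warn_r = to_network(f"{parts[6]}/{parts[7]}")
    warnings = [f"PIX ACL: {w}" for w in (warn_l, warn_r) if w]
    return local, remote, warnings


def compare(label, pix_net, conc_net):
    """None when identical; otherwise a description. Overlapping-but-different
    networks almost always mean one side has the wrong mask."""
    if pix_net == conc_net:
        return None
    if pix_net.overlaps(conc_net):
        return (f"{label}: PIX {pix_net} vs concentrator {conc_net} overlap but "
                f"differ (check the subnet mask on both ends)")
    return f"{label}: PIX {pix_net} vs concentrator {conc_net} do not overlap at all"


def check_mirror(pix_acl_line, conc_local, conc_remote):
    """conc_local is the network behind the concentrator, conc_remote the network
    it expects behind the PIX. Returns a list of problems; an empty list means
    both ends describe the same traffic, so the phase 2 identities will match."""
    pix_local, pix_remote, problems = parse_pix_crypto_acl(pix_acl_line)
    pairs = (("PIX-side network", pix_local, conc_remote),
             ("concentrator-side network", pix_remote, conc_local))
    for label, pix_net, spec in pairs:
        conc_net, warn = to_network(spec)
        if warn:
            problems.append(f"{label}: concentrator {warn}")
        if (p := compare(label, pix_net, conc_net)):
            problems.append(p)
    return problems


# PIX ACL after the thread narrowed the remote side to 10.3.0.0 (the /16 mask
# is an assumption; the thread does not state it)
PIX_ACL = "access-list outside_cryptomap_42 permit ip 172.17.4.0 255.255.255.0 10.3.0.0 255.255.0.0"
# Constructed concentrator entries (its local network, then the network it
# expects behind the PIX): one with a wrong mask on the PIX-side network, one fixed
CONC_WRONG_MASK = ("10.3.0.0/255.255.0.0", "172.17.4.0/255.255.0.0")
CONC_FIXED = ("10.3.0.0/255.255.0.0", "172.17.4.0/255.255.255.0")

if __name__ == "__main__":
    for name, conc in (("wrong mask", CONC_WRONG_MASK), ("fixed", CONC_FIXED)):
        print(name, "->", check_mirror(PIX_ACL, *conc) or "identities mirror")
```

The same check reports the thread's earlier state (PIX 10.0.0.0/8 against a concentrator that only knows 10.3.0.0/16) as overlapping but different, which is why narrowing the ACL alone was not enough.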
 
Freya28Commented:
Nice. It happens to all of us. Glad to hear it has been solved.
0