
Pix V7.1 to Pix V6.3 Point to Point VPN tunnel not working, %PIX-4-713903: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, Can't find a valid tunnel group, aborting...!

Ok all:  Here is the setup, any help would be appreciated ......

Local (master) pix is a 515e with V7.1(1)
Remote pix is a 501 with 6.3(5)

Trying to set up a point to point VPN between the two; tried the wizard on each with no luck, and then by hand.  It is boiling down to one issue that I am seeing on the master end.

%PIX-4-713903: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, Can't find a valid tunnel group, aborting...!

From what I can tell, the master cannot find a "valid" tunnel group when the remote is asking for the tunnel.  The config with the Wizard seemed to take the default tunnel group store299.  The only real new thing that I see in the V7.1 config is the ipsec-l2l on the tunnel-group.  The other option is ipsec-ra and I am wondering if this is the issue.  The command reference is not much help here.

So, any help / hints would be appreciated.  Different encodings have been tried.

---------------------------------------------

Here are the good bits from the master config

access-list 0-Fibernet-Internet_cryptomap_60 extended permit ip 172.17.32.0 255.255.224.0 Store299 255.255.255.192

crypto dynamic-map 0-Fibernet-Internet_dyn_map 60 match address 0-Fibernet-Internet_cryptomap_dyn_60
crypto dynamic-map 0-Fibernet-Internet_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map 0-Fibernet-Internet_map 60 match address 0-Fibernet-Internet_cryptomap_60
crypto map 0-Fibernet-Internet_map 60 set peer REMOTEPIXOUTSIDE
crypto map 0-Fibernet-Internet_map 60 set transform-set ESP-3DES-MD5

isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400

tunnel-group Store299 type ipsec-l2l
tunnel-group Store299 ipsec-attributes
 pre-shared-key *

crypto map outside_map 60 set security-association lifetime seconds 3600 kilobytes 4608000


-----------------
Here are the good bits from the remote config


access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.192 172.16.0.0 255.254.0.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map map2 5 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer MASTERPIXOUTSIDE
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address MASTERPIXOUTSIDE netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

-------------------------------------

here is the debug log from the master

%PIX-7-713236: IP = REMOTEPIXOUTSIDE, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing SA payload
%PIX-7-713906: IP = REMOTEPIXOUTSIDE, Oakley proposal is acceptable
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing VID payload
%PIX-7-715049: IP = REMOTEPIXOUTSIDE, Received NAT-Traversal ver 03 VID
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing VID payload
%PIX-7-715049: IP = REMOTEPIXOUTSIDE, Received NAT-Traversal ver 02 VID
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing IKE SA payload
%PIX-7-715028: IP = REMOTEPIXOUTSIDE, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
%PIX-7-715046: IP = REMOTEPIXOUTSIDE, constructing ISAKMP SA payload
%PIX-7-715046: IP = REMOTEPIXOUTSIDE, constructing Fragmentation VID + extended capabilities payload
%PIX-7-713236: IP = REMOTEPIXOUTSIDE, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%PIX-7-713236: IP = REMOTEPIXOUTSIDE, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing ke payload
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing ISA_KE payload
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing nonce payload
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing VID payload
%PIX-7-715049: IP = REMOTEPIXOUTSIDE, Received xauth V6 VID
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing VID payload
%PIX-7-715049: IP = REMOTEPIXOUTSIDE, Received DPD VID
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing VID payload
%PIX-7-715049: IP = REMOTEPIXOUTSIDE, Received Cisco Unity client VID
%PIX-7-715047: IP = REMOTEPIXOUTSIDE, processing VID payload
%PIX-7-715038: IP = REMOTEPIXOUTSIDE, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 000000a5)
%PIX-7-715046: IP = REMOTEPIXOUTSIDE, constructing ke payload
%PIX-7-715046: IP = REMOTEPIXOUTSIDE, constructing nonce payload
%PIX-7-715046: IP = REMOTEPIXOUTSIDE, constructing Cisco Unity VID payload
%PIX-7-715046: IP = REMOTEPIXOUTSIDE, constructing xauth V6 VID payload
%PIX-7-715048: IP = REMOTEPIXOUTSIDE, Send IOS VID
%PIX-7-715038: IP = REMOTEPIXOUTSIDE, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%PIX-7-715046: IP = REMOTEPIXOUTSIDE, constructing VID payload
%PIX-7-715048: IP = REMOTEPIXOUTSIDE, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%PIX-4-713903: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, Can't find a valid tunnel group, aborting...!
%PIX-7-715065: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, IKE MM Responder FSM error history (struct &0x2935930)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY-->MM_BLD_MSG4, EV_DH_KEY_OK
%PIX-7-713906: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, IKE SA MM:fbe96369 terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
%PIX-7-713906: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, sending delete/delete with reason message
%PIX-3-713902: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, Error: Unable to remove PeerTblEntry
Apr 24 12:35:05 [IKEv1]: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, Can't find a valid tunnel group, aborting...!
Apr 24 12:35:05 [IKEv1]: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, Removing peer from peer table failed, no match!
Apr 24 12:35:05 [IKEv1]: Group = REMOTEPIXOUTSIDE, IP = REMOTEPIXOUTSIDE, Error: Unable to remove PeerTblEntry
%PIX-4-713903: IP = REMOTEPIXOUTSIDE, Header invalid, missing SA payload! (next payload = 4)
%PIX-7-713236: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

-----------------------------------------

Here is the debug output from the remote.

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:MASTERPIXOUTSIDE, dest:REMOTEPIXOUTSIDE spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:MASTERPIXOUTSIDE, dest:REMOTEPIXOUTSIDE spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= REMOTEPIXOUTSIDE, remote= MASTERPIXOUTSIDE,
    local_proxy= 192.168.100.0/255.255.255.192/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.254.0.0/0/0 (type=4)

ISAKMP (0): deleting SA: src REMOTEPIXOUTSIDE, dst MASTERPIXOUTSIDE
ISADB: reaper checking SA 0xaf6fdc, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for MASTERPIXOUTSIDE/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= REMOTEPIXOUTSIDE, remote= MASTERPIXOUTSIDE,
    local_proxy= 192.168.100.0/255.255.255.192/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.254.0.0/0/0 (type=4)
1 Solution
 
stressedout2004 commented:
On PIX 7.x, the tunnel group name plays an important factor in IPSEC negotiation. When using preshared keys for a LAN to LAN tunnel, the tunnel group name should refer to the peer's IP address, otherwise it would fail.

Here's a sample config.

crypto map mymap 10 match address 101
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set myset

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

As you can see, the set peer address and the tunnel group name are the same.
So in your case, the tunnel group name should be REMOTEPIXOUTSIDE instead of Store299.
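As an added example (not code from this thread or from Cisco), here is a small Python check that applies the rule above to a PIX 7.x configuration: every peer named on a static crypto map "set peer" line must have an ipsec-l2l tunnel-group of exactly the same name. The sample input is the master config from the question, with its REMOTEPIXOUTSIDE placeholder kept as it appears there.

```python
import re

# Constructed sample: the relevant master (PIX 7.1) lines from the question,
# with the REMOTEPIXOUTSIDE placeholder kept exactly as it appears there.
BROKEN_CONFIG = """\
crypto map 0-Fibernet-Internet_map 60 match address 0-Fibernet-Internet_cryptomap_60
crypto map 0-Fibernet-Internet_map 60 set peer REMOTEPIXOUTSIDE
crypto map 0-Fibernet-Internet_map 60 set transform-set ESP-3DES-MD5
tunnel-group Store299 type ipsec-l2l
tunnel-group Store299 ipsec-attributes
 pre-shared-key *
"""

# The same config after applying the fix from the accepted answer.
FIXED_CONFIG = BROKEN_CONFIG.replace("tunnel-group Store299",
                                     "tunnel-group REMOTEPIXOUTSIDE")

# Static crypto map entries name their peer(s); dynamic maps do not and are skipped.
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+?)\s*$", re.M)
L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l\s*$", re.M)


def check_l2l_tunnel_groups(config):
    """Return (mismatches, orphans).

    mismatches: (map name, sequence, peer) for every static crypto map peer
                that has no ipsec-l2l tunnel-group named after it; on PIX 7.x
                with pre-shared keys this is what produces %PIX-4-713903
                "Can't find a valid tunnel group".
    orphans:    ipsec-l2l tunnel-groups whose name is not any configured peer,
                i.e. the group that was probably meant for that peer.
    """
    l2l_groups = set(L2L_RE.findall(config))
    peers_used = set()
    mismatches = []
    for map_name, seq, peer_field in PEER_RE.findall(config):
        # 7.x allows several peers on one line (primary plus backups).
        for peer in peer_field.split():
            peers_used.add(peer)
            if peer not in l2l_groups:
                mismatches.append((map_name, int(seq), peer))
    return mismatches, sorted(l2l_groups - peers_used)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        mismatches, orphans = check_l2l_tunnel_groups(cfg)
        print(label, "mismatches:", mismatches, "orphans:", orphans)
```

Run it against a "show running-config" capture; a non-empty mismatch list for a pre-shared-key L2L peer is the condition behind the 713903 message in the question.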
 
ort11 (Author) commented:
Thanks, I will give it a try, but this is what the VPN Wizard came up with (mainly).  I think I see how it did it too.  When you type in the IP address of the remote pix the wizard automatically fills in the remote tunnel name.  I overtyped it with something that I thought would make more sense, the name of the remote pix.  Funny.


 
ort11 (Author) commented:
Ok, works great now.  Either there was a name collision and/or the IP address needs to be in the tunnel name for point to point.  Thanks
 
stressedout2004 commented:
The tunnel name needs to correspond to the IP address when using a preshared key. That's for sure.