• Status: Solved
  • Priority: Medium
  • Security: Public
One VPN link works, one doesn't, and I can't see why; I have looked at it for a LONG time. Cisco 1811 to 5510 isn't working, VPN from 1811 to 505 isn't working

I have a VPN configuration problem: the VPN to 11.11.11.11 is working, but the VPN to 22.22.22.22 is NOT working. I cannot see why. Maybe I've looked at it too long:
- - - - - -

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Sec001! address 11.11.11.11 no-xauth
crypto isakmp key Sec002# address 22.22.22.22
!
crypto ipsec transform-set tunnel esp-aes esp-sha-hmac
crypto ipsec transform-set california esp-3des esp-sha-hmac
!
crypto map AKM_CMAP_1 1 ipsec-isakmp
 description Tunnel to11.11.11.11
 set peer 11.11.11.11
 set transform-set tunnel
 match address 104
crypto map AKM_CMAP_1 2 ipsec-isakmp
 description Tunnel to22.22.22.22
 set peer 22.22.22.22
 set transform-set california
 match address 105
crypto map AKM_CMAP_1 65535 ipsec-isakmp dynamic AKM_DYNMAP_1
!
!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 33.33.33.33 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect AKM_MEDIUM out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map AKM_CMAP_1
 service-policy input arkmapfwp2p_AKM_MEDIUM
 service-policy output arkmapfwp2p_AKM_MEDIUM
!
interface FastEthernet1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map AKM_RMAP_1 interface FastEthernet0 overload
!
no cdp run
!
route-map AKM_RMAP_1 permit 1
 match ip address 103
!
control-plane
!
- - - - - - - - -

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(6)T6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 08-Dec-06 13:16 by kellythw

ROM: System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
lrmoore Commented:
You need to post the rest of the config file, especially all your ACLs.
ldorazio (Author) Commented:
Here's the WHOLE thing. I tried to make sure to take out the "real" private information; I think I got it all without messing it up too much:

The "keys" and "passwords" and IPs are all modified to fake ones.
- - - - - - - -
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname mainfw
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 $18e3$C77xxx043234wehyyccdFg3.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ark_link_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ark_link_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool internal
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 11.XX.156.1 11.XX.157.1
   domain-name compdomain.com
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name compdomain.com
ip name-server 11.XX.156.1
ip name-server 11.XX.157.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name ARK_MEDIUM appfw ARK_MEDIUM
ip inspect name ARK_MEDIUM cuseeme
ip inspect name ARK_MEDIUM dns
ip inspect name ARK_MEDIUM ftp
ip inspect name ARK_MEDIUM h323
ip inspect name ARK_MEDIUM https
ip inspect name ARK_MEDIUM icmp
ip inspect name ARK_MEDIUM imap reset
ip inspect name ARK_MEDIUM pop3 reset
ip inspect name ARK_MEDIUM netshow
ip inspect name ARK_MEDIUM rcmd
ip inspect name ARK_MEDIUM realaudio
ip inspect name ARK_MEDIUM rtsp
ip inspect name ARK_MEDIUM esmtp
ip inspect name ARK_MEDIUM sqlnet
ip inspect name ARK_MEDIUM streamworks
ip inspect name ARK_MEDIUM tftp
ip inspect name ARK_MEDIUM tcp
ip inspect name ARK_MEDIUM udp
ip inspect name ARK_MEDIUM vdolive
ip inspect name ARK_MEDIUM gdoi
ip inspect name ARK_MEDIUM isakmp
ip inspect name ARK_MEDIUM ipsec-msft
ip inspect name ARK_MEDIUM ssp
!
appfw policy-name ARK_MEDIUM
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse isplinking action allow alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name messenger.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-3859220574
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3859220574
 revocation-check none
 rsakeypair TP-self-signed-3859220574
!
!
crypto pki certificate chain TP-self-signed-3859220574
 certificate self-signed 01
  23232246 35435556F A2346600 03457778 300D34534 2347775A6 F97644D 056765740
  EDITED OUT ALL THE CERTIFICATE DETAILS......
  833838386 324534 054334F2 FA3453453F AE2345345 234534513 8347779 18657651C
  E54765465 6546547 45654666
  quit
username AKMaster privilege 15 secret 5 $1$J8TT$dtMl6fiuAFv66w4FN6e4v/
!
!
class-map match-any ARK_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any ARK_p2p_edonkey
 match protocol edonkey
class-map match-any ARK_p2p_gnutella
 match protocol gnutella
class-map match-any ARK_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map arkmaafwp2p_ARK_MEDIUM
 class ARK_p2p_gnutella
 class ARK_p2p_bittorrent
 class ARK_p2p_edonkey
 class ARK_p2p_kazaa
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PASS11! address 22.222.212.156 no-xauth
crypto isakmp key PASS22# address 11.11.XXX.20
!
crypto isakmp client configuration group Ops
 key KEYKEYKEYkey
 pool ARKgroup11
 acl 102
 split-dns compdomain.com
 netmask 255.255.255.0
!
!
crypto ipsec transform-set vpnintoc esp-aes esp-sha-hmac
crypto ipsec transform-set isplink esp-aes esp-sha-hmac
crypto ipsec transform-set california esp-3des esp-sha-hmac
!
crypto dynamic-map ARKdynam11 1
 set security-association idle-time 86400
 set transform-set vpnintoc
 reverse-route
 qos pre-classify
!
!
crypto map ARKcomap11 client authentication list ark_link_xauth_ml_1
crypto map ARKcomap11 isakmp authorization list ark_link_group_ml_1
crypto map ARKcomap11 client configuration address respond
crypto map ARKcomap11 1 ipsec-isakmp
 description isplink to22.222.212.156
 set peer 22.222.212.156
 set transform-set isplink
 match address 104
crypto map ARKcomap11 2 ipsec-isakmp
 description isplink to11.11.XXX.20
 set peer 11.11.XXX.20
 set transform-set california
 match address 105
crypto map ARKcomap11 65535 ipsec-isakmp dynamic ARKdynam11
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 22.222.9.249 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect ARK_MEDIUM out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map ARKcomap11
 service-policy input arkmaafwp2p_ARK_MEDIUM
 service-policy output arkmaafwp2p_ARK_MEDIUM
!
interface FastEthernet1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
!
ip local pool ARKgroup11 192.168.2.8 192.168.2.31
ip route 0.0.0.0 0.0.0.0 22.222.9.254
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map ARK_RMAP_1 interface FastEthernet0 overload
!
logging trap errors
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark ARK_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark ARK_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark ARK_ACL Category=1
access-list 100 deny   ip 22.222.9.248 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark ARK_ACL Category=1
access-list 101 permit ip 172.20.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 172.20.67.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.20.66.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 11.11.XXX.20 host 22.222.9.249 eq non500-isakmp
access-list 101 permit udp host 11.11.XXX.20 host 22.222.9.249 eq isakmp
access-list 101 permit esp host 11.11.XXX.20 host 22.222.9.249
access-list 101 permit ahp host 11.11.XXX.20 host 22.222.9.249
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 22.222.212.156 host 22.222.9.249 eq non500-isakmp
access-list 101 permit udp host 22.222.212.156 host 22.222.9.249 eq isakmp
access-list 101 permit esp host 22.222.212.156 host 22.222.9.249
access-list 101 permit ahp host 22.222.212.156 host 22.222.9.249
access-list 101 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.11 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.12 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.13 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.14 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.15 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.16 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.17 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.18 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.19 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.20 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.21 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.22 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.23 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.24 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.25 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.26 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.27 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.28 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.29 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.30 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.31 192.168.1.0 0.0.0.255
access-list 101 permit udp any host 22.222.9.249 eq non500-isakmp
access-list 101 permit udp any host 22.222.9.249 eq isakmp
access-list 101 permit esp any host 22.222.9.249
access-list 101 permit ahp any host 22.222.9.249
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 22.222.9.249 echo-reply
access-list 101 permit icmp any host 22.222.9.249 time-exceeded
access-list 101 permit icmp any host 22.222.9.249 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 22.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 101 remark IPSec Rule
access-list 102 remark ARK_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark ARK_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.1.0 0.0.0.255 172.20.66.0 0.0.0.255
access-list 103 deny   ip 192.168.1.0 0.0.0.255 172.20.67.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.1.0 0.0.0.255 172.20.66.0 0.0.1.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.9
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.11
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.12
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.13
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.14
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.15
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.16
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.17
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.18
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.19
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.20
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.21
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.22
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.23
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.24
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.25
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.26
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.27
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.28
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.29
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.30
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.31
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 remark ARK_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 172.20.67.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 172.20.66.0 0.0.0.255
access-list 105 remark IPSec Rule
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map ARK_RMAP_1 permit 1
 match ip address 103
!
!
!
!
control-plane
!
banner login ^CThis is for authorized access
 If you are not an authorized user, leave!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp peer 11.222.95.91
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

lrmoore Commented:
>crypto isakmp key PASS11! address 22.222.212.156 no-xauth
>crypto isakmp key PASS22# address 11.11.XXX.20
If one is working and the other is not, make sure they are both the same, with or without the no-xauth.

Can you post the result of "show cry is sa" and "show cry ip sa"?
Otherwise, we might need to see the config on the other endpoint that is not working. It could be a problem on that end and not yours.

ldorazio (Author) Commented:
crypto isakmp key PASS11! address 22.222.212.156 no-xauth
crypto isakmp key PASS22# address 11.11.XXX.20 no-xauth

fw1#sho cry is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
33.33.13.249    33.176.78.52    QM_IDLE           2266    0 ACTIVE
22.222.212.156  33.33.13.249    QM_IDLE           2264    0 ACTIVE

IPv6 Crypto ISAKMP SA


fw1#sho cry map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
       Description: Tunnel to22.222.212.156
       Peer = 22.222.212.156
       Extended IP access list 104
           access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
       Current peer: 22.222.212.156
       Security association lifetime: 4608000 kilobytes/3600 seconds
       PFS (Y/N): N
       Transform sets={
               tunnel,
       }

Crypto Map "SDM_CMAP_1" 2 ipsec-isakmp
       Description: Tunnel to11.11.XXX.20
       Peer = 11.11.XXX.20
       Extended IP access list 105
           access-list 105 permit ip 192.168.1.0 0.0.0.255 44.144.67.0 0.0.0.255
           access-list 105 permit ip 192.168.1.0 0.0.0.255 44.144.66.0 0.0.0.255
       Current peer: 11.11.XXX.20
       Security association lifetime: 4608000 kilobytes/3600 seconds
       PFS (Y/N): N
       Transform sets={
               canada,
       }

Crypto Map "SDM_CMAP_1" 65535 ipsec-isakmp
       Dynamic map template tag: SDM_DYNMAP_1

Crypto Map "SDM_CMAP_1" 65536 ipsec-isakmp
       Peer = 33.176.78.52
       Extended IP access list
           access-list  permit ip any host 192.168.2.11
           dynamic (created from dynamic map SDM_DYNMAP_1/1)
       Current peer: 33.176.78.52
       Security association lifetime: 4608000 kilobytes/3600 seconds
       Security association idletime: 86400 seconds
       PFS (Y/N): N
       Transform sets={
               vpnclient,
       }
       QOS pre-classification
       Reverse Route Injection Enabled
       Interfaces using crypto map SDM_CMAP_1:
               FastEthernet0


Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 22.222.212.156 port 500
 IKE SA: local 33.33.13.249/500 remote 22.222.212.156/500 Active
 IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.100.0/255.255.255.0
       Active SAs: 2, origin: crypto map

Interface: FastEthernet0
Session status: DOWN
Peer: 11.11.XXX.20 port 500
 IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 44.144.66.0/255.255.255.0
       Active SAs: 0, origin: crypto map
 IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 44.144.67.0/255.255.255.0
       Active SAs: 0, origin: crypto map

Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 33.176.78.52 port 4500
 IKE SA: local 33.33.13.249/4500 remote 33.176.78.52/4500 Active
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.2.11
       Active SAs: 2, origin: dynamic crypto map

fw1#sho cry ip sa

interface: FastEthernet0
   Crypto map tag: SDM_CMAP_1, local addr 33.33.13.249

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
  current_peer 22.222.212.156 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 679485, #pkts encrypt: 679485, #pkts digest: 679485
   #pkts decaps: 629726, #pkts decrypt: 629726, #pkts verify: 629726
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 19, #recv errors 0

    local crypto endpt.: 33.33.13.249, remote crypto endpt.: 22.222.212.156
    path mtu 1500, ip mtu 1500
    current outbound spi: 0xA6FBA0CC(2801508556)

    inbound esp sas:
     spi: 0x290F6EF0(688877296)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel, }
       conn id: 95, flow_id: Motorola SEC 2.0:95, crypto map: SDM_CMAP_1
       sa timing: remaining key lifetime (k/sec): (4428465/2173)
       IV size: 16 bytes
       replay detection support: Y
       Status: ACTIVE

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
     spi: 0xA6FBA0CC(2801508556)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel, }
       conn id: 96, flow_id: Motorola SEC 2.0:96, crypto map: SDM_CMAP_1
       sa timing: remaining key lifetime (k/sec): (4428486/2170)
       IV size: 16 bytes
       replay detection support: Y
       Status: ACTIVE

    outbound ah sas:

    outbound pcp sas:

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (44.144.66.0/255.255.255.0/0/0)
  current_peer 11.11.XXX.20 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 1222, #recv errors 0

    local crypto endpt.: 33.33.13.249, remote crypto endpt.: 11.11.XXX.20
    path mtu 1500, ip mtu 1500
    current outbound spi: 0x0(0)

    inbound esp sas:

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:

    outbound ah sas:

    outbound pcp sas:

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (44.144.67.0/255.255.255.0/0/0)
  current_peer 11.11.XXX.20 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

    local crypto endpt.: 33.33.13.249, remote crypto endpt.: 11.11.XXX.20
    path mtu 1500, ip mtu 1500
    current outbound spi: 0x0(0)

    inbound esp sas:

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:

    outbound ah sas:

    outbound pcp sas:

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.2.11/255.255.255.255/0/0)
  current_peer 33.176.78.52 port 4500
    PERMIT, flags={}
   #pkts encaps: 708, #pkts encrypt: 708, #pkts digest: 708
   #pkts decaps: 833, #pkts decrypt: 833, #pkts verify: 833
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

    local crypto endpt.: 33.33.13.249, remote crypto endpt.: 33.176.78.52
    path mtu 1500, ip mtu 1500
    current outbound spi: 0x587E9343(1484690243)

    inbound esp sas:
     spi: 0xE69B371F(3868931871)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel UDP-Encaps, }
       conn id: 97, flow_id: Motorola SEC 2.0:97, crypto map: SDM_CMAP_1
       sa timing: remaining key lifetime (k/sec): (4394412/3064)
       IV size: 16 bytes
       replay detection support: Y
       Status: ACTIVE

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
     spi: 0x587E9343(1484690243)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel UDP-Encaps, }
       conn id: 98, flow_id: Motorola SEC 2.0:98, crypto map: SDM_CMAP_1
       sa timing: remaining key lifetime (k/sec): (4394417/3064)
       IV size: 16 bytes
       replay detection support: Y
       Status: ACTIVE

    outbound ah sas:

    outbound pcp sas:
fw1#
lrmoore Commented:
>access-list 105 permit ip 192.168.1.0 0.0.0.255 172.20.67.0 0.0.0.255
>access-list 105 permit ip 192.168.1.0 0.0.0.255 172.20.66.0 0.0.0.255

These don't match at all what your crypto map is seeing, unless you substituted numbers just to confuse us:

Crypto Map "SDM_CMAP_1" 2 ipsec-isakmp
       Description: Tunnel to11.11.XXX.20
       Peer = 11.11.XXX.20
       Extended IP access list 105
           access-list 105 permit ip 192.168.1.0 0.0.0.255 44.144.67.0 0.0.0.255 <=???
           access-list 105 permit ip 192.168.1.0 0.0.0.255 44.144.66.0 0.0.0.255 <=???

>#send errors 1222,

I don't see QM_IDLE for remote 11.11.x.x.
This indicates that phase 1 is not completing.
I'd have to see the config for the other end to see if everything matches.
Check the policy, transform set and preshared key. Make sure everything matches on both ends.

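As an added example (not code from the thread, from Cisco, or from lrmoore), the two checks lrmoore applies above written as a small Python triage script: it reads the sanitized config and "show crypto isakmp sa" output quoted in this thread, flags static peers whose key lines disagree on no-xauth, and flags any crypto-map peer with no QM_IDLE SA. The sample inputs are constructed from the thread's own values; the pre-shared keys are placeholders.

```python
import re

# Constructed sample input: sanitized lines from this thread, pre-shared keys
# replaced by placeholders. Peer 11.11.XXX.20 is kept exactly as redacted in
# the thread; the parser only needs a whitespace-free token per address.
CONFIG = """\
crypto isakmp key FAKE-PSK-1 address 22.222.212.156 no-xauth
crypto isakmp key FAKE-PSK-2 address 11.11.XXX.20
crypto map ARKcomap11 1 ipsec-isakmp
 set peer 22.222.212.156
 match address 104
crypto map ARKcomap11 2 ipsec-isakmp
 set peer 11.11.XXX.20
 match address 105
crypto map ARKcomap11 65535 ipsec-isakmp dynamic ARKdynam11
"""

# Constructed "show crypto isakmp sa" output, as posted in the thread
SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
33.33.13.249    33.176.78.52    QM_IDLE           2266    0 ACTIVE
22.222.212.156  33.33.13.249    QM_IDLE           2264    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""
LOCAL_ADDR = "33.33.13.249"  # this router's own crypto endpoint


def parse_isakmp_keys(config):
    """Map each static peer address to whether its key line carries no-xauth."""
    keys = {}
    for m in re.finditer(r"^crypto isakmp key \S+ address (\S+)(.*)$", config, re.M):
        keys[m.group(1)] = "no-xauth" in m.group(2)
    return keys


def parse_crypto_map(config):
    """Return the static (non-dynamic) crypto map entries as seq/peer/acl dicts."""
    entries, current = [], None
    for line in config.splitlines():
        head = re.match(r"^crypto map \S+ (\d+) ipsec-isakmp( dynamic \S+)?$", line)
        if head:
            current = None if head.group(2) else {"seq": int(head.group(1)), "peer": None, "acl": None}
            if current is not None:
                entries.append(current)
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the stanza
        elif current is not None:
            m = re.match(r"^\s+(set peer|match address) (\S+)$", line)
            if m:
                current["peer" if m.group(1) == "set peer" else "acl"] = m.group(2)
    return entries


def phase1_peers(show_output, local_addr):
    """Peers holding an ISAKMP SA in QM_IDLE, i.e. peers whose phase 1 completed."""
    peers = set()
    for line in show_output.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\S+)\s+\d+", line)
        if m and m.group(3) == "QM_IDLE":
            peers.update({m.group(1), m.group(2)} - {local_addr})
    return peers


def triage(config, show_output, local_addr):
    """One finding per problem lrmoore's two checks would raise on this router."""
    keys, static = parse_isakmp_keys(config), parse_crypto_map(config)
    up, findings = phase1_peers(show_output, local_addr), []
    # Check 1: every static peer's key line must agree on no-xauth
    if len({keys[e["peer"]] for e in static if e["peer"] in keys}) > 1:
        findings.append("isakmp keys inconsistent: some peers have no-xauth, some do not")
    for e in static:
        peer = e["peer"]
        if peer not in keys:
            findings.append(f"seq {e['seq']}: no crypto isakmp key configured for peer {peer}")
        # Check 2: a peer with no QM_IDLE SA never finished phase 1
        if peer not in up:
            findings.append(f"seq {e['seq']}: peer {peer} has no QM_IDLE ISAKMP SA (phase 1 not completing)")
    return findings
```

Run against the thread's values it reports the no-xauth mismatch and the missing phase 1 SA for 11.11.XXX.20; adding no-xauth to the second key line clears the first finding but not the second, which only the far end can fix.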
ldorazio (Author) Commented:
"both the same, with or without the no-xauth" helped a LOT. There were several things: the remote end wasn't what it was "supposed" to be and what I was told it was, and I didn't have access to it, but the no-xauth had one major thing to do with getting it working.
lrmoore Commented:
Glad you got it sorted! Thanks for the update.