Solved

3 site VPN  PIX-->PIX<--PIX

Posted on 2007-11-13
Last Modified: 2013-11-16
I'm desperate for help on this one: every time I do a PIX VPN it seems to yield different results, even though I use the VPN wizard and follow the same principle every time.

I have 3 sites:

nick name / peer IP / network address
carcity / aaaa / 172.17.1.0
scooter / bbbb / 192.168.11.0
airport / cccc / 172.31.1.0

The 'carcity' site is the central site; the other two sites only need to communicate with it, not with each other. I did exactly the same procedure on all PIXes using the VPN wizard. carcity and airport are apparently connected according to the active tunnels in PDM, although I can't ping from inside host to inside host.

All three have static IPs, with c.c.c.c and b.b.b.b assigned by DHCP from the modem. All three PIX outside interfaces have public IPs also, not behind NAT.

Here are the three configs. If it is easier to scrub the VPN parts from the configs and someone comes up with the CLI to put in, then fine.

scooter

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1235ksc4oEdlq8dF encrypted
passwd 1235ksc4oEdlq8dF encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.1.0 car_city
access-list inside_outbound_nat0_acl permit ip 192.168.11.0 255.255.255.0 car_city 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.11.0 255.255.255.0 car_city 255.255.255.0
access-list acl100 permit tcp any host b.b.b.b eq telnet
access-list acl100 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 0.0.0.0 inside
pdm location car_city 255.255.255.0 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl100 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer a.a.a.a
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address a.a.a.a netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.11.2-192.168.11.32 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:8e1d1a68ba2daebb7d8aad6cf63587a4
: end

Carcity

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OLEBGgbA08XeMd5D encrypted
passwd OLEBGgbA08XeMd5D encrypted
hostname xxxxx
domain-name xxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.31.1.0 airport
access-list 101 permit tcp any host a.a.a.a eq ftp-data
access-list 101 permit tcp any host a.a.a.a eq ftp
access-list 101 permit tcp any host a.a.a.a eq 10000
access-list 101 permit tcp any host a.a.a.a eq 747
access-list 101 permit tcp any host a.a.a.a eq 5900
access-list 101 permit udp any host a.a.a.a eq 10000
access-list 101 permit udp any host a.a.a.a eq 747
access-list 101 permit udp any host a.a.a.a eq 5900
access-list 101 permit icmp any any
access-list 101 permit tcp any host a.a.a.a eq telnet
access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 airport 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.17.1.0 255.255.255.0 airport 255.255.255.0
access-list outside_cryptomap_30 permit ip 172.17.1.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.a.a.a 255.255.255.252
ip address inside 172.17.1.152 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.17.1.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 747 172.17.1.30 747 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10000 172.17.1.30 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 172.17.1.30 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 172.17.1.30 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 172.17.1.30 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 747 172.17.1.30 747 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 10000 172.17.1.30 10000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5900 172.17.1.30 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 172.17.1.30 telnet netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ISPGATEWAYIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
http server enable
http 172.17.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set mytranset esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer c.c.c.c
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer b.b.b.b
crypto map outside_map 30 set transform-set mytranset
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address c.c.c.c netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address b.b.b.b netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 172.17.1.0 255.255.255.0 inside
telnet b.b.b.b 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.17.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn username test password *********
vpdn enable outside
terminal width 80
Cryptochecksum:84fa0676d311e8bc6d7f97b99411f664
: end
[OK]



airport


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OLEBGgbA08XeMd5D encrypted
passwd OLEBGgbA08XeMd5D encrypted
hostname xxxxx
domain-name xxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.1.0 carcity
access-list 109 permit icmp any any
access-list 109 permit tcp any interface outside eq 9100
access-list 109 permit tcp any interface outside eq https
access-list inside_outbound_nat0_acl permit ip 172.31.1.0 255.255.255.0 carcity 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.31.1.0 255.255.255.0 carcity 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.31.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.31.1.14 255.255.255.255 inside
pdm location 172.31.1.61 255.255.255.255 inside
pdm location carcity 255.255.255.0 outside
pdm location 172.31.1.26 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 9100 172.31.1.61 9100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.31.1.26 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.31.1.26 https netmask 255.255.255.255 0 0
access-group 109 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
http server enable
http 172.31.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer a.a.a.a
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address a.a.a.a netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 172.31.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.31.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 172.31.1.2-172.31.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:c53bc1c83963a4e99da81a577f0ebce7
: end
[OK]



Again, I can wipe these and start from scratch if required, if someone can give me the CLI to put in on the three configs.

thanks in advance




Question by:ma77smith
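Added example (not part of the question or any answer): a small Python checker that cross-reads the three configs above and reports where a hub/spoke pair disagree on the parts an IPsec tunnel actually negotiates: the crypto map peer, the crypto ACL (which must be an exact mirror of the far end's), the transform-set, the presence of an isakmp key for that peer, and at least one matching isakmp policy. It also lists DES, MD5 and DH groups 1/2 as weak, which they are by today's standards even though all three posted configs use them. The Site records, the public_ip field and the config excerpts are constructed from the posted configs with the a.a.a.a/b.b.b.b/c.c.c.c placeholders kept; the airport excerpt is derived from the scooter one because the two posted spoke configs differ only in alias and subnet.

```python
"""Cross-check PIX 6.3 site-to-site IPsec configs for mirrored policy.
Added example, not code from the thread: it reads only the tunnel-relevant
lines of a PIX 6.3 config and reports where a hub/spoke pair disagree.
a.a.a.a / b.b.b.b / c.c.c.c are the question's placeholder public addresses."""
from collections import namedtuple

# public_ip is supplied by hand: the two DHCP spokes cannot state theirs in config.
Site = namedtuple("Site", "name public_ip config")

def parse(cfg):
    """Collect names, ip ACLs, transform-sets, crypto map entries, isakmp keys and policies."""
    rows = [line.split() for line in cfg.splitlines()]
    names = {t[2]: t[1] for t in rows if t[:1] == ["name"] and len(t) == 3}
    p = {"acls": {}, "tsets": {}, "maps": {}, "keys": set(), "policies": {}}
    for t in rows:
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) >= 8:
            src, dst = f"{names.get(t[4], t[4])}/{t[5]}", f"{names.get(t[6], t[6])}/{t[7]}"
            p["acls"].setdefault(t[1], set()).add((src, dst))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            p["tsets"][t[3]] = tuple(sorted(t[4:]))
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[3].isdigit():
            # "match address <acl>" or "set peer|transform-set <value>"
            p["maps"].setdefault(t[3], {})["acl" if t[4] == "match" else t[5]] = t[6]
        elif t[:2] == ["isakmp", "key"]:
            p["keys"].add(t[4])
        elif t[:2] == ["isakmp", "policy"]:
            p["policies"].setdefault(t[2], {})[t[3]] = t[4]
    return p

def check_pair(a, b):
    """Findings for one tunnel; an empty list means both ends are mirror images."""
    pa, pb, out = parse(a.config), parse(b.config), []
    ea = next((e for e in pa["maps"].values() if e.get("peer") == b.public_ip), None)
    eb = next((e for e in pb["maps"].values() if e.get("peer") == a.public_ip), None)
    for site, parsed, entry, peer in ((a, pa, ea, b.public_ip), (b, pb, eb, a.public_ip)):
        if entry is None:
            out.append(f"{site.name}: no crypto map entry with peer {peer}")
        if peer not in parsed["keys"]:
            out.append(f"{site.name}: no isakmp key for {peer}")
    if ea is None or eb is None:
        return out
    # Phase 2 proxy identities: A's (local, remote) pairs must equal B's (remote, local).
    acl_a = pa["acls"].get(ea.get("acl"), set())
    acl_b = {(d, s) for s, d in pb["acls"].get(eb.get("acl"), set())}
    if acl_a != acl_b:
        out.append(f"{a.name}<->{b.name}: crypto ACLs not mirrored: {sorted(acl_a)} vs {sorted(acl_b)}")
    ta, tb = pa["tsets"].get(ea.get("transform-set")), pb["tsets"].get(eb.get("transform-set"))
    if ta != tb:
        out.append(f"{a.name}<->{b.name}: transform-set mismatch {ta} vs {tb}")
    # Phase 1 needs one policy on each side whose encryption/hash/group all agree.
    attrs = ("encryption", "hash", "group")
    sigs = [{tuple(pol.get(k) for k in attrs) for pol in p["policies"].values()} for p in (pa, pb)]
    if not sigs[0] & sigs[1]:
        out.append(f"{a.name}<->{b.name}: no matching isakmp policy")
    return out

def weak_algorithms(parsed):
    """Advisory only: DES, MD5 and DH groups 1/2 are below today's minimums."""
    warn = [f"isakmp policy {prio}: {k} {pol[k]} is weak" for prio, pol in parsed["policies"].items()
            for k, bad in (("encryption", {"des"}), ("hash", {"md5"}), ("group", {"1", "2"}))
            if pol.get(k) in bad]
    return warn + [f"transform-set {n}: {' '.join(ts)} is weak"
                   for n, ts in parsed["tsets"].items() if {"esp-des", "esp-md5-hmac"} & set(ts)]

# Constructed excerpts of the three configs posted above (only the lines the checker reads).
CARCITY = Site("carcity", "a.a.a.a", """
name 172.31.1.0 airport
access-list outside_cryptomap_20 permit ip 172.17.1.0 255.255.255.0 airport 255.255.255.0
access-list outside_cryptomap_30 permit ip 172.17.1.0 255.255.255.0 192.168.11.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set mytranset esp-des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer c.c.c.c
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer b.b.b.b
crypto map outside_map 30 set transform-set mytranset
isakmp key ******** address c.c.c.c netmask 255.255.255.255
isakmp key ******** address b.b.b.b netmask 255.255.255.255
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
""")
SCOOTER = Site("scooter", "b.b.b.b", """
name 172.17.1.0 car_city
access-list outside_cryptomap_20 permit ip 192.168.11.0 255.255.255.0 car_city 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer a.a.a.a
crypto map outside_map 20 set transform-set ESP-DES-MD5
isakmp key ******** address a.a.a.a netmask 255.255.255.255
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
""")
# airport's posted config is the scooter one with its own name alias and subnet.
AIRPORT = Site("airport", "c.c.c.c",
               SCOOTER.config.replace("car_city", "carcity").replace("192.168.11.0", "172.31.1.0"))
```

Running check_pair(CARCITY, SCOOTER) and check_pair(CARCITY, AIRPORT) on the posted excerpts returns no findings, which is worth knowing before changing policies: it narrows the fault to things the config text cannot show (whether the ******** keys really match, whether the DHCP-assigned spoke addresses are still the ones in the hub's crypto map and isakmp key lines, and whether UDP/500 and ESP reach the outside interface). The policy test also shows why a DH group change has to be made on every firewall at once: applying "isakmp policy 20 group 1" on only one side produces a "no matching isakmp policy" finding.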
LVL 28

Expert Comment

by:batry_boy
I would try changing the DH group from 2 to 1...

no isakmp policy 20 group 2
isakmp policy 20 group 1

Do this on all 3 firewalls and see what you get...

Author Comment

by:ma77smith
Still no good. The car city site, which should show up with two tunnels, just shows:

xxxxxxxxxxxx(config)# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
c.c.c.c   a.a.a.a    QM_IDLE         0           4
LVL 28

Expert Comment

by:batry_boy
Post the output of the commands:

debug crypto isakmp
debug crypto ipsec
debug crypto engine

It looks like phase 1 isn't finishing its negotiation...

Author Comment

by:ma77smith
The commands only switch debugging on? How do I capture the results?
thanks
LVL 28

Expert Comment

by:batry_boy
If you're in a console session, the output will be displayed while the tunnel is trying to establish...you just have to cut and paste the output.

If you're in a telnet/ssh session, then issue the command:

term mon

and the debug output will be displayed.  Again, cut and paste the output...

Author Comment

by:ma77smith
for example, on the one firewall I just get :

xxx(config)# term mon
xxx(config)# debug crypto isakmp
xxx(config)# debug crypto ipsec
xxx(config)# debug crypto engine
xxx(config)#
ISADB: reaper checking SA 0xf86acc, conn_id = 0


shouldn't there be more?

Author Comment

by:ma77smith
Oh, and I'm using PuTTY SSH.
LVL 28

Accepted Solution

by:batry_boy (earned 500 total points)
Try this from config mode:

clear crypto is sa
clear crypto ip sa

Then, generate some interesting traffic to get the firewall to try and bring the tunnel back up.  For example, try pinging a host on the scooter network from carcity.  You should then see lots of debug output while it's trying to establish the tunnel.

Author Comment

by:ma77smith
Cool, I did what you said and tried to ping a host in scooter from carcity:


ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:b.b.b.b, dest:a.a.a.a spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:b.b.b.b, dest:a.a.a.a spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:b.b.b.b, dest:a.a.a.a spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1346952984:afb720e8IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x1353572(20264306) for SA
        from b.b.b.b to  a.a.a.a for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:b.b.b.b/500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:b.b.b.b/500 Ref cnt incremented to:1 Total VPN Peers:2
crypto_isakmp_process_block:src:b.b.b.b, dest:a.a.a.a spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 707546839
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with b.b.b.b

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:b.b.b.b, dest:a.a.a.a spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2948014312

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= b.b.b.b, src= a.a.a.a,
    dest_proxy= 192.168.11.0/255.255.255.0/0/0 (type=4),
    src_proxy= 172.17.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 2948014312

ISAKMP (0): processing ID payload. message ID = 2948014312
ISAKMP (0): processing ID payload. message ID = 2948014312map_alloc_entry: allocating entry 3
map_alloc_entry: allocating entry 4

ISAKMP (0): Creating IPSec SAs
        inbound SA from b.b.b.b to  a.a.a.a (proxy    192.168.11.0 to      172.17.1.0)
        has spi 20264306 and conn_id 3 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from  a.a.a.a to b.b.b.b (proxy      172.17.1.0 to    192.168.11.0)
        has spi 714287050 and conn_id 4 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= a.a.a.a, src= b.b.b.b,
    dest_proxy= 172.17.1.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.11.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x1353572(20264306), conn_id= 3, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= a.a.a.a, dest= b.b.b.b,
    src_proxy= 172.17.1.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 192.168.11.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x2a9327ca(714287050), conn_id= 4, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:b.b.b.b/500 Ref cnt incremented to:2 Total VPN Peers:2
VPN Peer: IPSEC: Peer ip:b.b.b.b/500 Ref cnt incremented to:3 Total VPN Peers:2
return status is IKMP_NO_ERROR
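Added example (not from the thread) that reads the two kinds of output posted in this thread: the "show crypto isakmp sa" listing earlier, which showed only one of the two expected peers in QM_IDLE, and the debug capture above. It reports which expected peers have no phase 1 SA and, from the debug lines, how far each peer's negotiation got (policy accepted, authenticated, quick mode, IPsec SAs created) together with the proxy identities negotiated. The progress strings are the ones that appear in the capture above; the failure strings are an assumption about common PIX 6.3 debug wording, not a complete list. The sample outputs are constructed excerpts with the a.a.a.a/b.b.b.b/c.c.c.c placeholders kept, and the failing sample is invented to show the other outcome.

```python
"""Triage helpers for the PIX 6.3 outputs in this thread: 'show crypto isakmp sa'
and 'debug crypto isakmp' / 'debug crypto ipsec'.  Added example, not code from
the thread; the progress strings are taken from the capture above, the failure
strings are assumed common PIX 6.3 wording and not an exhaustive list."""
import re

STAGES = ["none", "phase1_proposal", "phase1_authenticated", "phase2_quick_mode", "phase2_sas_created"]
PROGRESS = [(1, "atts are acceptable"),            # first hit is the phase 1 policy match
            (2, "SA has been authenticated"),
            (3, "beginning Quick Mode exchange"),
            (4, "Creating IPSec SAs")]
FAILURE = ("atts are not acceptable", "no offers accepted", "proxy identities not supported")
PEER_RE = re.compile(r"src:(?P<src>[\w.]+), dest:(?P<dst>[\w.]+)")
PROXY_RE = re.compile(r"(?P<end>src|dest)_proxy= (?P<net>[\d.]+)/(?P<mask>[\d.]+)")


def established_peers(show_output, local_ip):
    """Peers whose phase 1 SA is complete (state QM_IDLE) in 'show crypto isakmp sa'."""
    done = set()
    for t in (line.split() for line in show_output.splitlines()):
        if len(t) == 5 and t[2] == "QM_IDLE":   # columns: dst src state pending created
            done.add(t[1] if t[0] == local_ip else t[0])
    return done


def summarize_debug(lines):
    """Per remote peer: furthest stage reached, phase 2 proxy pairs seen, failure lines."""
    peers, current, pending = {}, "?", {}
    for line in lines:
        m = PEER_RE.search(line)
        if m:
            current = m["src"]
            if "?" in peers and current not in peers:   # lines logged before the peer address appeared
                peers[current] = peers.pop("?")
        rec = peers.setdefault(current, {"stage": 0, "proxies": set(), "errors": []})
        for level, frag in PROGRESS:
            if frag in line:
                rec["stage"] = max(rec["stage"], level)
        if any(f in line.lower() for f in FAILURE):
            rec["errors"].append(line.strip())
        m = PROXY_RE.search(line)
        if m:
            pending[m["end"]] = f"{m['net']}/{m['mask']}"
            if len(pending) == 2:                      # a src/dest pair is one proxy identity
                rec["proxies"].add((pending.pop("src"), pending.pop("dest")))
    return {p: dict(r, stage=STAGES[r["stage"]]) for p, r in peers.items()}


# Constructed from the carcity outputs pasted above (a.a.a.a is carcity; placeholders kept).
SHOW_SA = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
c.c.c.c   a.a.a.a    QM_IDLE         0           4
"""
DEBUG_OK = """\
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:b.b.b.b, dest:a.a.a.a spt:500 dpt:500
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1346952984:afb720e8IPSEC(key_engine): got a queue event...
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
    dest_proxy= 192.168.11.0/255.255.255.0/0/0 (type=4),
    src_proxy= 172.17.1.0/255.255.255.0/0/0 (type=4),
ISAKMP (0): Creating IPSec SAs
""".splitlines()
# Constructed failure case (not from the thread): a spoke whose phase 1 proposal matches no policy.
DEBUG_FAIL = """\
crypto_isakmp_process_block:src:c.c.c.c, dest:a.a.a.a spt:500 dpt:500
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
""".splitlines()


def triage(show_output, debug_lines, local_ip, expected_peers):
    """For each expected peer without a phase 1 SA: how far its debug trace got."""
    up = established_peers(show_output, local_ip)
    detail = summarize_debug(debug_lines)
    return {peer: detail.get(peer, {}).get("stage", "no debug output") for peer in expected_peers - up}
```

On the posted "show" output, established_peers(SHOW_SA, "a.a.a.a") returns only c.c.c.c, so triage flags b.b.b.b. Fed the capture above, it reports b.b.b.b at phase2_sas_created with the proxy pair 172.17.1.0/24 <-> 192.168.11.0/24, i.e. the scooter tunnel does negotiate once interesting traffic is generated. A peer that never appears in the debug at all, as in the earlier capture that printed only the ISADB reaper line, comes back as "no debug output"; that usually means no interesting traffic or no IKE packets reached the firewall, which is a different problem from a policy mismatch and is why clearing the SAs and pinging across was the right next step.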

Author Comment

by:ma77smith
Hi, is this enough logging info?
thx