cisco_gringo
L2L VPN error
I have this PIX 515E, which has some remote VPNs, but when I add an L2L VPN to it, the remote LAN can't log in. I looked everywhere; the log is saying: Duplicate Phase 1 packet detected and IKE DECODE RESENDING Message ...
The crypto values are the same on both sides ... Here is the config on the PIX 515E:
vestpix1# wr t
: Saved
:
PIX Version 7.0(1)
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
shutdown
nameif DMZ
security-level 30
ip address 172.16.1.1 255.255.255.0
!
enable password jTq0IF3WRrCBEoV1 encrypted
passwd jTq0IF3WRrCBEoV1 encrypted
hostname vestpix1
domain-name vestadm.com
boot system flash:/pix701.bin
ftp mode passive
access-list UDEFRA extended permit icmp any any echo-reply
access-list UDEFRA extended permit icmp any any time-exceeded
access-list UDEFRA extended permit tcp host xx.xx.xxx.242 host 192.168.1.2 eq ssh
access-list UDEFRA extended permit tcp any host 192.168.1.2 eq smtp
access-list UDEFRA extended permit tcp any host 192.168.1.2 eq www
access-list UDEFRA extended permit ip 192.168.250.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list UDEFRA extended deny ip any any
access-list ingen-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list ingen-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list VPN_L2L extended permit ip 192.168.2.0 255.255.255.0 192.168.31.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip audit name ATTACK-IDS attack action alarm reset
ip audit name INFO-IDS info action alarm
ip audit name test-jkn-ids1 info action alarm
ip audit interface outside INFO-IDS
ip audit interface outside ATTACK-IDS
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2005 disable
ip local pool hjemme-bruger 192.168.250.11-192.168.250.254
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 1 172.16.1.3 netmask 255.255.255.255
nat (inside) 0 access-list ingen-nat
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.2.9 smtp netmask 255.255.255.255
static (DMZ,outside) tcp interface www 172.16.1.10 www netmask 255.255.255.255
access-group UDEFRA in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy vestadmvpn3 internal
group-policy vestadmvpn3 attributes
wins-server value 192.168.2.9
dns-server value 192.168.2.9
vpn-idle-timeout 30
default-domain value vestadm.com
group-policy vestadmvpn2 internal
group-policy vestadmvpn2 attributes
wins-server value 192.168.2.9
dns-server value 192.168.2.9
vpn-idle-timeout 30
default-domain value vestadm.com
group-policy vestadmvpn1 internal
group-policy vestadmvpn1 attributes
wins-server value 192.168.2.9
dns-server value 192.168.2.9
vpn-idle-timeout 30
default-domain value vestadm.com
group-policy vestadmvpn6 internal
group-policy vestadmvpn6 attributes
wins-server value 192.168.2.9
dns-server value 192.168.2.9
vpn-idle-timeout 30
default-domain value vestadm.com
group-policy vestadmvpn5 internal
group-policy vestadmvpn5 attributes
wins-server value 192.168.2.9
dns-server value 192.168.2.9
vpn-idle-timeout 30
default-domain value vestadm.com
group-policy vestadmvpn4 internal
group-policy vestadmvpn4 attributes
wins-server value 192.168.2.9
dns-server value 192.168.2.9
vpn-idle-timeout 30
default-domain value vestadm.com
username vestadm1 password 5Txo9H0OZ/4l9Wmd encrypted
username vestadm password PhZteHhIIOZlnaBP encrypted
username unisys password o5i8GEabDlDtfjTe encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.9 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set VPN-hjemme esp-3des esp-md5-hmac
crypto ipsec transform-set L2L esp-3des esp-md5-hmac
crypto dynamic-map dyn-VPN-West 10 set transform-set VPN-hjemme
crypto map VPN-West 50 match address VPN_L2L
crypto map VPN-West 50 set peer x.x.x.x
crypto map VPN-West 50 set transform-set L2L
crypto map VPN-West 90 ipsec-isakmp dynamic dyn-VPN-West
crypto map VPN-West interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
telnet 192.168.2.9 255.255.255.255 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
ssh version 1
console timeout 0
tunnel-group vestadmvpn1 type ipsec-ra
tunnel-group vestadmvpn1 general-attributes
address-pool hjemme-bruger
default-group-policy vestadmvpn1
tunnel-group vestadmvpn1 ipsec-attributes
pre-shared-key *
tunnel-group vestadmvpn2 type ipsec-ra
tunnel-group vestadmvpn2 general-attributes
address-pool hjemme-bruger
default-group-policy vestadmvpn2
tunnel-group vestadmvpn2 ipsec-attributes
pre-shared-key *
tunnel-group vestadmvpn3 type ipsec-ra
tunnel-group vestadmvpn3 general-attributes
address-pool hjemme-bruger
default-group-policy vestadmvpn3
tunnel-group vestadmvpn3 ipsec-attributes
pre-shared-key *
tunnel-group vestadmvpn4 type ipsec-ra
tunnel-group vestadmvpn4 general-attributes
address-pool hjemme-bruger
default-group-policy vestadmvpn4
tunnel-group vestadmvpn4 ipsec-attributes
pre-shared-key *
tunnel-group vestadmvpn5 type ipsec-ra
tunnel-group vestadmvpn5 general-attributes
address-pool hjemme-bruger
default-group-policy vestadmvpn5
tunnel-group vestadmvpn5 ipsec-attributes
pre-shared-key *
tunnel-group vestadmvpn6 type ipsec-ra
tunnel-group vestadmvpn6 general-attributes
address-pool hjemme-bruger
default-group-policy vestadmvpn6
tunnel-group vestadmvpn6 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
Cryptochecksum:ec56dcba4f43e423f7443d33712ba30a
: end
What is triggering the error?
Thanks in advance.
ASKER
The Pix is communicating with a Juniper Device ...
Your outside IP is a private IP?
ip address 192.168.1.2 255.255.255.0
When the PIX sends a packet to the Juniper peer, it doesn't know that it is supposed to be coming from the public IP address, so evidently the packet is getting NATed elsewhere, and the Juniper sees a packet from a device that thinks it is 192.168.1.2 while it is expecting a packet labeled with the public IP that it has configured as its peer.
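To make the diagnosis above checkable rather than eyeballed, here is an added audit script (my code, not something from this thread or from Cisco): it parses an excerpt of the running-config the asker posted, recovers the crypto-map interface's address from the interface blocks, and flags the combination the answer describes: an RFC 1918 address on the interface that terminates the tunnels, `isakmp identity address` (so that private address is what goes into the IKE ID payload), and a static `ipsec-l2l` peer. It also flags two hygiene items that are visible in the posted config (`snmp-server community public`, `ssh version 1`); those are not the cause of the IKE failure. The config excerpt is constructed from the post, with the peer left as the poster's `x.x.x.x` placeholder, and `203.0.113.2` in the "fixed" variant is an arbitrary documentation address standing in for the real public IP.

```python
"""Audit a PIX 7.x config excerpt for the IKE peer-identity problem discussed above."""
import ipaddress
import re

# RFC 1918 spelled out: ipaddress's is_private also matches the documentation
# ranges (e.g. 203.0.113.0/24), which would hide the "fixed" case below.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed excerpt of the running-config posted above (indentation was lost
# in extraction; the L2L peer is kept as the poster's x.x.x.x placeholder).
PIX_CONFIG = """\
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
snmp-server community public
crypto map VPN-West 50 set peer x.x.x.x
crypto map VPN-West interface outside
isakmp identity address
isakmp enable outside
isakmp nat-traversal 20
ssh version 1
tunnel-group x.x.x.x type ipsec-l2l
"""


def parse_interfaces(config):
    """Map nameif -> IPv4Address by walking the 'interface ... !' blocks."""
    ifaces, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            nameif = None                       # block start or terminator
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            ifaces[nameif] = ipaddress.IPv4Address(line.split()[2])
    return ifaces


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def audit(config):
    """Return (code, message) findings; an empty list means nothing flagged."""
    findings = []
    lines = {l.strip() for l in config.splitlines()}
    ifaces = parse_interfaces(config)
    m = re.search(r"^\s*crypto map \S+ interface (\S+)\s*$", config, re.M)
    crypto_if = m.group(1) if m else None
    l2l_peers = re.findall(r"^\s*tunnel-group (\S+) type ipsec-l2l\s*$", config, re.M)

    # The condition from the answer: the tunnel-terminating interface holds a
    # private address, 'isakmp identity address' puts that address in the IKE
    # ID payload, and a static L2L peer on the far side of the upstream NAT
    # expects the public address instead.
    if (crypto_if in ifaces and is_rfc1918(ifaces[crypto_if])
            and "isakmp identity address" in lines and l2l_peers):
        findings.append((
            "private-outside-with-address-identity",
            f"{crypto_if} is {ifaces[crypto_if]} (RFC 1918) and IKE identity is "
            f"'address'; L2L peer(s) {', '.join(l2l_peers)} expect a public address."))
    if "snmp-server community public" in lines:
        findings.append(("snmp-default-community",
                         "SNMP community is the default 'public'."))
    if "ssh version 1" in lines:
        findings.append(("ssh-v1-only",
                         "Management SSH is restricted to protocol version 1."))
    return findings


if __name__ == "__main__":
    for code, msg in audit(PIX_CONFIG):
        print(f"[{code}] {msg}")
    # With a public address on outside (what the asker ended up doing) the
    # identity finding disappears; 203.0.113.2 is a placeholder.
    fixed = PIX_CONFIG.replace("ip address 192.168.1.2", "ip address 203.0.113.2")
    print([c for c, _ in audit(fixed)])
```

Two caveats on reading the output. `isakmp nat-traversal 20` is present in the config, and NAT-T does carry IKE and ESP through the ISP router's NAT, but it does not change the identity the PIX asserts in the ID payload, so it does not make the first finding go away. The fix the thread confirms is moving the public address onto the outside interface; keeping the PIX behind the ISP's NAT would instead require an IKE identity that is not tied to the interface address (PIX 7 accepts `isakmp identity hostname` or `key-id`) and a matching gateway definition on the Juniper, which is my suggestion, not something the thread tested.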
ASKER
I have an ISP router in front of the PIX, and there it's NAT that is doing the job ...
ASKER CERTIFIED SOLUTION
ASKER
Hi guys.
Thanks for your input. I removed the ISP router, put the public IP on the outside interface, set the right default gateway, and it was running, so the last solution is actually the answer; but since I could run this without the ISP router, I removed it.
ASKER
%PIX-6-713905:
%PIX-7-713906: