Solved

L2L VPN error

Posted on 2008-09-30
Last Modified: 2009-01-10
I have this PIX 515E, which has some remote VPNs, but when I add an L2L VPN to it, the remote LAN can't log in. I looked everywhere; the log is saying: Duplicate Phase 1 packet detected and IKE DECODE RESENDING Message ...

The crypto values are the same on both sides ... Here is the config on the PIX 515E:

vestpix1# wr t
: Saved
:
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
 shutdown
 nameif DMZ
 security-level 30
 ip address 172.16.1.1 255.255.255.0
!
enable password jTq0IF3WRrCBEoV1 encrypted
passwd jTq0IF3WRrCBEoV1 encrypted
hostname vestpix1
domain-name vestadm.com
boot system flash:/pix701.bin
ftp mode passive
access-list UDEFRA extended permit icmp any any echo-reply
access-list UDEFRA extended permit icmp any any time-exceeded
access-list UDEFRA extended permit tcp host xx.xx.xxx.242 host 192.168.1.2 eq ssh
access-list UDEFRA extended permit tcp any host 192.168.1.2 eq smtp
access-list UDEFRA extended permit tcp any host 192.168.1.2 eq www
access-list UDEFRA extended permit ip 192.168.250.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list UDEFRA extended deny ip any any
access-list ingen-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list ingen-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list VPN_L2L extended permit ip 192.168.2.0 255.255.255.0 192.168.31.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip audit name ATTACK-IDS attack action alarm reset
ip audit name INFO-IDS info action alarm
ip audit name test-jkn-ids1 info action alarm
ip audit interface outside INFO-IDS
ip audit interface outside ATTACK-IDS
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2005 disable
ip local pool hjemme-bruger 192.168.250.11-192.168.250.254
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 1 172.16.1.3 netmask 255.255.255.255
nat (inside) 0 access-list ingen-nat
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.2.9 smtp netmask 255.255.255.255
static (DMZ,outside) tcp interface www 172.16.1.10 www netmask 255.255.255.255
access-group UDEFRA in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy vestadmvpn3 internal
group-policy vestadmvpn3 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn2 internal
group-policy vestadmvpn2 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn1 internal
group-policy vestadmvpn1 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn6 internal
group-policy vestadmvpn6 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn5 internal
group-policy vestadmvpn5 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn4 internal
group-policy vestadmvpn4 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
username vestadm1 password 5Txo9H0OZ/4l9Wmd encrypted
username vestadm password PhZteHhIIOZlnaBP encrypted
username unisys password o5i8GEabDlDtfjTe encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.9 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set VPN-hjemme esp-3des esp-md5-hmac
crypto ipsec transform-set L2L esp-3des esp-md5-hmac
crypto dynamic-map dyn-VPN-West 10 set transform-set VPN-hjemme
crypto map VPN-West 50 match address VPN_L2L
crypto map VPN-West 50 set peer x.x.x.x
crypto map VPN-West 50 set transform-set L2L
crypto map VPN-West 90 ipsec-isakmp dynamic dyn-VPN-West
crypto map VPN-West interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
telnet 192.168.2.9 255.255.255.255 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
ssh version 1
console timeout 0
tunnel-group vestadmvpn1 type ipsec-ra
tunnel-group vestadmvpn1 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn1
tunnel-group vestadmvpn1 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn2 type ipsec-ra
tunnel-group vestadmvpn2 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn2
tunnel-group vestadmvpn2 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn3 type ipsec-ra
tunnel-group vestadmvpn3 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn3
tunnel-group vestadmvpn3 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn4 type ipsec-ra
tunnel-group vestadmvpn4 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn4
tunnel-group vestadmvpn4 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn5 type ipsec-ra
tunnel-group vestadmvpn5 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn5
tunnel-group vestadmvpn5 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn6 type ipsec-ra
tunnel-group vestadmvpn6 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn6
tunnel-group vestadmvpn6 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:ec56dcba4f43e423f7443d33712ba30a
: end


What is triggering the error?
Thanks in advance.
Question by: cisco_gringo


Author Comment

by: cisco_gringo
ID: 22603568
One more thing, the sh log is showing:

%PIX-6-713905:
%PIX-7-713906:


Author Comment

by: cisco_gringo
ID: 22604225
The Pix is communicating with a Juniper Device ...

Expert Comment

by: lrmoore
ID: 22608981
Your outside IP is a private IP?
 ip address 192.168.1.2 255.255.255.0

When the PIX sends a packet to the Juniper peer, it doesn't know that it is supposed to be coming from the public IP address, so evidently the packet is getting NATted elsewhere, and the Juniper sees a packet from a device that thinks it is 192.168.1.2 while it is expecting a packet labeled with the public IP that it has labeled as its peer.

Author Comment

by: cisco_gringo
ID: 22611930
I have an ISP router in front of the PIX, and there it's NAT that is doing the job ...

Accepted Solution

by: lrmoore (earned 250 total points)
ID: 22613252
Is it a DSL router? If yes, it should be in bridge mode so that your PIX gets the actual public IP address.
The problem is the NAT on that router.
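
As an added illustration (not code from the thread or from either poster), here is a small Python check that reads the running-config posted above and reports the condition lrmoore describes: the crypto map is bound to an interface holding an RFC 1918 address while `isakmp identity address` makes that address the IKE identity, so the Juniper, which is configured for the public address it actually sees after the ISP router's NAT, never matches it and the PIX keeps retransmitting phase 1. A second helper counts those retransmission messages per peer from `show log`. What is copied from the thread is the config excerpt; what is assumed is everything else: the "fixed" variant uses 203.0.113.2 and 203.0.113.1 as placeholders for the public address and ISP gateway the post does not give, the syslog lines are constructed from the message text quoted in the question, and treating `isakmp identity auto` the same as `address` for a pre-shared-key peer is my reading of the platform, not something the thread states.

```python
"""Lint for the condition in the thread: RFC 1918 address on the PIX crypto-map
interface plus 'isakmp identity address', so the IKE ID sent to the L2L peer is
not the public address the peer was configured with.  Added example, not code
from the original post; the config excerpt is copied, everything else is assumed."""
import ipaddress
import re

# Excerpt of the running-config posted in the question (verbatim lines).
ORIGINAL_CFG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
crypto map VPN-West 50 set peer x.x.x.x
crypto map VPN-West interface outside
isakmp identity address
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
tunnel-group x.x.x.x type ipsec-l2l
"""
# After the accepted fix (ISP router bridged): the PIX holds the public address
# and routes to the ISP gateway.  203.0.113.2/.1 are placeholders, not from the post.
FIXED_CFG = ORIGINAL_CFG.replace(
    "ip address 192.168.1.2 255.255.255.0", "ip address 203.0.113.2 255.255.255.248"
).replace("route outside 0.0.0.0 0.0.0.0 192.168.1.1 1",
          "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1")

# RFC 1918 only: ipaddress.is_private would also flag the 203.0.113.0/24 placeholder.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def interface_addresses(cfg):
    """Return {nameif: ip} for every 'interface' block in a PIX/ASA config."""
    addrs, nameif, ip = {}, None, None
    for line in cfg.splitlines():
        if line.startswith(("interface ", "!")):   # block boundary: flush
            if nameif and ip:
                addrs[nameif] = ip
            nameif, ip = None, None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address "):
            ip = line.split()[2]
    if nameif and ip:
        addrs[nameif] = ip
    return addrs

def crypto_map_interface(cfg):
    """Interface the crypto map is bound to, i.e. the address IKE runs from."""
    m = re.search(r"^crypto map \S+ interface (\S+)", cfg, re.M)
    return m.group(1) if m else None

def isakmp_identity(cfg):
    m = re.search(r"^isakmp identity (\S+)", cfg, re.M)
    return m.group(1) if m else "auto"      # assumed PIX 7.x default when the line is absent

def l2l_peers(cfg):
    return re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M)

def lint_l2l_nat(cfg):
    """One finding per L2L peer when the PIX would announce an RFC 1918 IKE ID.
    'auto' is treated like 'address' (assumption: with pre-shared keys the
    interface address goes out as ID_IPV4_ADDR)."""
    ifname = crypto_map_interface(cfg)
    ip = interface_addresses(cfg).get(ifname)
    ident = isakmp_identity(cfg)
    if ip is None or ident not in ("address", "auto") or not is_rfc1918(ip):
        return []
    return [f"{ifname} is {ip} (RFC 1918) and 'isakmp identity {ident}' sends it as the IKE ID; "
            f"peer {peer} sees the post-NAT public source address and will not match it"
            for peer in l2l_peers(cfg)]

# Constructed 'show log' lines in the %PIX-<sev>-<id>: IP = <peer>, <text> shape, using
# the message text quoted in the question; the last line is unrelated noise.
SAMPLE_LOG = """\
Sep 30 2008 10:41:02: %PIX-7-713906: IP = x.x.x.x, IKE DECODE RESENDING Message
Sep 30 2008 10:41:10: %PIX-6-713905: IP = x.x.x.x, Duplicate Phase 1 packet detected
Sep 30 2008 10:41:20: %PIX-6-713905: IP = x.x.x.x, Duplicate Phase 1 packet detected
Sep 30 2008 10:41:21: %PIX-6-302013: Built outbound TCP connection 4711 for outside:x.x.x.x/25 (x.x.x.x/25) to inside:192.168.2.9/25 (192.168.2.9/25)
"""
RETRANSMIT_MARKERS = ("Duplicate Phase 1 packet detected", "RESENDING")

def phase1_retransmits(log_text):
    """Count phase 1 retransmission messages per peer IP; a peer that only ever
    retransmits and never reaches phase 1 completion is the pattern in the thread."""
    counts = {}
    for line in log_text.splitlines():
        if any(marker in line for marker in RETRANSMIT_MARKERS):
            m = re.search(r"IP = ([^,\s]+)", line)
            peer = m.group(1) if m else "?"
            counts[peer] = counts.get(peer, 0) + 1
    return counts

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(name, lint_l2l_nat(cfg) or ["no NAT/identity finding"])
    print("phase 1 retransmits per peer:", phase1_retransmits(SAMPLE_LOG))
```

Feed it a full `write terminal` capture and the output of `show log`; on the box itself, `show crypto isakmp sa` tells you whether the L2L peer's SA ever leaves the main-mode wait states, and `debug crypto isakmp` shows the exchange in detail. The `isakmp nat-traversal 20` already in the config lets ESP cross the ISP router's NAT, but it does not change the identity the PIX announces, which is why the fix in the thread is to take the NAT out (bridge the router and give the PIX the public address) rather than to tune NAT-T.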

Author Comment

by: cisco_gringo
ID: 22718892
Hi guys.

Thanks for your inputs. I removed the ISP router, put the public IP on the outside interface, set the right default gateway, and it was running, so the last solution is actually the answer; since I could run this without the ISP router, I removed it.