• Status: Solved

L2L VPN error

I have this PIX 515E, which has some remote-access VPNs, but when I add an L2L VPN on it, the remote LAN can't log in. I looked everywhere; the log is saying: Duplicate Phase 1 packet detected and IKE DECODE RESENDING Message ...

The crypto values are the same on both sides ... Here is the config on the PIX 515E:

vestpix1# wr t
: Saved
PIX Version 7.0(1)
interface Ethernet0
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 nameif DMZ
 security-level 30
 ip address
enable password jTq0IF3WRrCBEoV1 encrypted
passwd jTq0IF3WRrCBEoV1 encrypted
hostname vestpix1
domain-name vestadm.com
boot system flash:/pix701.bin
ftp mode passive
access-list UDEFRA extended permit icmp any any echo-reply
access-list UDEFRA extended permit icmp any any time-exceeded
access-list UDEFRA extended permit tcp host xx.xx.xxx.242 host eq ssh
access-list UDEFRA extended permit tcp any host eq smtp
access-list UDEFRA extended permit tcp any host eq www
access-list UDEFRA extended permit ip
access-list UDEFRA extended deny ip any any
access-list ingen-nat extended permit ip
access-list ingen-nat extended permit ip
access-list VPN_L2L extended permit ip
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip audit name ATTACK-IDS attack action alarm reset
ip audit name INFO-IDS info action alarm
ip audit name test-jkn-ids1 info action alarm
ip audit interface outside INFO-IDS
ip audit interface outside ATTACK-IDS
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2005 disable
ip local pool hjemme-bruger
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 netmask
nat (inside) 0 access-list ingen-nat
nat (inside) 1
static (inside,outside) tcp interface smtp smtp netmask
static (DMZ,outside) tcp interface www www netmask
access-group UDEFRA in interface outside
rip inside passive version 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy vestadmvpn3 internal
group-policy vestadmvpn3 attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn2 internal
group-policy vestadmvpn2 attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn1 internal
group-policy vestadmvpn1 attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn6 internal
group-policy vestadmvpn6 attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn5 internal
group-policy vestadmvpn5 attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn4 internal
group-policy vestadmvpn4 attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 default-domain value vestadm.com
username vestadm1 password 5Txo9H0OZ/4l9Wmd encrypted
username vestadm password PhZteHhIIOZlnaBP encrypted
username unisys password o5i8GEabDlDtfjTe encrypted
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set VPN-hjemme esp-3des esp-md5-hmac
crypto ipsec transform-set L2L esp-3des esp-md5-hmac
crypto dynamic-map dyn-VPN-West 10 set transform-set VPN-hjemme
crypto map VPN-West 50 match address VPN_L2L
crypto map VPN-West 50 set peer x.x.x.x
crypto map VPN-West 50 set transform-set L2L
crypto map VPN-West 90 ipsec-isakmp dynamic dyn-VPN-West
crypto map VPN-West interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
telnet inside
telnet timeout 5
ssh x.x.x.x outside
ssh timeout 5
ssh version 1
console timeout 0
tunnel-group vestadmvpn1 type ipsec-ra
tunnel-group vestadmvpn1 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn1
tunnel-group vestadmvpn1 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn2 type ipsec-ra
tunnel-group vestadmvpn2 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn2
tunnel-group vestadmvpn2 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn3 type ipsec-ra
tunnel-group vestadmvpn3 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn3
tunnel-group vestadmvpn3 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn4 type ipsec-ra
tunnel-group vestadmvpn4 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn4
tunnel-group vestadmvpn4 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn5 type ipsec-ra
tunnel-group vestadmvpn5 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn5
tunnel-group vestadmvpn5 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn6 type ipsec-ra
tunnel-group vestadmvpn6 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn6
tunnel-group vestadmvpn6 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
service-policy global_policy global
: end

What is triggering the error???
Thanks in advance.
1 Solution
cisco_gringoAuthor Commented:
One more thing, the sh log is showing:


cisco_gringoAuthor Commented:
The PIX is communicating with a Juniper device ...
Is your outside IP a private IP?
 ip address

When the PIX sends a packet to the Juniper peer, it doesn't know that it is supposed to be coming from the public IP address, so evidently the packet is getting NATed elsewhere, and the Juniper sees a packet from a device that thinks it is and is expecting a packet labelled with the public IP that it has labelled as its peer.


cisco_gringoAuthor Commented:
I have an ISP router in front of the PIX, and it's the NAT there that is doing the job ...
Is it a DSL router? If yes, it should be in bridge mode so that your PIX gets the actual public IP address.
The problem is the NAT on that router.
cisco_gringoAuthor Commented:
Hi guys.

Thanks for your input. I removed the ISP router, put the public IP on the outside interface, set the right default gateway, and it was running, so the last solution is actually the answer. Since I could run this without the ISP router, I removed it.
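The diagnosis in this thread (the PIX outside interface holds a private address behind an ISP router that NATs it, and with `isakmp identity address` the IKE Phase 1 identity the PIX sends is that private address, not the public address the Juniper sees the packets arrive from) can be turned into a quick config check. The script below is an added example, not code from the original post or from Cisco; the two config excerpts it contains are constructed in the shape of the posted config, and the addresses 192.168.1.2, 203.0.113.5 and 198.51.100.9 are placeholders for the values the post masked. It also notes that `isakmp nat-traversal` being present, as it is in the posted config, does not help here: NAT-T changes the UDP encapsulation, not the identity payload.

```python
import ipaddress
import re

# Constructed excerpt in PIX 7.0 syntax, modelled on the posted config. The post
# masked its addresses; these are placeholders (outside = RFC 1918 address behind
# the ISP router's NAT, peer = a documentation-range address).
CONFIG_BEHIND_NAT = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
crypto map VPN-West 50 set peer 198.51.100.9
crypto map VPN-West interface outside
isakmp identity address
isakmp enable outside
isakmp nat-traversal  20
tunnel-group 198.51.100.9 type ipsec-l2l
"""

# The fix the thread arrived at: the ISP router bridged (or removed) and the
# public address placed directly on the outside interface. 203.0.113.5 is a
# placeholder from the TEST-NET-3 documentation range.
CONFIG_BRIDGED = CONFIG_BEHIND_NAT.replace(
    "192.168.1.2 255.255.255.0", "203.0.113.5 255.255.255.248")

# Explicit RFC 1918 test: ipaddress.is_private also flags the documentation
# ranges used above as placeholders, which would give a false positive here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_pix(config):
    """Pull the facts the diagnosis depends on out of a PIX 7.x running-config:
    interface address by nameif, ISAKMP identity mode, NAT-T, L2L peers."""
    facts = {"interfaces": {}, "identity": None, "nat_t": False,
             "l2l_peers": set(), "crypto_map_peers": set()}
    current = None  # interface block currently being read, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("interface "):
            current = {"nameif": None, "ip": None}
            continue
        if line.startswith(" "):  # sub-command; only interface blocks matter here
            if current is not None:
                m = re.match(r"\s+nameif (\S+)$", line)
                if m:
                    current["nameif"] = m.group(1)
                m = re.match(r"\s+ip address (\S+) (\S+)$", line)
                if m:
                    current["ip"] = ipaddress.ip_address(m.group(1))
                if current["nameif"] and current["ip"]:
                    facts["interfaces"][current["nameif"]] = current["ip"]
            continue
        current = None
        m = re.match(r"isakmp identity (\S+)", line)
        if m:
            facts["identity"] = m.group(1)
        elif line.startswith("isakmp nat-traversal"):
            facts["nat_t"] = True
        m = re.match(r"crypto map \S+ \d+ set peer (\S+)", line)
        if m:
            facts["crypto_map_peers"].add(m.group(1))
        m = re.match(r"tunnel-group (\S+) type ipsec-l2l", line)
        if m:
            facts["l2l_peers"].add(m.group(1))
    return facts


def check_l2l_identity(config, outside="outside"):
    """Return a list of problems; empty means the L2L identity setup looks sane."""
    facts = parse_pix(config)
    problems = []
    out_ip = facts["interfaces"].get(outside)
    if out_ip is None:
        return [f"no 'ip address' parsed on interface {outside}"]
    # With 'isakmp identity address' the PIX puts its outside interface address
    # in the Phase 1 ID payload. Behind an upstream NAT the peer receives the
    # packet from the router's public address, so the ID does not match the
    # peer it has configured and Phase 1 never completes (the retransmits seen
    # as "Duplicate Phase 1 packet detected" / "IKE DECODE RESENDING").
    if facts["identity"] == "address" and is_rfc1918(out_ip):
        note = (" (NAT-T is enabled but only changes the UDP encapsulation, "
                "not the ID payload)" if facts["nat_t"] else "")
        for peer in sorted(facts["l2l_peers"]):
            problems.append(
                f"L2L peer {peer}: PIX will send IKE ID {out_ip} (RFC 1918) while "
                f"the peer sees the packet from the upstream router's public "
                f"address{note}; bridge the router or put the public IP on {outside}")
    for peer in sorted(facts["l2l_peers"] - facts["crypto_map_peers"]):
        problems.append(f"tunnel-group {peer} has no 'crypto map ... set peer {peer}'")
    return problems


if __name__ == "__main__":
    for name, cfg in (("behind ISP NAT", CONFIG_BEHIND_NAT),
                      ("bridged / public IP on outside", CONFIG_BRIDGED)):
        print(f"{name}: {check_l2l_identity(cfg) or ['ok']}")
```

Run against a real `wr t` dump the same way; the parser only needs the `interface` blocks, the `isakmp identity` line, the crypto map `set peer` lines and the `tunnel-group ... type ipsec-l2l` lines, which are all present in the config posted above.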