Solved

L2L VPN error

Posted on 2008-09-30
Last Modified: 2009-01-10
I have this PIX 515E, which has some remote-access VPNs, but when I add an L2L VPN on it, the remote LAN can't log in. I looked everywhere; the log is saying: Duplicate Phase 1 packet detected and IKE DECODE RESENDING Message ...

The crypto values are the same on both sides ... Here is the config on the PIX 515E:

vestpix1# wr t
: Saved
:
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
 shutdown
 nameif DMZ
 security-level 30
 ip address 172.16.1.1 255.255.255.0
!
enable password jTq0IF3WRrCBEoV1 encrypted
passwd jTq0IF3WRrCBEoV1 encrypted
hostname vestpix1
domain-name vestadm.com
boot system flash:/pix701.bin
ftp mode passive
access-list UDEFRA extended permit icmp any any echo-reply
access-list UDEFRA extended permit icmp any any time-exceeded
access-list UDEFRA extended permit tcp host xx.xx.xxx.242 host 192.168.1.2 eq ssh
access-list UDEFRA extended permit tcp any host 192.168.1.2 eq smtp
access-list UDEFRA extended permit tcp any host 192.168.1.2 eq www
access-list UDEFRA extended permit ip 192.168.250.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list UDEFRA extended deny ip any any
access-list ingen-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list ingen-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list VPN_L2L extended permit ip 192.168.2.0 255.255.255.0 192.168.31.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip audit name ATTACK-IDS attack action alarm reset
ip audit name INFO-IDS info action alarm
ip audit name test-jkn-ids1 info action alarm
ip audit interface outside INFO-IDS
ip audit interface outside ATTACK-IDS
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2005 disable
ip local pool hjemme-bruger 192.168.250.11-192.168.250.254
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 1 172.16.1.3 netmask 255.255.255.255
nat (inside) 0 access-list ingen-nat
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.2.9 smtp netmask 255.255.255.255
static (DMZ,outside) tcp interface www 172.16.1.10 www netmask 255.255.255.255
access-group UDEFRA in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy vestadmvpn3 internal
group-policy vestadmvpn3 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn2 internal
group-policy vestadmvpn2 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn1 internal
group-policy vestadmvpn1 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn6 internal
group-policy vestadmvpn6 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn5 internal
group-policy vestadmvpn5 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
group-policy vestadmvpn4 internal
group-policy vestadmvpn4 attributes
 wins-server value 192.168.2.9
 dns-server value 192.168.2.9
 vpn-idle-timeout 30
 default-domain value vestadm.com
username vestadm1 password 5Txo9H0OZ/4l9Wmd encrypted
username vestadm password PhZteHhIIOZlnaBP encrypted
username unisys password o5i8GEabDlDtfjTe encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.9 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set VPN-hjemme esp-3des esp-md5-hmac
crypto ipsec transform-set L2L esp-3des esp-md5-hmac
crypto dynamic-map dyn-VPN-West 10 set transform-set VPN-hjemme
crypto map VPN-West 50 match address VPN_L2L
crypto map VPN-West 50 set peer x.x.x.x
crypto map VPN-West 50 set transform-set L2L
crypto map VPN-West 90 ipsec-isakmp dynamic dyn-VPN-West
crypto map VPN-West interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
telnet 192.168.2.9 255.255.255.255 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
ssh version 1
console timeout 0
tunnel-group vestadmvpn1 type ipsec-ra
tunnel-group vestadmvpn1 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn1
tunnel-group vestadmvpn1 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn2 type ipsec-ra
tunnel-group vestadmvpn2 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn2
tunnel-group vestadmvpn2 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn3 type ipsec-ra
tunnel-group vestadmvpn3 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn3
tunnel-group vestadmvpn3 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn4 type ipsec-ra
tunnel-group vestadmvpn4 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn4
tunnel-group vestadmvpn4 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn5 type ipsec-ra
tunnel-group vestadmvpn5 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn5
tunnel-group vestadmvpn5 ipsec-attributes
 pre-shared-key *
tunnel-group vestadmvpn6 type ipsec-ra
tunnel-group vestadmvpn6 general-attributes
 address-pool hjemme-bruger
 default-group-policy vestadmvpn6
tunnel-group vestadmvpn6 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:ec56dcba4f43e423f7443d33712ba30a
: end


What is triggering the error???
Thanks in advance.
Question by:cisco_gringo
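An added check, not part of the original question and not Cisco code: a small Python lint over the lines of the posted PIX configuration that matter for the Phase 1 retransmits. It reproduces only an excerpt of the config (constructed from the dump above), assumes 203.0.113.2 (TEST-NET-3) as a stand-in for the poster's real public address in the "fixed" variant, and flags the combination that the thread turns out to hinge on: a crypto map bound to an outside interface holding an RFC 1918 address while `isakmp identity address` makes that address the IKE ID. It also flags two hygiene items that are visible in the same dump (`ssh version 1`, SNMP community `public`).

```python
import ipaddress
import re

# Constructed excerpt of the PIX 7.0(1) configuration posted in the question;
# only the lines the checks below read are reproduced here.
PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
crypto map VPN-West 50 set peer x.x.x.x
crypto map VPN-West interface outside
isakmp identity address
isakmp enable outside
snmp-server community public
ssh version 1
tunnel-group x.x.x.x type ipsec-l2l
"""

# Assumed public address for the "after" case (TEST-NET-3, not the poster's real IP).
FIXED_CONFIG = PIX_CONFIG.replace("ip address 192.168.1.2", "ip address 203.0.113.2")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def interface_addresses(config):
    """Return {nameif: IPv4Address} collected from the 'interface' stanzas."""
    addrs = {}
    name = None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # start of a new stanza
            continue
        m = re.match(r"\s+nameif (\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) \S+$", line)
        if m and name is not None:
            addrs[name] = ipaddress.ip_address(m.group(1))
    return addrs


def lint(config):
    """Flag settings that explain, or aggravate, the Phase 1 retransmits in the question."""
    findings = []
    addrs = interface_addresses(config)
    sends_interface_ip_as_id = re.search(r"^isakmp identity address$", config, re.M) is not None
    for iface in re.findall(r"^crypto map \S+ interface (\S+)$", config, re.M):
        ip = addrs.get(iface)
        if ip is None or not is_rfc1918(ip):
            continue
        findings.append(
            f"crypto map is bound to '{iface}' but its address {ip} is RFC 1918: "
            "IKE from this box is being NATed upstream")
        if sends_interface_ip_as_id:
            findings.append(
                f"'isakmp identity address' sends {ip} as the IKE ID; a peer that "
                "expects the public address as the peer ID will reject Phase 1")
    if re.search(r"^ssh version 1$", config, re.M):
        findings.append("'ssh version 1' is enabled; use 'ssh version 2'")
    if re.search(r"^snmp-server community public$", config, re.M):
        findings.append("SNMP community 'public' is configured; change it or remove SNMP")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", PIX_CONFIG), ("public IP on outside", FIXED_CONFIG)):
        print(f"== {label}")
        for finding in lint(cfg):
            print(" -", finding)
```

Run it as-is to see four findings for the posted config and only the two hygiene findings once the outside interface carries a public address; the L2L-related findings disappear because the root cause (a NATed outside interface) is gone, not because the crypto map changed.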
7 Comments
 

Author Comment

by:cisco_gringo
ID: 22603568
One more thing, the sh log is showing:

%PIX-6-713905:
%PIX-7-713906:

 

Author Comment

by:cisco_gringo
ID: 22604225
The Pix is communicating with a Juniper Device ...
 
LVL 79

Expert Comment

by:lrmoore
ID: 22608981
Your outside IP is a private IP?
 ip address 192.168.1.2 255.255.255.0

When the PIX sends a packet to the Juniper peer, it doesn't know that it is supposed to be coming from the public IP address, so evidently the packet is getting NATed elsewhere, and the Juniper sees a packet from a device that thinks it is 192.168.1.2 while it is expecting a packet labelled with the public IP that it has labelled as its peer.

 

Author Comment

by:cisco_gringo
ID: 22611930
I have an ISP router in front of the PIX, and there it's NAT that is doing the job ...
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 22613252
Is it a DSL router? If yes, it should be in bridge mode so that your PIX gets the actual public IP address.
The problem is the NAT on that router.
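An added example, not from the thread and not Cisco or Juniper code, that models the accepted explanation in Python so the two checks a responder performs in Main Mode can be seen side by side. It assumes constructed ISAKMP cookies, 203.0.113.2 (TEST-NET-3) as the ISP router's public address, the md5 Phase 1 hash and `isakmp identity address` from the posted config, and a peer whose static gateway expects the public address as the initiator's IKE ID (the assumption behind the answer above). The NAT-D construction follows RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies; real ones are random 8-byte values chosen by each side.
CKY_I = bytes.fromhex("0011223344556677")   # initiator (the PIX)
CKY_R = bytes.fromhex("8899aabbccddeeff")   # responder (the Juniper)
ISAKMP_PORT = 500


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="md5"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    The hash is the one negotiated in Phase 1; the posted 'isakmp policy 10'
    uses md5, so that is the default here.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def phase1_view(pix_outside_ip, public_ip):
    """What the responder can verify once Main Mode reaches the NAT-D and ID payloads.

    pix_outside_ip: address on the PIX outside interface; it is what the PIX
                    hashes into NAT-D and, under 'isakmp identity address',
                    what it sends as its ID.
    public_ip:      the source address the responder actually sees on the
                    packet (the ISP router's public address when the PIX sits
                    behind that router's NAT).
    """
    # Initiator hashes the address it owns; responder recomputes over the
    # packet's source. Any difference means a NAT sits in front of the initiator.
    nat_d_sent = nat_d_hash(CKY_I, CKY_R, pix_outside_ip, ISAKMP_PORT)
    nat_d_seen = nat_d_hash(CKY_I, CKY_R, public_ip, ISAKMP_PORT)
    nat_in_front_of_initiator = nat_d_sent != nat_d_seen

    # ID payload: ID_IPV4_ADDR carrying the interface address.
    id_sent = ipaddress.ip_address(pix_outside_ip)
    # Assumption from the accepted answer: the peer's static gateway is
    # configured with the public address and expects exactly that as the ID.
    id_expected = ipaddress.ip_address(public_ip)

    return {"nat_detected": nat_in_front_of_initiator, "id_match": id_sent == id_expected}


if __name__ == "__main__":
    # 203.0.113.2 is an assumed stand-in for the real public address.
    print("PIX 192.168.1.2 behind ISP NAT 203.0.113.2:",
          phase1_view("192.168.1.2", "203.0.113.2"))
    print("Public IP moved onto the PIX outside interface:",
          phase1_view("203.0.113.2", "203.0.113.2"))
```

With the PIX behind the router's NAT the model reports both a NAT in front of the initiator and an ID mismatch; the PIX already has `isakmp nat-traversal 20`, so the first condition alone would only move the exchange to UDP 4500, while the second leaves the responder with nothing it can accept and the initiator retransmitting, which is consistent with the `IKE DECODE RESENDING` and `Duplicate Phase 1 packet detected` messages in the question. Once the public address sits on the outside interface, as in the fix the poster applied, both checks pass.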
 

Author Comment

by:cisco_gringo
ID: 22718892
Hi guys.

Thanks for your inputs. I removed the ISP router, put the public IP on the outside interface, set the right default gateway, and it was running, so the last solution is actually the answer; but since I could run this without the ISP router, I removed it.