Site-To-Site VPN between Cisco PIX 506e and Sonicwall 2040 not working

Hello,

I am trying to set up a site-to-site VPN tunnel between a Cisco PIX 506e and a Sonicwall 2040.  I have the PIX up and running fine, but when I try to use the wizard to create the site-to-site VPN tunnel, I cannot get out to the internet and am unable to access the remote network.  I am posting my current config.  Thanks!

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname FCH-MHS
domain-name nvfs1.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.252.112.80 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.254 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.252.112.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.254 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.173.205.58
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 66.173.205.58 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:b2eac32d842f2e42e6b1781d003f9561
SOLUTION
asavener
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER

Thanks for the response... I'll give that a try as soon as I can.
I have made the changes and now internet out works just fine.  But the site-to-site tunnel is still not functioning.  When I try to ping from 192.168.0.x to 192.168.1.x, I get destination net unreachable.  The reply comes back from the default gateway of the outside interface, which is 71.252.112.1.  How do I go about fixing this problem?  Your help is greatly appreciated.
Oops, let me clarify.  When I get the ping response, it responds with the default gateway of site A (71.252.112.80), not the outside interface of site B.
SOLUTION
Thanks for your help.

I tried to add in a few lines but the PIX would not take them.  Here are the lines:
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20

Here is my current running config.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FCH-MHS
domain-name nvfs1.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.252.112.80 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.254 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.252.112.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.254 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer 66.173.205.58
crypto map outside_map 20 set transform-set ESP-3DES-SHA
! Incomplete
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 66.173.205.58 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:7eda5633edca4260abb0d8e112b75123

Here are the results from the debug... (I am new to Cisco, I hope I copied over the correct information)

OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:71.252.114.9, dest:71.252.112.80 spt:500 dpt:500

OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP: no pre-shared key for    71.252.114.9
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:71.252.114.9, dest:71.252.112.80 spt:500 dpt:500

ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
ISAKMP (0): deleting SA: src 71.252.114.9, dst 71.252.112.80
ISADB: reaper checking SA 0xfa2694, conn_id = 0
ISADB: reaper checking SA 0xfa1574, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:66.173.205.58/500 Ref cnt decremented to:2 Total VPN Peers:1
ISADB: reaper checking SA 0xfa2694, conn_id = 0
ISADB: reaper checking SA 0xf1412c, conn_id = 0
ISADB: reaper checking SA 0xdf8e4c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 71.252.114.9/500 not found - peers:1

ISADB: reaper checking SA 0xfa2694, conn_id = 0
ISADB: reaper checking SA 0xf1412c, conn_id = 0
ISADB: reaper checking SA 0xdf9884, conn_id = 0
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: sa not found for ike msg

ISAKMP (0): deleting SA: src 71.252.114.9, dst 71.252.112.80
ISADB: reaper checking SA 0xfa2694, conn_id = 0
ISADB: reaper checking SA 0xf1412c, conn_id = 0
ISADB: reaper checking SA 0xdf9884, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 71.252.114.9/500 not found - peers:1

ISADB: reaper checking SA 0xfa2694, conn_id = 0
ISADB: reaper checking SA 0xf1412c, conn_id = 0

crypto_isakmp_process_block:src:71.252.114.9, dest:71.252.112.80 spt:500 dpt:500

and some more...  THANKS!

FCH-MHS# sho crypto ipsec sa


interface: outside
    Crypto map tag: outside_map, local addr. 71.252.112.80
FCH-MHS# sho crypto isakmp sa
Total     : 4
Embryonic : 2
        dst               src        state     pending     created
   71.252.112.80    66.173.205.58    QM_IDLE         0           0
   71.252.112.80    66.173.205.58    QM_IDLE         0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
SOLUTION
Here is what I get when I try to add nat (inside)

FCH-MHS# nat (inside) 0 access-list inside_outbound_nat0_acl
Type help or '?' for a list of available commands.

Thanks for letting me know the tip on knowing that my tunnel came up.
Sorry... I wasn't in config mode... adding it in now.
I have made the changes and ran show crypto isakmp again.  I ran it multiple times and I get different results each time I run it.   Here are the results with my current running config.  Thanks again!!!

FCH-MHS# show crypto isakmp sa
Total     : 3
Embryonic : 3
        dst               src        state     pending     created
   66.173.205.58    71.252.112.80    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 2
        dst               src        state     pending     created
   66.173.205.58    71.252.112.80    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 2
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_SA_SETUP   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 2
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 2
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 2
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 2
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 2
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 2
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 1
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 2
Embryonic : 2
        dst               src        state     pending     created
   66.173.205.58    71.252.112.80    MM_KEY_EXCH   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 3
Embryonic : 1
        dst               src        state     pending     created
   71.252.112.80    66.173.205.58    QM_IDLE         0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0
FCH-MHS# show crypto isakmp sa
Total     : 3
Embryonic : 2
        dst               src        state     pending     created
   71.252.112.80    66.173.205.58    QM_IDLE         0           0
   71.252.112.80     71.252.114.9    MM_SA_SETUP   0           0
   71.252.112.80     71.252.114.9    MM_KEY_EXCH   0           0


Current Config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FCH-MHS
domain-name nvfs1.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.252.112.80 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.254 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.252.112.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.254 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.173.205.58
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 66.173.205.58 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:f601f7733dc834cc5dd0f8963c1e0c46
Is this thing on?  Anyone, help?
SOLUTION
SOLUTION
Sorry for the delay.  Here are my latest results...

DEBUG ISAKMP RESULTS
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:71.252.114.9, dest:71.252.112.80 spt:500 dpt:500

OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP: no pre-shared key for    71.252.114.9
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 2 (6/4)... mess_id 0xcceee688
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (0/4)... mess_id 0xfdac6d69
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:71.252.114.9, dest:71.252.112.80 spt:500 dpt:500

ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
ISAKMP (0): retransmitting phase 2 (7/4)... mess_id 0xcceee688
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (1/4)... mess_id 0xfdac6d69
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (8/4)... mess_id 0xcceee688
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (2/4)... mess_id 0xfdac6d69
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src 71.252.114.9, dst 71.252.112.80
ISADB: reaper checking SA 0xdfc5d4, conn_id = 0
ISADB: reaper checking SA 0xfa5ee4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 71.252.114.9/500 not found - peers:0

ISADB: reaper checking SA 0xdfc5d4, conn_id = 0
ISADB: reaper checking SA 0xf120d4, conn_id = 0
ISAKMP (0): retransmitting phase 2 (9/4)... mess_id 0xcceee688
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (3/4)... mess_id 0xfdac6d69
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (10/4)... mess_id 0xcceee688
ISAKMP (0): retransmitting phase 2 (4/5)... mess_id 0xfdac6d69
ISAKMP (0): deleting SA: src 66.173.205.58, dst 71.252.112.80
ISADB: reaper checking SA 0xdfc5d4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 66.173.205.58/500 not found - peers:0

ISADB: reaper checking SA 0xf120d4, conn_id = 0
crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500
ISAKMP: sa not found for ike msg

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:66.173.205.58, dest:71.252.112.80 spt:500 dpt:500

DEBUG IPSEC RESULTS:

IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x8edf5660(2397001312) for SA
        from   66.173.205.58 to   71.252.112.80 for prot 3
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 71.252.112.80, remote= 66.173.205.58,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

SHOW IPSEC SA RESULTS:

FCH-MHS(config)# show crypto ipsec sa


interface: outside
    Crypto map tag: outside_map, local addr. 71.252.112.80

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 66.173.205.58:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1568, #recv errors 0

     local crypto endpt.: 71.252.112.80, remote crypto endpt.: 66.173.205.58
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:
ASKER CERTIFIED SOLUTION
I am trying to use the PDM to see if my transform sets match my pre-shared keys... and as far as I can tell they do.  I have even re-entered my pre-shared key to make sure that it is the correct one.  Is there a way of figuring this out by looking at the config?

thanks as always.
SOLUTION
Thanks for the effort.
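
Added example (not part of the thread or of its hidden answers): a Python check that runs over lines abridged from the configs and debug output posted above and reports three things visible in them: a NAT-exemption or crypto ACL whose destination is `any`, a crypto map entry missing a required statement (what the PIX marks as `! Incomplete`), and IKE initiators the debug log says have no pre-shared key. The function names and finding codes are hypothetical, and the parser only understands the PIX 6.3 line shapes that appear on this page.

```python
import re
from collections import defaultdict

# Constructed samples: lines abridged from the configs and debug output in this thread.
FIRST_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 any
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.173.205.58
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp key ******** address 66.173.205.58 netmask 255.255.255.255 no-xauth no-config-mode
"""
SECOND_CONFIG = """\
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer 66.173.205.58
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp key ******** address 66.173.205.58 netmask 255.255.255.255 no-xauth no-config-mode
"""
DEBUG = """\
ISAKMP: no pre-shared key for    71.252.114.9
ISAKMP (0): deleting SA: src 71.252.114.9, dst 71.252.112.80
"""
REQUIRED = {"match address", "set peer", "set transform-set"}


def _addr(tok):
    """Consume one address spec: 'any', or two tokens ('host A' / 'NET MASK')."""
    return ("any", tok[1:]) if tok[:1] == ["any"] else (" ".join(tok[:2]), tok[2:])


def parse(text):
    """Collect ACL destinations, ACL references, crypto map entries, peers and keys."""
    cfg = {"acl_dst": defaultdict(list), "refs": set(),
           "maps": defaultdict(set), "peers": set(), "keyed": set()}
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            _, rest = _addr(t[4:])                      # skip the source spec
            cfg["acl_dst"][t[1]].append(_addr(rest)[0])
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            cfg["refs"].add(t[4])
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            cfg["maps"][(t[2], t[3])].add(" ".join(t[4:6]))
            if t[4:6] == ["match", "address"]:
                cfg["refs"].add(t[6])
            elif t[4:6] == ["set", "peer"]:
                cfg["peers"].add(t[6])
        elif t[:2] == ["isakmp", "key"] and "address" in t:
            cfg["keyed"].add(t[t.index("address") + 1])
    return cfg


def lint(text):
    """Return a sorted list of (code, detail) findings for one config."""
    cfg, out = parse(text), []
    for name in sorted(cfg["refs"]):
        # Destination 'any' makes all inside traffic match IPsec selection / NAT exemption.
        if "any" in cfg["acl_dst"].get(name, []):
            out.append(("ACL_DST_ANY", name))
    for (name, seq), seen in sorted(cfg["maps"].items()):
        for kw in sorted(REQUIRED - seen):
            out.append(("MAP_INCOMPLETE", f"{name} {seq}: no '{kw}'"))
    for ip in sorted(cfg["peers"] - cfg["keyed"]):
        out.append(("PEER_NO_KEY", ip))
    return out


def unkeyed_initiators(config_text, debug_text):
    """Map each 'no pre-shared key for X' address to whether X is a crypto map peer."""
    cfg = parse(config_text)
    ips = re.findall(r"no pre-shared key for\s+(\d+(?:\.\d+){3})", debug_text)
    return {ip: ip in cfg["peers"] for ip in sorted(set(ips))}


if __name__ == "__main__":
    print(lint(FIRST_CONFIG), lint(SECOND_CONFIG))
    print(unkeyed_initiators(SECOND_CONFIG, DEBUG))
```

Run against the last config posted in the thread, `lint()` returns no findings.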