labdunn

asked on

No traffic across IPSEC Tunnel

I'm trying to build an IPSEC tunnel between 2 PIX boxes.  Both are running 6.3(5).  
Pings from the device on PixA's inside network to the device on PixB's inside network say "Reply from #.#.#.#: TTL expired in transit."  
Pings from the device on PixB's inside network to the device on PixA's inside network say "Request timed out"

In both cases the tunnel seems to be formed.  When I issue the command "show crypto isakmp sa" I see the tunnel is formed and is in the state QM-IDLE on both PIXes.

I've never used PPPoE on a PIX before.  PIXB's outside interface is configured for PPPoE.  I don't believe this Pix is the problem though.  I have successfully configured a VPN tunnel between PixB and AsaC.

The addresses in the attached file have been changed to keep privacy.  Hopefully I changed them consistently.

Thanks for your help!


PIXVPNProb.txt
ricks_v

Try dropping this in at both ends of the PIX tunnel:

sysopt connection permit-ipsec

This will bypass the ACL and NAT checks for VPN traffic only.

This way we can narrow down if it's acl related or not.
The PIX configs look good.

Is the SiteA PIX (10.24.135.254) the default gateway for the 10.24.135.7 host?

Is the SiteB PIX (192.168.32.1) the default gateway for the 192.168.32.150 host?
I agree completely with ricks_v on the sysopt command, as one of the main causes of traffic not passing is issues with the ACLs.

Your ACLs for passing your interesting traffic across the tunnel look correct, and you are following good security practice by narrowing them down to particular hosts, but for testing purposes I would try a broader access list such as:

access-list nonat permit ip 192.168.32.0 255.255.255.0 10.0.0.0 255.255.255.0  (this defines the interesting traffic being protected by the tunnel)

Also, please send the output of "show crypto ipsec sa", so we can see packets getting encrypted and the errors (if any).

"show crypto isakmp sa" will show the current state of the IKE SAs but not the traffic getting encrypted.
The "sysopt" command is already applied to both PIXes.
labdunn (ASKER)

Hi guys.  Thanks for all the ideas.  I verified that sysopt connection permit-ipsec is in both boxes.
I expanded the ACLs on both PIXes to the entire class C net.
I still get the same symptoms on both boxes.  When I ping a box behind PIX B from a box behind PIX A I get the "TTL expired in transit" message.  When I ping a box behind PIX A from a box behind PIX B I get "Request timed out".

Attached are the results of show crypto ipsec sa from both PIXes.  I see send errors on both PIXes but no explanation of these errors.

Thanks once more for your help.

Bill

pixa-show-crypto-isakmkp-sa.TXT
pixB-show-crypto-isakmkp-sa.TXT
Looks like the sides are out of sync now.  Expand site A to /24s to match:

conf t
access-list Galisteo permit ip 10.24.135.0 255.255.255.0 192.168.32.0 255.255.255.0
no access-list Galisteo permit ip host 10.24.135.7 host 192.168.32.150

Then run a continuous ping between hosts and post a new "show cry ipsec sa" from both PIXes.
labdunn (ASKER)

I changed the access-list statements for both nonat and Galisteo - good catch!  The access-list statements on PIXA now look like below.  I also noticed that a machine behind PIXA is NOT able to initiate the tunnel.  Only machines behind PIXB are able to initiate the tunnel.

With the tunnel up and continuous pings from both sides, the results of show crypto isakmp sa from both PIXes are attached.

Thanks again for your help.

From PixA
access-list nonat permit ip 10.24.135.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list Galisteo permit ip 10.24.135.0 255.255.255.0 192.168.32.0 255.255.255.0


crypto map VPN 67 ipsec-isakmp
crypto map VPN 67 match address Galisteo
crypto map VPN 67 set peer 72.216.245.22
crypto map VPN 67 set transform-set 3desmd5

pixa-show-crypto-isakmkp-sa.TXT
pixB-show-crypto-isakmkp-sa.TXT
The "show crypto" output appears to still be the same.  Can you post the now-current configurations?
labdunn (ASKER)

My mistake on the earlier update.  I think I posted the files from the wrong location.  Here are the right files along with the latest and greatest PIX configs.

Thanks again.


PixA-Config.TXT
PixB-config.TXT
PixA-show-cry-ipsec-sa.TXT
PixB-show-cry-ipsec-sa.TXT
Okay, so the tunnel looks good.  Based on the show commands, it looks like a PC in Site B is pinging a PC in Site A, correct?  Based on the output, the PC in Site A isn't responding to the ping, perhaps because it doesn't have a return route.  What is the default gateway of the PC in Site A?  Is it 10.24.135.254, or something else?
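The earlier request for "show crypto ipsec sa" and the diagnosis above both rest on reading the per-SA counters: a PIX that decapsulates packets but never encapsulates any is receiving the peer's traffic while its own inside hosts' replies never reach it, which points at routing behind that PIX rather than at the tunnel. The following parser and classifier are an added example, not code from anyone in this thread; the two sample outputs are constructed to mirror the PIX 6.3 counter lines, and the 203.0.113.10 peer address is a placeholder since PIX A's outside address is not given here.

```python
import re

# Constructed sample "show crypto ipsec sa" excerpts (values invented for illustration).
PIXA_SAMPLE = """
    local  ident (addr/mask/prot/port): (10.24.135.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.32.0/255.255.255.0/0/0)
    current_peer: 72.216.245.22:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 120, #pkts decrypt: 120, #pkts verify 120
    #send errors 5, #recv errors 0
"""

PIXB_SAMPLE = """
    local  ident (addr/mask/prot/port): (192.168.32.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.24.135.0/255.255.255.0/0/0)
    current_peer: 203.0.113.10:500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 3, #recv errors 0
"""

# Counter lines use "name: N" for pkts and "name N" for errors, so the colon is optional.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s+(\d+)")
# Proxy identities: "(addr/mask/prot/port): (10.24.135.0/255.255.255.0/0/0)"
IDENT_RE = re.compile(r"(local|remote)\s+ident.*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")


def parse_ipsec_sa(text):
    """Extract the protected subnets and the counters that reveal one-way traffic."""
    sa = {"local": None, "remote": None}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = f"{addr}/{mask}"
    for name, value in COUNTER_RE.findall(text):
        sa[name.replace(" ", "_")] = int(value)
    return sa


def diagnose(sa):
    """Classify the encaps/decaps pattern for a single SA."""
    encaps, decaps = sa.get("pkts_encaps", 0), sa.get("pkts_decaps", 0)
    if encaps and decaps:
        return "bidirectional: traffic is flowing both ways through this SA"
    if decaps and not encaps:
        # Peer traffic arrives and is decrypted, but no inside host reply comes back
        # through this PIX: check the inside hosts' default gateway / return route.
        return "receive-only: replies from the inside hosts never reach this PIX"
    if encaps and not decaps:
        return "send-only: the peer is not returning traffic; check routing behind it"
    return "idle: no traffic has matched the crypto ACL yet"
```

Run `diagnose(parse_ipsec_sa(text))` against each PIX's output; in this thread the receive-only verdict on PIX A matches a PC whose gateway is not the PIX.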
labdunn (ASKER)

You are right.  The gateway for the PC behind PIX A is 10.24.135.11, not the PIX's 10.24.135.254.  There are several VLANs behind PIXA and 10.24.135.11 is the core switch that serves as the router for all of them.

ASKER CERTIFIED SOLUTION
JFrederick29
labdunn (ASKER)

Thanks JFrederick29.  Got my pings!