Steve Gould
asked on
Adding site-to-site VPN to my PIX that already has remote access VPN
I have a Cisco PIX 525 (IOS 7.0(4) + ASDM 5.0(4)) that is already set up as a Remote Access VPN and working quite well as far as I can tell. I would like to add a Cisco SA 520 Security Appliance to my network at home and create a site-to-site VPN between the two. I have a static IP on my home ADSL connection. I would like to know if I can simply run the VPN Wizard again from ASDM and it will add the necessary configuration lines, or will it simply overwrite what is currently in existence for the Remote Access VPN. If anyone can give me some guidance as to what lines are needed to facilitate the Site-to-Site alongside the Remote Access I'd be very grateful. I can supply configuration details if necessary.
ASKER
I ran the VPN wizard again which seemed to go successfully. However I cannot test the result until the other side of my network is available - nudging my ISP along and will test in the next couple of days and see if I can link it up.
ASKER
I ran the wizard again on the PIX; however, when I try to connect up on the SA520 I get the following error:
2010-04-06 19:51:24: INFO: accept a request to establish IKE-SA: xxx.xxx.xxx.xxx
2010-04-06 19:51:24: INFO: Configuration found for xxx.xxx.xxx.xxx.
2010-04-06 19:51:24: INFO: Initiating new phase 1 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[500]
2010-04-06 19:51:24: INFO: Beginning Aggressive mode.
2010-04-06 19:51:24: INFO: NAT-Traversal is Enabled
2010-04-06 19:51:24: INFO: [agg_i1send:254]: XXX: NUMNATTVENDORIDS: 3
2010-04-06 19:51:24: INFO: [agg_i1send:258]: XXX: setting vendorid: 4
2010-04-06 19:51:24: INFO: [agg_i1send:258]: XXX: setting vendorid: 8
2010-04-06 19:51:24: INFO: [agg_i1send:258]: XXX: setting vendorid: 9
2010-04-06 19:51:24: INFO: Received Vendor ID: CISCO-UNITY
2010-04-06 19:51:24: INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2010-04-06 19:51:24: INFO: Received Vendor ID: DPD
2010-04-06 19:51:24: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-04-06 19:51:24: INFO: Received unknown Vendor ID
2010-04-06 19:51:24: INFO: Received unknown Vendor ID
2010-04-06 19:51:24: INFO: NAT-D payload matches for yyy.yyy.yyy.yyy[500]
2010-04-06 19:51:24: INFO: NAT-D payload matches for xxx.xxx.xxx.xxx[500]
2010-04-06 19:51:24: INFO: For xxx.xxx.xxx.xxx[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2010-04-06 19:51:24: INFO: NAT not detected
2010-04-06 19:51:24: INFO: ISAKMP-SA established for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:f972bce827060e43:e1d3293152871694
2010-04-06 19:51:25: INFO: Initiating new phase 2 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[0]
2010-04-06 19:51:25: ERROR: Unknown notify message from xxx.xxx.xxx.xxx[500].No phase2 handle found.
2010-04-06 19:51:25: INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=f972bce827060e43:e1d3293152871694.
2010-04-06 19:51:34: ERROR: Phase 2 negotiation failed due to time up. 8f4b04ceb9978080:5fdd8b3a5a246cc7:c6c2f1b6
2010-04-06 19:51:34: INFO: an undead schedule has been deleted: 'quick_i1prep'.
2010-04-06 19:51:34: INFO: ISAKMP-SA deleted for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:8f4b04ceb9978080:5fdd8b3a5a246cc7
2010-04-06 19:52:25: ERROR: Phase 2 negotiation failed due to time up. f972bce827060e43:e1d3293152871694:e83cd531
2010-04-06 19:52:25: INFO: an undead schedule has been deleted: 'quick_i1prep'.
2010-04-06 19:52:25: INFO: ISAKMP-SA deleted for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:f972bce827060e43:e1d3293152871694
It is as if the wizard did not add any of the config to do the phase 2 negotiation. I have a feeling I'm going to need to go to the command line to make this work, so any further help will be much appreciated.
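Added example, not part of the thread: a small parser for the SA520's racoon-style IKE log above that tracks phase 1 and phase 2 state per peer and reports the pattern the asker is seeing (ISAKMP SA established, then "No phase2 handle found" / "Phase 2 negotiation failed"). When phase 1 succeeds and phase 2 fails, the two ends agree on IKE but not on the IPsec proposal or proxy identities, so the diagnosis lists the usual mismatches to check on the PIX, PFS among them. The sample log is a trimmed, constructed copy of the lines quoted above; the "IPsec-SA established" message used for the success case is racoon's normal wording and is an assumption here, since it does not appear in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: trimmed from the SA520 log quoted in the question (addresses masked as in the post).
SAMPLE_LOG = """\
2010-04-06 19:51:24: INFO: Initiating new phase 1 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[500]
2010-04-06 19:51:24: INFO: Beginning Aggressive mode.
2010-04-06 19:51:24: INFO: NAT not detected
2010-04-06 19:51:24: INFO: ISAKMP-SA established for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:f972bce827060e43:e1d3293152871694
2010-04-06 19:51:25: INFO: Initiating new phase 2 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[0]
2010-04-06 19:51:25: ERROR: Unknown notify message from xxx.xxx.xxx.xxx[500].No phase2 handle found.
2010-04-06 19:51:25: INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=f972bce827060e43:e1d3293152871694.
2010-04-06 19:51:34: ERROR: Phase 2 negotiation failed due to time up. 8f4b04ceb9978080:5fdd8b3a5a246cc7:c6c2f1b6
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>[A-Z]+): (?P<msg>.*)$")
# "local[500]<=>peer[500]" (negotiation lines) or "local[500]-peer[500]" (SA established/deleted lines)
PAIR_RE = re.compile(r"(?P<local>[\w.]+)\[\d+\](?:<=>|-)(?P<peer>[\w.]+)\[\d+\]")
# "... from peer[500] ..." (notify/error lines)
FROM_RE = re.compile(r"from (?P<peer>[\w.]+)\[\d+\]")


@dataclass
class PeerState:
    phase1: str = "none"       # none | negotiating | established | torn_down
    phase2: str = "none"       # none | negotiating | established | failed
    aggressive_mode: bool = False
    nat_detected: Optional[bool] = None
    errors: List[str] = field(default_factory=list)


def _peer_of(msg: str, current: Optional[str]) -> Optional[str]:
    """Peer named on this line, or the peer of the previous line that named one."""
    m = PAIR_RE.search(msg) or FROM_RE.search(msg)
    return m.group("peer") if m else current


def parse_ike_log(text: str) -> Dict[str, PeerState]:
    peers: Dict[str, PeerState] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        current = _peer_of(msg, current)
        if current is None:
            continue
        st = peers.setdefault(current, PeerState())
        if "Initiating new phase 1 negotiation" in msg:
            st.phase1 = "negotiating"
        elif "Beginning Aggressive mode" in msg:
            st.aggressive_mode = True
        elif "NAT not detected" in msg:
            st.nat_detected = False
        elif msg.startswith("NAT detected"):
            st.nat_detected = True
        elif "ISAKMP-SA established" in msg:
            st.phase1 = "established"
        elif "Initiating new phase 2 negotiation" in msg:
            st.phase2 = "negotiating"
        elif "IPsec-SA established" in msg:      # assumed racoon success wording; not in the post
            st.phase2 = "established"
        elif m.group("level") == "ERROR":
            st.errors.append(msg)
            if "phase2" in msg.lower() or "Phase 2" in msg:
                st.phase2 = "failed"
        elif "Purged ISAKMP-SA" in msg or "ISAKMP-SA deleted" in msg:
            st.phase1 = "torn_down"
    return peers


def diagnose(st: PeerState) -> dict:
    """Turn the per-peer state into a short troubleshooting verdict."""
    findings: List[str] = []
    likely: List[str] = []
    if st.phase1 in ("none", "negotiating"):
        findings.append("phase 1 never completed: check pre-shared key, IKE policy and peer address")
    elif st.phase2 == "failed":
        findings.append("phase 1 succeeded but phase 2 failed: peers agree on IKE, not on IPsec parameters")
        likely = [
            "PFS enabled on one side and disabled on the other",
            "transform set (ESP cipher/hash) or SA lifetime mismatch",
            "proxy identities (crypto ACL / local and remote networks) do not match",
            "no crypto map entry for this peer on the responder",
        ]
    elif st.phase2 == "established":
        findings.append("tunnel up")
    if st.aggressive_mode:
        findings.append("IKE aggressive mode in use; main mode is preferred with pre-shared keys")
    return {"phase1": st.phase1, "phase2": st.phase2, "findings": findings,
            "likely_causes": likely, "errors": st.errors}


if __name__ == "__main__":
    for peer, state in parse_ike_log(SAMPLE_LOG).items():
        print(peer, diagnose(state))
```

Running it against the sample reports the peer as phase 1 established and later torn down, phase 2 failed, with the PFS mismatch first in the list of things to check; this is exactly the mismatch the asker later found between the SA520 and the PIX.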
ASKER
I realise this has become more difficult, so I'll increase the point value. Thanks to those that have helped so far.
ASKER
Thanks vreinaldo but it turns out I had PFS turned on for the SA 520 but off for the PIX 525. As soon as I turned it off the link came straight up. So it seems it is problem solved.
Can you post your config, so I can give you the full, detailed commands needed for this?
Thanks!