
Copy Config from PIX 515e to PIX 515e

I have a Cisco PIX 515e running version 6.3(5) that has a Failover Only license (so it reboots itself every 24 hours). I need to transfer that config to another PIX with an Unrestricted license, same model and version. I upload it to my TFTP server and pull it down to the PIX with the UR license, and everything looks and works fine except for one issue: the PIX has an IPsec site-to-site VPN tunnel to a remote location that never connects back up. How can I go about getting the PIX with the UR license to have the exact same config as the PIX with the FO license and not lose the IPsec tunnel settings? I think version 7 would allow this, but how do I do it with version 6.3?

Thanks
Asked by: walcointl
1 Solution
 
InteraX commented:
What's missing from the IPsec settings when you copy the config back on?
Are you using PDM to back up the config or the command line?
0
 
walcointl (Author) commented:
I'm using the command line; nothing is missing. If I do a show run the configs look exactly the same. I think I saw someone say that the certificate doesn't move over on version 6.3...
0
 
InteraX commented:
What type of auth are you using for the IPsec tunnel?

You may not be able to export the cert depending on how it was created. Can you post a sanitised copy of the IPsec config?
0
 
walcointl (Author) commented:
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key **** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
0
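A quick way to check the "configs look exactly the same" claim is to normalise both `show run` captures and compare them line by line, while flagging anything the PIX prints masked (the `isakmp key ****` line), because an identical row of asterisks says nothing about whether the stored key matches. The script below is an added example for this thread, not something posted by the asker or shipped by Cisco. Config A is the crypto snippet posted above (already sanitised in the thread); config B is a constructed copy with one drifted `isakmp policy` line and a constructed crypto ACL added. It also lists crypto ACLs that a `match address` statement references but that are absent from the capture, since the posted snippet references `outside_cryptomap_20` without showing it.

```python
"""Compare two PIX 6.x 'show run' captures before trusting that they are identical."""
import re

# Config A: the crypto lines posted in the thread (peer and key already sanitised there).
CONFIG_FO = """\
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key **** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Config B: constructed copy with a drifted hash setting and a constructed crypto ACL.
CONFIG_UR = """\
sysopt connection permit-ipsec
access-list outside_cryptomap_20 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key **** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

MASKED_RE = re.compile(r"\*{4,}")  # the PIX prints stored keys as a run of asterisks
MATCH_ADDR_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")


def normalize(text):
    """Return the meaningful config lines: whitespace collapsed, headers and separators dropped."""
    lines = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line[0] in ":!":  # ': Saved' style headers and '!' separators
            continue
        lines.append(line)
    return lines


def diff_configs(text_a, text_b):
    """Set difference of the two captures plus every line whose value is masked."""
    a, b = set(normalize(text_a)), set(normalize(text_b))
    return {
        "only_in_a": sorted(a - b),
        "only_in_b": sorted(b - a),
        # Identical masked lines prove nothing about the stored secret; re-enter it on the target.
        "masked": sorted(line for line in a | b if MASKED_RE.search(line)),
    }


def missing_acls(text):
    """Crypto ACL names used by 'match address' that never appear as an access-list in the capture."""
    lines = normalize(text)
    referenced, defined = set(), set()
    for line in lines:
        m = MATCH_ADDR_RE.match(line)
        if m:
            referenced.add(m.group(1))
        parts = line.split()
        if parts[0] == "access-list" and len(parts) > 1:
            defined.add(parts[1])
    return sorted(referenced - defined)


if __name__ == "__main__":
    report = diff_configs(CONFIG_FO, CONFIG_UR)
    for key, lines in report.items():
        print(f"{key}:")
        for line in lines:
            print(f"  {line}")
    print("ACLs referenced but not captured (A):", missing_acls(CONFIG_FO))
    print("ACLs referenced but not captured (B):", missing_acls(CONFIG_UR))
```

Run against the two captures it reports the `hash md5` / `hash sha` drift, the ACL present only in B, and the masked `isakmp key` line as something a text comparison cannot verify.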
 
nodisco commented:
If you are using the exact same configuration and the PSK is definitely correct, you should be fine.
You're not using certs to authenticate, but if you have a local self-signed cert (SSH etc.) you will need to regenerate this.

Another possibility is the ARP cache on your perimeter next hop, be it a router or public switch. It will have an old ARP entry for the public IP of the old firewall, and you have now replaced this IP with new hardware. You could clear the ARP cache or even reboot the next hop equipment.

Have you done any debugging?
Check if it's failing at phase 1 or 2.

Starting with the below will be helpful to see where it's going astray:

debug cry isakmp

hth
0
 
walcointl (Author) commented:
Output of the debug; the 64.x.x.x address is the remote host I'm trying to reach.

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3103086274

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2950305706
0
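Reading a `debug crypto isakmp` trace for the phase 1 versus phase 2 question nodisco raised can be mechanised. The classifier below is an added example for this thread, not code from the asker or from Cisco. It tracks the exchange markers (`OAK_MM`/`OAK_AG` are main and aggressive mode, so phase 1; `OAK_QM` is quick mode, so phase 2), records whether the transform attributes were accepted before the SA was rejected, decodes the ISAKMP notify type and DOI protocol number (RFC 2408 and RFC 2407 values: notify 14 is NO-PROPOSAL-CHOSEN, protocol 3 is ESP), and converts the byte-wise kilobyte lifetime dump into an integer. The quick-mode sample is the trace posted above; the main-mode sample is constructed, modelled on PIX 6.x wording, to exercise the other branch. The hint table holds general troubleshooting pointers for each outcome, not a diagnosis of this particular tunnel.

```python
"""Classify a PIX 6.x 'debug crypto isakmp' trace as a phase 1 or phase 2 rejection."""
import re

# Sample 1: the quick-mode lines posted in the thread (one negotiation round).
SAMPLE_PHASE2_DEBUG = """\
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3103086274
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
"""

# Sample 2: constructed main-mode failure modelled on PIX 6.x wording (not from the thread).
SAMPLE_PHASE1_DEBUG = """\
crypto_isakmp_process_block:src:64.X.X.X, dest:67.X.X.X spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 1
return status is IKMP_ERR_NO_RETRANS
"""

PHASE_BY_EXCHANGE = {"OAK_MM": 1, "OAK_AG": 1, "OAK_QM": 2}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
PROTO_IDS = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP"}

PEER_RE = re.compile(r"src:(\S+), dest:(\S+)")
NOTIFY_RE = re.compile(r"sending NOTIFY message (\d+) protocol (\d+)")
SECONDS_RE = re.compile(r"SA life duration \(basic\) of (\d+)")
VPI_RE = re.compile(r"SA life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")

# (phase, attributes accepted) -> where to look next. General pointers, not a diagnosis.
HINTS = {
    (1, False): "phase 1 rejected on attributes: compare 'isakmp policy' encryption/hash/group/auth on both ends",
    (1, True): "phase 1 attributes matched but SA rejected: check the pre-shared key and peer identity",
    (2, False): "phase 2 rejected on attributes: compare 'crypto ipsec transform-set' and SA lifetimes",
    (2, True): "phase 2 attributes matched but policy rejected the proposal: check the crypto map "
               "'match address' ACL (proxy identities) and PFS settings",
}


def decode_vpi_lifetime(dump):
    """The PIX dumps the kilobyte lifetime byte by byte: '0x0 0x46 0x50 0x0' -> 4608000."""
    return int.from_bytes(bytes(int(b, 16) for b in dump.split()), "big")


def classify_isakmp_debug(text):
    """Walk the trace once and summarise which phase failed and why."""
    result = {"phase": None, "peer": None, "atts_accepted": False, "rejected": False,
              "notify": None, "protocol": None, "lifetime_sec": None, "lifetime_kb": None, "hint": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PEER_RE.search(line):
            result["peer"] = m.group(1)
        for marker, phase in PHASE_BY_EXCHANGE.items():
            if line.startswith(marker):
                result["phase"] = phase
        if "Checking IPSec proposal" in line:
            result["phase"] = 2
        elif "Checking ISAKMP transform" in line:
            result["phase"] = 1
        if line.endswith("atts are acceptable."):
            result["atts_accepted"] = True
        elif "atts are not acceptable" in line:
            result["atts_accepted"] = False
        if any(s in line for s in ("SA not acceptable", "invalidated proposal", "no offers accepted")):
            result["rejected"] = True
        if m := SECONDS_RE.search(line):
            result["lifetime_sec"] = int(m.group(1))
        if m := VPI_RE.search(line):
            result["lifetime_kb"] = decode_vpi_lifetime(m.group(1))
        if m := NOTIFY_RE.search(line):
            result["notify"] = NOTIFY_TYPES.get(int(m.group(1)), f"type {m.group(1)}")
            result["protocol"] = PROTO_IDS.get(int(m.group(2)), f"protocol {m.group(2)}")
    if result["rejected"] and result["phase"]:
        result["hint"] = HINTS.get((result["phase"], result["atts_accepted"]))
    return result


if __name__ == "__main__":
    for name, sample in (("posted trace", SAMPLE_PHASE2_DEBUG), ("constructed trace", SAMPLE_PHASE1_DEBUG)):
        print(name, classify_isakmp_debug(sample))
```

On the posted trace the summary is phase 2, attributes accepted, NO-PROPOSAL-CHOSEN for ESP, lifetimes 28800 s and 4608000 KB, so the pointer is towards the crypto map's `match address` ACL and PFS rather than the ISAKMP policy or the key; the constructed trace lands in the phase 1 branch.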
 
walcointl (Author) commented:
I got it, thanks nodisco.
0
