Help with VPN between a Cisco PIX 501 and a Cisco RVS4000

Good afternoon!

A client recently had a Netopia firewall die at a remote site. They replaced it with a Cisco RVS4000. I am trying to reestablish their VPN tunnel with the main site, with no luck thus far. The main site has a PIX 501. Hopefully I am just missing something simple. Thank you!

PIX:
 
names
name 192.168.1.10 mail_server
name 192.168.1.6 term
name 192.168.3.0 nc
access-list outside_access_in permit tcp any host 66.193.181.109 eq smtp
access-list outside_access_in permit tcp any host 66.193.181.109 eq pop3
access-list outside_access_in permit tcp any host 66.193.181.109 eq 3389
access-list outside_access_in permit tcp any host 66.193.181.112 eq smtp
access-list outside_access_in permit tcp any host 66.193.181.112 eq pop3
access-list outside_access_in permit tcp any host 66.193.181.112 eq www
access-list outside_access_in permit tcp any host 66.193.181.110 eq pptp
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any nc 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.1.170 255.255.255.254
access-list inside_outbound_nat0_acl permit ip any 192.168.1.172 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.170 255.255.255.254
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.1.174 255.255.255.254
access-list inside_outbound_nat0_acl permit ip host 192.168.1.13 192.168.99.0 255.255.255.0
access-list outside_cryptomap_dyn_120 permit ip any 192.168.1.0 255.255.255.224
access-list outside_cryptomap_20 permit ip any nc 255.255.255.0
access-list outside_cryptomap_dyn_140 permit ip any 192.168.1.170 255.255.255.254
access-list tamir_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list tamir_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list tmeta_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list tmeta_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_160 permit ip any 192.168.1.172 255.255.255.254
access-list epaugh_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_180 permit ip any 192.168.1.170 255.255.255.254
access-list ics_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list ics_splitTunnelAcl permit ip 10.10.10.0 255.255.255.0 any
access-list contract_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list contract_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_200 permit ip any 192.168.1.192 255.255.255.224
access-list peted_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list peted_splitTunnelAcl permit ip 10.10.10.0 255.255.255.0 any
access-list outside_cryptomap_dyn_220 permit ip any 192.168.1.174 255.255.255.254
access-list kkrause_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list kkrause_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_240 permit ip host 192.168.1.13 192.168.99.0 255.255.255.0
access-list corning_splitTunnelAcl permit ip host 192.168.1.13 any
no pager
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.193.181.120 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool tami 192.168.1.170-192.168.1.171
ip local pool tony 192.168.1.172-192.168.1.173
ip local pool ICSPOOL 192.168.1.21
ip local pool 200 192.168.1.200-192.168.1.208
ip local pool contract 192.168.1.15-192.168.1.20 mask 255.255.255.0
ip local pool karen 192.168.1.174-192.168.1.175
ip local pool corning 192.168.99.100-192.168.99.110
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 66.193.181.111
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.193.181.112 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 66.193.181.109 term netmask 255.255.255.255 0 0
static (inside,outside) 66.193.181.110 mail_server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit icmp host 66.193.181.120 any echo
conduit permit icmp host 66.193.181.110 any echo
route outside 0.0.0.0 0.0.0.0 66.193.181.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 180 match address outside_cryptomap_dyn_180
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 200 match address outside_cryptomap_dyn_200
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 220 match address outside_cryptomap_dyn_220
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 240 match address outside_cryptomap_dyn_240
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.162.202.250
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 66.162.202.250 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup contract address-pool 200
vpngroup contract dns-server mail_server
vpngroup contract wins-server mail_server
vpngroup contract default-domain pipemakers.local
vpngroup contract split-tunnel contract_splitTunnelAcl
vpngroup contract idle-time 1800
vpngroup contract password ********
vpngroup tamir address-pool tami
vpngroup tamir dns-server mail_server
vpngroup tamir wins-server mail_server
vpngroup tamir default-domain pipemakers
vpngroup tamir split-tunnel tamir_splitTunnelAcl
vpngroup tamir idle-time 1800
vpngroup tamir password ********
vpngroup tmeta address-pool tony
vpngroup tmeta dns-server mail_server
vpngroup tmeta wins-server mail_server
vpngroup tmeta default-domain pipemakers
vpngroup tmeta split-tunnel tmeta_splitTunnelAcl
vpngroup tmeta idle-time 80000
vpngroup tmeta password ********
vpngroup ics address-pool ICSPOOL
vpngroup ics dns-server mail_server
vpngroup ics wins-server mail_server
vpngroup ics default-domain pipemakers
vpngroup ics split-tunnel ics_splitTunnelAcl
vpngroup ics idle-time 1800
vpngroup ics password ********
vpngroup epaugh address-pool tami
vpngroup epaugh dns-server mail_server term
vpngroup epaugh default-domain pipemakers
vpngroup epaugh split-tunnel epaugh_splitTunnelAcl
vpngroup epaugh idle-time 1800
vpngroup epaugh password ********
vpngroup peted address-pool 200
vpngroup peted dns-server mail_server
vpngroup peted default-domain pipemakers
vpngroup peted split-tunnel peted_splitTunnelAcl
vpngroup peted idle-time 1800
vpngroup peted password ********
vpngroup kkrause address-pool karen
vpngroup kkrause dns-server mail_server
vpngroup kkrause wins-server mail_server
vpngroup kkrause default-domain pipemakers
vpngroup kkrause split-tunnel kkrause_splitTunnelAcl
vpngroup kkrause idle-time 1800
vpngroup kkrause password ********
vpngroup corning address-pool corning
vpngroup corning split-tunnel corning_splitTunnelAcl
vpngroup corning idle-time 1800
vpngroup corning password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
username Cisco password 9ViKxX39JvevUOV0 encrypted privilege 2
terminal width 80
Cryptochecksum:433cf261cae6200fd686d13bbc85f208
: end
npppix#

RVS4000:
[RVS4000 configuration posted as two screenshots: "RVS Config 1" and "RVS Config 2"]

norgetek commented:

Does phase 1 come up at all?  Do you have debug output?

Have you tried modifying the RVS "key lifetime" under phase 2 to 28800?
SchoolPage (author) commented:
I do not think phase 1 comes up at all.
The Key Lifetime was originally set at 28800; I changed it back, with no result.

Debug output from "debug crypto ipsec" and "debug crypto isakmp" :
 
User Access Verification

Password:
Type help or '?' for a list of available commands.
npppix> en
Password: *******
npppix# conf t
npppix(config)# debug crypto ipsec
npppix(config)# debugIPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 66.193.181.120, remote= 66.162.202.250,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= nc/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x2aac52e(44746030) for SA
        from  66.162.202.250 to  66.193.181.120 for prot 3


npppix(config)# debug crypto isakmp
npppix(config)# IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 66.193.181.120, remote= 66.162.202.250,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= nc/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 2 (5/3)... mess_id 0xf29a5f72
ISAKMP (0): beginning Quick Mode exchange, M-ID of 210174114:c8700a2IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xdf3b720f(3745214991) for SA
        from  66.162.202.250 to  66.193.181.120 for prot 3

ISAKMP (0): retransmitting phase 2 (6/3)... mess_id 0xf29a5f72
ISAKMP (0): retransmitting phase 2 (0/3)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (7/3)... mess_id 0xf29a5f72
ISAKMP (0): retransmitting phase 2 (1/3)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (8/3)... mess_id 0xf29a5f72
ISAKMP (0): retransmitting phase 2 (2/3)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (9/3)... mess_id 0xf29a5f72
ISAKMP (0): retransmitting phase 2 (3/3)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (10/3)... mess_id 0xf29a5f72
ISAKMP (0): retransmitting phase 2 (4/4)... mess_id 0xc8700a2IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 66.193.181.120, remote= 66.162.202.250,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= nc/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 2 (5/4)... mess_id 0xc8700a2
ISAKMP (0): beginning Quick Mode exchange, M-ID of -191073034:f49c74f6IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3314d077(857002103) for SA
        from  66.162.202.250 to  66.193.181.120 for prot 3

ISAKMP (0): retransmitting phase 2 (6/4)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (0/4)... mess_id 0xf49c74f6
ISAKMP (0): retransmitting phase 2 (7/4)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (1/4)... mess_id 0xf49c74f6
ISAKMP (0): retransmitting phase 2 (8/4)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (2/4)... mess_id 0xf49c74f6
ISAKMP (0): retransmitting phase 2 (9/4)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (3/4)... mess_id 0xf49c74f6
ISAKMP (0): retransmitting phase 2 (10/4)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (4/5)... mess_id 0xf49c74f6
ISAKMP (0): deleting SA: src 66.162.202.250, dst 66.193.181.120
ISADB: reaper checking SA 0xfca234, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 66.162.202.250/500 not found - peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  66.162.202.250
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 66.193.181.120, remote= 66.162.202.250,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= nc/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:66.162.202.250, dest:66.193.181.120 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:66.162.202.250, dest:66.193.181.120 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 27
ISAKMP (0): Total payload length: 31
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:66.162.202.250, dest:66.193.181.120 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA

ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:66.162.202.250, dest:66.193.181.120 spt:500 dpt:500
ISAKMP: phase 1 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:66.162.202.250, dest:66.193.181.120 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 66.193.181.120, remote= 66.162.202.250,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= nc/255.255.255.0/0/0 (type=4)

Please let me know if there is another debug command that will help; those are the two I am familiar with. Thank you!
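Reading a PIX `debug crypto isakmp` dump by eye is error-prone once phase 1 and phase 2 retransmits interleave, as they do above. The following is an added example (not part of the thread, and not a Cisco tool) that makes one pass over such output and records how far the IKE negotiation got: whether a main mode exchange started, which ISAKMP policy priority and attributes were accepted, which identity type the pre-shared-key authentication is using, whether the KE/NONCE payloads were processed, how many phase 1 and phase 2 retransmits occurred, and how many quick mode messages the PIX dropped because the SA was never authenticated. The sample text is a constructed, trimmed excerpt of the debug output posted above; the string "SA has been authenticated" is assumed to be the PIX 6.x marker for a completed main mode (it does not appear in the posted output, so the summary reports phase 1 as never authenticated).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample: a trimmed excerpt of the "debug crypto isakmp" output posted
# above (PIX outside interface 66.193.181.120, RVS4000 at 66.162.202.250).
SAMPLE_DEBUG = """\
ISAKMP (0): retransmitting phase 2 (9/4)... mess_id 0xc8700a2
ISAKMP (0): retransmitting phase 2 (4/5)... mess_id 0xf49c74f6
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:66.162.202.250, dest:66.193.181.120 spt:500 dpt:500
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP: drop P2 msg on unauthenticated SA
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP: drop P2 msg on unauthenticated SA
"""

RE_PEER = re.compile(r"src:(\d+\.\d+\.\d+\.\d+), dest:(\d+\.\d+\.\d+\.\d+)")
RE_POLICY = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
RE_ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)$")
RE_ID_TYPE = re.compile(r"using id type (\S+)")
RE_RETRANS_P1 = re.compile(r"retransmitting phase 1 \(\d+\)")
RE_RETRANS_P2 = re.compile(r"retransmitting phase 2 \(\d+/\d+\)\.\.\. mess_id (0x[0-9a-f]+)")


@dataclass
class IkeSummary:
    peer: str = ""
    local: str = ""
    main_mode_started: bool = False
    policy_priority: Optional[int] = None
    proposal: Dict[str, str] = field(default_factory=dict)
    policy_accepted: bool = False
    auth_id_type: str = ""
    ke_nonce_done: bool = False
    phase1_authenticated: bool = False
    phase1_retransmits: int = 0
    phase2_retransmits: int = 0
    phase2_message_ids: Set[str] = field(default_factory=set)
    p2_dropped_unauthenticated: int = 0

    def furthest_stage(self) -> str:
        # Main mode: MM1/2 carry the policy, MM3/4 the DH value and nonce, MM5/6 identity + auth.
        if self.phase1_authenticated:
            return "phase 1 complete"
        if self.ke_nonce_done:
            return "phase 1 stalled after MM3/MM4: key exchange done, SA never authenticated"
        if self.policy_accepted:
            return "phase 1 stalled after MM1/MM2: policy agreed, no key exchange seen"
        if self.main_mode_started:
            return "phase 1 stalled at MM1: no acceptable policy"
        return "no phase 1 activity seen"


def summarize_isakmp_debug(text: str) -> IkeSummary:
    """One pass over PIX 'debug crypto isakmp' lines, recording how far IKE got."""
    s = IkeSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_PEER.search(line):
            s.peer, s.local = m.group(1), m.group(2)
        if "beginning Main Mode exchange" in line:
            s.main_mode_started = True
        if m := RE_POLICY.search(line):
            s.policy_priority = int(m.group(1))
        if m := RE_ATTR.match(line):
            s.proposal[m.group(1).replace("default group", "group")] = m.group(2)
        if "atts are acceptable" in line:
            s.policy_accepted = True
        if m := RE_ID_TYPE.search(line):
            s.auth_id_type = m.group(1)
        if "processing NONCE payload" in line:
            s.ke_nonce_done = True
        if "SA has been authenticated" in line:  # assumed PIX 6.x completion marker
            s.phase1_authenticated = True
        if RE_RETRANS_P1.search(line):
            s.phase1_retransmits += 1
        if m := RE_RETRANS_P2.search(line):
            s.phase2_retransmits += 1
            s.phase2_message_ids.add(m.group(1))
        if "drop P2 msg on unauthenticated SA" in line:
            s.p2_dropped_unauthenticated += 1
    return s


if __name__ == "__main__":
    r = summarize_isakmp_debug(SAMPLE_DEBUG)
    print(f"{r.local} <-> {r.peer}: {r.furthest_stage()}")
    print(f"policy {r.policy_priority} {r.proposal}, id type {r.auth_id_type}")
    print(f"P1 retransmits {r.phase1_retransmits}, P2 retransmits {r.phase2_retransmits}, "
          f"quick mode dropped on unauthenticated SA {r.p2_dropped_unauthenticated}")
```

Run it against a full debug capture (`summarize_isakmp_debug(open("pix-debug.txt").read())`) before changing configuration: if `furthest_stage()` never reports "phase 1 complete", a phase 2 fix such as a proxy ID or key lifetime change cannot be confirmed until main mode succeeds.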
norgetek commented:

I would review your proxy ID configuration. The two sides do not match.

On the pix you have:

local: 0.0.0.0/0
remote: 192.168.3.0/24

On the RVS you have:
local: 192.168.3.1/24
remote: 192.168.1.0/24

Change those to match by modifying this line on the PIX:
access-list outside_cryptomap_20 permit ip any nc 255.255.255.0

To this:

access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Also change the RVS to be 0 in the last octet instead of 1.

Change both of those and then initiate some traffic and do another debug and post it.

amar85 commented:
At your PIX end, can you please be more specific in the ACLs?

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 nc 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 nc 255.255.255.0

Also, I hope you don't have a route for the inside network with the same remote network at both ends.
Hope this helps further.
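Both replies above come down to the same check: in IKEv1 quick mode the proxy IDs must be exact mirrors (the PIX crypto ACL source must equal the RVS remote network and the PIX crypto ACL destination must equal the RVS local network), and the NAT-exemption ACL must cover that same traffic so it reaches the crypto map un-NATed. The following is an added example (not from the thread, and not Cisco or Linksys code) that performs those checks offline. It resolves the PIX `names` entry `nc`, parses the posted `outside_cryptomap_20` and `inside_outbound_nat0_acl` lines, takes the RVS local/remote values exactly as norgetek read them from the screenshots (`192.168.3.1/24`, `192.168.1.0/24`), flags the host bit in `192.168.3.1/24`, lists the mismatches, and emits the corrected PIX ACL line. The generic parser also handles `host` entries of the kind used by `outside_cryptomap_dyn_240`.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed inputs copied from the thread: the PIX "names" entry, the site-to-site
# crypto ACL and the NAT-exemption ACL as posted, and the RVS4000 local/remote
# networks as norgetek read them off the screenshots.
PIX_NAMES: Dict[str, str] = {"nc": "192.168.3.0"}
PIX_CRYPTO_ACL = "access-list outside_cryptomap_20 permit ip any nc 255.255.255.0"
PIX_NAT0_ACL = "access-list inside_outbound_nat0_acl permit ip any nc 255.255.255.0"
RVS_LOCAL, RVS_REMOTE = "192.168.3.1/24", "192.168.1.0/24"


class ProxyId(NamedTuple):
    local: IPv4Net   # traffic source as seen by this peer
    remote: IPv4Net  # traffic destination as seen by this peer


def _take_pix_address(fields: List[str], names: Dict[str, str]) -> Tuple[IPv4Net, List[str]]:
    """Consume one PIX ACL address spec: 'any', 'host X', or 'X <netmask>',
    where X may be an entry from the PIX 'names' table."""
    tok = fields[0]
    if tok == "any":
        return IPv4Net("0.0.0.0/0"), fields[1:]
    if tok == "host":
        return IPv4Net(names.get(fields[1], fields[1]) + "/32"), fields[2:]
    return IPv4Net(f"{names.get(tok, tok)}/{fields[1]}"), fields[2:]


def parse_pix_acl(line: str, names: Dict[str, str]) -> ProxyId:
    """Parse 'access-list NAME permit ip <src> <dst>' into a ProxyId."""
    fields = line.split()
    i = fields.index("permit")
    if fields[i + 1] != "ip":
        raise ValueError("only 'permit ip' entries are handled")
    src, rest = _take_pix_address(fields[i + 2:], names)
    dst, rest = _take_pix_address(rest, names)
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    return ProxyId(local=src, remote=dst)


def parse_rvs_network(cidr: str) -> Tuple[IPv4Net, bool]:
    """Parse an RVS-style 'A.B.C.D/len'. Returns (network, had_host_bits); the flag is
    True when a host address such as .1/24 was entered where a network was expected."""
    try:
        return IPv4Net(cidr), False
    except ValueError:
        return IPv4Net(cidr, strict=False), True


def proxy_mismatches(pix: ProxyId, rvs: ProxyId) -> List[str]:
    """Proxy IDs must mirror exactly: PIX local == RVS remote, PIX remote == RVS local."""
    problems = []
    if pix.local != rvs.remote:
        problems.append(f"PIX local {pix.local} is not the mirror of RVS remote {rvs.remote}")
    if pix.remote != rvs.local:
        problems.append(f"PIX remote {pix.remote} is not the mirror of RVS local {rvs.local}")
    return problems


def pix_acl_for(rvs: ProxyId, acl_name: str = "outside_cryptomap_20") -> str:
    """Emit the PIX crypto ACL line that mirrors the RVS proxy IDs exactly."""
    src, dst = rvs.remote, rvs.local
    return (f"access-list {acl_name} permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")


def nat0_covers(nat0_lines: List[str], crypto: ProxyId, names: Dict[str, str]) -> bool:
    """The nat 0 ACL must include the encrypted traffic, or it is translated before
    it reaches the crypto map and never matches the negotiated proxy ID."""
    return any(
        n.local.supernet_of(crypto.local) and n.remote.supernet_of(crypto.remote)
        for n in (parse_pix_acl(l, names) for l in nat0_lines)
    )


def check_site_to_site() -> dict:
    pix = parse_pix_acl(PIX_CRYPTO_ACL, PIX_NAMES)
    rvs_local, local_host_bits = parse_rvs_network(RVS_LOCAL)
    rvs_remote, _ = parse_rvs_network(RVS_REMOTE)
    rvs = ProxyId(local=rvs_local, remote=rvs_remote)
    fixed = pix_acl_for(rvs)
    fixed_proxy = parse_pix_acl(fixed, PIX_NAMES)
    return {
        "pix_proxy": pix,
        "rvs_proxy": rvs,
        "rvs_local_had_host_bits": local_host_bits,
        "mismatches": proxy_mismatches(pix, rvs),
        "suggested_pix_acl": fixed,
        "fixed_acl_mirrors_rvs": proxy_mismatches(fixed_proxy, rvs) == [],
        "nat0_covers_fixed": nat0_covers([PIX_NAT0_ACL], fixed_proxy, PIX_NAMES),
    }


if __name__ == "__main__":
    for key, value in check_site_to_site().items():
        print(f"{key}: {value}")
```

The `any` source in the posted crypto ACL is the PIX-side half of the mismatch: `0.0.0.0/0` is not the mirror of the RVS remote `192.168.1.0/24`, and the RVS-side half is the `.1` host bit in `192.168.3.1/24`. The emitted line is the one norgetek proposed, and the unchanged `nat 0` ACL already covers it because its `any` source is a supernet of `192.168.1.0/24`.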

SchoolPage (author) commented:
Unit is being replaced with an ASA.  Thanks everyone for all your help, Happy Holidays!