RE: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem



Thanks for the help, unfortunately this was a stupid error. After
looking at the configs one more time I noticed the first octet was off
by one for the crypto map on the branch VPN.

I had looked over that config and the error messages dozen of times and
missed it every time.

Thanks again for the help.

Joe

-----Original Message-----
From: Julian M D [mailto:julianmd@xxxxxxxxx]
Sent: Tuesday, February 07, 2006 6:44 PM
To: Joe Keegan
Cc: Horvath, Kevin M.; firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem

I don't see anything wrong in your config, even though I've
had situations in the past where the preshared key or the
crypto map "CISCO VPN engineers said' gets corrupted by
adding and removing commands in a certain order.

If you removed the map first replaced the key, and then
reapplied the map, that should have fixed the issue. For the
sake of it, could you please post isakmp debug from HQ as well?

As this is not a very elaborated vpn config, I also suggest
to completly remove it, write mem, reboot, and then past it
again using the cli.

Keep us posted

HTH

Julian Dragut

On 2/7/06, Joe Keegan <jkeegan@xxxxxxxxxxxxxxxx> wrote:
Julian,

Thanks for the response. I remove the passphrase are
related configs
and added a very simple pass phrase and I am receiving the
same errors.

Any other ideas?

Thanks

Joe

-----Original Message-----
From: Julian M D [mailto:julianmd@xxxxxxxxx]
Sent: Tuesday, February 07, 2006 2:36 PM
To: Horvath, Kevin M.
Cc: Joe Keegan; firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem

Addition to the last post:

on the HQ pix if you use the clear isakmp key, it is also
going to
erase the existing vpn preshared key, so you better removed with
"no", rather than clear command.

HTH

On 2/7/06, Julian M D <julianmd@xxxxxxxxx> wrote:
Hi there,
This is most probably because of the corruption in the
preshared key,
so my advice is to do this on both pixes:

HQ PIX

no crypto map VPN interface outside clear isakmp key isakmp key
******** address xxx.yyy.191.66 netmask 255.255.255.255
crypto map
VPN interface outside

REMOTE 501

no crypto map VPN interface outside clear isakmp key isakmp key
******** address aa.bbb.194.253 netmask 255.255.255.255
crypto map
VPN interface outside

wr mem
clear crypto isakmp sa
clear crypto ipsec sa

Good luck,

Julian Dragut


please use the copy and paste when setting up the preshared key

On 2/7/06, Horvath, Kevin M. <KEVIN.M.HORVATH@xxxxxxxx> wrote:



isakmp key ******** address xxx.yyy.191.66 netmask
255.255.255.255



Verify that the you can reach the HQ ip from the 501 via
udp 500 and verify that the key matches what you have in the
501 config......reset both keys to (no spaces either) the same
passphrase and try again.




Kevin M. Horvath
CISSP,CCSP,INFOSEC,CCNA




________________________________


From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On
Behalf Of Joe
Keegan
Sent: Monday, February 06, 2006 12:37 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem




I am trying to setup a branch office with a site-to-site
VPN to our HQ office. The HQ PIX is a 515E with an
existing VPN to
an existing router at another site. The branch office has
a PIX 501.

The debug crypto isakmp looks ok on the 501 except it
looks to me that it is not completing IKE Phase 2.

ISAKMP (0): processing SA payload. message ID = 3634014145

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0):
SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status
is IKMP_ERR_NO_RETRANS
ISAKMP: No cert, and no keys (public or pre-shared) with
remote peer
aa.bbb.194.253 VPN Peer:ISAKMP: Peer Info for
aa.bbb.194.253/500 not
found - peers:1

I believe this would be caused by an issue in a
mismatched transform-set, but everything looks OK to me.

Pertinent config info is below. Any help or ideas would
be great. thanks!

HQ PIX 515E

access-list VPN-IRL remark Prevent any VoIP traffic
to be routed
over the VPN to IRL access-list VPN-IRL deny ip 10.10.0.0
255.255.0.0 172.18.0.0 255.255.0.0 access-list VPN-IRL
remark Allow
VPN connection to IRL access-list VPN-IRL permit ip 10.0.0.0
255.192.0.0 172.18.0.0 255.255.0.0 access-list VPN-HIL
remark Allow
VPN connection to HIL access-list VPN-HIL permit ip 10.0.0.0
255.192.0.0 172.20.0.0 255.255.0.0 access-list NO-NAT
remark Don't
NAT traffic sent to IRL access-list NO-NAT permit ip 10.0.0.0
255.192.0.0 172.18.0.0 255.255.0.0 access-list NO-NAT
remark Don't
NAT traffic sent to HIL access-list NO-NAT permit ip 10.0.0.0
255.192.0.0 172.20.0.0 255.255.0.0 nat (inside) 0
access-list NO-NAT
sysopt connection permit-ipsec crypto ipsec transform-set
ESP-AES-SHA esp-aes esp-sha-hmac crypto ipsec
security-association
lifetime seconds 3600 crypto map VPN 100 ipsec-isakmp
crypto map VPN
100 match address VPN-IRL crypto map VPN 100 set peer
ccc.dd.154.114
crypto map VPN 100 set transform-set ESP-AES-SHA crypto
map VPN 200
ipsec-isakmp crypto map VPN 200 match address VPN-HIL
crypto map VPN
200 set peer xxx.yyy.191.66 crypto map VPN 200 set
transform-set
ESP-AES-SHA crypto map VPN interface outside isakmp
enable outside
isakmp key ******** address ccc.dd.154.114 netmask
255.255.255.255
isakmp key ******** address xxx.yyy.191.66 netmask
255.255.255.255
isakmp identity address isakmp policy 100 authentication
pre-share
isakmp policy 100 encryption aes isakmp policy 100 hash
sha isakmp
policy 100 group 2 isakmp policy 100 lifetime 3600

Branch PIX 501

access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0
255.192.0.0 access-list NO-NAT permit ip 172.20.0.0
255.255.0.0
10.0.0.0 255.192.0.0 nat (inside) 0 access-list NO-NAT sysopt
connection permit-ipsec crypto ipsec transform-set
ESP-AES-SHA
esp-aes esp-sha-hmac crypto ipsec
security-association lifetime
seconds 3600 crypto map VPN 100 ipsec-isakmp crypto
map VPN 100
match address VPN crypto map VPN 100 set peer
aa.bbb.194.253 crypto
map VPN 100 set transform-set ESP-AES-SHA crypto map VPN
interface
outside isakmp enable outside isakmp key ******** address
aa.bbb.194.253 netmask 255.255.255.255 isakmp
identity address
isakmp policy 100 authentication pre-share isakmp policy 100
encryption aes isakmp policy 100 hash sha isakmp policy
100 group 2
isakmp policy 100 lifetime 3600

I can post the entire debug session from both firewalls
if it will help.

IP's for the two devices are as follows

HQ PIX IP = aa.bbb.194.253
Branch PIX IP = xxx.yyy.191.66

Thanks

Joe

---------------------------------------------
Joe Keegan IT Systems Architect
(415) 330-2676 jkeegan@xxxxxxxxxxxxxxxx





_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: PIX site-to-site VPN
    ... PIX 1: ... access-list acl_to_city2 ip host 10.y.y.1 host 222.222.222.222 ... isakmp identity hostname ... crypto map map_to_city2 100 set peer 222.222.222.222 ...
    (comp.dcom.sys.cisco)
  • Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
    ... no crypto map VPN interface outside ... clear isakmp key ... The HQ PIX is a 515E with an existing VPN to an existing router at another site. ...
    (Firewall-Wizards)
  • Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
    ... situations in the past where the preshared key or the crypto map ... please post isakmp debug from HQ as well? ... on the HQ pix if you use the clear isakmp key, ... no crypto map VPN interface outside ...
    (Firewall-Wizards)
  • VPN client & PIX with Windows 2003 CA & RADIUS
    ... On the same PIX I Configured also access without certificate (isakmp ... policy 20 authentication pre-share). ... isakmp policy 10 authentication rsa-sig ... ISAKMP: retransmitting Config Mode Request...nod ...
    (comp.dcom.sys.cisco)
  • pix 525 & bdcom 2621 ipsec error!
    ... crypto isakmp key ciscobdcom 2621 10.10.20.138 255.255.255.224 ... crypto map 1 1 ipsec-isakmp ... interface FastEthernet0/0 ... fixup protocol dns maximum-length 512 ...
    (comp.security.firewalls)