RE: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
- From: "Joe Keegan" <jkeegan@xxxxxxxxxxxxxxxx>
- Date: Wed, 8 Feb 2006 14:02:55 -0800
Thanks for the help, unfortunately this was a stupid error. After
looking at the configs one more time I noticed the first octet was off
by one for the crypto map on the branch VPN.
I had looked over that config and the error messages dozens of times and
missed it every time.
Thanks again for the help.
Joe
-----Original Message-----
From: Julian M D [mailto:julianmd@xxxxxxxxx]
Sent: Tuesday, February 07, 2006 6:44 PM
To: Joe Keegan
Cc: Horvath, Kevin M.; firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
I don't see anything wrong in your config, even though I've
had situations in the past where the preshared key or the
crypto map "CISCO VPN engineers said' gets corrupted by
adding and removing commands in a certain order.
If you removed the map first replaced the key, and then
reapplied the map, that should have fixed the issue. For the
sake of it, could you please post isakmp debug from HQ as well?
As this is not a very elaborated vpn config, I also suggest
to completly remove it, write mem, reboot, and then past it
again using the cli.
Keep us posted
HTH
Julian Dragut
On 2/7/06, Joe Keegan <jkeegan@xxxxxxxxxxxxxxxx> wrote:
Julian,
Thanks for the response. I removed the passphrase and added a very simple pass phrase and I am receiving the same errors.
Any other ideas?
Thanks
Joe
-----Original Message-----
From: Julian M D [mailto:julianmd@xxxxxxxxx]
Sent: Tuesday, February 07, 2006 2:36 PM
To: Horvath, Kevin M.
Cc: Joe Keegan; firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
Addition to the last post:
on the HQ pix if you use the clear isakmp key, it is also going to erase the existing vpn preshared key, so you better remove it with "no", rather than the clear command.
HTH
On 2/7/06, Julian M D <julianmd@xxxxxxxxx> wrote:
Hi there,
This is most probably because of the corruption in the preshared key, so my advice is to do this on both pixes:
HQ PIX
no crypto map VPN interface outside
clear isakmp key
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
crypto map VPN interface outside
REMOTE 501
no crypto map VPN interface outside
clear isakmp key
isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255
crypto map VPN interface outside
wr mem
clear crypto isakmp sa
clear crypto ipsec sa
please use the copy and paste when setting up the preshared key
Good luck,
Julian Dragut
On 2/7/06, Horvath, Kevin M. <KEVIN.M.HORVATH@xxxxxxxx> wrote:
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
Verify that you can reach the HQ ip from the 501 via udp 500 and verify that the key matches what you have in the 501 config......reset both keys to the same passphrase (no spaces either) and try again.
Kevin M. Horvath
CISSP,CCSP,INFOSEC,CCNA
________________________________
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Joe Keegan
Sent: Monday, February 06, 2006 12:37 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
I am trying to setup a branch office with a site-to-site VPN to our HQ office. The HQ PIX is a 515E with an existing VPN to an existing router at another site. The branch office has a PIX 501.
The debug crypto isakmp looks ok on the 501 except it looks to me that it is not completing IKE Phase 2.
ISAKMP (0): processing SA payload. message ID = 3634014145
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer aa.bbb.194.253/500
VPN Peer: ISAKMP: Peer Info for aa.bbb.194.253/500 not found - peers:1
I believe this would be caused by an issue in a mismatched transform-set, but everything looks OK to me.
Pertinent config info is below. Any help or ideas would be great. thanks!
HQ PIX 515E
access-list VPN-IRL remark Prevent any VoIP traffic over the VPN to IRL
access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list VPN-IRL remark Allow VPN connection to IRL
access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list VPN-HIL remark Allow VPN connection to HIL
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to IRL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to HIL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN-IRL
crypto map VPN 100 set peer ccc.dd.154.114
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN 200 ipsec-isakmp
crypto map VPN 200 match address VPN-HIL
crypto map VPN 200 set peer xxx.yyy.191.66
crypto map VPN 200 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address ccc.dd.154.114 netmask 255.255.255.255
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600
Branch PIX 501
access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
access-list NO-NAT permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN
crypto map VPN 100 set peer aa.bbb.194.253
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600
I can post the entire debug session from both firewalls if it will help.
IP's for the two devices are as follows
HQ PIX IP = aa.bbb.194.253
Branch PIX IP = xxx.yyy.191.66
Thanks
Joe
---------------------------------------------
Joe Keegan IT Systems Architect
(415) 330-2676 jkeegan@xxxxxxxxxxxxxxxx
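An added example, not part of the thread and not any poster's configuration: a small Python cross-check that pulls the peer, isakmp key and transform-set lines out of two PIX 6.x configs and reports the mismatches that produce the "atts not acceptable" / "no keys (public or pre-shared) with remote peer" debug output above, including the off-by-one peer address the thread ended on. The two configs, the addresses (RFC 5737 documentation ranges) and all function and field names are constructed for the example.

```python
"""Cross-check two PIX 6.x site-to-site VPN configs for the mismatches that
show up in 'debug crypto isakmp' as 'atts not acceptable' or 'no keys
(public or pre-shared) with remote peer': a crypto map peer address that
does not match the other side (an octet off by one), an isakmp key bound
to an address no crypto map entry uses, and transform-sets that disagree.

Added example; not the configuration from the thread. All addresses are
constructed from RFC 5737 documentation ranges.
"""
import re

HQ_IP = "198.51.100.253"      # constructed: HQ PIX outside address
BRANCH_IP = "203.0.113.66"    # constructed: branch PIX outside address

# Constructed HQ side: correct.
HQ_CONFIG = """
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 200 ipsec-isakmp
crypto map VPN 200 match address VPN-HIL
crypto map VPN 200 set peer 203.0.113.66
crypto map VPN 200 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp key ******** address 203.0.113.66 netmask 255.255.255.255
"""

# Constructed branch side: 'set peer' is one off from the HQ address while
# the isakmp key is bound to the right one, so a pre-shared key exists for
# a peer that no crypto map entry ever selects.
BRANCH_CONFIG = """
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN
crypto map VPN 100 set peer 198.51.100.254
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp key ******** address 198.51.100.253 netmask 255.255.255.255
"""

# Same branch config with the typo corrected.
BRANCH_CONFIG_FIXED = BRANCH_CONFIG.replace("set peer 198.51.100.254", "set peer 198.51.100.253")

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
SET_TS_RE = re.compile(r"^crypto map (\S+) (\d+) set transform-set (\S+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)")


def parse_pix_vpn(config):
    """Extract the fields that must agree across the two peers."""
    transform_sets = {}    # name -> frozenset of transforms
    entries = {}           # (map name, sequence) -> {"peer": ..., "transform_set": ...}
    key_addresses = set()  # addresses that have a pre-shared key
    for raw in config.splitlines():
        line = raw.strip()
        if m := TRANSFORM_RE.match(line):
            transform_sets[m.group(1)] = frozenset(m.group(2).split())
        elif m := PEER_RE.match(line):
            entries.setdefault((m.group(1), int(m.group(2))), {})["peer"] = m.group(3)
        elif m := SET_TS_RE.match(line):
            entries.setdefault((m.group(1), int(m.group(2))), {})["transform_set"] = m.group(3)
        elif m := KEY_RE.match(line):
            key_addresses.add(m.group(1))
    return {"transform_sets": transform_sets, "entries": entries, "key_addresses": key_addresses}


def check_site_to_site(local_cfg, local_ip, remote_cfg, remote_ip):
    """Return a list of findings for the tunnel from local_ip to remote_ip.
    An empty list means both sides agree on peer, key binding and transforms."""
    local, remote = parse_pix_vpn(local_cfg), parse_pix_vpn(remote_cfg)
    findings = []

    local_peers = {e.get("peer") for e in local["entries"].values()}
    local_match = [e for e in local["entries"].values() if e.get("peer") == remote_ip]
    if not local_match:
        findings.append(f"{local_ip}: no crypto map entry peers with {remote_ip}; "
                        f"configured peers: {sorted(p for p in local_peers if p)}")
    if remote_ip not in local["key_addresses"]:
        findings.append(f"{local_ip}: no isakmp key for {remote_ip}")
    for addr in sorted(local["key_addresses"] - local_peers):
        findings.append(f"{local_ip}: isakmp key for {addr} is not used by any crypto map peer (typo in one of them?)")

    remote_match = [e for e in remote["entries"].values() if e.get("peer") == local_ip]
    if not remote_match:
        findings.append(f"{remote_ip}: no crypto map entry peers with {local_ip}")

    # Phase 2 proposal comparison: the transform-set each side's matching
    # crypto map entry references must carry the same transforms.
    if local_match and remote_match:
        offered = local["transform_sets"].get(local_match[0].get("transform_set"))
        accepted = remote["transform_sets"].get(remote_match[0].get("transform_set"))
        if offered != accepted:
            findings.append(f"transform-set mismatch: {local_ip} offers {sorted(offered or [])}, "
                            f"{remote_ip} expects {sorted(accepted or [])}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", BRANCH_CONFIG), ("corrected", BRANCH_CONFIG_FIXED)):
        print(f"branch -> HQ ({label}):")
        for finding in check_site_to_site(cfg, BRANCH_IP, HQ_CONFIG, HQ_IP) or ["no mismatches found"]:
            print("  " + finding)
```

Run it in both directions (branch as local, then HQ as local): a peer typo on one side shows up as "no crypto map entry peers with ..." from the other side's point of view, which is the same asymmetry the 501 debug output reports as having no keys for the remote peer while the HQ config looks fine.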
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards