Firewall Wizards mailing list archives

RE: PIX to PIX IPSEC VPN IKE Phase 2 problem

From: "Horvath, Kevin M." <KEVIN.M.HORVATH () saic com>
Date: Tue, 7 Feb 2006 15:55:12 -0500

isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
 
Verify that the you can reach the HQ ip from the 501 via udp 500 and verify
that the key matches what you have in the 501 config......reset both keys to
(no spaces either) the same passphrase and try again.
 
Kevin M. Horvath
CISSP,CCSP,INFOSEC,CCNA



  _____  

From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Joe Keegan
Sent: Monday, February 06, 2006 12:37 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
 
I am trying to setup a branch office with a site-to-site VPN to our HQ
office. The HQ PIX is a 515E with an existing VPN to an existing router at
another site. The branch office has a PIX 501.
The debug crypto isakmp looks ok on the 501 except it looks to me that it is
not completing IKE Phase 2. 
ISAKMP (0): processing SA payload. message ID = 3634014145 
ISAKMP : Checking IPSec proposal 1 
ISAKMP: transform 1, ESP_AES 
ISAKMP:   attributes in transform: 
ISAKMP:      encaps is 1 
ISAKMP:      SA life type in seconds 
ISAKMP:      SA life duration (basic) of 3600 
ISAKMP:      SA life type in kilobytes 
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP:      authenticator is HMAC-SHA 
ISAKMP:      key length is 128 
ISAKMP (0): atts not acceptable. Next payload is 0 
ISAKMP (0): SA not acceptable! 
ISAKMP (0): sending NOTIFY message 14 protocol 0 
return status is IKMP_ERR_NO_RETRANS 
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer
aa.bbb.194.253 
VPN Peer:ISAKMP: Peer Info for aa.bbb.194.253/500 not found - peers:1 
I believe this would be caused by an issue in a mismatched transform-set,
but everything looks OK to me. 
Pertinent config info is below. Any help or ideas would be great. thanks! 
HQ PIX 515E 
access-list VPN-IRL remark Prevent any VoIP traffic to be routed over the
VPN to IRL 
access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0 
access-list VPN-IRL remark Allow VPN connection to IRL 
access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0 
access-list VPN-HIL remark Allow VPN connection to HIL 
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0 
access-list NO-NAT remark Don't NAT traffic sent to IRL 
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0 
access-list NO-NAT remark Don't NAT traffic sent to HIL 
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0 
nat (inside) 0 access-list NO-NAT 
sysopt connection permit-ipsec 
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600 
crypto map VPN 100 ipsec-isakmp 
crypto map VPN 100 match address VPN-IRL 
crypto map VPN 100 set peer ccc.dd.154.114 
crypto map VPN 100 set transform-set ESP-AES-SHA 
crypto map VPN 200 ipsec-isakmp 
crypto map VPN 200 match address VPN-HIL 
crypto map VPN 200 set peer xxx.yyy.191.66 
crypto map VPN 200 set transform-set ESP-AES-SHA 
crypto map VPN interface outside 
isakmp enable outside 
isakmp key ******** address ccc.dd.154.114 netmask 255.255.255.255 
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255 
isakmp identity address 
isakmp policy 100 authentication pre-share 
isakmp policy 100 encryption aes 
isakmp policy 100 hash sha 
isakmp policy 100 group 2 
isakmp policy 100 lifetime 3600 
Branch PIX 501 
access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0 
access-list NO-NAT permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0 
nat (inside) 0 access-list NO-NAT 
sysopt connection permit-ipsec 
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600 
crypto map VPN 100 ipsec-isakmp 
crypto map VPN 100 match address VPN 
crypto map VPN 100 set peer aa.bbb.194.253 
crypto map VPN 100 set transform-set ESP-AES-SHA 
crypto map VPN interface outside 
isakmp enable outside 
isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255 
isakmp identity address 
isakmp policy 100 authentication pre-share 
isakmp policy 100 encryption aes 
isakmp policy 100 hash sha 
isakmp policy 100 group 2 
isakmp policy 100 lifetime 3600 
I can post the entire debug session from both firewalls if it will help. 
IP's for the two devices are as follows 
HQ PIX IP = aa.bbb.194.253 
Branch PIX IP = xxx.yyy.191.66 
Thanks 
Joe 
--------------------------------------------- 
Joe Keegan                     IT Systems Architect 
(415) 330-2676       jkeegan () monstercable com

Current thread:

PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 07)
- <Possible follow-ups>
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Horvath, Kevin M. (Feb 07)
  - Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
    - Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
  - Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 08)
- PIX to PIX IPSEC VPN IKE Phase 2 problem Mikael Velschow-Rasmussen (Feb 09)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 15)