Firewall Wizards mailing list archives
RE: PIX to PIX IPSEC VPN IKE Phase 2 problem
From: "Joe Keegan" <jkeegan () monstercable com>
Date: Tue, 7 Feb 2006 17:20:45 -0800
Julian, Thanks for the response. I remove the passphrase are related configs and added a very simple pass phrase and I am receiving the same errors. Any other ideas? Thanks Joe
-----Original Message----- From: Julian M D [mailto:julianmd () gmail com] Sent: Tuesday, February 07, 2006 2:36 PM To: Horvath, Kevin M. Cc: Joe Keegan; firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem Addition to the last post: on the HQ pix if you use the clear isakmp key, it is also going to erase the existing vpn preshared key, so you better removed with "no", rather than clear command. HTH On 2/7/06, Julian M D <julianmd () gmail com> wrote:Hi there, This is most probably because of the corruption in thepreshared key,so my advice is to do this on both pixes: HQ PIX no crypto map VPN interface outside clear isakmp key isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255 crypto map VPN interface outside REMOTE 501 no crypto map VPN interface outside clear isakmp key isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255 crypto map VPN interface outside wr mem clear crypto isakmp sa clear crypto ipsec sa Good luck, Julian Dragut please use the copy and paste when setting up the preshared key On 2/7/06, Horvath, Kevin M. <KEVIN.M.HORVATH () saic com> wrote:isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255 Verify that the you can reach the HQ ip from the 501 viaudp 500 and verify that the key matches what you have in the 501 config......reset both keys to (no spaces either) the same passphrase and try again.Kevin M. Horvath CISSP,CCSP,INFOSEC,CCNA ________________________________From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] OnBehalf Of JoeKeegan Sent: Monday, February 06, 2006 12:37 PM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem I am trying to setup a branch office with a site-to-siteVPN to our HQ office. The HQ PIX is a 515E with an existing VPN to an existing router at another site. The branch office has a PIX 501.The debug crypto isakmp looks ok on the 501 except itlooks to me that it is not completing IKE Phase 2.ISAKMP (0): processing SA payload. message ID = 3634014145 ISAKMP : Checking IPSec proposal 1 ISAKMP: transform 1, ESP_AES ISAKMP: attributes in transform: ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 3600 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 ISAKMP: authenticator is HMAC-SHA ISAKMP: key length is 128 ISAKMP (0): atts not acceptable. Next payload is 0 ISAKMP (0): SA not acceptable! ISAKMP (0): sending NOTIFY message 14 protocol 0 return status is IKMP_ERR_NO_RETRANS ISAKMP: No cert, and no keys (public or pre-shared) withremote peeraa.bbb.194.253 VPN Peer:ISAKMP: Peer Info foraa.bbb.194.253/500 notfound - peers:1 I believe this would be caused by an issue in amismatched transform-set, but everything looks OK to me.Pertinent config info is below. Any help or ideas wouldbe great. thanks!HQ PIX 515E access-list VPN-IRL remark Prevent any VoIP traffic to be routed over the VPN to IRL access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0 access-list VPN-IRLremark AllowVPN connection to IRL access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0 access-list VPN-HILremark AllowVPN connection to HIL access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0 access-list NO-NATremark Don'tNAT traffic sent to IRL access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0 access-list NO-NATremark Don'tNAT traffic sent to HIL access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0 nat (inside) 0access-list NO-NATsysopt connection permit-ipsec crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac crypto ipsecsecurity-associationlifetime seconds 3600 crypto map VPN 100 ipsec-isakmpcrypto map VPN100 match address VPN-IRL crypto map VPN 100 set peerccc.dd.154.114crypto map VPN 100 set transform-set ESP-AES-SHA cryptomap VPN 200ipsec-isakmp crypto map VPN 200 match address VPN-HILcrypto map VPN200 set peer xxx.yyy.191.66 crypto map VPN 200 set transform-set ESP-AES-SHA crypto map VPN interface outside isakmpenable outsideisakmp key ******** address ccc.dd.154.114 netmask255.255.255.255isakmp key ******** address xxx.yyy.191.66 netmask255.255.255.255isakmp identity address isakmp policy 100 authenticationpre-shareisakmp policy 100 encryption aes isakmp policy 100 hashsha isakmppolicy 100 group 2 isakmp policy 100 lifetime 3600 Branch PIX 501 access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0 access-list NO-NAT permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0 nat (inside) 0 access-list NO-NAT sysopt connection permit-ipsec crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac crypto ipsec security-association lifetime seconds 3600 crypto map VPN 100 ipsec-isakmp crypto map VPN 100 match address VPN crypto map VPN 100 set peeraa.bbb.194.253 cryptomap VPN 100 set transform-set ESP-AES-SHA crypto map VPNinterfaceoutside isakmp enable outside isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255 isakmp identity address isakmp policy 100 authentication pre-share isakmp policy 100 encryption aes isakmp policy 100 hash sha isakmp policy100 group 2isakmp policy 100 lifetime 3600 I can post the entire debug session from both firewallsif it will help.IP's for the two devices are as follows HQ PIX IP = aa.bbb.194.253 Branch PIX IP = xxx.yyy.191.66 Thanks Joe --------------------------------------------- Joe Keegan IT Systems Architect (415) 330-2676 jkeegan () monstercable com
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 07)
- <Possible follow-ups>
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Horvath, Kevin M. (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 08)
- PIX to PIX IPSEC VPN IKE Phase 2 problem Mikael Velschow-Rasmussen (Feb 09)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 15)