RE: PIX to PIX IPSEC VPN IKE Phase 2 problem

["Joe Keegan" <jkeegan () monstercable com>]

Julian,

Thanks for the response. I remove the passphrase are related configs and
added a very simple pass phrase and I am receiving the same errors.

Any other ideas?

Thanks

Joe 

> -----Original Message-----
> From: Julian M D [mailto:julianmd () gmail com] 
> Sent: Tuesday, February 07, 2006 2:36 PM
> To: Horvath, Kevin M.
> Cc: Joe Keegan; firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
>
> Addition to the last post:
>
> on the HQ pix if you use the clear isakmp key, it is also 
> going to erase the existing vpn preshared key, so you better 
> removed with "no",  rather than clear command.
>
> HTH
>
> On 2/7/06, Julian M D <julianmd () gmail com> wrote:
> > Hi there,
> > This is most probably because of the corruption in the 
> preshared key, 
> > so my advice is to do this on both pixes:
> >
> > HQ PIX
> >
> > no crypto map VPN interface outside
> > clear isakmp key
> > isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255 
> > crypto map VPN interface outside
> >
> > REMOTE 501
> >
> > no crypto map VPN interface outside
> > clear isakmp key
> > isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255 
> > crypto map VPN interface outside
> >
> > wr mem
> > clear crypto isakmp sa
> > clear crypto ipsec sa
> >
> > Good luck,
> >
> > Julian Dragut
> >
> >
> > please use the copy and paste when setting up the preshared key
> >
> > On 2/7/06, Horvath, Kevin M. <KEVIN.M.HORVATH () saic com> wrote:
> > > isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
> > >
> > >
> > >
> > > Verify that the you can reach the HQ ip from the 501 via 
> udp 500 and verify that the key matches what you have in the 
> 501 config......reset both keys to (no spaces either) the same 
> passphrase and try again.
> > > Kevin M. Horvath
> > > CISSP,CCSP,INFOSEC,CCNA
> > >
> > >
> > >
> > >
> > > ________________________________
> >
> > > From: firewall-wizards-admin () honor icsalabs com 
> > > [mailto:firewall-wizards-admin () honor icsalabs com] On 
> Behalf Of Joe 
> > > Keegan
> > > Sent: Monday, February 06, 2006 12:37 PM
> > > To: firewall-wizards () honor icsalabs com
> > > Subject: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
> > >
> > >
> > >
> > >
> > > I am trying to setup a branch office with a site-to-site 
> VPN to our HQ office. The HQ PIX is a 515E with an existing 
> VPN to an existing router at another site. The branch office 
> has a PIX 501.
> > > The debug crypto isakmp looks ok on the 501 except it 
> looks to me that it is not completing IKE Phase 2.
> > > ISAKMP (0): processing SA payload. message ID = 3634014145
> > >
> > > ISAKMP : Checking IPSec proposal 1
> > >
> > > ISAKMP: transform 1, ESP_AES
> > > ISAKMP:   attributes in transform:
> > > ISAKMP:      encaps is 1
> > > ISAKMP:      SA life type in seconds
> > > ISAKMP:      SA life duration (basic) of 3600
> > > ISAKMP:      SA life type in kilobytes
> > > ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
> > > ISAKMP:      authenticator is HMAC-SHA
> > > ISAKMP:      key length is 128
> > > ISAKMP (0): atts not acceptable. Next payload is 0 ISAKMP (0): SA 
> > > not acceptable!
> > > ISAKMP (0): sending NOTIFY message 14 protocol 0 return status is 
> > > IKMP_ERR_NO_RETRANS
> > > ISAKMP: No cert, and no keys (public or pre-shared) with 
> remote peer  
> > > aa.bbb.194.253 VPN Peer:ISAKMP: Peer Info for 
> aa.bbb.194.253/500 not 
> > > found - peers:1
> > >
> > > I believe this would be caused by an issue in a 
> mismatched transform-set, but everything looks OK to me.
> > > Pertinent config info is below. Any help or ideas would 
> be great. thanks!
> > > HQ PIX 515E
> > >
> > > access-list VPN-IRL remark Prevent any VoIP traffic to be routed 
> > > over the VPN to IRL access-list VPN-IRL deny ip 10.10.0.0 
> > > 255.255.0.0 172.18.0.0 255.255.0.0 access-list VPN-IRL 
> remark Allow 
> > > VPN connection to IRL access-list VPN-IRL permit ip 10.0.0.0 
> > > 255.192.0.0 172.18.0.0 255.255.0.0 access-list VPN-HIL 
> remark Allow 
> > > VPN connection to HIL access-list VPN-HIL permit ip 10.0.0.0 
> > > 255.192.0.0 172.20.0.0 255.255.0.0 access-list NO-NAT 
> remark Don't 
> > > NAT traffic sent to IRL access-list NO-NAT permit ip 10.0.0.0 
> > > 255.192.0.0 172.18.0.0 255.255.0.0 access-list NO-NAT 
> remark Don't 
> > > NAT traffic sent to HIL access-list NO-NAT permit ip 10.0.0.0 
> > > 255.192.0.0 172.20.0.0 255.255.0.0 nat (inside) 0 
> access-list NO-NAT 
> > > sysopt connection permit-ipsec crypto ipsec transform-set 
> > > ESP-AES-SHA esp-aes esp-sha-hmac crypto ipsec 
> security-association 
> > > lifetime seconds 3600 crypto map VPN 100 ipsec-isakmp 
> crypto map VPN 
> > > 100 match address VPN-IRL crypto map VPN 100 set peer 
> ccc.dd.154.114 
> > > crypto map VPN 100 set transform-set ESP-AES-SHA crypto 
> map VPN 200 
> > > ipsec-isakmp crypto map VPN 200 match address VPN-HIL 
> crypto map VPN 
> > > 200 set peer xxx.yyy.191.66 crypto map VPN 200 set transform-set 
> > > ESP-AES-SHA crypto map VPN interface outside isakmp 
> enable outside 
> > > isakmp key ******** address ccc.dd.154.114 netmask 
> 255.255.255.255 
> > > isakmp key ******** address xxx.yyy.191.66 netmask 
> 255.255.255.255 
> > > isakmp identity address isakmp policy 100 authentication 
> pre-share 
> > > isakmp policy 100 encryption aes isakmp policy 100 hash 
> sha isakmp 
> > > policy 100 group 2 isakmp policy 100 lifetime 3600
> > >
> > > Branch PIX 501
> > >
> > > access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0 
> > > 255.192.0.0 access-list NO-NAT permit ip 172.20.0.0 255.255.0.0 
> > > 10.0.0.0 255.192.0.0 nat (inside) 0 access-list NO-NAT sysopt 
> > > connection permit-ipsec crypto ipsec transform-set ESP-AES-SHA 
> > > esp-aes esp-sha-hmac crypto ipsec security-association lifetime 
> > > seconds 3600 crypto map VPN 100 ipsec-isakmp crypto map VPN 100 
> > > match address VPN crypto map VPN 100 set peer 
> aa.bbb.194.253 crypto 
> > > map VPN 100 set transform-set ESP-AES-SHA crypto map VPN 
> interface 
> > > outside isakmp enable outside isakmp key ******** address 
> > > aa.bbb.194.253 netmask 255.255.255.255 isakmp identity address 
> > > isakmp policy 100 authentication pre-share isakmp policy 100 
> > > encryption aes isakmp policy 100 hash sha isakmp policy 
> 100 group 2 
> > > isakmp policy 100 lifetime 3600
> > >
> > > I can post the entire debug session from both firewalls 
> if it will help.
> > > IP's for the two devices are as follows
> > >
> > > HQ PIX IP = aa.bbb.194.253
> > > Branch PIX IP = xxx.yyy.191.66
> > >
> > > Thanks
> > >
> > > Joe
> > >
> > > ---------------------------------------------
> > > Joe Keegan                     IT Systems Architect
> > > (415) 330-2676       jkeegan () monstercable com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards