Firewall Wizards mailing list archives
PIX to PIX IPSEC VPN IKE Phase 2 problem
From: "Joe Keegan" <jkeegan () monstercable com>
Date: Mon, 6 Feb 2006 09:36:40 -0800
I am trying to set up a branch office with a site-to-site VPN to our HQ office. The HQ PIX is a 515E with an existing VPN to an existing router at another site. The branch office has a PIX 501. The debug crypto isakmp looks ok on the 501 except it looks to me that it is not completing IKE Phase 2.

ISAKMP (0): processing SA payload. message ID = 3634014145
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer aa.bbb.194.253
VPN Peer:ISAKMP: Peer Info for aa.bbb.194.253/500 not found - peers:1

I believe this would be caused by an issue in a mismatched transform-set, but everything looks OK to me. Pertinent config info is below. Any help or ideas would be great. thanks!

HQ PIX 515E

access-list VPN-IRL remark Prevent any VoIP traffic to be routed over the VPN to IRL
access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list VPN-IRL remark Allow VPN connection to IRL
access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list VPN-HIL remark Allow VPN connection to HIL
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to IRL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to HIL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN-IRL
crypto map VPN 100 set peer ccc.dd.154.114
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN 200 ipsec-isakmp
crypto map VPN 200 match address VPN-HIL
crypto map VPN 200 set peer xxx.yyy.191.66
crypto map VPN 200 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address ccc.dd.154.114 netmask 255.255.255.255
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600

Branch PIX 501

access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
access-list NO-NAT permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN
crypto map VPN 100 set peer aa.bbb.194.253
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600

I can post the entire debug session from both firewalls if it will help. IPs for the two devices are as follows:

HQ PIX IP = aa.bbb.194.253
Branch PIX IP = xxx.yyy.191.66

Thanks
Joe

---------------------------------------------
Joe Keegan
IT Systems Architect
(415) 330-2676
jkeegan () monstercable com
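The post suspects a transform-set mismatch and asks the list to eyeball two configs. The script below is an added example, not code from the post or from Cisco: it parses the handful of PIX 6.x commands the post quotes (transform-set, crypto map set peer / set transform-set / match address, access-list permit ip, isakmp key, isakmp policy) and cross-checks the two sides for the mismatches that produce "atts not acceptable" or the "no keys with remote peer" lookup failure, plus a decoder for the byte string the debug prints as the kilobyte lifetime. The sample configs are the VPN-relevant lines from the post (addresses redacted as the post has them, so they are compared as strings); BRANCH_501_BAD is a constructed variant with a deliberately different transform-set to show what a detected mismatch looks like.

```python
"""Cross-check two PIX 6.x site-to-site configs for IKE Phase 1 / Phase 2 mismatches.
Added example; parses only the commands shown in the post, nothing more."""
from collections import defaultdict


def parse_pix(text):
    """Pull the VPN-relevant settings out of a PIX config into plain dicts and sets."""
    cfg = {
        "transform_sets": {},                  # name -> tuple of transforms
        "crypto_maps": defaultdict(dict),      # (map, seq) -> {peer, transform_set, acl}
        "acls": defaultdict(list),             # name -> [(action, (src, mask), (dst, mask))]
        "isakmp_keys": set(),                  # peer addresses that have a pre-shared key
        "isakmp_policies": defaultdict(dict),  # priority -> {attribute: value}
    }
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():   # skips "crypto map X interface"
            entry = cfg["crypto_maps"][(t[2], int(t[3]))]
            if t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["transform_set"] = t[6]
            elif t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
        elif t[0] == "access-list" and len(t) >= 8 and t[2] in ("permit", "deny") and t[3] == "ip":
            cfg["acls"][t[1]].append((t[2], (t[4], t[5]), (t[6], t[7])))   # remarks are skipped
        elif t[:2] == ["isakmp", "key"]:        # isakmp key <secret> address <peer> netmask ...
            cfg["isakmp_keys"].add(t[4])
        elif t[:2] == ["isakmp", "policy"]:     # isakmp policy <prio> <attribute> <value>
            cfg["isakmp_policies"][int(t[2])][t[3]] = " ".join(t[4:])
    return cfg


def check_pair(a, a_ip, b, b_ip):
    """Return mismatch findings between side A (at a_ip) and side B (at b_ip); [] means all
    the settings this checker knows about agree."""
    findings = []
    a_entry = next((e for e in a["crypto_maps"].values() if e.get("peer") == b_ip), None)
    b_entry = next((e for e in b["crypto_maps"].values() if e.get("peer") == a_ip), None)
    if a_entry is None:
        findings.append(f"A: no crypto map entry with peer {b_ip}")
    if b_entry is None:
        findings.append(f"B: no crypto map entry with peer {a_ip}")
    if a_entry is None or b_entry is None:
        return findings
    # Phase 1: the pre-shared key lookup the debug reports with "No cert, and no keys ..."
    if b_ip not in a["isakmp_keys"]:
        findings.append(f"A: no isakmp key for peer {b_ip}")
    if a_ip not in b["isakmp_keys"]:
        findings.append(f"B: no isakmp key for peer {a_ip}")
    # Phase 1: at least one policy must agree on authentication, encryption, hash and group
    keys = ("authentication", "encryption", "hash", "group")
    a_pol = {tuple(p.get(k) for k in keys) for p in a["isakmp_policies"].values()}
    b_pol = {tuple(p.get(k) for k in keys) for p in b["isakmp_policies"].values()}
    if not a_pol & b_pol:
        findings.append(f"no common isakmp policy: A {sorted(map(str, a_pol))} vs B {sorted(map(str, b_pol))}")
    # Phase 2: the transform-set offered by each side's map entry must be identical
    a_ts = a["transform_sets"].get(a_entry.get("transform_set"))
    b_ts = b["transform_sets"].get(b_entry.get("transform_set"))
    if a_ts != b_ts:
        findings.append(f"transform-set mismatch: A {a_ts} vs B {b_ts}")
    # Phase 2: the crypto ACLs must mirror each other (source and destination swapped)
    a_acl = {(s, d) for act, s, d in a["acls"][a_entry.get("acl")] if act == "permit"}
    b_acl = {(d, s) for act, s, d in b["acls"][b_entry.get("acl")] if act == "permit"}
    if a_acl != b_acl:
        findings.append(f"crypto ACL not mirrored: A {sorted(a_acl)} vs B (mirrored) {sorted(b_acl)}")
    return findings


def decode_vpi(vpi):
    """Decode the variable-length lifetime bytes from a line such as
    'SA life duration (VPI) of 0x0 0x46 0x50 0x0' into a big-endian integer (kilobytes)."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big")


HQ_IP, BRANCH_IP = "aa.bbb.194.253", "xxx.yyy.191.66"   # redacted addresses as given in the post

# VPN-relevant lines of the two configs quoted in the post (HQ: the HIL map entry only)
HQ_515E = """
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 200 match address VPN-HIL
crypto map VPN 200 set peer xxx.yyy.191.66
crypto map VPN 200 set transform-set ESP-AES-SHA
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
"""
BRANCH_501 = """
access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 100 match address VPN
crypto map VPN 100 set peer aa.bbb.194.253
crypto map VPN 100 set transform-set ESP-AES-SHA
isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
"""
# Constructed variant, not from the post: same branch config with a different transform-set
BRANCH_501_BAD = BRANCH_501.replace("esp-aes esp-sha-hmac", "esp-3des esp-md5-hmac")

if __name__ == "__main__":
    print("posted configs:", check_pair(parse_pix(HQ_515E), HQ_IP, parse_pix(BRANCH_501), BRANCH_IP) or "no mismatch found")
    print("constructed mismatch:", check_pair(parse_pix(HQ_515E), HQ_IP, parse_pix(BRANCH_501_BAD), BRANCH_IP))
    print("kilobyte lifetime in the debug:", decode_vpi("0x0 0x46 0x50 0x0"))
```

Run against the configs as posted, the checker finds nothing to disagree with, which is consistent with the poster's own reading that the transform-sets, policies and crypto ACLs line up; its value is in ruling those out mechanically so that attention moves to what the debug shows but the config does not, such as which device the debug was captured on and why the peer lookup reported no key. The decoder turns the 0x0 0x46 0x50 0x0 bytes into 4608000, the PIX default kilobyte lifetime, so that attribute is not the one being rejected.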
Current thread:
- PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 07)
- <Possible follow-ups>
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Horvath, Kevin M. (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 08)
- PIX to PIX IPSEC VPN IKE Phase 2 problem Mikael Velschow-Rasmussen (Feb 09)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 15)