Firewall Wizards mailing list archives
RE: PIX to PIX IPSEC VPN IKE Phase 2 problem
From: "Joe Keegan" <jkeegan () monstercable com>
Date: Tue, 7 Feb 2006 17:17:56 -0800
Thanks for your response.
I have verified connectivity and also should the "sysopt connection
permit-ipsec" ensure that the PIX accepts UDP 500 from anywhere.
I have reset the passphrase on both sides to something very simple and
still have the same problem.
Any other ideas?
Thanks
Joe
________________________________
From: KEVIN.M.HORVATH () saic com [mailto:KEVIN.M.HORVATH () saic com]
Sent: Tuesday, February 07, 2006 12:55 PM
To: Joe Keegan; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
isakmp key ******** address xxx.yyy.191.66 netmask
255.255.255.255
Verify that the you can reach the HQ ip from the 501 via udp 500
and verify that the key matches what you have in the 501
config......reset both keys to (no spaces either) the same passphrase
and try again.
Kevin M. Horvath
CISSP,CCSP,INFOSEC,CCNA
________________________________
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Joe
Keegan
Sent: Monday, February 06, 2006 12:37 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
I am trying to setup a branch office with a site-to-site VPN to
our HQ office. The HQ PIX is a 515E with an existing VPN to an existing
router at another site. The branch office has a PIX 501.
The debug crypto isakmp looks ok on the 501 except it looks to
me that it is not completing IKE Phase 2.
ISAKMP (0): processing SA payload. message ID = 3634014145
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
ISAKMP: No cert, and no keys (public or pre-shared) with remote
peer aa.bbb.194.253
VPN Peer:ISAKMP: Peer Info for aa.bbb.194.253/500 not found -
peers:1
I believe this would be caused by an issue in a mismatched
transform-set, but everything looks OK to me.
Pertinent config info is below. Any help or ideas would be
great. thanks!
HQ PIX 515E
access-list VPN-IRL remark Prevent any VoIP traffic to be routed
over the VPN to IRL
access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0
255.255.0.0
access-list VPN-IRL remark Allow VPN connection to IRL
access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0
255.255.0.0
access-list VPN-HIL remark Allow VPN connection to HIL
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0
255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to IRL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.18.0.0
255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to HIL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.20.0.0
255.255.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN-IRL
crypto map VPN 100 set peer ccc.dd.154.114
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN 200 ipsec-isakmp
crypto map VPN 200 match address VPN-HIL
crypto map VPN 200 set peer xxx.yyy.191.66
crypto map VPN 200 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address ccc.dd.154.114 netmask
255.255.255.255
isakmp key ******** address xxx.yyy.191.66 netmask
255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600
Branch PIX 501
access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0
255.192.0.0
access-list NO-NAT permit ip 172.20.0.0 255.255.0.0 10.0.0.0
255.192.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN
crypto map VPN 100 set peer aa.bbb.194.253
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address aa.bbb.194.253 netmask
255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600
I can post the entire debug session from both firewalls if it
will help.
IP's for the two devices are as follows
HQ PIX IP = aa.bbb.194.253
Branch PIX IP = xxx.yyy.191.66
Thanks
Joe
---------------------------------------------
Joe Keegan IT Systems Architect
(415) 330-2676 jkeegan () monstercable com
Current thread:
- PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 07)
- <Possible follow-ups>
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Horvath, Kevin M. (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 08)
- PIX to PIX IPSEC VPN IKE Phase 2 problem Mikael Velschow-Rasmussen (Feb 09)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 15)