Firewall Wizards mailing list archives
RE: PIX to PIX IPSEC VPN IKE Phase 2 problem
From: "Joe Keegan" <jkeegan () monstercable com>
Date: Wed, 8 Feb 2006 14:02:55 -0800
Thanks for the help, unfortunately this was a stupid error. After looking at the configs one more time I noticed the first octet was off by one for the crypto map on the branch VPN. I had looked over that config and the error messages dozens of times and missed it every time. Thanks again for the help.

Joe
-----Original Message-----
From: Julian M D [mailto:julianmd () gmail com]
Sent: Tuesday, February 07, 2006 6:44 PM
To: Joe Keegan
Cc: Horvath, Kevin M.; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem

I don't see anything wrong in your config, even though I've had situations in the past where the preshared key or the crypto map "CISCO VPN engineers said" gets corrupted by adding and removing commands in a certain order. If you removed the map first, replaced the key, and then reapplied the map, that should have fixed the issue.

For the sake of it, could you please post isakmp debug from HQ as well?

As this is not a very elaborate VPN config, I also suggest to completely remove it, write mem, reboot, and then paste it again using the CLI.

Keep us posted
HTH
Julian Dragut

On 2/7/06, Joe Keegan <jkeegan () monstercable com> wrote:

Julian,

Thanks for the response. I removed the passphrase and related configs and added a very simple pass phrase and I am receiving the same errors. Any other ideas?

Thanks
Joe

-----Original Message-----
From: Julian M D [mailto:julianmd () gmail com]
Sent: Tuesday, February 07, 2006 2:36 PM
To: Horvath, Kevin M.
Cc: Joe Keegan; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem

Addition to the last post: on the HQ PIX, if you use "clear isakmp key", it is also going to erase the existing VPN preshared key, so you'd better remove it with "no" rather than the clear command.

HTH

On 2/7/06, Julian M D <julianmd () gmail com> wrote:

Hi there,

This is most probably because of corruption in the preshared key, so my advice is to do this on both PIXes:

HQ PIX
no crypto map VPN interface outside
clear isakmp key
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
crypto map VPN interface outside

REMOTE 501
no crypto map VPN interface outside
clear isakmp key
isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255
crypto map VPN interface outside

wr mem
clear crypto isakmp sa
clear crypto ipsec sa

Good luck,
Julian Dragut

Please use copy and paste when setting up the preshared key.

On 2/7/06, Horvath, Kevin M. <KEVIN.M.HORVATH () saic com> wrote:

isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255

Verify that you can reach the HQ IP from the 501 via UDP 500 and verify that the key matches what you have in the 501 config...... Reset both keys to the same passphrase (no spaces either) and try again.

Kevin M. Horvath CISSP, CCSP, INFOSEC, CCNA

________________________________
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Joe Keegan
Sent: Monday, February 06, 2006 12:37 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem

I am trying to set up a branch office with a site-to-site VPN to our HQ office. The HQ PIX is a 515E with an existing VPN to an existing router at another site. The branch office has a PIX 501. The debug crypto isakmp looks OK on the 501 except it looks to me that it is not completing IKE Phase 2.

ISAKMP (0): processing SA payload. message ID = 3634014145
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer aa.bbb.194.253
VPN Peer:ISAKMP: Peer Info for aa.bbb.194.253/500 not found - peers:1

I believe this would be caused by an issue in a mismatched transform-set, but everything looks OK to me. Pertinent config info is below. Any help or ideas would be great. Thanks!

HQ PIX 515E

access-list VPN-IRL remark Prevent any VoIP traffic to be routed over the VPN to IRL
access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list VPN-IRL remark Allow VPN connection to IRL
access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list VPN-HIL remark Allow VPN connection to HIL
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to IRL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to HIL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN-IRL
crypto map VPN 100 set peer ccc.dd.154.114
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN 200 ipsec-isakmp
crypto map VPN 200 match address VPN-HIL
crypto map VPN 200 set peer xxx.yyy.191.66
crypto map VPN 200 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address ccc.dd.154.114 netmask 255.255.255.255
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600

Branch PIX 501

access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
access-list NO-NAT permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN
crypto map VPN 100 set peer aa.bbb.194.253
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600

I can post the entire debug session from both firewalls if it will help. IPs for the two devices are as follows:

HQ PIX IP = aa.bbb.194.253
Branch PIX IP = xxx.yyy.191.66

Thanks
Joe
---------------------------------------------
Joe Keegan
IT Systems Architect
(415) 330-2676
jkeegan () monstercable com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
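The fault that closed this thread (a crypto map peer address one octet off on the branch PIX, with the pre-shared key address and transform-sets all correct) is exactly the kind of mismatch a cross-check of both configs catches before a debug session does. The script below is an added example, not code from the thread or from Cisco; it parses constructed config fragments modelled on the posted HQ 515E and branch 501 configs, with RFC 5737 documentation addresses standing in for the obfuscated ones, and reports peer, pre-shared key and transform-set mismatches between the two sides.

```python
import re

HQ_IP, BRANCH_IP = "198.51.100.253", "192.0.2.66"  # constructed outside IPs
# Constructed fragments modelled on the posted HQ 515E / branch 501 configs.
HQ_CFG = """
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 200 set peer 192.0.2.66
crypto map VPN 200 set transform-set ESP-AES-SHA
isakmp key ******** address 192.0.2.66 netmask 255.255.255.255
"""
# The branch copy reproduces the thread's fault: the crypto map peer's first
# octet is off by one while the isakmp key address is correct.
BRANCH_CFG = """
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 100 set peer 199.51.100.253
crypto map VPN 100 set transform-set ESP-AES-SHA
isakmp key ******** address 198.51.100.253 netmask 255.255.255.255
"""

def parse(cfg):
    # Collect what IKE depends on: transform-set definitions, per-entry peer and
    # transform-set bindings (keyed by map name + sequence), PSK addresses.
    d = {"ts": {}, "peer": {}, "ts_of": {}, "keys": set()}
    for line in cfg.strip().splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            d["ts"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            d["peer"][(m[1], m[2])] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (\S+)", line):
            d["ts_of"][(m[1], m[2])] = m[3]
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            d["keys"].add(m[1])
    return d

def check_side(name, d, remote):
    # One PIX: some crypto map entry must point at the real remote address, a
    # PSK must exist for that address, and the entry's transform-set must exist.
    out, entries = [], [k for k, p in d["peer"].items() if p == remote]
    if not entries:
        out.append(f"{name}: no crypto map peer {remote}, found {sorted(d['peer'].values())}")
    if remote not in d["keys"]:
        out.append(f"{name}: no isakmp key for {remote}")
    for k in entries:
        if d["ts_of"].get(k) not in d["ts"]:
            out.append(f"{name}: crypto map {k[0]} {k[1]} uses an undefined transform-set")
    return out

def check_pair(hq_cfg, br_cfg):
    # Both directions, plus at least one identical transform-set (phase 2 match).
    hq, br = parse(hq_cfg), parse(br_cfg)
    out = check_side("HQ", hq, BRANCH_IP) + check_side("branch", br, HQ_IP)
    if not set(hq["ts"].values()) & set(br["ts"].values()):
        out.append("no transform-set in common")
    return out
```

Running `check_pair(HQ_CFG, BRANCH_CFG)` reports only the branch-side peer mismatch, which is the same finding the thread reached by eye after several rounds of re-keying.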
Current thread:
- PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 07)
- <Possible follow-ups>
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Horvath, Kevin M. (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 08)
- PIX to PIX IPSEC VPN IKE Phase 2 problem Mikael Velschow-Rasmussen (Feb 09)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 15)