Re: PIX to PIX VPN Failing



well, which one is it?
66.124.194.94 (as you write)
or
66.124.194.4 (as the config shows)


"Max Clark" <max.clark@xxxxxxxxx> wrote in message
> the
> 66.124.194.94 endpoint does not.

> dst src state pending created
> 66.124.194.4 65.200.10.132 QM_IDLE 0 1

> from 66.124.194.4 to 65.200.10.132 for prot 3
>
> crypto_isakmp_process_block: src 66.124.194.4, dest 65.200.10.132
> ISAKMP: attributes in transform:
> ISAKMP: encaps is 1
> ISAKMP: SA life type in seconds
> ISAKMP: SA life duration (basic) of 28800
> ISAKMP: SA life type in kilobytes
> ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> ISAKMP: authenticator is HMAC-SHA
> ISAKMP (0): atts are acceptable.
> IPSEC(validate_proposal_request): proposal part #1,
> (key eng. msg.) dest= 66.124.194.4, src= 65.200.10.132,
> dest_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
> src_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
> protocol= ESP, transform= esp-3des esp-sha-hmac ,
> lifedur= 0s and 0kb,
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
>
> ISAKMP (0): processing NONCE payload. message ID = 3648266918
>
> ISAKMP (0): processing ID payload. message ID = 3648266918
> ISAKMP (0): processing ID payload. message ID = 3648266918
> map_alloc_entry: allocating entry 5
> map_alloc_entry: allocating entry 6
>
> ISAKMP (0): Creating IPSec SAs
> inbound SA from 66.124.194.4 to 65.200.10.132 (proxy 10.1.1.0 to 192.168.2.0)
> has spi 3614358339 and conn_id 5 and flags 4
> lifetime of 28800 seconds
> lifetime of 4608000 kilobytes
> outbound SA from 65.200.10.132 to 66.124.194.4 (proxy 192.168.2.0 to 10.1.1.0)
> has spi 2827747088 and conn_id 6 and flags 4
> lifetime of 28800 seconds
> lifetime of 4608000 kilobytes
> IPSEC(key_engine): got a queue event...
> IPSEC(initialize_sas): ,
> (key eng. msg.) dest= 65.200.10.132, src= 66.124.194.4,
> dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
> src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
> protocol= ESP, transform= esp-3des esp-sha-hmac ,
> lifedur= 28800s and 4608000kb,
> spi= 0xd76ebb43(3614358339), conn_id= 5, keysize= 0, flags= 0x4
> IPSEC(initialize_sas): ,
> (key eng. msg.) src= 65.200.10.132, dest= 66.124.194.4,
> src_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
> dest_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
> protocol= ESP, transform= esp-3des esp-sha-hmac ,
> lifedur= 28800s and 4608000kb,
> spi= 0xa88bff10(2827747088), conn_id= 6, keysize= 0, flags= 0x4
>
> VPN Peer: IPSEC: Peer ip:66.124.194.4 Ref cnt incremented to:2 Total VPN Peers:2
> VPN Peer: IPSEC: Peer ip:66.124.194.4 Ref cnt incremented to:3 Total VPN Peers:2
> return status is IKMP_NO_ERROR
> ISAKMP (0): sending NOTIFY message 36136 protocol 1
> crypto_isakmp_process_block: src 66.124.194.4, dest 65.200.10.132
> ISAKMP (0): processing NOTIFY payload 36137 protocol 1
> spi 0, message ID = 3940387878
> ISAMKP (0): received DPD_R_U_THERE_ACK from peer 66.124.194.4
> return status is IKMP_NO_ERR_NO_TRANS
> ISAKMP (0): sending NOTIFY message 36136 protocol 1
> crypto_isakmp_process_block: src 66.124.194.4, dest 65.200.10.132
> ISAKMP (0): processing NOTIFY payload 36137 protocol 1
> spi 0, message ID = 2816603626
> ISAMKP (0): received DPD_R_U_THERE_ACK from peer 66.124.194.4
> return status is IKMP_NO_ERR_NO_TRANS
>
>
> This is the 515 (remote) configuration:
> ------------------------------------------------------
>
> access-list 80 permit ip host 10.1.1.10 192.168.1.0 255.255.255.0
> access-list 80 permit ip host 10.1.1.10 192.168.2.0 255.255.255.0
> access-list 81 permit ip host 10.1.1.10 192.168.1.0 255.255.255.0
> access-list 100 permit ip host 10.1.1.10 host 192.168.1.15
> access-list 100 permit ip host 10.1.1.3 host 192.168.2.2
> access-list 100 permit ip host 10.1.1.10 host 192.168.1.16
> access-list 110 permit ip host 10.1.1.3 host 192.168.1.3
> access-list 110 permit ip host 10.1.1.3 host 192.168.2.3
> access-list 120 permit ip host 10.1.1.10 host 192.168.1.15
> access-list 120 permit ip host 10.1.1.10 30.1.1.0 255.255.255.0
> access-list 120 permit ip host 10.1.1.3 host 192.168.1.3
> access-list 120 permit ip host 10.1.1.3 host 192.168.2.3
> access-list 120 permit ip host 10.1.1.3 192.168.1.32 255.255.255.252
> access-list 120 permit ip host 10.1.1.3 host 192.168.2.2
> access-list 120 permit ip host 10.1.1.10 host 192.168.1.16
> access-list 120 permit ip host 10.1.1.3 host 192.168.2.1
> access-list 130 permit ip host 10.1.1.3 192.168.1.32 255.255.255.252
> access-list 140 permit ip host 10.1.1.3 host 192.168.2.1
>
> nat (inside) 0 access-list 120
>
> crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 90 set transform-set strong-des
> crypto map remotes-map 30 ipsec-isakmp
> crypto map remotes-map 30 match address 100
> crypto map remotes-map 30 set peer 209.101.218.58
> crypto map remotes-map 30 set transform-set strong-des
> crypto map remotes-map 40 ipsec-isakmp
> crypto map remotes-map 40 match address 110
> crypto map remotes-map 40 set peer 65.200.10.132
> crypto map remotes-map 40 set transform-set strong-des
> crypto map remotes-map 50 ipsec-isakmp
> crypto map remotes-map 50 match address 130
> crypto map remotes-map 50 set peer 64.124.78.153
> crypto map remotes-map 50 set transform-set strong-des
> crypto map remotes-map 60 ipsec-isakmp
> crypto map remotes-map 60 match address 140
> crypto map remotes-map 60 set peer 144.223.11.70
> crypto map remotes-map 60 set transform-set strong-des
> crypto map remotes-map 90 ipsec-isakmp dynamic dynmap
> crypto map remotes-map client configuration address initiate
> crypto map remotes-map client configuration address respond
> crypto map remotes-map interface outside
> isakmp enable outside
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> isakmp key ******** address 64.124.78.153 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp key ******** address 209.101.218.58 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp key ******** address 144.223.11.70 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp key ******** address 65.200.10.132 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp identity address
> isakmp client configuration address-pool local IP_POOL outside
> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption 3des
> isakmp policy 8 hash sha
> isakmp policy 8 group 2
> isakmp policy 8 lifetime 86400
> isakmp policy 9 authentication pre-share
> isakmp policy 9 encryption 3des
> isakmp policy 9 hash sha
> isakmp policy 9 group 1
> isakmp policy 9 lifetime 86400
>
> This is the 501 (local) configuration:
> --------------------------------------------------
>
> access-list 101 permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
> access-list 101 permit ip 192.168.2.0 255.255.255.0 103.0.0.0 255.255.255.0
> access-list 102 permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
> access-list 103 permit ip 192.168.2.0 255.255.255.0 103.0.0.0 255.255.255.0
>
> sysopt connection permit-ipsec
>
> crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
> crypto ipsec transform-set strong-3des esp-3des esp-md5-hmac
> crypto map remotes-map 40 ipsec-isakmp
> crypto map remotes-map 40 match address 102
> crypto map remotes-map 40 set peer 66.124.194.4
> crypto map remotes-map 40 set transform-set strong-des
> crypto map remotes-map 50 ipsec-isakmp
> crypto map remotes-map 50 match address 103
> crypto map remotes-map 50 set peer 144.223.39.94
> crypto map remotes-map 50 set transform-set strong-3des
> crypto map remotes-map interface outside
> isakmp enable outside
> isakmp key ******** address 144.223.39.94 netmask 255.255.255.255
> isakmp key ******** address 66.124.194.4 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp identity address
> isakmp keepalive 10
> isakmp policy 7 authentication pre-share
> isakmp policy 7 encryption 3des
> isakmp policy 7 hash md5
> isakmp policy 7 group 1
> isakmp policy 7 lifetime 86400
> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption 3des
> isakmp policy 8 hash sha
> isakmp policy 8 group 2
> isakmp policy 8 lifetime 86400
> isakmp policy 9 authentication pre-share
> isakmp policy 9 encryption 3des
> isakmp policy 9 hash sha
> isakmp policy 9 group 1
> isakmp policy 9 lifetime 86400
> isakmp policy 40 authentication pre-share
> isakmp policy 40 encryption 3des
> isakmp policy 40 hash sha
> isakmp policy 40 group 1
> isakmp policy 40 lifetime 1000
> isakmp policy 50 authentication pre-share
> isakmp policy 50 encryption 3des
> isakmp policy 50 hash md5
> isakmp policy 50 group 2
> isakmp policy 50 lifetime 1000
>
>
> What am I missing?
>
> Thanks in advance,
> Max
>
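As an added check (not from either poster), the script below encodes the question the reply asks, which address is really the peer, together with the other thing a static PIX-to-PIX crypto map entry needs: a crypto ACL on the far side that is the exact mirror image of the near side's. The config fragments are constructed from the quoted 501 and 515 configs, and the outside addresses handed to `check_pair` are assumptions, since the post gives both .94 and .4 for the 515.

```python
from ipaddress import ip_network

# Constructed fragments modelled on the two quoted PIX configs (only the lines this check reads).
PIX_515_REMOTE = """\
access-list 110 permit ip host 10.1.1.3 host 192.168.2.3
crypto map remotes-map 40 match address 110
crypto map remotes-map 40 set peer 65.200.10.132
isakmp key ******** address 65.200.10.132 netmask 255.255.255.255
"""
PIX_501_LOCAL = """\
access-list 102 permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map remotes-map 40 match address 102
crypto map remotes-map 40 set peer 66.124.194.4
isakmp key ******** address 66.124.194.4 netmask 255.255.255.255
"""

def _net(t):  # pop one PIX address spec ('host A' or 'A MASK') off token list t
    a = t.pop(0)
    return ip_network(t.pop(0) + "/32" if a == "host" else a + "/" + t.pop(0))

def parse(cfg):
    """Return (crypto ACLs, crypto map entries keyed by seq, isakmp key addresses)."""
    acls, maps, keys = {}, {}, set()
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], set()).add((_net(rest), _net(rest)))
        elif t[:2] == ["crypto", "map"] and t[4:6] in (["match", "address"], ["set", "peer"]):
            maps.setdefault(t[3], {})[t[5]] = t[6]  # keys 'address' (ACL id) and 'peer'
        elif t[:2] == ["isakmp", "key"]:
            keys.add(t[t.index("address") + 1])
    return acls, maps, keys

def check_pair(local_cfg, local_ip, remote_cfg, remote_ip):
    """List mismatches that keep an L2L tunnel down: wrong peer, no key, ACL not mirrored."""
    findings = []
    l_acls, l_maps, l_keys = parse(local_cfg)
    r_acls, r_maps, _ = parse(remote_cfg)
    for seq, e in l_maps.items():
        peer = e.get("peer")
        if peer != remote_ip:  # the .94 vs .4 question from the reply above
            findings.append(f"map {seq}: set peer {peer}, remote answers on {remote_ip}")
        if peer not in l_keys:
            findings.append(f"map {seq}: no isakmp key for {peer}")
        mirror = {(d, s) for s, d in l_acls.get(e.get("address"), set())}  # what remote must permit
        back = {x for r in r_maps.values() if r.get("peer") == local_ip for x in r_acls.get(r.get("address"), set())}
        if back != mirror:
            findings.append(f"map {seq}: crypto ACL not mirrored on remote")
    return findings
```

Run against the fragments above, the 501 side reports a peer mismatch only if the 515 really terminates IKE on .94, and in either case reports that ACL 110 (host-to-host) is not the mirror of ACL 102 (net-to-net).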




