
Connection to Remote office 1

Status
Not open for further replies.

scrimmy

Technical User
Sep 27, 2001
Please help

I need to set up a LAN-to-LAN connection between two offices.
The main office has a Cisco 3000 VPN concentrator
The remote office has a Cisco PIX 501 (172.16.54.0 255.255.255.0)
The VPN tunnel light stays on but I have no connection to my servers in the main office.

I managed to get this going about two years ago and now I can not recall the exact steps I need to follow.

On the Concentrator I have set the following
Configuration - system - tunnelling protocols - IPSec - LAN-to-LAN
Peer - IP address from ISP to match PIX ip address outside
Local Network IP address 172.31.0.0 wildcard mask 0.0.255.255.255
Remote network IP address 172.16.54.0 wildcard mask 0.0.0.255

Below are configs for the PIX, output from debug crypto ipsec and isakmp.


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.16.54.0 255.255.255.0 172.31.0.0 255.255.0.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside <IP address from ISP>
ip address inside 172.16.54.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <ISP router> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer (Concentrator)
crypto map aptmap 10 set transform-set aptset
crypto map aptmap interface outside
isakmp enable outside
isakmp key ******** address (Concentrator) netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:95c61dddfbb5cca0cc488be506e70012
: end



pixfirewall# debug crypto ipsec
pixfirewall# IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x77e44f01(2011451137) for SA
from (Concentrator) to (IP address from ISP) for prot 3
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= (Concentrator), src= (IP address from ISP),
dest_proxy= 172.31.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 172.16.54.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= (IP address from ISP), src= (Concentrator),
dest_proxy= 172.16.54.0/255.255.255.0/0/0 (type=4),
src_proxy= 172.31.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x77e44f01(2011451137), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= (IP address from ISP), dest= (Concentrator),
src_proxy= 172.16.54.0/255.255.255.0/0/0 (type=4),
dest_proxy= 172.31.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0xd7e9df5(226401781), conn_id= 2, keysize= 0, flags= 0x4



pixfirewall# debu crypto isakmp
pixfirewall#
crypto_isakmp_process_block: src (Concentrator), dest (IP address from ISP)
crypto_isakmp_process_block: src (Concentrator), dest (IP address from ISP)
VPN Peer: ISAKMP: Added new peer: ip:(Concentrator) Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:(Concentrator) Ref cnt incremented to:1 Total VPN Peers:1

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src (Concentrator), dest (IP address from ISP)
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src (Concentrator), dest (IP address from ISP)
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src (Concentrator), dest (IP address from ISP)
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 430604999:19aa82c7
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src (Concentrator), dest (IP address from ISP)
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 430604999

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 430604999

ISAKMP (0): processing ID payload. message ID = 430604999
ISAKMP (0): processing ID payload. message ID = 430604999
ISAKMP (0): Creating IPSec SAs
inbound SA from (Concentrator) to (IP address from ISP) (proxy 172.31.0.0 to 172.16.54.0)
has spi 3510553771 and conn_id 1 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
outbound SA from (IP address from ISP) to (Concentrator) (proxy 172.16.54.0 to 172.31.0.0)
has spi 77571729 and conn_id 2 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
VPN Peer: IPSEC: Peer ip:(Concentrator) Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:(Concentrator) Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src (Concentrator), dest (IP address from ISP)
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2966568993
ISAMKP (0): received DPD_R_U_THERE from peer (Concentrator)
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
 
Looks like the tunnel is established since you have inbound and outgoing SPIs according to the debugs. Your problem could be due to routing. Issue a show crypto ipsec sa command on the PIX and determine if packets are being encrypted and decrypted correctly.

On the VPN3000 go to:

Monitoring | Sessions

and determine if Bytes TX and Bytes RX are incrementing.
 
Thanks for the reply
Here is the info you asked for, hope this helps.
The pix has only been powered up for 2 minutes.

pixfirewall# show crypto ipsec sa


interface: outside
Crypto map tag: aptmap, local addr. (PIX outside IP Address)

local ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
current_peer: (Concentrator)
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 8, #recv errors 0

local crypto endpt.: (PIX outside IP Address), remote crypto endpt.: (Concentrator)
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 4fada7c5

inbound esp sas:
spi: 0x31d3fe8a(835976842)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: aptmap
sa timing: remaining key lifetime (k/sec): (4608000/27899)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x4fada7c5(1336780741)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: aptmap
sa timing: remaining key lifetime (k/sec): (4607999/27890)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:


pixfirewall#





Number | Username | IP Address               | Protocol | Encrypt | Duration | Data Tx | Data Rx
---------------------------------------------------------------------------------------------
1      | L2L Test | (PIX outside IP address) | IPSecL2L | 3DES168 | 0:02:24  | 0       | 872





 
As can be seen from the logs, the PIX is encrypting the packets but it doesn't receive any encrypted packets to decrypt.

The information from the VPN3000 confirms this situation: the concentrator is decrypting packets but it is not encrypting any packets.

The VPN tunnel is up and working; the problem lies on the VPN3000 side, which is not receiving any packets to encrypt. I would advise you to look there for the root of the problem. The most probable cause would be routing, since the replies are not reaching the VPN3000; otherwise the concentrator would show packets being encrypted. Hope it helps!
 
Thanks for that.
The VPN3000 had a static route on it 172.16.0.0/255.240.0.0
I removed this static route and all started working.

Is it possible to connect to the PIX from my main site?
 