
Help with site-to-site VPN


exxor

Programmer
Apr 29, 2005
Hi!

I have a problem with a VPN tunnel between a PIX 515E (6.3) and a Shiva Netstructure. He says (the Shiva admin, that is) that this configuration is working against other Ciscos, so I believe there is something wrong on my end.

If I interpret the debug correctly, it fails in phase 1.

What can I try next? I'm pretty stumped about what to do next. Any help is greatly appreciated!


Debug:
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 213.115.0.x, remote= 195.198.46.x,
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= test/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 213.115.0.x, dst 195.198.46.x
ISADB: reaper checking SA 0x109dd3c, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 195.198.46.x/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 213.115.0.x, remote= 195.198.46.230,
local_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
remote_proxy= test/255.255.255.0/0/0 (type=4)


Config File:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxxx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name viaduct.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 213.115.25.x mail
name 192.168.251.0 test
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 213.115.25.x 255.255.255.224
access-list nonat permit ip 192.168.100.0 255.255.255.0 test 255.255.255.0
access-list vpnsplt permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list vpnsplt permit ip 213.115.25.x 255.255.255.224 192.168.150.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 test 255.255.255.0
pager lines 24
logging on
logging console alerts
logging trap emergencies
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 213.115.0.x 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 213.115.25.x 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.150.1-192.168.150.128
ip local pool vpnpool2 192.168.150.129-192.168.150.254
pdm location 192.168.100.20 255.255.255.255 inside
pdm location 213.115.25.x 255.255.255.224 inside
pdm location 192.168.100.141 255.255.255.255 inside
pdm location 192.168.100.139 255.255.255.255 inside
pdm location test 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) mail mail netmask 255.255.255.255 0 0
static (inside,dmz) sun sun netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host sun eq conduit permit tcp host sun eq https any
conduit permit tcp host mail eq smtp any
conduit permit tcp host mail eq pop3 any
route outside 0.0.0.0 0.0.0.0 213.115.0.209 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.20 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set trmset2 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set trmset2
crypto map map1 20 ipsec-isakmp
crypto map map1 20 match address outside_cryptomap_20
crypto map map1 20 set peer 195.198.46.x
crypto map map1 20 set transform-set ESP-3DES-MD5
crypto map map1 65535 ipsec-isakmp dynamic map2
crypto map map1 client configuration address respond
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 195.198.46.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup viagrp address-pool vpnpool1
vpngroup viagrp dns-server zeus
vpngroup viagrp default-domain viaduct.net
vpngroup viagrp idle-time 1800
vpngroup viagrp password ********
vpngroup viafw address-pool vpnpool2
vpngroup viafw dns-server zeus
vpngroup viafw wins-server zeus
vpngroup viafw default-domain viaduct.net
vpngroup viafw split-tunnel vpnsplt
vpngroup viafw idle-time 1800
vpngroup viafw password ********
telnet timeout 5
ssh 192.168.100.20 255.255.255.255 inside
ssh timeout 30
console timeout 0
username kalles password xxxxxxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:3ee9084c04dfa1c334bas8b577c0975db
: end
 
What are the settings on the Shiva's end?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
These are the settings I got from him:

Local peer 195.198.46.x
Remote peer 213.115.0.x

VPN parameters
IKE phase 1 - ESP-3DES-HMAC-MD5 DH Group 2
Key lifetime 24 hour

Ike phase 2 - ESP-3DES-HMAC MD5
Key lifetime 8 hour
4608000 kb

Password xxxxxxxxxx
192.168.100.0 customer-Net
 
Those look ok. Is PFS set?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Only thing that's strange is

access-list nonat permit ip 192.168.100.0 255.255.255.0 213.115.25.x 255.255.255.224

Can't really see any use of this. I would remove it and try again.

 
Supergrrover: No, PFS is not set.

boymarty24: That line is there so that no NATing occurs between inside and DMZ. Nothing to do with this.



 
Oops,

Sorry, I didn't notice that your DMZ and outside IPs were almost the same. I thought that it was your outside IP in that statement.
 
Now we have gotten a bit further with this matter. He added my 192.168.100.0 net in his config, and now the tunnel is started on my end. He can't see it in the Shiva.

I'm getting a tunnel that bounces up and down every second, and a lot more debug info. I just can't see what's wrong in the debug; it says XZXZX_NO_ERROR everywhere.

Can you help me locate the error?

Debug output:

ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 195.198.x.y

ISAKMP (0): deleting SA: src 195.198.x.y, dst 213.115.x.z
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:195.198.x.y/500 Ref cnt incremented to:2 Total VPN Peers:1
ISADB: reaper checking SA 0x1177074, conn_id = 0
ISADB: reaper checking SA 0x1177f84, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:195.198.x.y/500 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0x1177074, conn_id = 0
ISADB: reaper checking SA 0x11777fc, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:195.198.x.y/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:195.198.x.y/500 Total VPN peers:0
ISADB: reaper checking SA 0x1177074, conn_id = 0
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 18 protocol 1
spi 0, message ID = 498426728
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 195.198.x.y

ISAKMP (0): deleting SA: src 195.198.x.y, dst 213.115.x.z
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Added new peer: ip:195.198.x.y/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:195.198.x.y/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 18 protocol 1
spi 0, message ID = 1192626343
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 195.198.x.y

ISAKMP (0): deleting SA: src 195.198.x.y, dst 213.115.x.z
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:195.198.x.y/500 Ref cnt incremented to:2 Total VPN Peers:1
ISADB: reaper checking SA 0x11777fc, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:195.198.x.y/500 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0x1177074, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:195.198.x.y/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:195.198.x.y/500 Total VPN peers:0
ISADB: reaper checking SA 0x1177f84, conn_id = 0
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 18 protocol 1
spi 0, message ID = 491664837
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 195.198.x.y

ISAKMP (0): deleting SA: src 195.198.x.y, dst 213.115.x.z
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Added new peer: ip:195.198.x.y/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:195.198.x.y/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:195.198.x.y, dest:213.115.x.z spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 18 protocol 1
spi 0, message ID = 29774723
return status is IKMP_NO_ERR_NO_TRANS
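Reading a flapping debug like the one above by hand is tedious, so here is an added Python helper (not from the thread, and not Cisco tooling) that tallies which ISAKMP policy accepted the peer's proposal, how often the SA authenticates and is deleted, and which notify types the peer sends. The sample lines are a constructed excerpt modelled on the post; the notify names are assumed from RFC 2408 and RFC 2407 (18 is INVALID-ID-INFORMATION, 24578 is the INITIAL-CONTACT the debug itself labels), and the diagnosis strings are this example's own wording.

```python
import re
from collections import Counter
# Constructed excerpt modelled on the "debug crypto isakmp" output posted above
# (peer addresses masked as in the post); it is not the page's own log.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
ISAKMP (0): deleting SA: src 195.198.x.y, dst 213.115.x.z
ISAKMP (0): SA has been authenticated
ISAKMP (0): processing NOTIFY payload 18 protocol 1
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
ISAKMP (0): deleting SA: src 195.198.x.y, dst 213.115.x.z
ISAKMP (0): SA has been authenticated
ISAKMP (0): processing NOTIFY payload 18 protocol 1
"""

# Notify types 14 and 18 are from RFC 2408 section 3.14.1; 24578 (0x6002) is the
# IPsec DOI status notify INITIAL-CONTACT (RFC 2407 section 4.6.3).
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 24578: "INITIAL-CONTACT"}
CHECK_RE = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol")


def summarize_isakmp_debug(text):
    # Tally phase-1 policy matches, SA lifecycle events and peer notifies.
    s = {"accepted": Counter(), "rejected": Counter(), "authenticated": 0,
         "deleted": 0, "notifies": Counter()}
    pending = None  # priority of the ISAKMP policy currently being checked
    for line in text.splitlines():
        if m := CHECK_RE.search(line):
            pending = int(m.group(1))
        elif "atts are not acceptable" in line and pending is not None:
            s["rejected"][pending] += 1
        elif "atts are acceptable" in line and pending is not None:
            s["accepted"][pending] += 1
        elif "SA has been authenticated" in line:
            s["authenticated"] += 1
        elif "deleting SA" in line:
            s["deleted"] += 1
        elif m := NOTIFY_RE.search(line):
            code = int(m.group(1))
            s["notifies"][NOTIFY_NAMES.get(code, f"type-{code}")] += 1
    return s


def diagnose(s):
    # Turn the tallies into the next question to ask about the tunnel.
    findings = []
    if not s["accepted"]:
        findings.append("no ISAKMP policy accepted the peer's phase-1 proposal")
    if s["authenticated"] and s["notifies"]["INVALID-ID-INFORMATION"]:
        findings.append("phase 1 authenticates, then peer sends INVALID-ID-INFORMATION: compare the crypto ACL with the peer's network list")
    if s["notifies"]["INITIAL-CONTACT"] > 1:
        findings.append("repeated INITIAL-CONTACT: each new IKE SA from the peer tears down the last")
    return findings
```

Run against the post's full debug, the tallies show policy 10 (DES) rejecting the 3DES proposal and policy 30 accepting it, so phase 1 is fine and the remaining problem lies in what the peer rejects afterwards.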
 
What is the remote network that you are trying to reach through the VPN?
Things to try: add this line to your config
crypto map map1 20 set pfs group2
just to humor me and see if the tunnel stays up.

Also kill the conduits and make them into an ACL.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I'm afraid that did nothing for the tunnel.

How do I convert my conduits to ACLs? Actually, I've never worked with ACLs before. :)
 
conduit permit icmp any any
conduit permit tcp host sun eq conduit permit tcp host sun eq https any
conduit permit tcp host mail eq smtp any
conduit permit tcp host mail eq pop3 any

Would go -

fixup icmp error
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host sun eq www
access-list outside_in permit tcp any host sun eq https
access-list outside_in permit tcp any host mail eq smtp
access-list outside_in permit tcp any host mail eq pop3
access-group outside_in in interface outside



Brent
Systems Engineer / Consultant
CCNP, CCSP
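The conversion above follows a mechanical rule: a conduit names the global (protected) side first and the foreign side second, while an inbound access-list names the source (foreign) first and the destination (global) second. This added Python converter is hypothetical (not Cisco tooling and not from the thread); it applies that rule to the conduit forms used on this page, and the ACL name outside_in and interface outside are taken from Brent's reply. The sample conduits are constructed from the hosts named in the config (sun, mail).

```python
# Added example: converts PIX "conduit" statements into the equivalent
# inbound access-list lines. Handles the forms used in this thread:
#   conduit <permit|deny> <proto> <global> [op port] <foreign> [op port]
# where an address is "any", "host X" or "addr mask".

PORT_OPS = ("eq", "lt", "gt", "neq")


def _take_endpoint(tokens):
    """Consume one address spec plus an optional port operator from tokens."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        addr, rest = "any", tokens[1:]
    elif len(tokens) < 2:
        raise ValueError(f"truncated address spec: {tokens}")
    elif tokens[0] == "host":
        addr, rest = f"host {tokens[1]}", tokens[2:]
    else:
        addr, rest = f"{tokens[0]} {tokens[1]}", tokens[2:]  # addr mask
    if len(rest) >= 2 and rest[0] in PORT_OPS:
        addr, rest = f"{addr} {rest[0]} {rest[1]}", rest[2:]
    elif len(rest) >= 3 and rest[0] == "range":
        addr, rest = f"{addr} range {rest[1]} {rest[2]}", rest[3:]
    return addr, rest


def conduit_to_acl(conduit, acl_name="outside_in"):
    """Return the access-list line equivalent to one conduit statement."""
    tokens = conduit.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit!r}")
    action, proto = tokens[1], tokens[2]
    global_side, rest = _take_endpoint(tokens[3:])  # protected host/net
    foreign_side, rest = _take_endpoint(rest)       # outside peer(s)
    if rest:
        raise ValueError(f"unparsed tokens in {conduit!r}: {rest}")
    # Inbound ACL order is source (foreign) then destination (global).
    return f"access-list {acl_name} {action} {proto} {foreign_side} {global_side}"


def migrate_conduits(conduits, acl_name="outside_in", interface="outside"):
    """Convert every conduit and bind the ACL inbound on the given interface."""
    lines = [conduit_to_acl(c, acl_name) for c in conduits]
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


# Constructed input using the hosts named in the thread's config.
SAMPLE_CONDUITS = [
    "conduit permit icmp any any",
    "conduit permit tcp host sun eq www any",
    "conduit permit tcp host sun eq https any",
    "conduit permit tcp host mail eq smtp any",
    "conduit permit tcp host mail eq pop3 any",
]

if __name__ == "__main__":
    print("\n".join(migrate_conduits(SAMPLE_CONDUITS)))
```

Review the generated lines before applying them: the converter preserves what each conduit allowed, so an overly broad conduit becomes an equally broad ACL entry.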
 