PIX to Router VPN

[nick25]

Hi all,

I'm having a problem with a site to site VPN between a PIX and a router. The layout is basically like this :

LAN A -- 192.168.20.1( PIX )192.168.50.1-- 192.168.50.3(Router1)192.200.200.13 ----- 192.200.200.14(Remote Router2)192.168.250.x --- LAN B

I've setup client to PIX VPNs successully before, but not site to site, so I would appreciate any help.

The 2 VPN peers are the PIX and Router2 and the problem basically is, after inputting configuration for VPN on the 2 peers, the traffic that's supposed to be using the VPN tunnel to go between LAN A and LAN B, just seems to be going through "normally".

Here are the vpn related config :

PIX (running os 7.0.1)

access-list l2l extended permit ip 192.168.20.0 255.255.255.0 192.168.250.0 255.255.255.0
crypto ipsec transform-set transform1 esp-3des esp-md5-hmac
crypto map crypto1 1 match address l2l
crypto map crypto1 1 set peer 192.168.250.200
crypto map crypto1 1 set transform-set transform1
crypto map crypto1 interface Remote
isakmp enable Remote
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
tunnel-group 192.168.250.200 type ipsec-l2l
tunnel-group 192.168.250.200 ipsec-attributes
pre-shared-key *
sysopt connection permit-ipsec

Note: I also had a nat 0 access-list but it didn't seem to make a difference.


Config for remote router:

interface loopback 1
ip address 192.168.250.200 255.255.255.0
crypto map Crypto1

Crypto isakmp policy 10
authentication pre-share
crypto isakmp key * address 192.168.50.1

crypto ipsec transform-set transform1 esp-3des

crypto map Crypto1 local-address interface loopback 1
crypto map Crypto1 20 ipsec-isakmp
set peer 192.168.50.1
set transform-set encrypt_des
match address 100

access-list 100 permit ip 192.168.250.0 0.0.0.255 192.168.50.0 0.0.0.255

I am not sure where the problem is coming from. Router1 lets all traffic through. Is there anything wrong with the configs?

Appreciate any help.

Thanks,

Nick

 

[lashboy]

Hi nick,

is this complete config from router?
I think you should set encryption and hash on router isakmp policy. look at my config between router and pix and see if you can get any help from this.


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!

!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warning
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.56.1
!
ip dhcp pool dtm
import all
network 192.168.56.0 255.255.255.0
default-router 192.168.56.1
!
!
no ip domain lookup
ip domain name private.corp
ip ssh time-out 60
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-2705682511
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2705682511
revocation-check none
rsakeypair TP-self-signed-2705682511
!
!
crypto pki certificate chain TP-self-signed-2705682511

!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
crypto isakmp key xxxxxxxxxx address xx.xx.xx.xx
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set myset
match address 101
!
!
!
!
interface FastEthernet0
no ip address
duplex auto
speed auto
!
interface FastEthernet1
ip address xx.xx.xx.xx xx.xx.xx.xx
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!

!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
ip address 192.168.56.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000


ip nat inside source list 102 interface FastEthernet1 overload


!
access-list 101 permit ip 192.168.56.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 102 deny ip 192.168.56.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 102 permit ip 192.168.56.0 0.0.0.255 any
no cdp run
===================================================
!
PIX 501 CONFIG
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname abc
domain-name private.corp
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list acl-out permit icmp any any echo-reply
access-list acl-out permit icmp any any unreachable
access-list acl-out permit icmp any any time-exceeded





access-list NONAT permit ip 192.168.88.0 255.255.255.0 192.168.56.0 255.255.255.0


access-list tim permit ip 192.168.88.0 255.255.255.0 192.168.56.0 255.255.255.0


pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 24.xx.xx.xx 255.255.xx.xx
ip address inside 192.168.88.254 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0



access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 24.xx.xx.xx




sysopt connection permit-ipsec

crypto ipsec transform-set AES-256 esp-des esp-md5-hmac
crypto map abc 10 ipsec-isakmp
crypto map abc 10 match address tim
crypto map abc 10 set peer xx.xx.xx.xx
crypto map abc 10 set transform-set AES-256

crypto map abc interface outside
isakmp enable outside


isakmp key ******** address xx.xx.xx.xx netmask 255.255.xx.xx
isakmp identity address
isakmp keepalive 10 3

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 5
isakmp policy 1 lifetime 28800
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 6 authentication pre-share
isakmp policy 6 encryption aes-256
isakmp policy 6 hash sha
isakmp policy 6 group 2
isakmp policy 6 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400

 

[nick25]

Hi lashboy,

no it's not the complete router config, just the vpn related part. But yea it seems there's no hash and encryption in the router's isakmp policy. I will have that fixed and see if that's the source of the problem.

Thanks,

Nick

 

[nick25]

Hello again,

That vpn "task" had been put on hold for a while so I'm just starting to work on it again.

Lashboy thanks for the help, but it seems it wasn't the hash/encryption that was the issue(at least not the only issue!).

I ran some debugs and according to them I think it was a problem with the access-lists which weren't mirrored.

Here's what a debug isakmp on the router gave me.

3d22h: ISAKMP (0:1): deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE
(peer 192.168.50.1) input queue 0
3d22h: ISAKMP (0:1): deleting node -463469741 error TRUE reason "QM_TIMER expire
d"
3d22h: ISAKMP (0:1): deleting node -1553476178 error TRUE reason "QM_TIMER expir
ed"
3d22h: ISAKMP (0:1): deleting node -148007640 error TRUE reason "QM_TIMER expire
d"
3d22h: ISAKMP (0:1): deleting node -1599133358 error TRUE reason "QM_TIMER expir
ed"
3d22h: ISAKMP (0:1): deleting node 1908394726 error TRUE reason "QM_TIMER expire
d"
3d22h: ISAKMP (0:1): deleting node 1820682155 error TRUE reason "QM_TIMER expire
d"
3d22h: ISAKMP (0:1): deleting node 1622936710 error TRUE reason "QM_TIMER expire
d"
3d22h: ISAKMP: received ke message (1/1)
3d22h: ISAKMP: local port 500, remote port 500
3d22h: ISAKMP (0:2): beginning Main Mode exchange
3d22h: ISAKMP (2): sending packet to 192.168.50.1 (I) MM_NO_STATE
3d22h: ISAKMP (2): received packet from 192.168.50.1 (I) MM_NO_STATE
3d22h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with
peer at 192.168.50.1

From what I read this can be caused by non-matching access-lists, which is indeed the case here. I will fix that and hopefully it solves everything.