
PIX VPN Issue - 506E to 515E


vtgman

IS-IT--Management
Sep 30, 2004
46
US
Hello All,

I am working to get a tunnel up. I am getting the following errors with the tunnel and it will not come up. Let me know what I am doing wrong. Set up one just like it and it works perfect. Not sure what I am doing wrong.


crypto_isakmp_process_block:src:216.12.92.163, dest:64.203.169.62 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: default group 2
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:216.12.92.163, dest:64.203.169.62 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:216.12.92.163, dest:64.203.169.62 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing keep alive: proposal=32767/32767 sec., actual=10/2 sec.
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:216.12.92.163/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:216.12.92.163/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:216.12.92.163, dest:64.203.169.62 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 4037861185

Here is my config for the pix 506E
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname VTG
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list cemsi permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list letin1 permit icmp any any echo
access-list letin1 permit icmp any any echo-reply
access-list letin1 permit icmp any any traceroute
access-list letin1 permit icmp any any time-exceeded
access-list letin1 permit icmp any any
access-list letin1 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list letout permit icmp any any
access-list letout permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.203.169.62 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list cemsi
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group letin1 in interface outside
access-group letout in interface inside
route outside 0.0.0.0 0.0.0.0 64.203.169.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set cemsi esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address cemsi
crypto map outside_map 10 set peer 216.12.92.163
crypto map outside_map 10 set transform-set cemsi
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 216.12.92.163 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:35d80391fa85f00a77a67b3e45ed913c
: end
VTG(config)#

Here is the config for the PIX 515E
PIX Version 7.2(4)
!
hostname pixfirewall
domain-name comsonics.com
enable password gibDv3tmT3.Uxb1i encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.9.241 cemsidns1
name 192.168.9.242 cemsidns2
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 216.12.92.163 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.3.200 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name comsonics.com
access-list letin1 extended permit icmp any any echo
access-list letin1 extended permit icmp any any echo-reply
access-list letin1 extended permit icmp any any traceroute
access-list letin1 extended permit icmp any any time-exceeded
access-list letin1 extended permit ip 192.168.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list letin1 extended permit ip 192.168.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list letin1 extended permit ip 192.168.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list letin1 extended permit ip 192.168.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list letin1 extended permit ip 192.168.0.0 255.255.0.0 192.168.9.0 255.255.255.0
access-list letin1 extended permit ip 192.168.0.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list letin1 extended permit ip 192.168.0.0 255.255.0.0 192.168.45.0 255.255.255.0
access-list letin1 extended permit ip 192.168.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list letout extended permit ip any any
access-list letout extended permit tcp any any
access-list letout extended permit udp any any
access-list indy extended permit ip 192.168.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list sac extended permit ip 192.168.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.9.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.1 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.250 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.60 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.105 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.181 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.182 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.42 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.3.250 192.168.45.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.141 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.240 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.80 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.13 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.45 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.46 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.47 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.48 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.94 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.34 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.18 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.75 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.92 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.7 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.213 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.102 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.11 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.227 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.80 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.16 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.71 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.76 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.84 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.112 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.113 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.116 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.121 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.9.123 192.168.45.0 255.255.255.0
access-list nonat extended permit ip host 192.168.0.40 192.168.45.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.45.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.20.0 255.255.255.0
access-list comitvpn_splitTunnelAcl extended permit ip 192.168.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl extended permit ip any 192.168.45.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any 192.168.20.0 255.255.255.0
access-list florida extended permit ip 192.168.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 100 extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list cemsi extended permit ip 192.168.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list comremote_splitTunnelAcl extended permit ip host 192.168.0.1 any
access-list comremote_splitTunnelAcl extended permit ip host 192.168.0.250 any
access-list comremote_splitTunnelAcl extended permit ip host 192.168.0.60 any
access-list comremote_splitTunnelAcl extended permit ip host 192.168.0.105 any
access-list comremote_splitTunnelAcl extended permit ip host 192.168.0.183 any
access-list comremote_splitTunnelAcl extended permit ip host 192.168.0.46 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.45.1-192.168.45.250
ip local pool vpnit 192.168.20.1-192.168.20.10
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group letin1 in interface outside
access-group letout in interface inside
route outside 0.0.0.0 0.0.0.0 216.12.92.161 1
route inside 192.168.0.0 255.255.255.0 192.168.3.250 1
route inside 192.168.9.0 255.255.255.0 192.168.3.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set indy esp-3des esp-md5-hmac
crypto ipsec transform-set sac esp-3des esp-md5-hmac
crypto ipsec transform-set cemsi esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside 10 match address indy
crypto map outside 10 set peer 24.123.27.18
crypto map outside 10 set transform-set indy
crypto map outside 20 match address sac
crypto map outside 20 set peer 12.189.215.154
crypto map outside 20 set transform-set sac
crypto map outside 30 match address cemsi
crypto map outside 30 set peer 64.203.169.62
crypto map outside 30 set transform-set cemsi
crypto map outside 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
ntp server 198.82.161.227 source outside prefer
group-policy cisco internal
group-policy cisco attributes
vpn-idle-timeout 30
group-policy comvpn internal
group-policy comvpn attributes
wins-server value 192.168.0.1
dns-server value 192.168.0.181 192.168.0.182
vpn-idle-timeout 30
group-policy comitvpn internal
group-policy comitvpn attributes
dns-server value 192.168.0.181 192.168.0.182
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value comitvpn_splitTunnelAcl
group-policy comremote internal
group-policy comremote attributes
dns-server value 192.168.0.181 192.168.0.182
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value comremote_splitTunnelAcl
group-policy comit internal
group-policy comit attributes
vpn-idle-timeout 30
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group 24.123.27.18 type ipsec-l2l
tunnel-group 24.123.27.18 ipsec-attributes
pre-shared-key *
tunnel-group 12.189.215.154 type ipsec-l2l
tunnel-group 12.189.215.154 ipsec-attributes
pre-shared-key *
tunnel-group 75.146.25.41 type ipsec-l2l
tunnel-group 75.146.25.41 ipsec-attributes
pre-shared-key *
tunnel-group comvpn type ipsec-ra
tunnel-group comvpn general-attributes
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy comvpn
tunnel-group comvpn ipsec-attributes
pre-shared-key *
tunnel-group cisco type ipsec-ra
tunnel-group cisco general-attributes
authentication-server-group (outside) LOCAL
default-group-policy cisco
tunnel-group comit type ipsec-ra
tunnel-group comit general-attributes
authentication-server-group (outside) LOCAL
default-group-policy comit
tunnel-group comitvpn type ipsec-ra
tunnel-group comitvpn general-attributes
address-pool vpnit
authentication-server-group (outside) LOCAL
default-group-policy comitvpn
tunnel-group comitvpn ipsec-attributes
pre-shared-key *
tunnel-group comremote type ipsec-ra
tunnel-group comremote general-attributes
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy comremote
tunnel-group comremote ipsec-attributes
pre-shared-key *
tunnel-group 64.203.169.62 type ipsec-l2l
tunnel-group 64.203.169.62 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a3a7cde6635c3478e349f48e1db381be
 
List the output from the following commands on both devices:
Code:
sh crypto isakmp sa
sh crypto ipsec sa

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Pix 506 e
VTG(config)# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
64.203.169.62 216.12.92.163 QM_IDLE 0 0

VTG(config)# sh crypto ipsec sa
VTG(config)#

PIX 515E
pixfirewall# sh crypto isakmp sa

Active SA: 4
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1 IKE Peer: 24.123.27.18
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 12.189.215.154
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
3 IKE Peer: 166.217.235.6
Type : user Role : responder
Rekey : no State : AM_ACTIVE
4 IKE Peer: 64.203.169.62
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

pixfirewall# sh crypto ipsec sa
pixfirewall# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_dyn_map, seq num: 40, local addr: 216.12.92.163

access-list outside_cryptomap_dyn_40 permit ip any 192.168.45.0 255.255.255.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.45.43/255.255.255.255/0/0)
current_peer: 166.217.235.6, username: jaymoyer
dynamic allocated peer ip: 192.168.45.43

#pkts encaps: 11106, #pkts encrypt: 11106, #pkts digest: 11106
#pkts decaps: 11277, #pkts decrypt: 11277, #pkts verify: 11277
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11106, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 22

local crypto endpt.: 216.12.92.163, remote crypto endpt.: 166.217.235.6

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8BAED0D0

inbound esp sas:
spi: 0x6031622C (1613849132)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1173, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 18477
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8BAED0D0 (2343489744)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1173, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 18477
IV size: 8 bytes
replay detection support: Y

Crypto map tag: outside, seq num: 20, local addr: 216.12.92.163

access-list sac permit ip 192.168.0.0 255.255.0.0 192.168.5.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer: 12.189.215.154

#pkts encaps: 578979, #pkts encrypt: 579048, #pkts digest: 579048
#pkts decaps: 433682, #pkts decrypt: 433682, #pkts verify: 433682
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 578979, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 69, #pre-frag failures: 0, #fragments created: 138
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 192
#send errors: 0, #recv errors: 0

local crypto endpt.: 216.12.92.163, remote crypto endpt.: 12.189.215.154

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7E9BA625

inbound esp sas:
spi: 0xF6657095 (4133843093)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1166, crypto-map: outside
sa timing: remaining key lifetime (kB/sec): (4229046/16791)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7E9BA625 (2124129829)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1166, crypto-map: outside
sa timing: remaining key lifetime (kB/sec): (4147056/16791)
IV size: 8 bytes
replay detection support: Y

Crypto map tag: outside, seq num: 10, local addr: 216.12.92.163

access-list indy permit ip 192.168.0.0 255.255.0.0 192.168.15.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
current_peer: 24.123.27.18

#pkts encaps: 353640, #pkts encrypt: 353709, #pkts digest: 353709
#pkts decaps: 273296, #pkts decrypt: 273296, #pkts verify: 273296
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 353640, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 69, #pre-frag failures: 0, #fragments created: 138
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 207
#send errors: 0, #recv errors: 0

local crypto endpt.: 216.12.92.163, remote crypto endpt.: 24.123.27.18

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: CFEF6D4F

inbound esp sas:
spi: 0x050E69F0 (84830704)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1165, crypto-map: outside
sa timing: remaining key lifetime (kB/sec): (4235362/16790)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xCFEF6D4F (3488574799)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1165, crypto-map: outside
sa timing: remaining key lifetime (kB/sec): (4115582/16790)
IV size: 8 bytes
replay detection support: Y

pixfirewall#
 
Any thoughts from anyone. Still trying but getting the same problems. Have reconfigured and passwords are correct.
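
The comparison requested in the thread (IKE SAs against IPsec SAs) can be scripted. This is an added example, not part of any post above: it parses the PIX 7.x output format shown in the thread and lists peers whose Phase 1 SA is active but which have no inbound and outbound ESP SA pair. The function names are hypothetical, and the sample input is abridged from the 515E output posted above.

```python
import re

# Sample input, abridged from the PIX 515E (7.2) output posted in this thread.
ISAKMP_SA = """\
1 IKE Peer: 24.123.27.18
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 12.189.215.154
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
4 IKE Peer: 64.203.169.62
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
"""
IPSEC_SA = """\
current_peer: 12.189.215.154
inbound esp sas:
spi: 0xF6657095 (4133843093)
outbound esp sas:
spi: 0x7E9BA625 (2124129829)
current_peer: 24.123.27.18
inbound esp sas:
spi: 0x050E69F0 (84830704)
outbound esp sas:
spi: 0xCFEF6D4F (3488574799)
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
ACTIVE = {"MM_ACTIVE", "AM_ACTIVE"}  # Phase 1 states shown in the thread's output

def parse_isakmp_sa(text):
    """Map peer IP -> {'type', 'role', 'rekey', 'state'} from 'sh crypto isakmp sa'."""
    peers, current = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*" + IP, line)
        if m:
            current = peers.setdefault(m.group(1), {})
        elif current is not None:
            for key, value in re.findall(r"(Type|Role|Rekey|State)\s*:\s*(\S+)", line):
                current[key.lower()] = value
    return peers

def parse_ipsec_sa(text):
    """Map peer IP -> set of directions holding an ESP SPI, from 'sh crypto ipsec sa'."""
    peers, current, direction = {}, None, None
    for line in text.splitlines():
        peer = re.search(r"current_peer:\s*" + IP, line)
        section = re.match(r"\s*(inbound|outbound) esp sas:", line)
        if peer:
            current, direction = peers.setdefault(peer.group(1), set()), None
        elif section:
            direction = section.group(1)
        elif current is not None and direction and re.match(r"\s*spi:\s*0x", line):
            current.add(direction)
    return peers

def phase2_gaps(isakmp_text, ipsec_text):
    """Peers whose IKE SA is active but which lack an inbound+outbound ESP SA pair."""
    ipsec = parse_ipsec_sa(ipsec_text)
    return [(peer, sa.get("type"), sa.get("role"))
            for peer, sa in parse_isakmp_sa(isakmp_text).items()
            if sa.get("state") in ACTIVE
            and ipsec.get(peer, set()) != {"inbound", "outbound"}]

if __name__ == "__main__":
    for peer, sa_type, role in phase2_gaps(ISAKMP_SA, IPSEC_SA):
        print(f"{peer}: IKE SA up ({sa_type}, {role}) but no IPsec SA pair")
```

On the sample, the only peer reported is 64.203.169.62, the 506E end of the tunnel in question.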
 