Hi everyone!
I have made a test configuration for future use and I have a problem with VPN over LAN like this.
I have something like this:
ROUTER 2600 (IOS c2600-jk9s-mz.122-12a)
(int eth0/0 address: 192.168.20.1)
|
|
(outside address: 192.168.20.219)
PIX 501 (OS 6.3(4))
(inside address: 10.1.1.1)
|
|
HOST
(ip add: 10.1.1.5)
(gw 10.1.1.1)
I can ping to 10.1.1.1
I can't ping to 192.168.20.219 and 192.168.20.1
I would like to have a VPN connection from 10.1.1.5 (host) to 192.168.20.1 (2600 eth0/0).
My PIX 501 conf:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-abas
domain-name abas.pl
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
no fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside permit tcp any any
access-list outside permit ip any any
access-list inside deny tcp any any eq www
access-list inside permit ip any any
access-list inside permit tcp any any
access-list inside_outbound_nat0_acl permit ip host 10.1.1.5 192.168.20.0 255.255.255.0
access-list outside_cryptomap_20 permit ip host 10.1.1.5 192.168.20.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.20.219 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.1.5 255.255.255.255 inside
pdm location 10.1.1.10 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.1.1.0 255.255.255.0 dns outside 100 100 norandomseq
static (inside,outside) 192.168.20.0 10.1.1.0 netmask 255.255.255.0 0 0
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.1.1.10 255.255.255.255 inside
http 10.1.1.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.20.1
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.20.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
My 2600 conf:
2600#sh run
Building configuration...
Current configuration : 1498 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2600
!
!
ip subnet-zero
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key test address 192.168.20.219
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Ethernet0/0
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 192.168.20.219
set transform-set cm-transformset-1
match address 110
!
call rsvp-sync
!
!
!
interface Ethernet0/0
description connected to EthernetLan_1
ip address 192.168.20.1 255.255.255.0
half-duplex
no cdp enable
crypto map cm-cryptomap
!
interface Serial1/0
physical-layer async
ip address 10.2.0.1 255.255.255.0
encapsulation ppp
ip tcp header-compression
async default routing
async mode dedicated
no peer default ip address
no fair-queue
!
interface Serial1/1
no ip address
shutdown
no cdp enable
!
interface Serial1/2
no ip address
shutdown
no cdp enable
!
interface Serial1/3
no ip address
shutdown
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip http server
!
access-list 100 permit ip any any
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit ip any any
no cdp run
!
!
dial-peer cor custom
!
line con 0
line 33
flush-at-activation
modem InOut
speed 115200
line aux 0
line vty 0 4
password test
login
!
end
My ISAKMP key on the PIX and the 2600 is: test
When I try to ping from host 10.1.1.5 to router 192.168.20.1, I can see on the router console something like this:
02:18:05: ISAKMP (0:0): received packet from 192.168.20.219 (N) NEW SA
02:18:05: ISAKMP: local port 500, remote port 500
02:18:05: ISAKMP (0:2): processing SA payload. message ID = 0
02:18:05: ISAKMP (0:2): found peer pre-shared key matching 192.168.20.219
02:18:05: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1 policy
02:18:05: ISAKMP: encryption DES-CBC
02:18:05: ISAKMP: hash MD5
02:18:05: ISAKMP: default group 2
02:18:05: ISAKMP: auth pre-share
02:18:05: ISAKMP: life type in seconds
02:18:05: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
02:18:05: ISAKMP (0:2): atts are acceptable. Next payload is 0
02:18:05: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
02:18:05: ISAKMP (0:2): sending packet to 192.168.20.219 (R) MM_SA_SETUP
02:18:15: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
02:18:15: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
02:18:15: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
02:18:15: ISAKMP (0:2): sending packet to 192.168.20.219 (R) MM_SA_SETUP
02:18:20: ISAKMP (0:0): received packet from 192.168.20.219 (N) NEW SA
02:18:20: ISAKMP: local port 500, remote port 500
02:18:20: ISAKMP (0:3): processing SA payload. message ID = 0
02:18:20: ISAKMP (0:3): found peer pre-shared key matching 192.168.20.219
02:18:20: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 1 policy
02:18:20: ISAKMP: encryption DES-CBC
02:18:20: ISAKMP: hash MD5
02:18:20: ISAKMP: default group 2
02:18:20: ISAKMP: auth pre-share
02:18:20: ISAKMP: life type in seconds
02:18:20: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
02:18:20: ISAKMP (0:3): atts are acceptable. Next payload is 0
02:18:20: ISAKMP (0:3): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
02:18:20: ISAKMP (0:3): sending packet to 192.168.20.219 (R) MM_SA_SETUP
02:18:25: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
02:18:25: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
02:18:25: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
02:18:25: ISAKMP (0:2): sending packet to 192.168.20.219 (R) MM_SA_SETUP
02:18:30: ISAKMP (0:3): retransmitting phase 1 MM_SA_SETUP...
02:18:30: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1
02:18:30: ISAKMP (0:3): retransmitting phase 1 MM_SA_SETUP
02:18:30: ISAKMP (0:3): sending packet to 192.168.20.219 (R) MM_SA_SETUP
2600#
02:18:35: ISAKMP (0:2): received packet from 192.168.20.219 (R) MM_SA_SETUP
02:18:35: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
02:18:35: ISAKMP (0:2): retransmitting due to retransmit phase 1
02:18:35: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
02:18:35: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
At the same time, on the PIX console I have something like this:
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 192.168.20.219, remote= 192.168.20.1,
local_proxy= 10.1.1.5/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.168.20.219, dst 192.168.20.1
ISADB: reaper checking SA 0xacd9dc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 192.168.20.1/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 192.168.20.219, remote= 192.168.20.1,
local_proxy= 10.1.1.5/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4)
Please tell me what is wrong??
How can I establish a VPN connection between the PIX and the 2600 with a config like that?
Big Thanks!!!
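The two configs in the post can be cross-checked mechanically for the mismatches that keep an IPsec tunnel from forming. The following script is an added example, not code from the post or from Cisco; the two config excerpts inside it are copied from the post, while the parser, the `audit()` function and the finding texts are mine and the parser only understands the statement shapes that appear in those excerpts.

```python
"""Cross-check two Cisco IPsec peers (PIX 6.x and IOS 12.x syntax) for the
configuration mismatches that keep a tunnel from forming.  Constructed
stand-alone example, not code from the post; the two excerpts below are
copied from the post and the minimal parser only handles their statements."""
from ipaddress import ip_address, ip_network

# Lines of the PIX 501 config from the post that define the tunnel.
PIX_CONF = """\
ip address outside 192.168.20.219 255.255.255.0
access-list outside_cryptomap_20 permit ip host 10.1.1.5 192.168.20.0 255.255.255.0
static (inside,outside) 192.168.20.0 10.1.1.0 netmask 255.255.255.0 0 0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.20.1
crypto map outside_map 20 set transform-set ESP-DES-MD5
"""

# Lines of the 2600 config from the post that define the tunnel.
IOS_CONF = """\
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 192.168.20.219
set transform-set cm-transformset-1
match address 110
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit ip any any
"""

ANY = ip_network("0.0.0.0/0")

def _net(tokens, wildcard):
    """Consume one ACL address spec (any | host A | A MASK); return (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:  # IOS writes wildcard bits; invert them into a netmask
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(conf, name, wildcard):
    """Return [(proto, src_net, dst_net)] for 'access-list <name> permit ...'."""
    entries = []
    for t in map(str.split, conf.splitlines()):
        if len(t) < 6 or t[:3] != ["access-list", name, "permit"]:
            continue
        src, rest = _net(t[4:], wildcard)
        dst, _ = _net(rest, wildcard)
        entries.append((t[3], src, dst))
    return entries

def parse_transform_sets(conf):
    """Map transform-set name -> frozenset of its transforms."""
    return {t[3]: frozenset(t[4:]) for t in map(str.split, conf.splitlines())
            if t[:3] == ["crypto", "ipsec", "transform-set"]}

def has_common_transform_set(a, b):
    """Phase 2 can only succeed if both peers offer an identical transform set."""
    return bool(set(a.values()) & set(b.values()))

def acl_is_mirror(local, remote):
    """Every local (proto, src, dst) must appear on the peer as (proto, dst, src)."""
    flipped = {(p, d, s) for p, s, d in remote}
    return all(e in flipped for e in local)

def acl_matches_own_ike(acl, local_ip, peer_ip):
    """True if the crypto ACL also selects the device's own IKE (UDP/500) packets
    to the peer; Cisco advises against 'any' in crypto ACLs for this reason."""
    return any(p in ("ip", "udp") and local_ip in s and peer_ip in d
               for p, s, d in acl)

def static_overlaps_outside(conf):
    """PIX 'static (inside,outside) GLOBAL LOCAL netmask M': a GLOBAL range that
    overlaps the outside interface subnet makes the PIX answer ARP for addresses
    that belong to other hosts on that wire, the IKE peer included."""
    iface = stat = None
    for t in map(str.split, conf.splitlines()):
        if t[:3] == ["ip", "address", "outside"]:
            iface = ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:1] == ["static"]:
            stat = ip_network(f"{t[2]}/{t[5]}", strict=False)
    return iface is not None and stat is not None and stat.overlaps(iface)

def audit(pix_conf=PIX_CONF, ios_conf=IOS_CONF):
    """Run every check and return the list of findings (empty if consistent)."""
    pix_acl = parse_acl(pix_conf, "outside_cryptomap_20", wildcard=False)
    ios_acl = parse_acl(ios_conf, "110", wildcard=True)
    pix_ip, ios_ip = ip_address("192.168.20.219"), ip_address("192.168.20.1")
    findings = []
    if not has_common_transform_set(parse_transform_sets(pix_conf),
                                    parse_transform_sets(ios_conf)):
        findings.append("no identical transform-set on both peers")
    if not acl_is_mirror(pix_acl, ios_acl):
        findings.append("crypto ACLs are not mirror images of each other")
    if acl_matches_own_ike(ios_acl, ios_ip, pix_ip):
        findings.append("IOS crypto ACL also selects the router's own IKE traffic")
    if static_overlaps_outside(pix_conf):
        findings.append("PIX static global range overlaps the outside interface subnet")
    return findings
```

Running `audit()` against the posted excerpts yields four findings: the router's transform set carries `ah-md5-hmac` that the PIX set lacks, the router's crypto ACL 110 is `any any` instead of the mirror of the PIX's `host 10.1.1.5 -> 192.168.20.0/24`, that `any any` ACL also covers the router's own IKE packets to the PIX, and the PIX `static (inside,outside) 192.168.20.0 10.1.1.0` maps the inside subnet onto the very subnet the outside interface and the peer live on. The debug output in the post shows the router acting as responder and retransmitting MM_SA_SETUP for two SAs while the PIX retransmits phase 1 and deletes the SA without ever logging a received reply, so whether the router's replies reach the PIX outside interface is the first thing to verify, and the static overlap is the configured item most worth checking on that path.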