
Site to site VPN (Peer not found)

Status
Not open for further replies.

optize

IS-IT--Management
Jun 9, 2006
20
US
I'm having a hard time getting these two Cisco PIX 515e's to work correctly.

Here are the (VPN) configs. I've removed the real IPs and replaced them with:

PIX 1: 192.168.0.1
PIX 2: 192.168.0.2

Pix 1 Config:
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.168.0.2
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 192.168.0.2 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
sysopt connection permit-ipsec

Pix 2 Config:
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.168.0.1
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 192.168.0.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

This is what I have enabled on the core routers;

access-list 101 permit esp host 192.168.0.1 host 192.168.0.2
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 4500
access-list 101 permit udp any eq isakmp any
access-list 101 permit udp any eq 4500 any
access-list 101 permit udp any eq isakmp any
access-list 101 permit udp any any eq isakmp

I know for a fact that PIX 1 works. I can connect to other site-to-site VPNs on that PIX; however, PIX 2 is having issues.

Here is the output of debug cry isa

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 192.168.0.1, dst 192.168.0.2
ISADB: reaper checking SA 0x366aecc, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 192.168.0.2/500 not found - peers:0

# show cry isa sa
Total : 1
Embryonic : 1
dst src state pending created
192.168.0.2 192.168.0.1 MM_NO_STATE 0 0



Thanks.




 
Try adding this to PIX2:
isakmp identity address

PIX uses the IP address for the IKE identity in the IKE negotiations.

If that doesn't work, can you show debugs for each system when you try to bring up the tunnel?




Brent
Systems Engineer / Consultant
CCNP
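A quick way to compare two peer configs for the mismatches that leave Phase 1 stuck in MM_NO_STATE, as an added example that is not from this thread or from Cisco: it assumes the relevant config lines are fed in as text and that each device's outside address is known, and the sample input is a constructed excerpt of the two configs above.

```python
# Constructed excerpt of the PIX 1 config from the thread (sample input, no live device).
PIX1 = """access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 set peer 192.168.0.2
crypto map transam 1 set transform-set chevelle
isakmp key ******** address 192.168.0.2 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""
# PIX 2 is the mirror image: it points peer and pre-shared key at PIX 1.
PIX2 = PIX1.replace("192.168.0.2", "192.168.0.1")


def parse_vpn(config):
    # Collect only the settings both IKE peers have to agree on.
    out = {"peer": None, "key_peer": None, "transforms": {}, "policy": {}, "identity": False}
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["isakmp", "identity", "address"]:
            out["identity"] = True
        elif parts[:2] == ["isakmp", "key"]:
            out["key_peer"] = parts[parts.index("address") + 1]
        elif parts[:2] == ["isakmp", "policy"] and len(parts) >= 5:
            out["policy"][parts[3]] = " ".join(parts[4:])
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transforms"][parts[3]] = set(parts[4:])
        elif parts[:2] == ["crypto", "map"] and "peer" in parts:
            out["peer"] = parts[-1]
        elif parts[:2] == ["crypto", "map"] and "transform-set" in parts:
            out["tsname"] = parts[-1]
    return out


def check_pair(cfg_a, addr_a, cfg_b, addr_b):
    # Return the findings that would stop IKE Phase 1/2 between the two peers.
    a, b = parse_vpn(cfg_a), parse_vpn(cfg_b)
    findings = []
    for name, cfg, other in (("A", a, addr_b), ("B", b, addr_a)):
        if cfg["peer"] != other:
            findings.append(f"{name}: crypto map peer {cfg['peer']} != {other}")
        if cfg["key_peer"] != other:
            findings.append(f"{name}: isakmp key bound to {cfg['key_peer']}, not {other}")
        if not cfg["identity"]:
            findings.append(f"{name}: 'isakmp identity address' not set (thread suggests adding it)")
    if a["policy"] != b["policy"]:
        findings.append(f"isakmp policy mismatch: {a['policy']} vs {b['policy']}")
    if a["transforms"].get(a.get("tsname")) != b["transforms"].get(b.get("tsname")):
        findings.append("transform-set mismatch between the two peers")
    return findings
```

Run it on the two configs from the thread and the only findings are the missing `isakmp identity address` lines, which is the fix suggested above; swapping one ESP algorithm on either side is reported as a transform-set mismatch.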
 