
Trouble shooting site to site VPN issue


dfletch

Technical User
Oct 4, 2002
Hello board,

I have been fighting like heck to get this thing working and I have hit the wall! I'm not seeing any traffic negotiations on either end. I have tried to clear crypto sa and several other things to get the 2 boxes to try and connect. Could you folks please have a look at my VPN configs and point out what I'm doing wrong?

Thanks,

DF


***************SITE 1***************************************
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn3000_splitTunnelAcl permit ip 172.16.1.0 255.255.255.0 any
ip local pool remote 192.168.100.1-192.168.100.50
global (outside) 1 (CENSORED)
nat (inside) 0 access-list 101
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,outside) (CENSORED) Mail netmask 255.255.255.255 0 0
static (inside,outside) (CENSORED) DOM netmask 255.255.255.255 0 0
static (inside,outside) (CENSORED) VIDEO_SEVER netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 (CENSORED) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server local protocol tacacs+
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set MCDC-VPN esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-DES-MD5
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 110
crypto map vpnmap 10 set peer (CENSORED)
crypto map vpnmap 10 set transform-set MCDC-VPN
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address (CENSORED) netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool remote
vpngroup vpn3000 dns-server (CENSORED)
vpngroup vpn3000 wins-server (CENSORED)
vpngroup vpn3000 default-domain (CENSORED)
vpngroup vpn3000 split-tunnel vpn3000_splitTunnelAcl
vpngroup vpn3000 split-dns (CENSORED)
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 10
management-access outside
console timeout 0
terminal width 80
Cryptochecksum:8be375ecdc77b244bfdd2bd0f18c7cd7
: end
[OK]
*****************SITE 2*************************************
access-list inbound permit tcp any host (CENSORED) eq 6107
access-list inbound permit icmp any host (CENSORED) echo
access-list inside_outbound_nat0_acl permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
mtu outside 1500
mtu inside 1500
ip address outside (CENSORED) 255.255.255.240
ip address inside 172.16.2.1 255.255.255.0
arp timeout 14400
global (outside) 1 (CENSORED)
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.2.0 255.255.255.0 0 0
static (inside,outside) (CENSORED) Video_Server netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 (CENSORED) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server local protocol tacacs+
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set MCDC-VPN esp-des esp-md5-hmac
crypto map inside_map interface inside
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer (CENSORED)
crypto map outside_map 20 set transform-set MCDC-VPN
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address (CENSORED) netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ssh timeout 10
console timeout 0
terminal width 80
Cryptochecksum:6c2fe2e50a16b6b0a27324a2e7641c1b
: end
[OK]


 
First of all it is not a good idea to use the keyword any on the ACL: access-list vpn3000_splitTunnelAcl permit ip 172.16.1.0 255.255.255.0 any
Configure only the IP address of your internal LAN instead of any.

You have a typo on your crypto configuration: "crypto map vpnmap 10 match address 110"

Look at your ACLs:
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
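As an added check, not code from the thread, here is a small Python script that applies the two points above to both configs: it flags a "match address" that names an ACL the box does not have, crypto ACL entries that have no mirror entry on the peer, and ISAKMP policies that do not agree between peers. The config excerpts are constructed from the thread's two postings with the censored addresses left out.

```python
import re
from collections import defaultdict
# Constructed excerpts of the thread's two PIX configs; site 1 keeps the typo "match address 110".
SITE1 = """\
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map vpnmap 10 match address 110
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2"""
SITE2 = """\
access-list outside_cryptomap_20 permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2"""

def parse(cfg):
    """Collect ACL entries, crypto-map ACL references and ISAKMP policy attributes."""
    acls, refs, policies = defaultdict(list), [], defaultdict(dict)
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls[m[1]].append(m.groups()[1:])            # (src, smask, dst, dmask)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            refs.append(m[1])
        elif m := re.match(r"isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)$", line):
            policies[m[1]][m[2]] = m[3]
    return acls, refs, policies

def check_pair(local, remote):
    """Return the config problems that would stop these two PIXes negotiating a tunnel."""
    (la, lrefs, lpol), (ra, rrefs, rpol) = parse(local), parse(remote)
    problems = []
    # 1. Every 'match address' must name an ACL that exists (the thread's 110 vs 101 typo).
    for side, acls, refs in (("local", la, lrefs), ("remote", ra, rrefs)):
        problems += [f"{side}: crypto map references undefined ACL {r}" for r in refs if r not in acls]
    # 2. Crypto ACLs must mirror each other: (src,dst) here == (dst,src) there, or phase 2 proxy IDs disagree.
    lnets = {e for r in lrefs for e in la.get(r, [])}
    rnets = {e for r in rrefs for e in ra.get(r, [])}
    for side, mine, theirs in (("local", lnets, rnets), ("remote", rnets, lnets)):
        for src, sm, dst, dm in mine:
            if (dst, dm, src, sm) not in theirs:
                problems.append(f"{side} crypto ACL entry {src}->{dst} has no mirror on the other peer")
    # 3. At least one ISAKMP policy must agree on authentication, encryption, hash and DH group.
    if not any(p in rpol.values() for p in lpol.values()):
        problems.append("no ISAKMP policy matches between peers, so phase 1 cannot complete")
    return problems
```

Run check_pair(SITE1, SITE2) to see the dangling ACL 110 and the missing mirror entries; once 110 is corrected to 101 only the 192.168.100.0 pool entry in ACL 101 is left without a counterpart at site 2.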

 
themut,

Thank you for replying and pointing out the typo.
I fixed the crypto configuration and ran clear cry sa, and I still don't see any change in the negotiation counters.

interface: outside
Crypto map tag: vpnmap, local addr. (CENSORED)
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
current_peer: (CENSORED):0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: (CENSORED), remote crypto endpt.: (CENSORED)
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
 
Did you fix the ACL vpn3000_splitTunnelAcl? What is the output from the show crypto isakmp sa?
 
No, I didn't change the split-tunnel line yet. So what you are saying is that I should add access-list vpn3000_splitTunnelAcl permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0, which is the VPN remote pool? Or just to 172.16.1.0 255.255.255.0? And the show crypto isakmp sa output is:

Total : 0
Embryonic : 0
dst src state pending created
 
Yep... you're right. From show crypto isakmp sa... it looks like phase 1 is not even happening. I would advise you to enable debug crypto isakmp and debug crypto ipsec and try to determine the reason it is failing.
 
I know that it sounds like a dumb question, but did you copy the config to the PIX? I mean did you copy and paste it into the PIX? When you save it the isakmp key is hashed out, and if you were to load that saved file, that line would be hashed out instead of the key. The other passwords are encrypted, not hashed, in the config, so they work fine when you paste them. Just a thought.

Has this ever worked between these 2 PIX boxes? Or is this the first time you ran the VPN between them? If it is the first time, have you verified that they are online and visible to each other? If they can see each other you just need to do like themut said and turn on debug crypto isakmp and debug crypto ipsec to find out what is happening. Also, clear ipsec sa is how to clear the tunnel. It will not clear the settings, just the current tunnels. You will need to do that if you have some settings off after they negotiate isakmp.

Also try resetting the PIXes. Just a simple power cycle; it clears their heads, and sometimes is just what you needed to get a close one to work.

Just some thoughts. Good luck, it is not that far from working once you get this far.
 
Hi Eddie,

I didn't copy and paste the config to the firewalls. I'm running debugs and the only output I see is the client connection from remote users. No, these two boxes have never connected to each other or anything else; they are brand new. Does anyone know what this means: "ISADB: reaper checking SA 0xfffe24, conn_id = 0"? I see that during the debugging too.

Thanks,

DF
 
If these boxes are in the same city, collect them, bring them to your lab and strip from the configs all but the basics for a simple tunnel. Use the simple site-to-site PIX VPN setup found at Cisco.com. You can simulate a public WAN with a couple of routers configured back to back. Use host PCs on each end pinging each other to provide interesting traffic. Once the basics are working, build on it.


A sample script that works like a charm:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname WarehousePIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 172.18.128.0 255.255.255.224 172.18.0.0 255.255.192.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baseT
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.252
ip address inside 172.18.128.1 255.255.255.224
arp timeout 14400
nat 0 access-list 101
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.xxx
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp key xxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp keepalive 10 2
telnet timeout 5
terminal width 80

Good luck!
 