topic Re: VPN L2L in Network Security

VPN L2L

niro — Mon, 11 Mar 2019 10:11:18 GMT

I'm having trouble setting up a pix to pix vpn connection...I'm running a pix 515 v 7.0 on one end and a pix 515e 6.3 on the other end, here's the vpn configs (I starred out the public IPs) The tunnel I'm working on is the vpntunnel 21 and europe:

europe:

access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list 101 extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0

nat-control

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set RTS esp-3des esp-sha-hmac

crypto ipsec transform-set london esp-3des esp-md5-hmac

crypto map RTS 1 set peer *******

crypto map RTS 1 set transform-set RTS

crypto map vpntunnel 21 match address 101

crypto map vpntunnel 21 set peer ******

crypto map vpntunnel 21 set transform-set london

crypto map vpntunnel interface outside

isakmp identity address

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 10000

tunnel-group RTS type ipsec-l2l

tunnel-group ****** type ipsec-l2l

tunnel-group ****** ipsec-attributes

pre-shared-key *

tunnel-group ****** type ipsec-l2l

tunnel-group ****** ipsec-attributes

pre-shared-key *

London:

access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.55.0 255.255.255.0

access-list 101 permit ip 172.16.70.0 255.255.255.0 172.17.5.0 255.255.255.0

access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list 101 permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0

access-list hk permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list hk permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set ny esp-des esp-md5-hmac

crypto ipsec transform-set europe esp-3des esp-md5-hmac

crypto map vpntunnel 1 ipsec-isakmp

crypto map vpntunnel 1 match address 102

crypto map vpntunnel 1 set peer ******

crypto map vpntunnel 1 set transform-set ny

crypto map europe 5 ipsec-isakmp

crypto map europe 5 match address hk

crypto map europe 5 set peer ******

crypto map europe 5 set transform-set london

crypto map europe interface outside

isakmp enable outside

isakmp key ******** address ****** netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 10000

isakmp policy 6 authentication pre-share

isakmp policy 6 encryption 3des

isakmp policy 6 hash md5

isakmp policy 6 group 2

isakmp policy 6 lifetime 86400

The tunnel seems to come up normal when I initiate it from the london side, but not from the europe side. Also even though the tunnel is up, no traffic seems to be going through, I'm not able to connect to any devices on the other side:

Europe:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: *******

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

London:

Total : 1

Embryonic : 0

dst src state pending created

****** 172.16.70.100 QM_IDLE 0 1

any ideas what I'm doing wrong here??

Re: VPN L2L

acomiskey — Wed, 09 May 2007 12:42:20 GMT

I would start by getting rid of

access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

as it is not needed and the acl's should be mirrors of eachother on the two fw's.

Re: VPN L2L

niro — Wed, 09 May 2007 12:44:50 GMT

yea I did that, same problem. I only put it in there to test something and forgot to take it out. Still not working though. ;/

Re: VPN L2L

acomiskey — Wed, 09 May 2007 12:52:15 GMT

Try making 2 separate acl's for your europe fw, one for nat exemption and one for crypto, don't use 101 for both.

Re: VPN L2L

niro — Wed, 09 May 2007 12:57:22 GMT

Yup tried that also...only reason I tried the same one for both was because it wasn't working. Anyway I just switched it back to seperate ACls, still same problem:

access-list london-nat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list london-nat extended permit ip 10.24.1.0 255.255.255.0 192.168.70.0 255.255.255.0

nat (inside) 0 access-list london-nat

Re: VPN L2L

acomiskey — Wed, 09 May 2007 13:00:57 GMT

Do you mean 10.20.1.0?

Re: VPN L2L

niro — Wed, 09 May 2007 13:09:48 GMT

yea typo 🙂 Been working on this too many hours:) Fixed it but still same problem...I'm getting these messages in syslog when trying to connect though:

when initiated from europe:

10.20.1.254,May 08 2007 14:05:57: %PIX-6-609001: Built local-host inside:10.20.1.250

10.20.1.254,May 08 2007 14:05:57: %PIX-6-305011: Built dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381

10.20.1.254,May 08 2007 14:05:57: %PIX-6-302013: Built outbound TCP connection 591 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/50498 (172.16.71.100/1381)

when intiated from london:

192.168.70.100,%PIX-6-302013: Built outbound TCP connection 19183 for outside:10.20.1.250/23 (10.20.1.250/23) to inside:192.168.70.253/63170 (192.168.70.253/63170)

10.20.1.254,May 08 2007 14:06:27: %PIX-6-302014: Teardown TCP connection 591 for outside:192.168.70.253/23 to inside:10.20.1.250/50498 duration 0:00:30 bytes 0 SYN Timeout

10.20.1.254,May 08 2007 14:06:57: %PIX-6-305012: Teardown dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381 duration 0:01:00

10.20.1.254,May 08 2007 14:06:57: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:01:00

Doesn't look like the traffic is actually crossing the tunnel.

Re: VPN L2L

acomiskey — Wed, 09 May 2007 13:42:33 GMT

What is 172.16.71.100, pat address? It seems like nat exemption is not working at europe fw.

Re: VPN L2L

niro — Wed, 09 May 2007 13:49:30 GMT

that's the DMZ side of the FW in europe...I just tried from another host that definetly doesn't attempt any dmz connections to see if I see any translations created:

europeSW-01's IP is 192.168.71.200

europeSW-01#telnet 192.168.70.200

Trying 192.168.70.200 ...

% Connection timed out; remote host not responding

EUROPE-FW-01# sh log | i 70.200

May 08 2007 14:46:21: %PIX-6-609001: Built local-host outside:192.168.70.200

May 08 2007 14:46:21: %PIX-6-609002: Teardown local-host outside:192.168.70.200

duration 0:00:00

May 08 2007 14:46:25: %PIX-6-609001: Built local-host outside:192.168.70.200

May 08 2007 14:46:25: %PIX-6-609002: Teardown local-host outside:192.168.70.200

duration 0:00:00

EUROPE-FW-01# sh log | i 71.200

May 08 2007 14:46:33: %PIX-6-609001: Built local-host inside:192.168.71.200

May 08 2007 14:46:33: %PIX-6-609002: Teardown local-host inside:192.168.71.200 d

uration 0:00:00

EUROPE-FW-01# sh xlate | i 71.200

EUROPE-FW-01#

Re: VPN L2L

acomiskey — Wed, 09 May 2007 13:59:56 GMT

Doesn't this mean that 10.20.1.250 is being translated to 172.16.71.100?

Built dynamic TCP translation from inside:10.20.1.250/50498 to outside:172.16.71.100/1381

Re: VPN L2L

niro — Wed, 09 May 2007 14:12:05 GMT

Yea that was before I corrected the 10.24 acl...here's the new syslogs:

2007-05-09 11:10:36,Local4.Info,10.20.1.254,May 08 2007 15:10:57: %PIX-6-609001: Built local-host inside:10.20.1.250

2007-05-09 11:10:36,Local4.Info,10.20.1.254,May 08 2007 15:10:57: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:00

2007-05-09 11:10:38,Local4.Info,10.20.1.254,May 08 2007 15:10:59: %PIX-6-609001: Built local-host inside:10.20.1.250

2007-05-09 11:10:38,Local4.Info,10.20.1.254,May 08 2007 15:10:59: %PIX-6-302020: Built ICMP connection for faddr 192.168.70.253/0 gaddr 10.20.1.250/28 laddr 10.20.1.250/28

2007-05-09 11:10:46,Local4.Info,10.20.1.254,May 08 2007 15:11:07: %PIX-6-302021: Teardown ICMP connection for faddr 192.168.70.253/0 gaddr 10.20.1.250/28 laddr 10.20.1.250/28

2007-05-09 11:10:46,Local4.Info,10.20.1.254,May 08 2007 15:11:07: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:08

2007-05-09 11:10:52,Local4.Info,10.20.1.254,May 08 2007 15:11:12: %PIX-6-609001: Built local-host inside:10.20.1.250

2007-05-09 11:10:52,Local4.Info,10.20.1.254,May 08 2007 15:11:12: %PIX-6-302013: Built outbound TCP connection 1202 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/46402 (10.20.1.250/46402)

007-05-09 11:11:22,Local4.Info,10.20.1.254,May 08 2007 15:11:42: %PIX-6-302014: Teardown TCP connection 1202 for outside:192.168.70.253/23 to inside:10.20.1.250/46402 duration 0:00:30 bytes 0 SYN Timeout

2007-05-09 11:11:22,Local4.Info,10.20.1.254,May 08 2007 15:11:42: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:30

2007-05-09 11:12:28,Local4.Info,10.20.1.254,May 08 2007 15:12:49: %PIX-6-609001: Built local-host inside:10.20.1.250

2007-05-09 11:12:28,Local4.Info,10.20.1.254,May 08 2007 15:12:49: %PIX-6-302013: Built outbound TCP connection 1223 for outside:192.168.70.253/23 (192.168.70.253/23) to inside:10.20.1.250/28994 (10.20.1.250/28994)

2007-05-09 11:12:58,Local4.Info,10.20.1.254,May 08 2007 15:13:19: %PIX-6-302014: Teardown TCP connection 1223 for outside:192.168.70.253/23 to inside:10.20.1.250/28994 duration 0:00:30 bytes 0 SYN Timeout

2007-05-09 11:12:58,Local4.Info,10.20.1.254,May 08 2007 15:13:19: %PIX-6-609002: Teardown local-host inside:10.20.1.250 duration 0:00:30

Re: VPN L2L

niro — Wed, 09 May 2007 14:37:53 GMT

I'm starting to think the problem is on the dmz router...here's the setup:

londonfw-dmzrouter-internet-europterouter-eurotefw

I'm getting these messages on the london router (the source and dest addresses are correct):

ip nat inside source static tcp 172.16.70.100 500 ***** 500 extendable

.May 9 15:35:11.019: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet ha

s invalid spi for

destaddr=*****, prot=50, spi=0x35B97736(901347126), srcaddr=*****

Re: VPN L2L

niro — Wed, 09 May 2007 14:41:29 GMT

I just found this config left out by the previous engineer on the london router...I'm guessing this is conflicting. I'll try to remove the crypto map later on tonight and see if it works:

interface FastEthernet0

ip address ****** 255.255.255.248

ip access-group 130 in

ip nat outside

ip route-cache flow

speed auto

crypto map vpntunnel

Re: VPN L2L

niro — Wed, 09 May 2007 17:35:23 GMT

Yup that's what it was..gotta love old left over configs from ages ago that never get removed.

Re: VPN L2L

niro — Wed, 09 May 2007 22:28:33 GMT

Ok I got a new problem...now the tunnel gets created fine no matter where I initiate traffic from...however, if I initiate the traffic from london, after the tunnel gets created no traffic is able to pass through the tunnel. As soon as I send any kind of traffic out from europe everything works fine both ways. Any ideas why that would happen?

Re: VPN L2L

niro — Thu, 10 May 2007 16:37:57 GMT

Ok this is starting to drive me crazy I think. It looks like I have to initiate interesting traffic from both ends before the connection actually works. On the London router (not the FW) I'm getting these messages:

May 10 17:16:42.170: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has

invalid spi for

destaddr=*.*.*.*, prot=50, spi=0x354F6836(894396470), srcaddr=*.*.*.*

I'm using a static nat on that router for the fw (the public IP is the same as the outside interface):

ip nat inside source static tcp 172.16.70.100 500 217.196.246.234 500 extendable

Re: VPN L2L

hoogen_82 — Thu, 10 May 2007 17:10:28 GMT

OKay i will try to rebuild your configuration also for your case do try to clear crypto ipsec sa and clear crypto isakmp sa and try setting up the tunnel and see if traffic is flowing through.

hostname europe

enable password 2KFQnbNIdI.2KYOU encrypted

names

access-list 100 extended permit ip any any

access-list nonat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list nonat extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0

icmp permit any outside

icmp permit any inside

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface inside

route outside 0.0.0.0 0.0.0.0 xx.x.x.x 1(Make sure your routing is good)

crypto ipsec transform-set RTS esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec df-bit clear-df outside

crypto map forsberg 21 match address nonat

crypto map forsberg 21 set peer

crypto map forsberg 21 set transform-set RTS

crypto map forsberg interface outside

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

$$$$$$$$

hostname europe

enable password 2KFQnbNIdI.2KYOU encrypted

names

access-list 100 extended permit ip any any

access-list nonat extended permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list nonat extended permit 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0

icmp permit any outside

icmp permit any inside

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface inside

route outside 0.0.0.0 0.0.0.0 xx.x.x.x 1(Make sure your routing is good)

crypto ipsec transform-set RTS esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec df-bit clear-df outside

crypto map forsberg 21 match address nonat

crypto map forsberg 21 set peer

crypto map forsberg 21 set transform-set RTS

crypto map forsberg interface outside

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

###########################################

One thing to notice the extra intresting traffic from London to europe PIX, if you notice in Europe you dont have it marked as interesting.

HTH

Hoogen

Re: VPN L2L

hoogen_82 — Thu, 10 May 2007 17:13:42 GMT

Oops lots of changes before i could post mine. Well do you have a diagram and what are you trying to achieve..

-Hoogen

Re: VPN L2L

niro — Thu, 10 May 2007 18:02:31 GMT

Here's a diagram I just put together of the setup. All I want to do is have the London LAN communicate with the Europe LAN.

Re: VPN L2L

hoogen_82 — Thu, 10 May 2007 18:16:38 GMT

Okay this should be your config

hostname europe

enable password xxx

names

access-list 100 extended permit ip any any

access-list nonat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list nonat extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0

icmp permit any outside

icmp permit any inside

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface inside

route outside 0.0.0.0 0.0.0.0 xx.x.x.x 1(Make sure your routing is good)

crypto ipsec transform-set RTS esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec df-bit clear-df outside

crypto map forsberg 21 match address nonat

crypto map forsberg 21 set peer 172.16.70.100

crypto map forsberg 21 set transform-set RTS

crypto map forsberg interface outside

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

tunnel-group 172.16.70.100 type ipsec-l2l

tunnel-group 172.16.70.100 ipsec-attributes

pre-shared-key *

$$$$$$$$

hostname europe

enable password xxx

names

access-list 100 extended permit ip any any

access-list nonat extended permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0

access-list nonat extended permit 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0

icmp permit any outside

icmp permit any inside

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface inside

route outside 0.0.0.0 0.0.0.0 172.16.71.253

crypto ipsec transform-set RTS esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec df-bit clear-df outside

crypto map forsberg 21 match address nonat

crypto map forsberg 21 set peer 172.16.71.100

crypto map forsberg 21 set transform-set RTS

crypto map forsberg interface outside

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

tunnel-group 172.16.71.100 type ipsec-l2l

tunnel-group 172.16.71.100 ipsec-attributes

pre-shared-key *

###########################################

THe above config should work good. Just confused about the Ip'S on your routers though, let your routers only do routing, leave the firewall portforwarding tunnel stuff to the pix.

HTH

Hoogen