topic Re: PIX 515E in Network Security

PIX 515E

philipsyao — Mon, 11 Mar 2019 09:23:16 GMT

I configure a IPSec Tunnel to Nortel Contivity switch out of my network. The problem is: when I use "show crypto ipsec sa" and "show crypto isakmp sa" commands, the outfut is as following:

firewall# show crypto ipsec sa

interface: outside

Crypto map tag: outside_map, local addr. OutsideInterface

local ident (addr/mask/prot/port): (DMS100/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (198.206.164.1/255.255.255.255/0/0)

current_peer: 47.234.0.60

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: OutsideInterface, remote crypto endpt.: 47.234.0.60

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

firewall# show crypto isakmp sa

Total : 0

Embryonic : 0

dst src state pending created

It seems that the negotiation process is not initiated from my side. Is there any trigger I have to pull?

The configuration I had is this:

access-list inside_nat0_outbound permit ip host DMS100 host 198.206.164.1

access-list outside_cryptomap_20 permit ip host DMS100 host 198.206.164.1

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 47.234.0.60

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 47.234.0.60 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash md5

isakmp policy 30 group 1

isakmp policy 30 lifetime 86400

nat (inside) 0 access-list inside_nat0_outbound

BTW: As my understanding, the crpyto sequence number and isakmp priority number is NOT necessary to be the same at the both side, am I right?

Re: PIX 515E

sachinraja — Tue, 23 Jan 2007 00:10:38 GMT

Hello philips..

The IPSEC tunnel will not be initiated, unless you force an interesting traffic to flow on the PIX. Try to initiate a traffic from host DMS100 to host 198.206.164.1 & then see the show commands given above. You can also do some debugs... debug crypto isakmp sa, ipsec and see if there any errors.. sequence no need not match, but make sure you match the other things like encryption, authentication, pfs, lifetime, crypto ACL etc...

Hope this helps.. let us know the results ....

Raj

Re: PIX 515E

philipsyao — Tue, 23 Jan 2007 13:31:18 GMT

due to some reason, we cannot trigger a traffic on the DMS100, but it's able to recieve traffic. People on the 198.206.164.1 said they initiated traffic towards DMS100, but there is no response from our side. What could be the reason? They can ping my outside public IP address.

Re: PIX 515E

sachinraja — Wed, 24 Jan 2007 00:46:07 GMT

Hello philips,

Are you able to see any traffic hitting your PIX , when they initiate the traffic ?? run some debugs, given above and see what exactly is happening.. you can also ask the remote guys to run some debugs and see what happens... the configs on your end PIX, looks fine... make sure of the following from your end:

1) hope you are able to ping and reach 47.234.0.60

2) Be very sure of the parameters configured on the Nortel box . they should have configured DES encryption, md5 hash, group 1, lifetime 86400, the same ISAKMP key, transform sets etc.. even if one of these parameters dont match, it is going to be an issue...

3) default gateway on DMS100 will point to the local DMZ ip address of the PIX..

4) Just to be sure, make sure you see the NAT translation on the show xlate

Try these and give us more info on the issue..

Raj

Re: PIX 515E

philipsyao — Wed, 24 Jan 2007 14:16:06 GMT

The problem has been solved. I feel so embarrassed because it's a very silly mistake---They gave me the wrong key. Later when I use debug and show logging command, I saw the "CRYPTO-4-IKMP_BAD_MESSAGE", then I knew the point. Since I double-checked every parameter with them and they said yes, so I didn't pay much attention to it. Sorry for the silly mistake and thank you very much.