topic Re: Pix 515e VPN in Network Security

Pix 515e VPN

johnnymac — Mon, 11 Mar 2019 09:01:25 GMT

Hi,

We are in the process of migrating from 506e verion 6.3 to a 515e Version 7.0(5). We have everything up and running now except for one remote site which is on a 172.16.0.0 network and connects via ADSL to an ISP then to an IT company who say they running a site to site VPN to us. Convoluted I know (we inherrited it). Here is the old part of the VPN config.

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 1 set transform-set myset

crypto map dyn-map 20 ipsec-i

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 43200

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpngroup vpn3000 address-pool ippool

vpngroup vpn3000 dns-server x.x.x.x

vpngroup vpn3000 wins-server x.x.x.x

vpngroup vpn3000 default-domain xxxxxx.net

vpngroup vpn3000 split-tunnel nonat

vpngroup vpn3000 idle-time 7200

vpngroup vpn3000 password ********

And heres what I currently have on the new PIX for our client to site vpn which is working.

group-policy vpn3000 internal

group-policy vpn3000 attributes

wins-server value x.x.x.x x.x.x.x

dns-server value x.x.x.x x.x.x.x

split-tunnel-policy tunnelall

split-tunnel-network-list value vpn3000_splitTunnelAcl

default-domain value parkside.net

split-dns value parkside.net

username ********* password ************* encrypted privilege 15

http server enable

http x.x.x.x x.x.x.x inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

isakmp enable Outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group vpn3000 type ipsec-ra

tunnel-group vpn3000 general-attributes

address-pool ippool

authentication-server-group Radius_Auth

default-group-policy vpn3000

tunnel-group vpn3000 ipsec-attributes

pre-shared-key *

The Guy at the IT company says i need to use this line

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

and the policies, but i'm not sure which policies relate to what? This also feels far to simple for a site to site?

He also advised me i'd need to use this nonat access

access-list nonat permit ip host 1.x.x.x.16.0.0 255.255.0.0

nat (inside) 0 access-list nonat

Can anyone shed any light on this.

Many thanks

J Mack

Re: Pix 515e VPN

m.sir — Tue, 28 Nov 2006 13:05:01 GMT

ISAKMP policy is not related to specific VPN

Process of ISAKMP policy negotation is following

The initiator will offer the highest priority proposal (in ISAKMP policy highest priority means lowest number fe. isakmp policy 10 has higher priority than isakmp policy 20) and the responder will search its locally configured ISAKMP policies for a match. If there are none, the initiator will propose the next highest ISAKMP policy. This process will continue until the initiator has no proposals left to offer the responder.

So you can have as many policies you want but at least one policy must match

NAT issues

Yes you need remove IPSec traffic from NAT process (because IPSEC doesnt cooperate with NAT well)

hope that helps rate if it does

Re: Pix 515e VPN

johnnymac — Tue, 28 Nov 2006 13:39:32 GMT

Hi Thanks,

I still can't get this site to connect, i've put in this command.

isakmp key xxxxxxxx address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

this seems to be the errors i'm getting.

3|Nov 28 2006 14:55:48|713902: Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from peer table failed, no match!

3|Nov 28 2006 14:55:48|713127: Group = DefaultRAGroup, IP = x.x.x.x,, Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list

does the remote peer use

Group = DefaultRAGroup

As part of the authentication process? As the guy from the IT company says there are not using a group name only a pre shared key?

Thanks.

J mack

Re: Pix 515e VPN

a.kiprawih — Tue, 28 Nov 2006 15:45:53 GMT

The error tells you IKE Phase 1 failure - mismatched config in pr. Check with your partner to ensure both side has identical policies (isakmp policy 10)

HTH