04-04-2008 04:00 PM - edited 03-11-2019 05:27 AM
Hi,
I have a PIX with OS ver 7.2 and I am trying to set up RAVPN; however, it keeps failing, and I get the following error on the PIX when enabling the crypto debug commands:
Apr 05 01:47:15 [IKEv1]: Group = ccie, IP = 192.1.24.114, Error: Unable to remove PeerTblEntry
Apr 05 01:47:20 [IKEv1]: Group = ccie, IP = 192.1.24.114, Removing peer from peer table failed, no match!
And the following error is from my VPN client ver 4.8.01:
The remote peer is no longer responding
01:53:32.493 04/05/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
Here is my PIX VPN config:
crypto ipsec transform-set ccie esp-des esp-md5-hmac
crypto dynamic-map ccie 1 set transform-set ccie
crypto dynamic-map ccie 1 set reverse-route
crypto map cciemap 1 ipsec-isakmp dynamic ccie
crypto map cciemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group ccie type ipsec-ra
tunnel-group ccie general-attributes
address-pool ccie
tunnel-group ccie ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication (outside) none
Any idea why the VPN is failing?
R/ Haitham
04-04-2008 04:28 PM
Hi Haitham,
First of all, your VPN IP pool does not meet RFC 1918. Please create a new pool according to section "3. Private Address Space" in the following link:
http://www.faqs.org/rfcs/rfc1918.html
If you are too lazy to read it, just choose a pool in 192.168.x.x, not 192.x.x.x.
Second, and most probably the cause, check your exempt NAT statement for the VPN pool, or post the related config for me to check.
Also try restarting the PIX after your config is done.
Regards
04-04-2008 04:38 PM
Hi Husycisco, well, I understand your above answers, but is a NAT exemption rule required? As I understand it, can we use NAT/PAT to allow VPN network traffic for the Inside/DMZ zone, whatever you want to allow? Thanks
04-05-2008 12:40 AM
Hi Richard,
Exempt NAT is not a must, but it is the widely used NAT type for simple RA VPN. In scenarios where required, like a spoke-to-spoke topology, NAT/PAT can be implemented instead of exempt NAT.
Regards
04-05-2008 01:49 AM
Hi husycisco,
I agree on the private addressing and on the NAT points; however, would creating a non-private IP pool and not configuring NAT really prevent the RAVPN from coming up?
R/Haitham
04-05-2008 06:54 AM
Haitham,
Your IP addressing does not actually end up with the error you are encountering right now, but missing/wrong NAT statements may cause this. Please attach your sanitized config.
04-05-2008 02:20 PM
Husycisco,
I added the NAT config as you suggested and also changed the NAT as you advised, but this also didn't bring it into a working environment! Please note that this configuration is in the lab, so don't beat me up for using some public addresses :)
Attached please find the full PIX config file.
Appreciate your feedback on how to make the RAVPN work!
R/ Haitham
04-05-2008 02:58 PM
Haitham,
There are some simple configuration steps missing in your config.
First of all, you do not have a default route. x is your default gateway for the PIX:
route outside 0.0.0.0 0.0.0.0 192.1.24.x
Second, basic NAT and global statements. If you want to proceed without them, which is in fact not the best practice, you should disable nat-control. The following would be the best practice for NAT statements. Btw, there are two configs in the txt you attached; in one the VPN pool is 1.1.1.0 and in the other 192.168.1.0. I am assuming 1.1.1.0 is active in the following config suggestion. Also keep in mind that 192.168.1.0 is the default IP config of most off-the-shelf internet modems/routers, so that would make a conflict with the VPN user's local network. Stick with RFC 1918, but do not use widely used ranges like this.
no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
nat (inside) 0 inside_nat0_outbound
nat (inside) 1 0 0
global (outside) 1 interface
access-list inside_nat0_outbound permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.224
Third, for the sake of simplicity, apply the following:
no crypto dynamic-map ccie 1 set reverse-route
tunnel-group ccie ipsec-attributes
no isakmp ikev1-user-authentication (outside) none
And last, use the latest version of the Cisco VPN client, or at least version 5.x.
Regards
04-05-2008 04:31 PM
Hi Husycisco, may I know what the meaning of this command is: no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 in the above configuration?
04-06-2008 02:15 PM
04-06-2008 07:15 PM
Haitham,
I assumed you were using 1.1.1.0 as the VPN pool in my previous suggestion, but I see that you use 192.168.1.0. Then you should make the following modification:
no access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
04-06-2008 10:31 PM
husycisco,
I changed it, but it is still giving the same error!
I am not sure whether the NAT has anything to do with the tunnel failing to get established; it should have more to do with the communications after the establishment! Should we look somewhere else?
R/ Haitham
04-07-2008 09:47 AM
Haitham,
I have seen times when NAT statements cause that "no match" trouble. But after a deep look, it is about the mismatch between your transform-set hash and isakmp policy hash. Issue the following:
crypto isakmp policy 1
hash md5
Do not forget to apply your NAT statements. After the ACL change, the following is also missing:
nat (inside) 0 access-list inside_nat0_outbound
Please attach the latest config.
Regards
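One way to catch the three gaps this thread walked through (the Phase I / Phase II hash mismatch, the missing nat 0 statement and the missing default route) from a saved config instead of from crypto debugs, as an added Python example written for this page, not code from the thread or from Cisco. The config fragment and the 192.1.24.1 gateway in it are constructed from the posted snippets, and parse_config/lint are assumed helper names.

```python
import re

# Constructed sample modelled on the PIX 7.2 fragments posted in the thread (assumed, not the attached config).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ccie esp-des esp-md5-hmac
crypto dynamic-map ccie 1 set transform-set ccie
crypto map cciemap 1 ipsec-isakmp dynamic ccie
crypto isakmp policy 1
 hash sha
route outside 0.0.0.0 0.0.0.0 192.1.24.1
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

def parse_config(text):
    """Collect only the statements the thread's troubleshooting touched on."""
    cfg = {"policy_hash": {}, "ts_hash": {}, "nat0_acls": set(),
           "acls": set(), "default_route": False}
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m.group(1)  # the 'hash' line that follows belongs to this policy
        elif policy and (m := re.match(r"hash (md5|sha)$", line)):
            cfg["policy_hash"][policy] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) .*esp-(md5|sha)-hmac", line):
            cfg["ts_hash"][m.group(1)] = m.group(2)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nat0_acls"].add(m.group(1))
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].add(m.group(1))
        elif re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            cfg["default_route"] = True
    return cfg

def lint(text):
    """Return the gaps the thread walked through; an empty list means none were found."""
    cfg = parse_config(text)
    findings = []
    for ts, ts_hash in cfg["ts_hash"].items():
        for pol, pol_hash in cfg["policy_hash"].items():
            if pol_hash != ts_hash:  # the Phase I / Phase II mismatch the accepted answer found
                findings.append(f"hash mismatch: isakmp policy {pol} uses {pol_hash}, transform-set {ts} uses {ts_hash}")
    if not cfg["nat0_acls"]:
        findings.append("no 'nat (...) 0 access-list' line: NAT exemption ACL is not applied")
    for acl in cfg["nat0_acls"] - cfg["acls"]:
        findings.append(f"nat 0 references ACL {acl}, which has no entries")
    if not cfg["default_route"]:
        findings.append("no default route configured")
    return findings
```

Running lint() on the sample reports the hash mismatch and the missing nat 0 line; after changing the policy to hash md5 and adding nat (inside) 0 access-list inside_nat0_outbound it returns an empty list.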
04-07-2008 11:42 AM
Thanks husycisco, and now it finally worked!
So it was due to the hash mismatch between Phase I and Phase II!!
Thanks for your support and patience.
R/ Haitham
04-07-2008 11:53 AM
Haitham,
You are welcome. Nice to hear that the issue is resolved.
Regards