05-09-2007 05:31 AM - edited 03-11-2019 03:11 AM
I'm having trouble setting up a PIX-to-PIX VPN connection... I'm running a PIX 515 v7.0 on one end and a PIX 515E 6.3 on the other end. Here are the VPN configs (I starred out the public IPs). The tunnel I'm working on is vpntunnel 21 and europe:
europe:
access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0
nat-control
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set RTS esp-3des esp-sha-hmac
crypto ipsec transform-set london esp-3des esp-md5-hmac
crypto map RTS 1 set peer *******
crypto map RTS 1 set transform-set RTS
crypto map vpntunnel 21 match address 101
crypto map vpntunnel 21 set peer ******
crypto map vpntunnel 21 set transform-set london
crypto map vpntunnel interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 10000
tunnel-group RTS type ipsec-l2l
tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
pre-shared-key *
tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
pre-shared-key *
London:
access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list 101 permit ip 172.16.70.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list 101 permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list hk permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list hk permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ny esp-des esp-md5-hmac
crypto ipsec transform-set europe esp-3des esp-md5-hmac
crypto map vpntunnel 1 ipsec-isakmp
crypto map vpntunnel 1 match address 102
crypto map vpntunnel 1 set peer ******
crypto map vpntunnel 1 set transform-set ny
crypto map europe 5 ipsec-isakmp
crypto map europe 5 match address hk
crypto map europe 5 set peer ******
crypto map europe 5 set transform-set london
crypto map europe interface outside
isakmp enable outside
isakmp key ******** address ****** netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 10000
isakmp policy 6 authentication pre-share
isakmp policy 6 encryption 3des
isakmp policy 6 hash md5
isakmp policy 6 group 2
isakmp policy 6 lifetime 86400
The tunnel seems to come up normally when I initiate it from the London side, but not from the Europe side. Also, even though the tunnel is up, no traffic seems to be going through; I'm not able to connect to any devices on the other side:
Europe:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: *******
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
London:
Total : 1
Embryonic : 0
dst src state pending created
****** 172.16.70.100 QM_IDLE 0 1
Any ideas what I'm doing wrong here?
05-10-2007 09:37 AM
OK, this is starting to drive me crazy, I think. It looks like I have to initiate interesting traffic from both ends before the connection actually works. On the London router (not the FW) I'm getting these messages:
May 10 17:16:42.170: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=*.*.*.*, prot=50, spi=0x354F6836(894396470), srcaddr=*.*.*.*
I'm using a static NAT on that router for the FW (the public IP is the same as the outside interface):
ip nat inside source static tcp 172.16.70.100 500 217.196.246.234 500 extendable
05-10-2007 10:10 AM
Okay, I will try to rebuild your configuration. Also, for your case, do try to clear crypto ipsec sa and clear crypto isakmp sa, then try setting up the tunnel and see if traffic is flowing through.
!
hostname europe
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
access-list 100 extended permit ip any any
access-list nonat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list nonat extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0
icmp permit any outside
icmp permit any inside
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 xx.x.x.x 1
! Make sure your routing is good
!
crypto ipsec transform-set RTS esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address nonat
crypto map forsberg 21 set peer
crypto map forsberg 21 set transform-set RTS
crypto map forsberg interface outside
!
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
!
tunnel-group
tunnel-group
pre-shared-key *
!
$$$$$$$$
!
hostname europe
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
access-list 100 extended permit ip any any
access-list nonat extended permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list nonat extended permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0
icmp permit any outside
icmp permit any inside
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 xx.x.x.x 1
! Make sure your routing is good
!
crypto ipsec transform-set RTS esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address nonat
crypto map forsberg 21 set peer
crypto map forsberg 21 set transform-set RTS
crypto map forsberg interface outside
!
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
!
tunnel-group
tunnel-group
pre-shared-key *
!
###########################################
One thing to notice: the extra interesting traffic from London to the Europe PIX. If you look, in Europe you don't have it marked as interesting.
HTH
Hoogen
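As an added example (not from the thread, and not Cisco's code), a small Python mirror-check of the phase-2 pieces that the first post and the "interesting traffic" remark above turn on: each crypto map entry must name a transform set that exists, the two peers must share a proposal, and every crypto ACL line on one side needs its src/dst-swapped twin on the other. It parses only the command forms used in this thread; the sample snippets are constructed from the first post with one Europe ACL line dropped so the asymmetry shows.

```python
def parse(cfg):
    """Collect transform sets, crypto ACL entries and crypto map entries from a PIX snippet."""
    tsets, acls, maps = {}, {}, {}
    for w in (line.split() for line in cfg.splitlines()):
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = frozenset(w[4:])  # proposal, e.g. {esp-3des, esp-md5-hmac}
        elif w[:2] == ["crypto", "map"] and len(w) > 6 and w[3].isdigit():
            e = maps.setdefault(f"{w[2]} {w[3]}", {})  # keyed by "<map-name> <seq>"
            if w[4:6] == ["match", "address"]:
                e["acl"] = w[6]
            elif w[4:6] == ["set", "transform-set"]:
                e["tset"] = w[6]
        elif w[:1] == ["access-list"] and "permit" in w[2:4] and len(w) >= 8:
            proto, src, smask, dst, dmask = w[-5:]  # the "extended" keyword is optional
            acls.setdefault(w[1], set()).add((proto, f"{src}/{smask}", f"{dst}/{dmask}"))
    return tsets, acls, maps

def check(a, b):
    """Phase-2 findings that leave a tunnel 'up' (phase 1 done) but passing no traffic."""
    out, sides = [], []
    for side, (tsets, acls, maps) in (("A", parse(a)), ("B", parse(b))):
        props, sels = set(), set()
        for entry, e in maps.items():
            if e.get("tset") in tsets:
                props.add(tsets[e["tset"]])
            else:
                out.append(f"{side}: crypto map {entry} uses undefined transform-set {e.get('tset')}")
            sels |= acls.get(e.get("acl"), set())  # selectors this map entry protects
        sides.append((props, sels))
    (pa, sa), (pb, sb) = sides
    if not pa & pb:
        out.append("phase2: no transform-set proposal in common")
    mirrored = {(proto, d, s) for proto, s, d in sa}  # A's selectors as B must state them
    out += [f"B: {p} {s} -> {d} has no mirror entry on A" for p, s, d in sorted(sb - mirrored)]
    out += [f"A: {p} {d} -> {s} has no mirror entry on B" for p, s, d in sorted(mirrored - sb)]
    return out
# Constructed samples adapted from the first post (public IPs and ISAKMP lines omitted).
EUROPE = """\
access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
crypto ipsec transform-set london esp-3des esp-md5-hmac
crypto map vpntunnel 21 match address 101
crypto map vpntunnel 21 set transform-set london
"""
LONDON = """\
access-list hk permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list hk permit icmp 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list hk permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0
crypto ipsec transform-set europe esp-3des esp-md5-hmac
crypto map europe 5 match address hk
crypto map europe 5 set transform-set london
"""
```

Running check(EUROPE, LONDON) reports the London map naming a transform set that snippet never defines, the resulting lack of a shared proposal, and the two London ACL lines with no Europe twin.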
05-10-2007 10:13 AM
Oops, lots of changes before I could post mine. Well, do you have a diagram, and what are you trying to achieve?
-Hoogen
05-10-2007 11:02 AM
05-10-2007 11:16 AM
Okay this should be your config
!
hostname europe
enable password xxx
names
!
access-list 100 extended permit ip any any
access-list nonat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list nonat extended permit ip 10.20.1.0 255.255.255.0 192.168.70.0 255.255.255.0
icmp permit any outside
icmp permit any inside
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 xx.x.x.x 1
! Make sure your routing is good
!
crypto ipsec transform-set RTS esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address nonat
crypto map forsberg 21 set peer 172.16.70.100
crypto map forsberg 21 set transform-set RTS
crypto map forsberg interface outside
!
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
!
tunnel-group 172.16.70.100 type ipsec-l2l
tunnel-group 172.16.70.100 ipsec-attributes
pre-shared-key *
!
$$$$$$$$
!
hostname europe
enable password xxx
names
!
access-list 100 extended permit ip any any
access-list nonat extended permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list nonat extended permit ip 192.168.70.0 255.255.255.0 10.20.1.0 255.255.255.0
icmp permit any outside
icmp permit any inside
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.71.253
!
crypto ipsec transform-set RTS esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address nonat
crypto map forsberg 21 set peer 172.16.71.100
crypto map forsberg 21 set transform-set RTS
crypto map forsberg interface outside
!
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
!
tunnel-group 172.16.71.100 type ipsec-l2l
tunnel-group 172.16.71.100 ipsec-attributes
pre-shared-key *
!
###########################################
The above config should work fine. Just confused about the IPs on your routers, though; let your routers only do routing, and leave the firewall port-forwarding tunnel stuff to the PIX.
HTH
Hoogen
05-10-2007 11:38 AM
Yeah, the tunnel is created on the PIX... the only relevant lines in the routers are:
London:
ip nat inside source static tcp 172.16.70.100 500 *.*.*.* 500 extendable
Europe:
ip nat inside source static udp 172.16.71.100 500 *.*.*.* 500 extendable
Because the target public IP for the tunnel is the same as the public IP of the outside (which it's overloading).
I'll compare my configs with yours and see what's missing.
05-10-2007 12:16 PM
Nope, I still have the same issue... here are my configs:
Europe:
nat (inside) 0 access-list london-nat
access-list london-nat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
crypto ipsec transform-set RTS esp-3des esp-sha-hmac
crypto ipsec transform-set london esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map RTS 1 set peer ******
crypto map RTS 1 set transform-set RTS
crypto map RTS 1 set security-association lifetime seconds 28800
crypto map vpntunnel 21 match address 101
crypto map vpntunnel 21 set peer ***public ip of london router****
crypto map vpntunnel 21 set transform-set london
crypto map vpntunnel 21 set security-association lifetime seconds 28800
crypto map vpntunnel interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
tunnel-group RTS type ipsec-l2l
tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
pre-shared-key *
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
London:
nat (inside) 0 access-list 101
access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list london permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set london esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map hongkongvpn 5 ipsec-isakmp
crypto map hongkongvpn 5 match address hk
crypto map hongkongvpn 5 set peer ***public ip of europe router***
crypto map hongkongvpn 5 set transform-set london
crypto map hongkongvpn 5 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map hongkongvpn interface outside
isakmp enable outside
isakmp key ******** address ***** netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
When I initiate from Europe... I get this on the Europe FW:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: ******
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
but nothing on the London FW, and vice versa. I need to initiate both connections before the tunnel times out to get any connectivity going.
05-10-2007 12:50 PM