Multiple VPN issue, can't get second VPN up.

dsingleterry
Level 1

I have 3 firewalls in 3 locations. The 515e is the main one that all the other locations need to connect to via VPN. I have one VPN working between a 501 and the 515e, and need to get the next one running as well.

So here's my current VPN config; the complication is that this is my first multiple VPN setup.

515e:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
names
name x.x.71.8 ConstOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
icmp permit any outside
icmp permit any inside
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer x.x.81.11
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet x.x.81.11 255.255.255.255 outside
telnet 192.168.50.201 255.255.255.255 inside
telnet 192.168.50.202 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80

501e:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any
access-list acl_inbound permit ip host x.x.71.7 any
interface ethernet0 10baset
interface ethernet1 10full
ip address outside x.x.81.11 255.0.0.0
ip address inside 192.168.52.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.52.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 9 ipsec-isakmp
crypto map vpn1 9 match address inside_nat0_outbound
crypto map vpn1 9 set pfs group2
crypto map vpn1 9 set peer x.x.71.7
crypto map vpn1 9 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.50.0 255.255.255.0 outside
telnet x.x.71.7 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f4e78a76793783478f6e56f567e1f9cd
: end

So I must be missing something to get multiple VPNs up.

My debug info from the 515 is as follows:

ISAKMP (0): beginning Quick Mode exchange, M-ID of 299217336:11d5b1b8
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 299217336
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
ISAKMP (0): processing DELETE payload. message ID = 2059037963
ISAKMP (0): deleting SA: src x.x.71.7, dst x.x.81.11
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x813d3688, conn_id = 0
ISADB: reaper checking SA 0x813d65c8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.81.11 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:x.x.81.11 Total VPN peers:1
ISADB: reaper checking SA 0x813d3688, conn_id = 0

Thx,

Dave
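Added example, not from the thread or from Cisco: a small Python check that replays the crypto map lookup the 515e does when the 501's Quick Mode proposal arrives, using a constructed excerpt of the 515e config above with 10.0.71.8 (ConstOffice) and 10.0.81.11 standing in for the masked peers. It assumes PIX searches crypto map entries in sequence order and uses the first entry whose crypto ACL permits the proposed proxy identities, which is why a crypto ACL shared with another peer's entry (here the whole inside_nat0_outbound list on entry 10) shadows the dedicated entry 20.

```python
import ipaddress
from collections import defaultdict
# Constructed excerpt of the 515e config posted above. 10.0.71.8 (ConstOffice)
# and 10.0.81.11 are placeholders for the masked x.x.71.8 / x.x.81.11 peers.
PIX_515E = """
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 10.0.71.8
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set peer 10.0.71.8
crypto map vpn1 20 match address 101
crypto map vpn1 20 set peer 10.0.81.11
"""

def _net(tok):
    """Parse 'host A' or 'A MASK' -> (network, number of tokens consumed)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), 2
    return ipaddress.ip_network((tok[0], tok[1])), 2

def parse(cfg):
    """Collect permit lines per ACL and the match/peer of each crypto map entry."""
    acls, maps = defaultdict(list), defaultdict(dict)
    for line in cfg.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, n = _net(t[4:])
            acls[t[1]].append((src, _net(t[4 + n:])[0]))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = maps[(t[2], int(t[3]))]
            if t[4] == "match":
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    return acls, maps

def select_entry(cfg, local, remote, peer):
    """Responder-side lookup for a Quick Mode proposal (assumption: entries are
    searched by sequence and the first ACL hit wins). Returns (seq, peer_ok);
    peer_ok == False is the 'IPSec policy invalidated proposal' case."""
    acls, maps = parse(cfg)
    lnet, rnet = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    for (_, seq), entry in sorted(maps.items()):
        if any(lnet.subnet_of(s) and rnet.subnet_of(d) for s, d in acls[entry.get("acl")]):
            return seq, entry.get("peer") == peer
    return None, False

# The 501's proposal as the 515e sees it; entry 10 hits first, but its peer is ConstOffice.
print(select_entry(PIX_515E, "192.168.50.0/24", "192.168.52.0/24", "10.0.81.11"))
```

If entry 10 is pointed at a dedicated ACL that lists only the ConstOffice networks, the same proposal falls through to entry 20 and peer_ok becomes True.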


Ok, well if someone put it that way and I didn't interpret it properly, I apologize. I'm used to switches and some routing, this is my first set of PIXes, again, I greatly appreciate all of your help guys.

Dave

At any rate...CONGRATS and I am glad it is over for you!!!

Until next time...