09-30-2007 10:42 PM
Hi,
I have a PIX firewall with VPN configured recently. As the tunnel is not up, I have enabled debug crypto isakmp and am able to see the attached messages.
I have confirmed the pre-shared keys on both ends and found them the same.
Please advise on where the problem could be. The other end firewall is not a PIX, but it is configured with similar parameters.
Please help on this...
PIX Version 6.3(4)
Pix-506
regards
Rajesh
10-04-2007 03:03 AM
Hi Graham
Basically the part about proxy identities ie.
=============================================
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= remote_ip, src= this_ip,
dest_proxy= remote_local_subnet/255.255.255.0/0/0 (type=4),
src_proxy= user_local_subnet/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
=============================================
For Phase 2 to complete both ends must agree on the local and remote networks they are encrypting traffic for.
Jon
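One way to check what Jon describes, comparing the proxy identities in the debug against the local crypto ACL, as an added example that is not from the thread or from Cisco; the debug text and ACL line are constructed, and the regexes assume the PIX 6.3 debug format and the access-list syntax quoted in this thread:

```python
import ipaddress
import re

# Constructed sample of a PIX "debug crypto ipsec" proposal block, in the same
# shape as the one quoted in the thread (addresses are made up, not the poster's).
DEBUG_SAMPLE = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 198.51.100.1, src= 203.0.113.1,
    dest_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
"""

# Constructed local crypto ACL (PIX/ASA syntax); the peer must hold its mirror image.
LOCAL_CRYPTO_ACL = [
    "access-list Outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
]

PROXY_RE = re.compile(r"(src|dest)_proxy= (\S+?)/(\S+?)/\d+/\d+")
ACL_RE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    r"(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)")

def parse_proxies(debug_text):
    """Return (src_proxy, dest_proxy) from the debug, in this box's view:
    src_proxy is the local network, dest_proxy the remote one."""
    found = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
             for m in PROXY_RE.finditer(debug_text)}
    return found["src"], found["dest"]

def _to_net(token):
    """Turn 'host A.B.C.D' or 'A.B.C.D MASK' into an ip_network."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}")

def parse_acl_entry(line):
    """Return (acl_name, src_net, dst_net) for a permit-ip crypto ACL line, else None."""
    m = ACL_RE.match(line.strip())
    return (m.group(1), _to_net(m.group(2)), _to_net(m.group(3))) if m else None

def matching_acl(debug_text, acl_lines):
    """Name of the local crypto ACL whose src/dst exactly equal the proposed proxy
    pair, or None (the 'proxy identities not supported' condition from the thread)."""
    src, dst = parse_proxies(debug_text)
    for line in acl_lines:
        entry = parse_acl_entry(line)
        if entry and entry[1] == src and entry[2] == dst:
            return entry[0]
    return None

if __name__ == "__main__":
    print(matching_acl(DEBUG_SAMPLE, LOCAL_CRYPTO_ACL))  # Outside_1_cryptomap
```

A None result means the peer's crypto ACL is not the exact mirror of ours (swapped, wider or narrower networks), which is what produces the proxy-identity error in Phase 2.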
10-04-2007 04:46 AM
Nice one Jon
5 points to you!
10-05-2007 04:05 AM
Hi All,
So, basically it's a crypto ACL issue, I hope... isn't it?
regards
Rajesh P
10-05-2007 05:39 AM
Hi Rajesh
It does look like it from the debugs you provided.
Jon
10-08-2007 12:21 AM
Hi all,
Can someone help me please
An inside server (192.168.92.6) needs to access a remote network, 192.168.31.0.
A site-to-site VPN is established between the PIX outside (192.168.111.6) and a Multitech firewall (192.168.111.200).
Now my inside server should connect to the remote network with this IP, 172.20.20.6. So I have to NAT my inside server IP (192.168.92.6) to 172.20.20.6.
The remote network should connect to the inside network via 172.20.20.6.
My problem is I can establish a connection to my inside network from the remote network, but I cannot establish a connection (TCP) from my inside network to the remote network.
The weird thing is I can ping from both networks to each other.
This is my config below
access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0
static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 192.168.111.200
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
service-policy global_policy global
tunnel-group 192.168.111.200 type ipsec-l2l
tunnel-group 192.168.111.200 ipsec-attributes
 pre-shared-key *
Thanks for answers
10-08-2007 10:28 PM
Hi All,
The VPN problem has been resolved. It's an ACL issue (crypto).
Thanks for the support.
regards
Rajesh P
10-08-2007 10:31 PM
Hi Rajesh
Glad to hear you got it working and thanks for letting us know the outcome.
Jon