Pix-vpn site-to-site

secureIT
Level 4

Hi,

I have a PIX firewall with a VPN configured recently. As the tunnel is not up, I have enabled debug crypto isakmp and am able to see the attached messages.

I have confirmed the pre-shared keys on both ends and found them the same.

Please advise on where the problem could be. The firewall at the other end is not a PIX, but it is configured with the same parameters.

Please help on this...

PIX Version 6.3(4)

Pix-506

regards

Rajesh


Hi Graham

Basically the part about proxy identities ie.

=============================================
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= remote_ip, src= this_ip,
dest_proxy= remote_local_subnet/255.255.255.0/0/0 (type=4),
src_proxy= user_local_subnet/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
=============================================

For Phase 2 to complete, both ends must agree on the local and remote networks they are encrypting traffic for.

Jon
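As an added example (not code from the thread), here is the check Jon describes done programmatically: parse the proxy identities out of a debug in the format posted above and compare them with the local crypto ACL. It assumes the PIX prints src_proxy as the local network and dest_proxy as the remote one, as the labels in the debug suggest, and that the crypto ACL uses "permit ip" with netmasks; the sample debug and ACL lines are constructed.

```python
"""Compare the proxy identities in a PIX 'debug crypto ipsec' proposal request
with the local crypto ACL, to locate the Phase 2 mismatch behind
'IPSEC(validate_transform_proposal): proxy identities not supported'."""
import ipaddress
import re

# Matches e.g. "dest_proxy= 192.168.31.0/255.255.255.0/0/0 (type=4),"
PROXY_RE = re.compile(r"(src|dest)_proxy=\s*([\d.]+)/([\d.]+)/\d+/\d+")
# One address term of a PIX ACL: "host A", "A MASK" or "any"
ADDR = r"(host [\d.]+|[\d.]+ [\d.]+|any)"
ACL_RE = re.compile(rf"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+{ADDR}\s+{ADDR}")

def _to_network(term):
    """Turn an ACL address term into an ip_network (PIX uses netmasks, not wildcards)."""
    if term == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if term.startswith("host "):
        return ipaddress.ip_network(term.split()[1] + "/32")
    addr, mask = term.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_proposal(debug_text):
    """Return {'src': local network, 'dest': remote network} found in the debug."""
    return {kind: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for kind, addr, mask in PROXY_RE.findall(debug_text)}

def parse_crypto_acl(config_text):
    """Return (src, dst) network pairs from the 'permit ip' lines of a crypto ACL."""
    return [(_to_network(s), _to_network(d)) for s, d in ACL_RE.findall(config_text)]

def check_proxies(proposal, acl_entries):
    """'match' if an ACE equals the proposal, 'reversed' if only its mirror image
    does (ACL written from the wrong side), otherwise 'none'."""
    if (proposal["src"], proposal["dest"]) in acl_entries:
        return "match"
    if (proposal["dest"], proposal["src"]) in acl_entries:
        return "reversed"
    return "none"

# Constructed sample: the peer proposes 10.1.0.0/24 <-> 10.2.0.0/24, but the local
# crypto ACL was written with a /25 for the remote side, so Phase 2 fails.
SAMPLE_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 203.0.113.2, src= 203.0.113.1,
dest_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
"""
SAMPLE_ACL = "access-list vpn permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.128\n"
FIXED_ACL = "access-list vpn permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0\n"

if __name__ == "__main__":
    prop = parse_proposal(SAMPLE_DEBUG)
    print("as configured:", check_proxies(prop, parse_crypto_acl(SAMPLE_ACL)))  # none
    print("after fix:", check_proxies(prop, parse_crypto_acl(FIXED_ACL)))  # match
```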

Nice one Jon

5 points to you!

Hi All,

So, basically it's a crypto ACL issue, I hope. Isn't it?

regards

Rajesh P

Hi Rajesh

It does look like it from the debugs you provided.

Jon

Hi all,

Can someone help me please?

An inside server (192.168.92.6) needs to access a remote network, 192.168.31.0.

A site-to-site VPN is established between the PIX outside interface (192.168.111.6) and a Multitech firewall (192.168.111.200).

Now my inside server should connect to the remote network with the IP 172.20.20.6. So I have to NAT my inside server IP (192.168.92.6) to 172.20.20.6.

The remote network should connect to the inside network via 172.20.20.6.

My problem is that I can establish a connection to my inside network from the remote network, but I cannot establish a connection (TCP) from my inside network to the remote network.

The weird thing is that I can ping each network from the other.

This is my config below:

access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0
static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 192.168.111.200
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
service-policy global_policy global
tunnel-group 192.168.111.200 type ipsec-l2l
tunnel-group 192.168.111.200 ipsec-attributes
 pre-shared-key *

Thanks for your answers.

Hi All,

The VPN problem has been resolved. It was an ACL issue (crypto).

Thanks for the support.

regards

Rajesh P

Hi Rajesh

Glad to hear you got it working and thanks for letting us know the outcome.

Jon