Re: Add VPN client configuration to site-to-site config.

jzsides · ‎04-10-2003

I have a PIX515E v6.22 that is configured for two site to site VPNs(Crypto map 10 and 20 and Isakmp policy 10). I'm trying to add a configuration for a VPN client connection. With the following configuration, the VPN client 3.6 will establish the connection, but I can't ping the outside interface or anything in the 10.0.0.0 subnet or the 192.168.254.0 subnet. The pix adds the access lists when a connection is made, but they do not show any hits when I attempt to make connections to internal addresses. The internal hosts do have a route back to the PIX. Does anyone see what I'm doing wrong?

Debuging output is listed below

Thanks

Josh

Building configuration...

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password lui78Uo/LBYLTriJ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname sepix

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 100 permit ip 10.0.0.0 255.255.255.0 k.l.m.0 255.255.255.0

access-list 100 permit ip 10.0.0.0 255.255.255.0 host n.o.p.129

access-list 100 permit ip 10.0.0.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list 100 permit ip 192.168.254.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list 101 permit ip 10.0.0.0 255.255.255.0 k.l.m.0 255.255.255.0

access-list 102 permit ip 10.0.0.0 255.255.255.0 host n.o.p.129

pager lines 24

logging console debugging

logging monitor debugging

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside h.i.j.5 255.255.255.0

ip address inside 192.168.254.198 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool bigpool 192.168.200.1-192.168.200.254

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 100

route outside 0.0.0.0 0.0.0.0 h.i.j.1 1

route inside 10.0.0.0 255.255.255.0 192.168.254.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set noAH esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set noAH

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address 101

crypto map newmap 10 set peer a.b.c.133

crypto map newmap 10 set transform-set noAH

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address 102

crypto map newmap 20 set peer d.e.f.140

crypto map newmap 20 set transform-set noAH

crypto map newmap 30 ipsec-isakmp dynamic dynmap

crypto map newmap interface outside

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

isakmp enable outside

isakmp key ******** address a.b.c.133 netmask 255.255.255.255

isakmp key ******** address d.e.f.140 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup sevpn address-pool bigpool

vpngroup sevpn dns-server 10.0.0.253 10.0.0.252

vpngroup sevpn default-domain stoneeagle.net

vpngroup sevpn idle-time 1800

vpngroup sevpn password ********

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:b628547b3ef71a02b5b7b6f12f44aca6

: end

[OK]

Here is the output for Debug crypto isakmp. It looks like it never gets to my priority 20 policy. Anybody know what I'm doing wrong?

crypto_isakmp_process_block: src h.i.j.50, dest h.i.j.5

VPN Peer: ISAKMP: Added new peer: ip:h.i.j.50 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:h.i.j.50 Ref cnt incremented to:1 Total VPN Peers:

2

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

crypto_isakmp_process_block: src h.i.j.50, dest h.i.j.5

OAK_QM exchange

gfullage · ‎04-10-2003

Already answered on VPN - General forum.