02-01-2007 12:51 PM - edited 02-21-2020 02:50 PM
I have a site to site tunnel but can't get it to the QM_idle status. Keeps erroring with OAK_ADDR. What does this mean? I think I am not negotiating the ipsec correctly?
02-04-2007 02:49 AM
Hi, something is not configured properly.
Can you post your config?
Regards,
Daniel
02-05-2007 10:15 AM
Can I start with my edit statements? Not too comfortable with submitting whole config.
access-list XXXX permit ip 172.17.40.112 255.255.255.240 172.17.1.0 255.255.255.0
static (inside,outside) 172.17.40.114 172.20.80.230
static (inside,outside) 172.17.40.115 172.20.80.232
static (inside,outside) 172.17.40.116 172.20.80.234
crypto ipsec transform-set transset esp-3des esp-sha-hmac
crypto map vpnpacs 17 ipsec-isakmp
crypto map vpnpacs 17 match address XXXX
crypto map vpnpacs 17 set peer 69.238.9.XX
crypto map vpnpacs 17 set transform-set transset
isakmp key ********** address 69.238.9.XX
isakmp identity address
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
02-05-2007 01:06 PM
Configuration seems to be OK, except I do not see the crypto map applied to any interface, unless you forgot to paste it.
deb cry isa
deb cry ipsec
Can you run those two debugs and put them in the forum?
Thanks
Gilbert
02-06-2007 06:08 AM
I have this statement that I did not paste; is this what you are looking for?
crypto map vpnpacs interface outside
Will run the debugs as well...
02-06-2007 07:26 AM
Thanks -
Let me know about the debugs.
Gilbert
02-06-2007 08:43 AM
Here is the output from the debugs; I need to send them separately.
deb cry isa:
VPN Peer: ISAKMP: Added new peer: ip:69.238.9.15/500 Total VPN Peers:8
VPN Peer: ISAKMP: Peer ip:69.238.9.15/500 Ref cnt incremented to:1 Total VPN Peers:8
crypto_isakmp_process_block:src:69.238.9.15, dest:outside_int spt:500 dpt:500
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to 69.238.9.15. ID = 1630960744 (0x61367c68)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:69.238.9.15, dest:outside_int spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
crypto_isakmp_process_block:src:69.238.9.15, dest:outside_int spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): deleting SA: src 69.238.9.15, dst outside_int
ISADB: reaper checking SA 0x35955fc, conn_id = 0
ISADB: reaper checking SA 0x2eccb6c, conn_id = 0
ISADB: reaper checking SA 0x3584834, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:69.238.9.15/500 Ref cnt decremented to:0 Total VPN Peers:8
VPN Peer: ISAKMP: Deleted peer: ip:69.238.9.15/500 Total VPN peers:7
ISADB: reaper checking SA 0x35955fc, conn_id = 0
ISADB: reaper checking SA 0x2eccb6c, conn_id = 0
ISADB: reaper checking SA 0x3593ac4, conn_id = 0
ISADB: reaper checking SA 0x364175c, conn_id = 0
ISADB: reaper checking SA 0x3595d84, conn_id = 0
ISADB: reaper checking SA 0x358f574, conn_id = 0
ISADB: reaper checking SA 0x3571d5c, conn_id = 0
ISADB: reaper checking SA 0x35724e4, conn_id = 0
crypto_isakmp_process_block:src:69.238.9.15, dest:outside_int spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 7200
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:69.238.9.15, dest:outside_int spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:69.238.9.15, dest:outside_int spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
02-06-2007 08:45 AM
Here is the deb cry ipsec:
deb cry ipsec:
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 69.238.9.15
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 69.238.9.15
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 208.51.30.231, src= outside_int,
dest_proxy= 172.20.80.154/255.255.255.255/0/0 (type=1),
src_proxy= 150.2.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x780d8cac(2014153900) for SA
from 208.51.30.231 to outside_int for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= outside_int, src= 208.51.30.231,
dest_proxy= 172.20.80.154/0.0.0.0/0/0 (type=1),
src_proxy= 150.2.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x780d8cac(2014153900), conn_id= 19, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= outside_int, dest= 208.51.30.231,
src_proxy= 172.20.80.154/0.0.0.0/0/0 (type=1),
dest_proxy= 150.2.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x3fbb025b(1069220443), conn_id= 20, keysize= 0, flags= 0x4
IPSEC(add_sa): peer asks for new SAs -- expire current in 30 sec.,
(sa) sa_dest= outside_int, sa_prot= 50,
sa_spi= 0x469d655(74045013),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4,
(identity) local= outside_int, remote= 208.51.30.231,
local_proxy= 172.20.80.154/255.255.255.255/0/0 (type=1),
remote_proxy= 150.2.0.0/255.255.0.0/0/0 (type=4)
IPSEC(add_sa): peer asks for new SAs -- expire current in 30 sec.,
(sa) sa_dest= 208.51.30.231, sa_prot= 50,
sa_spi= 0xd6062d29(3590729001),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3,
(identity) local= outside_int, remote= 208.51.30.231,
local_proxy= 172.20.80.154/255.255.255.255/0/0 (type=1),
remote_proxy= 150.2.0.0/255.255.0.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 69.238.9.15
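A small triage script for the two debugs posted above, added here as an example and not part of the thread or of Cisco's tooling: it parses the crypto ACL that selects interesting traffic and the IPSEC(validate_proposal_request) blocks from "debug crypto ipsec", then reports whether each proxy pair the peer proposes mirrors a permit line of that ACL, which is the first thing to check when phase 1 authenticates but the tunnel never reaches QM_IDLE. The sample data is constructed: the ACL line and the first proposal are copied from this thread, the second proposal is a made-up one that does mirror the ACL.

```python
"""Triage for PIX 6.x 'debug crypto ipsec': does each validate_proposal_request proxy pair
mirror a permit line of the crypto ACL?  Added example for this thread, not Cisco tooling."""
import ipaddress
import re

ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"(dest|src)_proxy=\s*([\d.]+)/([\d.]+)")
def net(addr, mask):  # PIX ACLs and debug lines use netmasks, which ipaddress accepts directly
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'access-list ... permit ip' lines."""
    acls = {}
    for name, src, smask, dst, dmask in ACL_RE.findall(config):
        acls.setdefault(name, []).append((net(src, smask), net(dst, dmask)))
    return acls

def parse_proposals(debug):
    """Return [(dest_proxy, src_proxy), ...], one pair per validate_proposal_request block."""
    pairs, current = [], None
    for line in map(str.strip, debug.splitlines()):
        if line.startswith("IPSEC(validate_proposal_request)"):
            current = {}
        elif line.startswith("IPSEC(") and current is not None:  # next key-engine event ends block
            pairs.append(current)
            current = None
        elif current is not None:
            for kind, addr, mask in PROXY_RE.findall(line):
                current[kind] = net(addr, mask)
    if current is not None:
        pairs.append(current)
    return [(p["dest"], p["src"]) for p in pairs if "dest" in p and "src" in p]

def check_proxies(acl_entries, proposals):
    """(dest_proxy, src_proxy, ok): ok is True when the pair mirrors an ACL line either way round."""
    report = []
    for d, s in proposals:
        ok = any((d, s) == (a, b) or (s, d) == (a, b) for a, b in acl_entries)
        report.append((str(d), str(s), ok))
    return report

# Constructed sample: the thread's ACL line, one proposal copied from the thread, one that mirrors the ACL.
SAMPLE_CONFIG = "access-list XXXX permit ip 172.17.40.112 255.255.255.240 172.17.1.0 255.255.255.0\n"
SAMPLE_IPSEC = """IPSEC(validate_proposal_request): proposal part #1,
dest_proxy= 172.20.80.154/255.255.255.255/0/0 (type=1),
src_proxy= 150.2.0.0/255.255.0.0/0/0 (type=4),
IPSEC(key_engine): got a queue event...
IPSEC(validate_proposal_request): proposal part #1,
dest_proxy= 172.17.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 172.17.40.112/255.255.255.240/0/0 (type=4),"""
```

Run it against a full "debug crypto ipsec" capture and the running config; any proposal reported with ok=False is a proxy identity the peer's crypto ACL defines differently from yours.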
05-11-2019 01:46 AM - edited 05-14-2019 05:25 AM
In Cisco Secure PIX Firewall software release 6.3 and later, the new international encryption standard AES is supported for securing site-to-site and remote access VPN connections.