10-04-2006 10:29 AM - edited 02-21-2020 02:38 PM
I've run into a frustrating problem on a 501. It's at a new remote site and I've not had direct access to the device, only via SSH. I was trying to configure their VPN for Pix to Pix access to the corporate office and can't get the link to come up. The site was originally configured with des only and I use 3des so I removed all the crypto statements and added the new connection configuration. I know the configuration works, I've tried it on a spare Pix we have at our corporate office and the link comes up fine. Does the application of the new crypto statements and change to 3des require a restart or can those changes be made on the fly? That's the only thing I haven't tried as I wasn't ready to save the config permanently yet. Here is the config I'm using:
sysopt connection permit-ipsec
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpn
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address 110
crypto map vpn 20 set peer x.x.x.x
crypto map vpn 20 set transform-set vpn
crypto map vpn 40 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
isakmp enable outside
isakmp key ****** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
10-04-2006 11:01 AM
Firstly - Is the configuration on both pix symmetrical? For example, if you are using 3DES on one pix then the other must also be using 3DES and the correct ISAKMP key / crypto ACL etc / transform-set etc?
If both pix have the correct setup then have you issued: clear crypto isakmp sa and also clear crypto ipsec sa on both peers?
Make sure that you have L3 (Network) connectivity between both peers; if you can ping the outside IP address of your peer pix from your pix then this will confirm that you have L3 connectivity.
You are using isakmp group 1 on your pix, is the remote pix also using group 1 for ISAKMP?
For reference and troubleshooting, look at the following document for help:
From what you have posted (minus the crypto ACL and NAT 0 statement) it looks OK to me, but verify everything by using the above URL.
Let me know how you get on or if you require further help, and if it helps please rate the post!
Jay
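The symmetry check above (same ISAKMP encryption, hash, authentication and DH group, plus a common transform-set) is easy to automate when you only have SSH access to each PIX and can paste the two running configs side by side. This is an added example, not from the thread or from Cisco; the two configs and the 203.0.113.x / 198.51.100.x peer addresses are constructed for illustration.

```python
import re

# Constructed sample configs for the two peers (not the thread's real devices).
LOCAL_CFG = """
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto map vpn 20 set peer 203.0.113.2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
"""
REMOTE_CFG = """
crypto ipsec transform-set corp esp-des esp-md5-hmac
crypto map corp 10 set peer 198.51.100.1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
"""

def parse_pix(cfg):
    """Pull ISAKMP (phase 1) policies and transform-sets (phase 2) out of PIX 6.x config text."""
    policies, tsets = {}, {}
    for line in cfg.splitlines():
        m = re.match(r"isakmp policy (\d+) (\w+) (\S+)", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            tsets[m.group(1)] = frozenset(m.group(2).split())
    return policies, tsets

def find_mismatches(local_cfg, remote_cfg):
    """Return reasons why phase 1 or phase 2 cannot negotiate between the two configs."""
    lp, lt = parse_pix(local_cfg)
    rp, rt = parse_pix(remote_cfg)
    problems = []
    # Lifetime is negotiated down to the shorter value, so only these four must match.
    keys = ("authentication", "encryption", "hash", "group")
    if not any(all(a.get(k) == b.get(k) for k in keys) for a in lp.values() for b in rp.values()):
        for k in keys:
            lv = {p.get(k) for p in lp.values()}
            rv = {p.get(k) for p in rp.values()}
            if lv.isdisjoint(rv):
                problems.append(f"isakmp {k}: local {sorted(lv)} vs remote {sorted(rv)}")
    if not any(a == b for a in lt.values() for b in rt.values()):
        problems.append("no common transform-set: local "
                        f"{[sorted(s) for s in lt.values()]} vs remote {[sorted(s) for s in rt.values()]}")
    return problems
```

Run find_mismatches() on the two sides' configs before clearing SAs; an empty list means the crypto parameters line up and the fault is elsewhere (crypto ACL, NAT 0, key, or L3 reachability).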
10-04-2006 01:03 PM
Jay,
I was able to get the configuration working by using the des config at the remote site and configuring an extra pix I have. The script I posted worked fine then.
The sh ver indicates it's licensed for 3des but I can't get it to come up when I use the same config (with the 3des commands instead of des). Could 3des be incorrectly registered as enabled even if it's not installed?
I run two other VPN tunnels already on the main office Pix I was trying to connect to so I was using group 5 in my config, can I use group 1 concurrently on multiple connections?
I'll check the reference document you've posted as well.
thanks, nick
10-04-2006 11:02 AM
does access list 110 exist?
10-04-2006 12:58 PM
it does, I just didn't include it with the crypto config commands. It translates traffic on the two networks.