10-27-2004 03:10 PM - edited 02-21-2020 01:25 PM
I have a PIX 501 connected to a non-Cisco ADSL router. My ISP has allocated me a fixed IP assigned by PPPoA of, say, 1.1.1.1. In addition I have a bank of 4 IPs, say 2.2.2.1-2.2.2.4. IP 2.2.2.1 was assigned to the outside of the PIX and 2.2.2.2 to the inside of the router.
All of this worked fine, including a site-to-site VPN, the far end of which is a Cisco 837b router which has my peer address set to 1.1.1.1, i.e. the (fixed) IP auto-allocated by PPPoA (& ISP).
I want to replace the ADSL router with a D-Link DSL-300G+ ADSL modem which supports RFC 1843 bridge mode. The ultimate ADSL provider is BT and I have been told that it is possible to use PPPoE in this case. So I have configured the D-Link as a bridge and the PIX with the correct PPPoE configuration & credentials and, lo and behold, it all works - well, nearly! All, that is, except the site-to-site VPN, which does not get established.
SHO INT shows that the outside of the PIX has correctly been assigned 1.1.1.1 by PPPoE.
ISAKMP debug shows that ISAKMP never gets beyond phase 1.
A packet sniffer on the outside reveals the PIX is sending an ISAKMP Main Mode packet to the IP of the peer via the assigned remote MAC address and gets back (from the peer via the assigned remote MAC) an ICMP "destination unreachable".
I have tried reducing the MTU size on the PIX to 1300 to no avail - this does seem to have fixed problems with some web sites, but not with the VPN.
Anyone able to cast any light on how to get around this?
I regret that my knowledge of PPPoA and PPPoE and the like isn't great (understatement), so I may be missing something very basic.
All help appreciated.
10-28-2004 06:03 AM
Hello Alan,
My first thought is that your problem is not with your PPPoE configuration but probably with your site-to-site VPN config.
When you enable PPPoE with
"ip address outside pppoe setroute"
it automatically sets the interface MTU to 1492, so you should not have to modify this value. The problem you might have with MTU is with data going through the tunnel.
I have the same config and I'm able to connect with the VPN Client. You should check your isakmp settings.
Antoine
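As an added example that is not part of this thread, the small Python helper below does what the original question did by hand with a sniffer (watch ISAKMP go out, see what comes back) and also reflects Antoine's MTU remark: it reads constructed tcpdump-style lines, counts phase 1 attempts and replies per peer, and classifies any ICMP unreachable by kind, because "need to frag" points at an MTU problem while "udp port 500 unreachable" points at the far end not listening for IKE. The line format and the addresses 1.1.1.1 (PIX outside), 3.3.3.3 and 4.4.4.4 (peers) are assumptions made for the sample.

```python
import re

# Constructed tcpdump-style capture (not from the thread). 1.1.1.1 stands for the
# PIX outside address assigned by PPPoE, 3.3.3.3 and 4.4.4.4 for far-end peers.
SAMPLE_CAPTURE = """\
10:15:01.100 IP 1.1.1.1.500 > 3.3.3.3.500: isakmp: phase 1 I ident
10:15:01.140 IP 3.3.3.3 > 1.1.1.1: ICMP 3.3.3.3 udp port 500 unreachable, length 36
10:15:11.100 IP 1.1.1.1.500 > 3.3.3.3.500: isakmp: phase 1 I ident
10:15:11.150 IP 3.3.3.3 > 1.1.1.1: ICMP 3.3.3.3 unreachable - need to frag (mtu 1492), length 36
10:15:21.100 IP 1.1.1.1.500 > 4.4.4.4.500: isakmp: phase 1 I ident
10:15:21.160 IP 4.4.4.4.500 > 1.1.1.1.500: isakmp: phase 1 R ident
"""

ISAKMP_RE = re.compile(r"IP (\S+)\.500 > (\S+)\.500: isakmp: phase 1 ([IR]) ")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP (.+?), length")

def classify_icmp(detail):
    """Turn tcpdump's ICMP text into a troubleshooting class for an IKE peer."""
    if "need to frag" in detail:
        return "pmtu"        # type 3 code 4: an MTU problem, not an IKE problem
    if "udp port 500 unreachable" in detail:
        return "port"        # peer answers, but nothing listens on udp/500
    if "unreachable" in detail:
        return "host"        # routing problem between the PIX and the peer
    return "other"

def diagnose(capture):
    """Per IKE peer: phase 1 packets sent to it, replies from it, ICMP errors by class."""
    peers = {}
    for line in capture.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            src, dst, role = m.groups()
            peer = dst if role == "I" else src      # initiator packets go to the peer
            stats = peers.setdefault(peer, {"sent": 0, "replied": 0, "icmp": {}})
            stats["sent" if role == "I" else "replied"] += 1
            continue
        m = ICMP_RE.search(line)
        if m:
            src, _dst, detail = m.groups()
            stats = peers.setdefault(src, {"sent": 0, "replied": 0, "icmp": {}})
            kind = classify_icmp(detail)
            stats["icmp"][kind] = stats["icmp"].get(kind, 0) + 1
    return peers

def phase1_stuck(capture):
    """Peers that were sent phase 1 but never replied: the symptom in the question."""
    return sorted(p for p, s in diagnose(capture).items() if s["sent"] and not s["replied"])
```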
10-30-2004 02:18 AM
Antoine,
Many thanks for your reply. The site-to-site VPN works fine if I use an ADSL router rather than the bridge-mode modem on the outside. The only difference is in the PIX outside address.
In the case of the router configuration, the router negotiates using PPPoA and is assigned address "a.a.a.a" (a fixed address). The outside address I use on the PIX is one of the block I have been assigned, say "b.b.b.b", and the inside of the router is "c.c.c.c", also one of that block. All this works fine.
In the case of the bridged modem configuration, the PIX negotiates using PPPoE and its outside is assigned the same "a.a.a.a" address. The VPN config is unchanged.
In both cases address "a.a.a.a" is used as the peer address in the far end router (an 837).
I must admit to not quite understanding how the former works, it was arrived at by a little trial and error. What is not clear to me is that the far end of the tunnel uses a peer address which is not that of the PIX outside - but it works! The latter case seems more logical but it doesn't work.
I think I must be missing something obvious, so if you have any further suggestions I would welcome hearing them.
In the meantime I plan to put a sniffer on the subnet between the router and the PIX in the former case and see what is happening.
Regards.