07-24-2011 11:45 AM - edited 02-21-2020 05:28 PM
I am trying to get my PIX 501 and 2502 to establish an IPsec site-to-site tunnel. I can't get it to work.
I think I am close... Can someone tell me what I'm doing wrong! Please! Config below is pretty simple! What am I doing wrong????
[inside=10.10.10.2]------[outside 1.1.1.2]<------------------------->[outside 1.1.1.3]------------[inside 192.168.1.1]
router 2502 pix 501
I can ping 1.1.1.2 from the PIX but not from 192.168.1.2 (my PC)
I can ping 1.1.1.3 from the router
I can't ping 10.10.10.2 from the PIX
pixfirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.3 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:b5a0a14091f25fdee748a6a77e3d638c
: end
pixfirewall#
=======================================================================
Current configuration : 1358 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname outoffice
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set Petaluma_VPN ah-md5-hmac esp-des
!
!
crypto map Petaluma_1 1 ipsec-isakmp
set peer 1.1.1.3
set transform-set Petaluma_VPN
match address 100
!
!
!
!
interface Ethernet0
ip address 1.1.1.2 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map Petaluma_1
!
interface Serial0
ip address 10.10.10.2 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface BRI0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
isdn x25 static-tei 0
cdapi buffers regular 0
cdapi buffers raw 0
cdapi buffers large 0
!
ip kerberos source-interface any
ip classless
ip route 192.168.1.0 255.255.255.0 1.1.1.3
no ip http server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
transport input none
line aux 0
transport input all
line vty 0 4
login
!
end
outoffice#
==========================================================
outoffice#sh crypto ipsec sa
interface: Ethernet0
Crypto map tag: Petaluma_1, local addr. 1.1.1.2
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.3
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.3
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
outoffice#
outoffice#sh crypto isakmp sa
dst src state conn-id slot
outoffice#
outoffice#sh crypto ipsec t
outoffice#sh crypto ipsec transform-set
Transform set Petaluma_VPN: { ah-md5-hmac }
will negotiate = { Tunnel, },
{ esp-des }
will negotiate = { Tunnel, },
=================================================================
pixfirewall# sh crypto isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
pixfirewall# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, local addr. 1.1.1.3
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 1.1.1.2:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 154, #recv errors 0
local crypto endpt.: 1.1.1.3, remote crypto endpt.: 1.1.1.2
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
07-24-2011 06:58 PM
David
This is an unusual setup to have the IPSec peer connection over the Ethernet interface of the router and to have the "interesting traffic" being generated from the serial interface of the router. Not that it cannot work this way, but I wonder if there is a reason for doing it this way?
I do see a couple of issues in your config:
- the pix static default route of
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
which specifies that the next hop address is the address of the pix itself. I would expect that the next hop should be the IP of the router. This would certainly explain one reason why your PC cannot ping 1.1.1.2.
- the pix nat 0 refers to an access list
nat (inside) 0 access-list inside_outbound_nat0_acl
but I do not see that access list in the configuration. If the access list is missing then you will be trying to translate the traffic going over the tunnel and you do not want to do that.
- perhaps the biggest issue is that the ISAKMP policies do not match. Your pix has this
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
while the router has this
crypto ipsec transform-set Petaluma_VPN ah-md5-hmac esp-des
they agree that the encryption will be esp-des but they do not agree on the hash. Either they must both do esp-md5-hmac or they must both do ah-md5-hmac.
HTH
Rick
07-25-2011 06:35 PM
Hi Rick,
I corrected the above mistakes; still no tunnel is built. I have run debug and only get debug info when a PC is attached? I get no debug errors when pinging from the PIX console. I have reset the keys to make sure that's not the issue. What else could it be? I'm close!!!!!
==========================================================
outoffice#
01:32:06: ISAKMP (0:0): received packet from 1.1.1.3 (N) NEW SA
01:32:06: ISAKMP: local port 500, remote port 500
01:32:06: ISAKMP (0:4): processing SA payload. message ID = 0
01:32:06: ISAKMP (0:4): found peer pre-shared key matching 1.1.1.3
01:32:06: ISAKMP (0:4): Checking ISAKMP transform 1 against priority 2 policy
01:32:06: ISAKMP: encryption DES-CBC
01:32:06: ISAKMP: hash MD5
01:32:06: ISAKMP: default group 1
01:32:06: ISAKMP: auth pre-share
01:32:06: ISAKMP: life type in seconds
01:32:06: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:32:06: ISAKMP (0:4): atts are not acceptable. Next payload is 0
01:32:06: ISAKMP (0:4): Checking ISAKMP transform 1 against priority 65535 policy
01:32:06: ISAKMP: encryption DES-CBC
01:32:06: ISAKMP: hash MD5
01:32:06: ISAKMP: default group 1
01:32:06: ISAKMP: auth pre-share
01:32:06: ISAKMP: life type in seconds
01:32:06: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:32:06: ISAKMP (0:4): atts are not acceptable. Next payload is 0
01:32:06: ISAKMP (0:4): no offers accepted!
01:32:06: ISAKMP (0:4): phase 1 SA not acceptable!
01:32:06: ISAKMP (0:4): incrementing error counter on sa: construct_fail_ag_init
01:32:06: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 1.1.1.3
01:32:06: ISAKMP (0:4): sending packet to 1.1.1.3 (R) MM_NO_STATE
01:32:13: ISAKMP (0:2): purging SA.
01:32:13: CryptoEngine0: delete connection 2
======================================================================================
Debug Output when trying to ping 10.10.10.2 from my PC on 192.168.1.3
pixfirewall# sh isakmp sa
Total : 1
Embryonic : 1
dst src state pending created
1.1.1.2 1.1.1.3 MM_NO_STATE 0 0
pixfirewall# IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 1.1.1.3, remote= 1.1.1.2,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 1.1.1.3, dst 1.1.1.2
ISADB: reaper checking SA 0xa2e694, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 1.1.1.2/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 1.1.1.3, remote= 1.1.1.2,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
============================================================
Debug Output when trying to ping 10.10.10.2 from my PC on 192.168.1.3
pixfirewall#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:1.1.1.2, dest:1.1.1.3 spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 1.1.1.3, remote= 1.1.1.2,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 1.1.1.3, dst 1.1.1.2
ISADB: reaper checking SA 0xa2e694, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 1.1.1.2/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 1.1.1.3, remote= 1.1.1.2,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:1.1.1.2, dest:1.1.1.3 spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS
=============================================================
How can we troubleshoot this? This is a lab and I would really like to get the tunnel to work. I am running debug crypto ipsec and debug crypto ipsec and I get 0 output when I ping the router IP 10.10.10.2. It's like the traffic isn't making it to the tunnel?
Are my NAT statements ok?
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
====================================================
pixfirewall# sh crypto map
Crypto Map: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 20 ipsec-isakmp
Peer = 1.1.1.2
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0)
Current peer: 1.1.1.2
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ Petaluma_VPN, }
pixfirewall#
nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
========================
Crypto Map "Petaluma_1" 1 ipsec-isakmp
Peer = 1.1.1.3
Extended IP access list 100
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 1.1.1.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ Petaluma_VPN, }
Interfaces using crypto map Petaluma_1:
Ethernet0
=========================================================
outoffice#sh run
Building configuration...
Current configuration : 1356 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname outoffice
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-des
!
crypto map Petaluma_1 1 ipsec-isakmp
set peer 1.1.1.3
set transform-set Petaluma_VPN
match address 100
!
!
!
!
interface Ethernet0
ip address 1.1.1.2 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map Petaluma_1
!
interface Serial0
ip address 10.10.10.2 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface BRI0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
isdn x25 static-tei 0
cdapi buffers regular 0
cdapi buffers raw 0
cdapi buffers large 0
!
ip kerberos source-interface any
ip classless
ip route 192.168.1.0 255.255.255.0 1.1.1.3
no ip http server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
transport input none
line aux 0
transport input all
line vty 0 4
login
!
end
==================================================
pixfirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.3 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set Petaluma_VPN ah-md5-hmac esp-des
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set transform-set Petaluma_VPN
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:8e68352443165c4c2827cfca1b3543fe
: end
pixfirewall#
07-26-2011 08:07 PM
David
First - you ask how to troubleshoot this. My first suggestion is to use debug crypto isakmp and when the isakmp negotiation works then use debug crypto ipsec.
You say that you corrected the above errors. But I see this in the output:
01:32:06: ISAKMP (0:4): atts are not acceptable. Next payload is 0
01:32:06: ISAKMP (0:4): no offers accepted!
01:32:06: ISAKMP (0:4): phase 1 SA not acceptable!
So I looked in the configs that you posted and I found this:
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-des
from the router and I found this from the pix:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
Pay close attention to the hmac and tell us if they are the same or are different???
HTH
Rick
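The router debug quoted above shows the PIX's Main Mode proposal (DES, MD5, pre-share, group 1) being checked against priority 2 and then the built-in priority 65535 policy and rejected both times. As an added example, not code from this thread or from Cisco: a small Python check that parses the ISAKMP policy lines of both devices, fills in the defaults the router config leaves unstated (assumed IOS/PIX 6.3 defaults: DES, SHA-1, RSA signatures, DH group 1, 86400 s, plus the implicit IOS policy 65535), reports which attribute each check fails on, and decodes the VPI lifetime bytes from the debug line.

```python
import re

# Constructed sample: the ISAKMP policy lines from the PIX 6.3 and IOS 12.2 configs posted above.
PIX_CONFIG = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
""".strip().splitlines()

IOS_CONFIG = """
crypto isakmp policy 2
 authentication pre-share
""".strip().splitlines()

# Assumed defaults for unstated policy attributes (DES, SHA-1, RSA signatures, DH group 1,
# one day); IOS additionally carries an implicit lowest-priority policy 65535 of pure defaults.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
ATTRS = ("encryption", "hash", "authentication", "group")

def parse_pix_policies(lines):
    """PIX 6.3 style: every 'isakmp policy N attr value' line stands alone."""
    policies = {}
    for line in lines:
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            policies.setdefault(int(m.group(1)), dict(DEFAULTS))[m.group(2)] = m.group(3)
    return policies

def parse_ios_policies(lines):
    """IOS style: 'crypto isakmp policy N' opens a block of indented attribute lines."""
    policies, current = {65535: dict(DEFAULTS)}, None
    for line in lines:
        head = re.match(r"crypto isakmp policy (\d+)", line)
        attr = re.match(r"\s+(encryption|hash|authentication|group|lifetime) (\S+)", line)
        if head:
            current = policies.setdefault(int(head.group(1)), dict(DEFAULTS))
        elif attr and current is not None:
            current[attr.group(1)] = attr.group(2)
        elif not line.startswith(" "):
            current = None  # any other top-level line closes the policy block
    return policies

def phase1_result(proposals, responder):
    """Check each proposal against the responder's policies in priority order, as the
    'Checking ISAKMP transform 1 against priority N policy' debug lines do.
    Returns ((proposal, policy), []) on a match, otherwise (None, [reason, ...])."""
    reasons = []
    for p_num, prop in sorted(proposals.items()):
        for r_num, pol in sorted(responder.items()):
            bad = [f"{a} {prop[a]} vs {pol[a]}" for a in ATTRS if prop[a] != pol[a]]
            if not bad:
                return (p_num, r_num), reasons
            reasons.append(f"proposal {p_num} against policy {r_num}: " + ", ".join(bad))
    return None, reasons

def decode_vpi_lifetime(debug_line):
    """Turn 'life duration (VPI) of 0x0 0x1 0x51 0x80' from the debug into seconds."""
    value = 0
    for byte in re.findall(r"0x([0-9a-fA-F]{1,2})", debug_line):
        value = (value << 8) | int(byte, 16)
    return value
```

Calling phase1_result(parse_pix_policies(PIX_CONFIG), parse_ios_policies(IOS_CONFIG)) reports "hash md5 vs sha" against policy 2 and additionally "authentication pre-share vs rsa-sig" against 65535; adding a " hash md5" line under the router's policy 2 makes the same call return ((20, 2), []).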