Ipsec Vpn Site to Site config help needed

david.santel
Level 1

I am trying to get my PIX 501 and 2502 to establish an IPsec site-to-site tunnel. I can't get it to work.

I think I am close... Can someone tell me what I'm doing wrong! Please! Code below, pretty simple! What am I doing wrong????

[inside=10.10.10.2]------[outside 1.1.1.2]<------------------------->[outside 1.1.1.3]------------[inside 192.168.1.1]

router 2502                                                                              pix 501

I can ping 1.1.1.2 from the PIX but not from 192.168.1.2 (my PC)

I can ping 1.1.1.3 from the router

I can't ping 10.10.10.2 from the PIX

pixfirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.3 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:b5a0a14091f25fdee748a6a77e3d638c
: end
pixfirewall#


=======================================================================

Current configuration : 1358 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname outoffice
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set Petaluma_VPN ah-md5-hmac esp-des
!
!
crypto map Petaluma_1 1 ipsec-isakmp
set peer 1.1.1.3
set transform-set Petaluma_VPN
match address 100
!
!
!
!
interface Ethernet0
ip address 1.1.1.2 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map Petaluma_1
!
interface Serial0
ip address 10.10.10.2 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface BRI0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
isdn x25 static-tei 0
cdapi buffers regular 0
cdapi buffers raw 0
cdapi buffers large 0
!
ip kerberos source-interface any
ip classless
ip route 192.168.1.0 255.255.255.0 1.1.1.3
no ip http server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
transport input none
line aux 0
transport input all
line vty 0 4
login
!
end

outoffice#

==========================================================

outoffice#sh crypto ipsec sa

interface: Ethernet0
    Crypto map tag: Petaluma_1, local addr. 1.1.1.2

   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.3
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.3
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


outoffice#

outoffice#sh crypto isakmp sa
    dst           src          state        conn-id   slot

outoffice#

outoffice#sh crypto ipsec t
outoffice#sh crypto ipsec transform-set

Transform set Petaluma_VPN: { ah-md5-hmac  }
   will negotiate = { Tunnel,  },
   { esp-des  }
   will negotiate = { Tunnel,  },

=================================================================

pixfirewall# sh crypto isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
pixfirewall#
pixfirewall# sh crypto ipsec sa

interface: outside
    Crypto map tag: outside_map, local addr. 1.1.1.3
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer: 1.1.1.2:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 154, #recv errors 0
     local crypto endpt.: 1.1.1.3, remote crypto endpt.: 1.1.1.2
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:

     inbound ah sas:

  
     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

3 Replies

Richard Burts
Hall of Fame

David

This is an unusual setup to have the IPSec peer connection over the Ethernet interface of the router and to have the "interesting traffic" being generated from the serial interface of the router. Not that it cannot work this way, but I wonder if there is a reason for doing it this way?

I do see a couple of issues in your config:

- the pix static default route of

route outside 0.0.0.0 0.0.0.0 1.1.1.3 1

which specifies that the next hop address is the address of the pix itself. I would expect that the next hop should be the IP of the router. This would certainly explain one reason why your PC cannot ping 1.1.1.2.

- the pix nat 0 refers to an access list

nat (inside) 0 access-list inside_outbound_nat0_acl

but I do not see that access list in the configuration. If the access list is missing then you will be trying to translate the traffic going over the tunnel and you do not want to do that.

- perhaps the biggest issue is that the ISAKMP policies do not match. Your pix has this

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

while the router has this

crypto ipsec transform-set Petaluma_VPN ah-md5-hmac esp-des

they agree that the encryption will be esp-des but they do not agree on the hash. Either they must both do esp-md5-hmac or they must both do ah-md5-hmac.

HTH

Rick


Hi Rick,

I corrected the above mistakes, still no tunnel built. I have run debug and only get debug info when a PC is attached? I get no debug errors when pinging from the pix console. I have reset keys to make sure that's not the issue. What else could it be? I'm close!!!!!

==========================================================

outoffice#
01:32:06: ISAKMP (0:0): received packet from 1.1.1.3 (N) NEW SA
01:32:06: ISAKMP: local port 500, remote port 500
01:32:06: ISAKMP (0:4): processing SA payload. message ID = 0
01:32:06: ISAKMP (0:4): found peer pre-shared key matching 1.1.1.3
01:32:06: ISAKMP (0:4): Checking ISAKMP transform 1 against priority 2 policy
01:32:06: ISAKMP:      encryption DES-CBC
01:32:06: ISAKMP:      hash MD5
01:32:06: ISAKMP:      default group 1
01:32:06: ISAKMP:      auth pre-share
01:32:06: ISAKMP:      life type in seconds
01:32:06: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
01:32:06: ISAKMP (0:4): atts are not acceptable. Next payload is 0
01:32:06: ISAKMP (0:4): Checking ISAKMP transform 1 against priority 65535 policy
01:32:06: ISAKMP:      encryption DES-CBC
01:32:06: ISAKMP:      hash MD5
01:32:06: ISAKMP:      default group 1
01:32:06: ISAKMP:      auth pre-share
01:32:06: ISAKMP:      life type in seconds
01:32:06: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
01:32:06: ISAKMP (0:4): atts are not acceptable. Next payload is 0
01:32:06: ISAKMP (0:4): no offers accepted!
01:32:06: ISAKMP (0:4): phase 1 SA not acceptable!
01:32:06: ISAKMP (0:4): incrementing error counter on sa: construct_fail_ag_init
01:32:06: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 1.1.1.3
01:32:06: ISAKMP (0:4): sending packet to 1.1.1.3 (R) MM_NO_STATE
01:32:13: ISAKMP (0:2): purging SA.
01:32:13: CryptoEngine0: delete connection 2

======================================================================================

Debug Output when trying to ping 10.10.10.2 from my PC on 192.168.1.3

pixfirewall# sh isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
         1.1.1.2          1.1.1.3    MM_NO_STATE   0           0
pixfirewall# IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 1.1.1.3, remote= 1.1.1.2,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 1.1.1.3, dst 1.1.1.2
ISADB: reaper checking SA 0xa2e694, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 1.1.1.2/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 1.1.1.3, remote= 1.1.1.2,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)

============================================================

Debug Output when trying to ping 10.10.10.2 from my PC on 192.168.1.3

pixfirewall#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:1.1.1.2, dest:1.1.1.3 spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 1.1.1.3, remote= 1.1.1.2,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 1.1.1.3, dst 1.1.1.2
ISADB: reaper checking SA 0xa2e694, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 1.1.1.2/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 1.1.1.3, remote= 1.1.1.2,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:1.1.1.2, dest:1.1.1.3 spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS

=============================================================

How can we troubleshoot this? This is a lab and I would really like to get the tunnel to work. I am running debug crypto ipsec and debug crypto ipsec and I get 0 output when I ping the router IP 10.10.10.2. It's like the traffic isn't making it to the tunnel?

Are my NAT statements OK?

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

====================================================

pixfirewall# sh crypto map

Crypto Map: "outside_map" interfaces: { outside }

Crypto Map "outside_map" 20 ipsec-isakmp
        Peer = 1.1.1.2
        access-list outside_cryptomap_20; 1 elements
        access-list outside_cryptomap_20 line 1 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0)
        Current peer: 1.1.1.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ Petaluma_VPN, }
pixfirewall#

nat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

========================

Crypto Map "Petaluma_1" 1 ipsec-isakmp
        Peer = 1.1.1.3
        Extended IP access list 100
            access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

        Current peer: 1.1.1.3
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ Petaluma_VPN, }
        Interfaces using crypto map Petaluma_1:
                Ethernet0

=========================================================

outoffice#sh run
Building configuration...

Current configuration : 1356 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname outoffice
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-des
!
crypto map Petaluma_1 1 ipsec-isakmp
set peer 1.1.1.3
set transform-set Petaluma_VPN
match address 100
!
!
!
!
interface Ethernet0
ip address 1.1.1.2 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map Petaluma_1
!
interface Serial0
ip address 10.10.10.2 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface BRI0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
isdn x25 static-tei 0
cdapi buffers regular 0
cdapi buffers raw 0
cdapi buffers large 0
!
ip kerberos source-interface any
ip classless
ip route 192.168.1.0 255.255.255.0 1.1.1.3
no ip http server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
transport input none
line aux 0
transport input all
line vty 0 4
login
!
end

==================================================

pixfirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.3 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set Petaluma_VPN ah-md5-hmac esp-des
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set transform-set Petaluma_VPN
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:8e68352443165c4c2827cfca1b3543fe
: end
pixfirewall#

David

First - you ask how to troubleshoot this. My first suggestion is to use debug crypto isakmp and when the isakmp negotiation works then use debug crypto ipsec.

You say that you corrected the above errors. But I see this in the output:

01:32:06: ISAKMP (0:4): atts are not acceptable. Next payload is 0

01:32:06: ISAKMP (0:4): no offers accepted!

01:32:06: ISAKMP (0:4): phase 1 SA not acceptable!

So I looked in the configs that you posted and I found this:

crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-des

from the router and I found this from the pix:

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

Pay close attention to the hmac and tell us if they are the same or different???

HTH

Rick

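Both of Rick's replies come down to the two peers proposing different attributes, and the router debug David posted shows it for phase 1: the PIX offers DES / MD5 / group 1 / pre-share, while the router's policy 2 sets only the authentication method and so keeps the IOS default hash (SHA), which is why the offer is rejected; the transform sets in the latest configs (ah-sha-hmac on the router, ah-md5-hmac on the PIX) disagree the same way for phase 2. As an added example that is not from the thread, the Python script below parses the ISAKMP policies and transform sets out of the posted config excerpts, fills in the documented IOS/PIX defaults (an assumption, stated in the code), and reports exactly which attributes differ.

```python
import re

# Attributes an isakmp policy leaves unset take these documented defaults
# on IOS and PIX 6.3: DES, SHA, RSA signatures, group 1, 86400 seconds.
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
STRICT = ("encryption", "hash", "authentication", "group")  # lifetime negotiates down
# Excerpts of the router (IOS 12.2) and PIX 6.3(5) configs posted in the thread.
ROUTER_CFG = """
crypto isakmp policy 2
 authentication pre-share
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-des
"""
PIX_CFG = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set Petaluma_VPN ah-md5-hmac esp-des
"""

POLICY_RE = re.compile(r"(?:crypto )?isakmp policy (\d+)(?:\s+(\S+)\s+(\S+))?$")
ATTR_RE = re.compile(r"\s+(encryption|hash|authentication|group|lifetime)\s+(\S+)$")
TSET_RE = re.compile(r"crypto ipsec transform-set (\S+)\s+(.+)$")

def parse_ike_policies(cfg):
    """{priority: {attr: value}} with defaults filled in; accepts the IOS
    block form (indented sub-commands) and the PIX one-line form."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), dict(IKE_DEFAULTS))
            if m.group(2):                       # PIX: attribute on the same line
                current[m.group(2)] = m.group(3)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:            # IOS: indented sub-command
            current[m.group(1)] = m.group(2)
        else:
            current = None                       # any other line ends the block
    return policies

def parse_transform_sets(cfg):
    """{name: frozenset of transforms} for every crypto ipsec transform-set."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in map(TSET_RE.match, cfg.splitlines()) if m}

def ike_mismatches(a, b):
    """Strict attributes on which two ISAKMP policies disagree."""
    return [k for k in STRICT if a[k] != b[k]]

def check_peers(router_cfg, pix_cfg, router_set, pix_set):
    """Report phase 1 policy agreement and whether the two crypto maps'
    transform sets propose the identical transforms (phase 2)."""
    r_pol, p_pol = parse_ike_policies(router_cfg), parse_ike_policies(pix_cfg)
    phase1 = {(rp, pp): ike_mismatches(r_pol[rp], p_pol[pp])
              for rp in r_pol for pp in p_pol}
    r_ts, p_ts = parse_transform_sets(router_cfg), parse_transform_sets(pix_cfg)
    return {"phase1_ok": any(not diff for diff in phase1.values()),
            "phase1_mismatches": phase1,
            "phase2_ok": r_ts[router_set] == p_ts[pix_set],
            "router_transforms": sorted(r_ts[router_set]),
            "pix_transforms": sorted(p_ts[pix_set])}

if __name__ == "__main__":
    print(check_peers(ROUTER_CFG, PIX_CFG, "Petaluma_VPN", "Petaluma_VPN"))
```

Run against the configs as posted it reports "hash" as the only phase 1 mismatch and a transform-set mismatch for phase 2; it is worth re-running after every change, since the thread shows one side being edited without the other.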