02-18-2005 10:52 AM
I am trying to connect an L2L VPN using a PIX 515 and a 3005. I have the configurations set but am getting this result for sh crypto ipsec sa, which shows that traffic is received but not sent.
Crypto map tag: xxxxx, local addr. x.x.x.x
local ident (addr/mask/prot/port): (x.x.x.x/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.0.0/0/0)
current_peer: xxx.xxx.xxx.xxx
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 892, #pkts decrypt: 892, #pkts verify 892
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 4ada3bee
inbound esp sas:
spi: 0xd84f6f1(226817777)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: xxxxx
sa timing: remaining key lifetime (k/sec): (4607971/27993)
IV size: 8 bytes
replay detection support: Y
Along with this I have also seen this entry in the 3000 log file.
55031 02/18/2005 08:32:58.050 SEV=4 BMGT/29 RPT=11
Attempting to specify an Aggregate Group reservation [ 961150977 bps ] on Group
[ x.x.x.x ] Interface [ 2 ] which is outside the range of a minimum of [ 80
00 bps ] to a maximum of [ 100000000 bps ] (note: the true max is dependant upon
the interface link rate to which the group is applied).
I do NOT have BW management enabled on the 3005 and was wondering if anyone could point me in the right direction for fixing this issue. My 3000 is sending traffic but the PIX is not.
Thanks,
Terry
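As an added example (not from this thread, and not Cisco's own tooling), a small Python checker that parses the counter lines of the sh crypto ipsec sa output posted above and flags the one-way pattern it shows (decaps climbing, encaps stuck at zero). It assumes the PIX 6.x counter line format seen in the post; the sample text is the post's output with the same masked addresses.

```python
import re

# Constructed sample: the counter lines from the post above (addresses masked as posted).
SAMPLE_SA = """\
Crypto map tag: xxxxx, local addr. x.x.x.x
local ident (addr/mask/prot/port): (x.x.x.x/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.0.0/0/0)
current_peer: xxx.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 892, #pkts decrypt: 892, #pkts verify 892
#send errors 0, #recv errors 0
"""

# "digest" and "verify" have no colon in this output format, so the colon is optional.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify):?\s*(\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors\s+(\d+)")


def parse_sa_counters(text):
    """Extract packet and error counters from one SA block into a dict of ints."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    for name, value in ERROR_RE.findall(text):
        counters[f"{name}_errors"] = int(value)
    return counters


def classify_sa(counters):
    """Classify traffic direction from the encaps/decaps counters."""
    encaps = counters.get("encaps", 0)
    decaps = counters.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        return "no-traffic"
    if encaps == 0:
        return "inbound-only"  # peer encrypts to us, nothing is encrypted back
    if decaps == 0:
        return "outbound-only"
    return "bidirectional"


def diagnose(text):
    """Return (state, counters, hints) for one SA block; hints are generic troubleshooting pointers."""
    counters = parse_sa_counters(text)
    state = classify_sa(counters)
    hints = []
    if state == "inbound-only":
        # Assumption-level guidance: return traffic never matched the crypto ACL, so
        # compare the crypto map ACL, the nat 0 ACL and the route toward the remote subnet.
        hints.append("check crypto map match-address ACL, nat 0 ACL and routing to the remote subnet")
    if counters.get("send_errors", 0) or counters.get("recv_errors", 0):
        hints.append("SA errors present: inspect SA state and path MTU")
    return state, counters, hints
```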
02-19-2005 06:37 PM
Please post the relevant parts of the config at the pix end. I am interested in the crypto map config, the ike policies, the acl that is referenced in the crypto map and any nat/global/static configs that you have listed. Is the pix expecting to nat and see nat'ed traffic across the ipsec vpn connection?
02-21-2005 04:57 AM
access-list inside_outbound_nat0_acl permit ip 10.5.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 10.5.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer x.x.x.x
crypto map mymap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400