PIX - 3000 L2L VPN errors

tostrander · ‎02-18-2005

I am trying to connect a L2L VPN using a PIX 515 and a 3005. I have the configurations set but am getting this result for the sh crypto ipsec sa which shows that traffic is received but not sent.

Crypto map tag: xxxxx, local addr. x.x.x.x

local ident (addr/mask/prot/port): (x.x.x.x/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (x.x.x.x/255.255.0.0/0/0)

current_peer: xxx.xxx.xxx.xxx

dynamic allocated peer ip: 0.0.0.0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 892, #pkts decrypt: 892, #pkts verify 892

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 4ada3bee

inbound esp sas:

spi: 0xd84f6f1(226817777)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: xxxxx

sa timing: remaining key lifetime (k/sec): (4607971/27993)

IV size: 8 bytes

replay detection support: Y

Along with this I have also seen this entry in the 3000 log file.

55031 02/18/2005 08:32:58.050 SEV=4 BMGT/29 RPT=11

Attempting to specify an Aggregate Group reservation [ 961150977 bps ] on Group

[ x.x.x.x ] Interface [ 2 ] which is outside the range of a minimum of [ 80

00 bps ] to a maximum of [ 100000000 bps ] (note: the true max is dependant upon

the interface link rate to which the group is applied).

I do NOT have BW management enabled on the 3005 and was wondering if anyone could point me in the right direction for fixing this issue. My 3000 is sending traffic but the PIX is not.

Thanks,

Terry

ehirsel · ‎02-19-2005

Please post the relevant parts of the config at the pix end. I am interested in the crypto map config, the ike policies, the acl that is referenced in the crypto map and any nat/global/static configs that you have listed. Is the pix expecting to nat and see nat'ed traffic across the ipsec vpn connection?

tostrander · ‎02-21-2005

access-list inside_outbound_nat0_acl permit ip 10.5.0.0 255.255.0.0 10.1.0.0 255.255.0.0

access-list outside_cryptomap_20 permit ip 10.5.0.0 255.255.0.0 10.1.0.0 255.255.0.0

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 20 ipsec-isakmp

crypto map mymap 20 match address outside_cryptomap_20

crypto map mymap 20 set peer x.x.x.x

crypto map mymap 20 set transform-set myset

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption des

isakmp policy 40 hash md5

isakmp policy 40 group 1

isakmp policy 40 lifetime 86400