cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1154
Views
0
Helpful
18
Replies

PIX 515e: more than one l2l vpn don't work

riccardoaccetta
Level 1
Level 1

Hello,

I have this initial config with one l2l vpn with a firewall Zyxel

Zywall 2plus

Logs on pix seems to be right, but no data (ping, ssh, http, or other)

comes from or goes to remote zywall.

18 Replies 18

andrew.prince
Level 10
Level 10

post the output of "sh crypto ipsec sa"

here it is the show crypto ipsec sa

OK - that vpn crypto is from your existing VPN peer #1.

Can you ping the #2 VPN peer and post the output of the show crypto ipsec sa again?>

When I ping 192.168.122.X, that is behind the first peer it works.

I'm not able to ping the 192.168.151.X that is behind the second peer.

Here it is the output of the command show crypto ipsec sa:

Result of the command: "show crypto ipsec sa"

interface: outside

Crypto map tag: outside_dyn_map, seq num: 1, local addr: 192.168.1.5

access-list outside_cryptomap_65535.1 permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: 213.26.147.172

#pkts encaps: 842, #pkts encrypt: 842, #pkts digest: 842

#pkts decaps: 797, #pkts decrypt: 797, #pkts verify: 797

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 842, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.5, remote crypto endpt.: 213.26.147.172

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 1DC4349D

inbound esp sas:

spi: 0x9128E54D (2435376461)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 113, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 25835

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x1DC4349D (499397789)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 113, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 25835

IV size: 8 bytes

replay detection support: Y

Crypto map tag: outside_dyn_map, seq num: 1, local addr: 192.168.1.5

access-list outside_cryptomap_65535.1 permit ip 192.168.100.0 255.255.255.0 192.168.151.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: 82.89.82.245

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.5, remote crypto endpt.: 82.89.82.245

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: FA91CC6A

inbound esp sas:

spi: 0x72B8A29F (1924702879)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 131, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 28774

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xFA91CC6A (4203859050)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 131, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 28774

IV size: 8 bytes

replay detection support: Y

Thank you for help.

On your previous config you posted:-access-list dmz_nat0_outbound extended permit ip 192.168.100.0

255.255.255.0 192.168.131.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 192.168.100.0

255.255.255.0 192.168.131.0 255.255.255.0

BUT in this post you have said "I'm not able to ping the 192.168.151.X that is behind the second peer" where is your no-nat and interesting traffic for 192.168.151.x

I think you have a config error, you have multiple acl's that do not match.

Check the remote end IP subnet - and configure you acl's accordingly.

HTH>

You are right,

I have made a mistake on posting the configuration in my first message,

here there is the right one, any way the problem is that when I make this configuration for the first tunnel it works, the second doesn't work,

I have noted that in the output of the show crypto isakmp sa command there is local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

is that normal or in the destination address there should be the address of my remote subnet ?

I attach again the configuration.

Thank you

The attached is just another jumble of config - can you post the current config, remove sensitive config.

just post the output of "sh run"

Attachedthe exact configuration that is running.

Thank you.

Regards

andrew.prince
Level 10
Level 10

The post is the same from the initial post - there is no consitancy.

I suggest you double check ALL your config with the remote end and submit your findings.

Hi,

what do you mean with there is not consistency, it could be exactly this my problem.

Thank You

Post the output of "show run" from your pix 515e as the config is right now please, remove any sensitive information.

This will help to identify if there are any config errors.

Attached the configuration file.

Thank you.

OK - so which one out of the 4 VPN tunnels does not work?

the only one that works is the first one, the 192.168.122.X

Thanks