07-26-2006 03:05 AM
I've got a PIX 501, and once I get one VPN site-to-site working, immediately after 5 minutes all VPN clients are dropped. And my config looks good...
sysopt connection permit-ipsec
crypto ipsec transform-set DeCloudOfficeLandCrypt esp-3des esp-sha-hmac
crypto ipsec transform-set UKCloudDataWareHouseCrypt esp-3des esp-sha-hmac
crypto ipsec transform-set RasSet esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set RasSet
crypto map VPNList 10 ipsec-isakmp
crypto map VPNList 10 match address DeCloudOfficeLandVPN
crypto map VPNList 10 set pfs group2
crypto map VPNList 10 set peer y.y.y.y
crypto map VPNList 10 set transform-set DeCloudOfficeLandCrypt
crypto map VPNList 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map VPNList 20 ipsec-isakmp
crypto map VPNList 20 match address DataWarehouseVPN
crypto map VPNList 20 set pfs group2
crypto map VPNList 20 set peer x.x.x.x
crypto map VPNList 20 set transform-set UKCloudDataWareHouseCrypt
crypto map VPNList 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map VPNList 6000 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNList client authentication vpnauth
crypto map VPNList interface outside
isakmp enable outside
isakmp key dasdsdasdas address <ip-address> netmask 255.255.255.255
isakmp key dasdsadsaddf address <ip-address2> netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 28800
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption des
isakmp policy 60 hash md5
isakmp policy 60 group 2
isakmp policy 60 lifetime 28800
vpngroup UKVPNUSER address-pool UKDialInIP2
vpngroup UKVPNUSER dns-server 192.168.20.3
vpngroup UKVPNUSER wins-server 192.168.20.3
vpngroup UKVPNUSER default-domain corp-thecloud.net
vpngroup UKVPNUSER split-tunnel UKUserAccessVPN2
vpngroup UKVPNUSER idle-time 1800
vpngroup UKVPNUSER password dsadsad
access-list InsideNetNAT permit ip object-group UKCloudOfficePrivate any
access-list UKVPNUSER_splitTunnelAcl permit ip 192.168.20.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 10.5.248.0 255.255.255.128
access-list OutsideACL remark ## Specifies what to allow in from the Internet
access-list OutsideACL permit object-group TunnelProtocols any object-group UKCloudOfficePublic
access-list InsideNetRouting permit ip 192.168.20.0 255.255.255.0 10.5.248.0 255.255.255.128
access-list DeCloudOfficeLandVPN permit ip object-group UKCloudOfficePrivate object-group DeCloudOfficeLandPrivate
access-group OutsideACL in interface outside
global (outside) 1 interface
nat (inside) 0 access-list InsideNetRouting
nat (inside) 1 access-list InsideNetNAT 0 0
access-group OutsideACL in interface outside
And if I try to get connected again I get:
ISAKMP (0): Total payload length: 26
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:public_ip, dest:outside_ip spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for public_ip/500 not found - peers:1
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (2)...
I really don't understand why I get this issue. I tried to change the crypto map priority from 6000 to 1 but it still doesn't work. Thanks for your help.
08-01-2006 05:36 AM
This URL should help you: