pix site to site tunnel issues

darron
Level 1

We have configured an IPSec tunnel between two PIX 501 firewalls at different locations over a PTP Ethernet connection. PIX-1's outside interface is 172.16.92.20 and PIX-2's outside interface is X.X.X.106. The error I am getting from debug isakmp on PIX-1:

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 172.16.92.20, remote= X.X.X.106,
    local_proxy= 192.168.251.200/255.255.255.248/0/0 (type=4),
    remote_proxy= 192.168.251.12/255.255.255.252/0/0 (type=4)

ISAKMP (0): deleting SA: src 172.16.92.20, dst X.X.X.106
ISADB: reaper checking SA 0xad73dc, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for X.X.X.106/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 172.16.92.20, remote= X.X.X.106,
    local_proxy= 192.168.251.200/255.255.255.248/0/0 (type=4),
    remote_proxy= 192.168.251.12/255.255.255.252/0/0 (type=4)

Both PIXes are able to ping each other.

10 Replies

deibertmark
Community Member

172.16.254.254

I don't understand your reply? Please clarify.

waqas0612147
Level 1

Can you share the configuration for both PIXes?

All,

I have attached the configurations for both PIXes.

Can you share output of "show ver" command?

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

FW1 up 6 days 16 hours

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0011.211c.XXXX, irq 9
1: ethernet1: address is 0011.211c.XXXX, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                50
Throughput:                  Unlimited
IKE peers:                   10

Hi Darron,

How is PIX-1 (172.16.92.20) connected with the other PIX? Are you doing static NAT for 172.16.92.20 (it being a private IP)? If so, can you ensure that NAT-T is enabled on both firewalls? As I can see in the logs, 172.16.92.20 is not able to connect with X.X.X.106/500 (port 500). This happens when there is NAT in between these two firewalls.

Hello Darron,

You have a problem with IKE phase 1; try this configuration on both sides:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

HTH

kazim
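What the debug above shows is phase 1 never getting past message 1: PIX-1 sends its Main Mode proposal five times, hears nothing, and reaps the SA. The script below is an added example (not from this thread and not Cisco's code) that reproduces that first exchange from a workstation: it builds IKEv1 Main Mode message 1 carrying exactly the policy kazim suggested (AES-128, SHA-1, pre-shared key, DH group 2, 86400 s), sends it to UDP/500 on the peer, and tells apart the three outcomes a practitioner cares about here: silence (reachability, NAT, ISAKMP not enabled on that interface), a Main Mode reply (the peer is listening and accepted the proposal), and an informational NO-PROPOSAL-CHOSEN notify (the peer is listening but its policy does not match). Payload layouts follow RFC 2408 and RFC 2409 Appendix A; whether a given responder answers a rejected proposal with a notify at all is implementation-dependent, so that branch is an assumption. The peer address, the port-500 bind and the sample replies are constructed for the demo.

```python
"""IKEv1 Main Mode message 1 probe. Added example; not from the thread.
Encodings follow RFC 2408 (ISAKMP) and RFC 2409 Appendix A (IKE attributes)."""
import os
import socket
import struct
import sys

# ISAKMP header: init cookie, resp cookie, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_SA, PAYLOAD_NOTIFY = 1, 11
XCHG_MAIN_MODE, XCHG_INFORMATIONAL = 2, 5
NO_PROPOSAL_CHOSEN = 14          # notify type a responder may return when no policy matches


def _attr_tv(atype, value):
    # "basic" attribute: high bit set, 16-bit value inline
    return struct.pack("!HH", 0x8000 | atype, value)


def _attr_tlv(atype, value):
    # "variable" attribute: explicit length, needed for lifetimes above 65535
    return struct.pack("!HH", atype, len(value)) + value


def build_sa_payload():
    """SA payload with one proposal and one transform: the isakmp policy 10 from the thread."""
    attrs = b"".join([
        _attr_tv(1, 7),      # encryption algorithm: AES-CBC
        _attr_tv(14, 128),   # key length 128 (required alongside AES)
        _attr_tv(2, 2),      # hash: SHA-1
        _attr_tv(3, 1),      # authentication: pre-shared key
        _attr_tv(4, 2),      # DH group 2 (1024-bit MODP)
        _attr_tv(11, 1),     # life type: seconds
        _attr_tlv(12, struct.pack("!I", 86400)),  # life duration: 86400 s
    ])
    transform = struct.pack("!BBBB", 1, 1, 0, 0) + attrs     # transform 1, KEY_IKE, reserved
    transform = struct.pack("!BBH", 0, 0, 4 + len(transform)) + transform
    proposal = struct.pack("!BBBB", 1, 1, 0, 1) + transform  # proposal 1, proto ISAKMP, SPI size 0, 1 transform
    proposal = struct.pack("!BBH", 0, 0, 4 + len(proposal)) + proposal
    sa = struct.pack("!II", 1, 1) + proposal                 # DOI IPsec, SIT_IDENTITY_ONLY
    return struct.pack("!BBH", 0, 0, 4 + len(sa)) + sa


def build_mm1(icookie):
    """Main Mode message 1: header with a zero responder cookie, then the SA payload."""
    sa = build_sa_payload()
    hdr = ISAKMP_HDR.pack(icookie, b"\0" * 8, PAYLOAD_SA, 0x10,
                          XCHG_MAIN_MODE, 0, 0, ISAKMP_HDR.size + len(sa))
    return hdr + sa


def classify_reply(reply, icookie):
    """Map the datagram received after MM1 (None on timeout) to a short verdict."""
    if reply is None:
        return "no-response"          # what PIX-1 sees: retransmit x5, then the SA is deleted
    if len(reply) < ISAKMP_HDR.size:
        return "malformed"
    ic, _rc, nxt, _ver, xchg, _flags, _msgid, _length = ISAKMP_HDR.unpack_from(reply)
    if ic != icookie:
        return "cookie-mismatch"
    if xchg == XCHG_MAIN_MODE and nxt == PAYLOAD_SA:
        return "sa-accepted"          # responder chose our transform; phase 1 can proceed
    if xchg == XCHG_INFORMATIONAL and nxt == PAYLOAD_NOTIFY:
        # notify payload: generic hdr(4) DOI(4) proto(1) spi_size(1) msg_type(2)
        off = ISAKMP_HDR.size
        if len(reply) >= off + 12:
            msg_type = struct.unpack_from("!H", reply, off + 10)[0]
            return "no-proposal-chosen" if msg_type == NO_PROPOSAL_CHOSEN else "notify-%d" % msg_type
    return "unexpected-exchange-%d" % xchg


def constructed_replies(icookie, rcookie=b"\x02" * 8):
    """Constructed sample datagrams (not captures) so classify_reply can be exercised offline."""
    sa = build_sa_payload()
    mm2 = ISAKMP_HDR.pack(icookie, rcookie, PAYLOAD_SA, 0x10, XCHG_MAIN_MODE,
                          0, 0, ISAKMP_HDR.size + len(sa)) + sa
    notify = struct.pack("!BBH", 0, 0, 12) + struct.pack("!IBBH", 1, 1, 0, NO_PROPOSAL_CHOSEN)
    info = ISAKMP_HDR.pack(icookie, rcookie, PAYLOAD_NOTIFY, 0x10, XCHG_INFORMATIONAL,
                           0, 0, ISAKMP_HDR.size + len(notify)) + notify
    return {"mm2": mm2, "no_proposal": info}


def probe(peer, timeout=5.0):
    """Send MM1 to peer:500 from local port 500 (needs privilege; many peers drop other source ports)."""
    icookie = os.urandom(8)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("", 500))
        sock.sendto(build_mm1(icookie), (peer, 500))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    finally:
        sock.close()
    return classify_reply(reply, icookie)


if __name__ == "__main__":
    print(probe(sys.argv[1]))   # e.g. python3 ike_probe.py X.X.X.106 (assumed file name)
```

Run it from a host on the same side of any NAT as PIX-1. "no-response" from there, while the PIX itself can ping X.X.X.106, points at UDP/500 being dropped or translated on the path or at ISAKMP not being enabled on PIX-2's outside interface; "sa-accepted" or "no-proposal-chosen" proves the peer is listening and moves the investigation to policy and pre-shared key instead.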

Made these changes to both sides. No luck so far...

I think your PIX 1 is behind NAT, so make sure you have properly configured the device that is doing the NAT in front of PIX 1.


ip nat inside source static udp x.x.x.x 4500 interface FastEthernet1/1 4500 (for pat)
ip nat inside source static udp x.x.x.x 500 interface FastEthernet1/1 500     (isakmp)


HTH