06-18-2010 01:53 AM
I am playing around with setting up a pix to pix nem vpn link for a client for their voip system. I have a Pix 515E 8.0(3) running as the vpn server and a Pix 506E 6.3(5) as the ezyvpn client. I have tried the basic configuration cisco has on their website and I can't get the laptops I have connected to the inside interfaces to ping each other. I have logged on via asdm and pdm and they both tell me the vpn is connected. My cisco skills are pretty rusty and I need a little help. I have laptops plugged into the inside port of each pix and both outside ports plugged into a switch. Attached are the configs I have loaded into them.
PIX515E - VPN Server
interface Ethernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.22.1.1 255.255.255.0
!
!--- Output Suppressed
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
!--- This access list is used for a nat zero command that prevents
!--- traffic, which matches the access list, so it does
!--- not undergo network address translation (NAT).
access-list no-nat extended permit ip 172.22.1.0 255.255.255.0
!--- This access list is used to define the traffic
!--- that should pass through the tunnel.
!--- It is bound to the group policy, which defines
!--- a dynamic crypto map.
access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
http server enable
http 0.0.0.0 0.0.0.0 inside
no asdm history enable
arp timeout 14400
!--- Specify the NAT configuration.
!--- NAT 0 prevents NAT for the ACL defined in this configuration.
!--- The nat 1 command specifies NAT for all other traffic.
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- A single DES encryption with
!--- the md5 hash algorithm is used.
crypto ipsec transform-set mySET esp-des esp-md5-hmac
!--- This command defines a dynamic crypto map
!--- with the specified encryption settings.
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
!--- This command binds the dynamic map to
!--- the IPsec/ISAKMP process.
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
!--- This command specifies the interface to be used
!--- with the settings defined in this configuration.
crypto map myMAP interface outside
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 1.
!--- Policy 65535 is included in the default
!--- configuration. These configuration commands
!--- define the Phase 1 policies that are used.
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
!--- This defines the group policy you use with Easy VPN.
!--- Specify the networks that should pass through
!--- the tunnel and that you want to
!--- use network extension mode.
group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
!--- The username and password associated with
!--- this VPN connection are defined here. You
!--- can also use AAA for this function.
username user password 1234
!--- The tunnel-group commands bind the configurations
!--- defined in this configuration to the tunnel that is
!--- used for Easy VPN. This tunnel name is the one
!--- specified on the remote side.
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
!--- The pre-shared-key used is "cisco".
pre-shared-key cisco
PIX506E - Pix Ezyvpn Client
interface ethernet0 auto
interface ethernet1 auto
!--- Assign the interface names.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname erky
domain-name phaseshift
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
!--- Assign the interface IP addresses.
ip address outside 10.10.10.2 255.255.255.0
ip address inside 172.22.1.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
!--- Set the standard NAT configuration.
!--- EasyVPN provides the NAT exceptions needed.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!--- Specify the default route.
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
!--- EasyVPN Client Configuration ---!
!--- Specify the IP address of the VPN server.
vpnclient server 10.10.10.1
!--- This example uses network extension mode.
vpnclient mode network-extension-mode
!--- Specify the group name and the pre-shared key.
vpnclient vpngroup mytunnel password cisco
!--- Specify the authentication username and password.
vpnclient username user password 1234
!---- After you issue this command, the tunnel is established.
vpnclient enable
06-18-2010 04:47 AM
The 2 LANs on the client and server sites can't be in the same subnet. They need to be unique subnets, and the nonat ACL and the split tunnel ACL need to be modified accordingly. Currently both LANs are configured in the same 172.22.1.0/24 subnet. Change either the server or the client LAN to some other unique subnet.
The split tunnel ACL (ezvpn1) also needs to be a standard ACL instead of an extended ACL.
To check if the VPN tunnel is actually connected, please share the output of:
show crypto isa sa
show crypto ipsec sa
from the server end after the above changes.
Hope that helps.
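An added example, not from the thread: a Python checker for the three points in this reply (overlapping LANs, the nat 0 and split-tunnel ACLs not covering the remote LAN, and an extended rather than standard split ACL), run over constructed excerpts of both config pairs posted in this thread. It parses the PIX 6.x and 7.x/8.x syntax seen in the posts; the finding strings are the example's own.

```python
"""Sanity checks for a PIX Easy VPN network-extension-mode pair (added example)."""
import ipaddress
import re

# Constructed excerpts modelled on the two config pairs posted in this thread:
# V1 has both LANs in 172.22.1.0/24, V2 moves the client LAN to 172.16.1.0/24.
SERVER_CFG_V1 = """
interface Ethernet0
 nameif outside
 ip address 10.10.10.1 255.255.255.0
interface Ethernet1
 nameif inside
 ip address 172.22.1.1 255.255.255.0
access-list no-nat extended permit ip 172.22.1.0 255.255.255.0
access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
group-policy myGROUP attributes
 split-tunnel-network-list value ezvpn1
"""
CLIENT_CFG_V1 = "nameif ethernet1 inside security100\nip address inside 172.22.1.3 255.255.255.0\n"
SERVER_CFG_V2 = SERVER_CFG_V1.replace(
    "permit ip 172.22.1.0 255.255.255.0",
    "permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0",
)
CLIENT_CFG_V2 = "nameif ethernet1 inside security100\nip address inside 172.16.1.1 255.255.255.0\n"

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# access-list NAME [standard|extended] permit [ip] SRC SMASK [DST DMASK]
ACL_RE = re.compile(
    rf"^access-list\s+(\S+)\s+(?:(standard|extended)\s+)?permit\s+(?:ip\s+)?"
    rf"{IP}\s+{IP}(?:\s+{IP}\s+{IP})?\s*$",
    re.MULTILINE,
)

def inside_subnet(cfg):
    """Network of the 'inside' interface, in PIX 6.x or 7.x/8.x syntax."""
    m = re.search(rf"^ip address inside {IP} {IP}", cfg, re.M)  # PIX 6.x
    if m is None:  # 7.x/8.x: the address sits in the interface block named 'inside'
        m = re.search(rf"^\s*nameif inside\s*$.*?^\s*ip address {IP} {IP}",
                      cfg, re.M | re.S)
    if m is None:
        raise ValueError("no inside interface address found")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def acl_entries(cfg, name):
    """(kind, src_net, dst_net or None) for each 'permit' line of ACL `name`."""
    entries = []
    for m in ACL_RE.finditer(cfg):
        if m.group(1) != name:
            continue
        src = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        dst = None
        if m.group(5):
            dst = ipaddress.ip_network(f"{m.group(5)}/{m.group(6)}", strict=False)
        entries.append((m.group(2), src, dst))
    return entries

def check_nem_pair(server_cfg, client_cfg):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    server_lan = inside_subnet(server_cfg)
    client_lan = inside_subnet(client_cfg)
    if server_lan.overlaps(client_lan):
        findings.append(f"overlap: server LAN {server_lan} vs client LAN {client_lan}")
    nonat = re.search(r"^nat \(inside\) 0 access-list (\S+)", server_cfg, re.M)
    split = re.search(r"^\s*split-tunnel-network-list value (\S+)", server_cfg, re.M)
    for role, m in (("nat 0", nonat), ("split-tunnel", split)):
        if m is None:
            findings.append(f"{role}: no ACL referenced")
            continue
        name = m.group(1)
        entries = acl_entries(server_cfg, name)
        if role == "nat 0":
            # NAT exemption must name both ends: local LAN -> remote LAN.
            ok = any(server_lan.subnet_of(src) and dst is not None
                     and client_lan.subnet_of(dst) for _, src, dst in entries)
        else:
            # The split list only needs the network reached through the tunnel.
            ok = any(server_lan.subnet_of(src) for _, src, _ in entries)
            if any(kind == "extended" for kind, _, _ in entries):
                findings.append(f"split-tunnel: ACL {name} is extended "
                                "(reply recommends a standard ACL)")
        if not ok:
            findings.append(f"{role}: ACL {name} does not cover {server_lan} -> {client_lan}")
    return findings

if __name__ == "__main__":
    for label, srv, cli in (("V1", SERVER_CFG_V1, CLIENT_CFG_V1), ("V2", SERVER_CFG_V2, CLIENT_CFG_V2)):
        print(label, check_nem_pair(srv, cli) or ["ok"])
```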
06-20-2010 10:35 PM
Almost there. I have got them working on the same network but now have issues getting both the server and the client working behind cisco adsl modems. I have tried connecting to the server using the cisco vpn client over the internet and cannot connect to the server. I am pretty sure it is related to port forwarding and tried to set up the server in the dmz but that didn't work. Any suggestions?
06-21-2010 03:35 AM
Not sure how the ADSL is configured; is it forwarding everything to the PIX outside interface? Not sure if the ADSL modem is NATing the packet again, or if it's just forwarding the traffic in bridge mode.
06-21-2010 03:51 PM
The modem isn't in bridge mode.
My setup looks like this:
(clientlaptop)172.16.1.2<-->172.16.1.1(pix506enem)192.168.0.4<-->192.168.0.1(linksys modem)dynamic ip<---->(internetz)
(internetz)<-->150.XXX.XXX.XXX(adsl modem)192.168.0.1<--->192.168.0.3(pix515eserver)172.22.1.1<--->172.22.1.2(otherlaptop)
I have port forwarded on both routers 1701 udp, 4500 udp, 500 udp and 1723 tcp. I also tried putting them both in the dmz but it didn't help much. I have used the vpn client on my laptop from the client network and get a password prompt when I try and connect remotely (that's obviously bypassing the pix506). Both of the linksys routers have vpn passthrough enabled on them. I am fairly sure it's a nat issue as it works when plugged into the same switch. I have attached the configs I am now using.
Pix 515E VPN Server
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.3 255.255.255.0
no shut
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.22.1.1 255.255.255.0
no shut
!
!--- Output Suppressed
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
!--- This access list is used for a nat zero command that prevents
!--- traffic, which matches the access list, so it does
!--- not undergo network address translation (NAT).
access-list no-nat extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!--- This access list is used to define the traffic
!--- that should pass through the tunnel.
!--- It is bound to the group policy, which defines
!--- a dynamic crypto map.
access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
http server enable
http 0.0.0.0 0.0.0.0 inside
no asdm history enable
arp timeout 14400
!--- Specify the NAT configuration.
!--- NAT 0 prevents NAT for the ACL defined in this configuration.
!--- The nat 1 command specifies NAT for all other traffic.
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- A single DES encryption with
!--- the md5 hash algorithm is used.
crypto ipsec transform-set mySET esp-des esp-md5-hmac
!--- This command defines a dynamic crypto map
!--- with the specified encryption settings.
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
!--- This command binds the dynamic map to
!--- the IPsec/ISAKMP process.
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
!--- This command specifies the interface to be used
!--- with the settings defined in this configuration.
crypto map myMAP interface outside
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 1.
!--- Policy 65535 is included in the default
!--- configuration. These configuration commands
!--- define the Phase 1 policies that are used.
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
!--- This defines the group policy you use with Easy VPN.
!--- Specify the networks that should pass through
!--- the tunnel and that you want to
!--- use network extension mode.
group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
!--- The username and password associated with
!--- this VPN connection are defined here. You
!--- can also use AAA for this function.
username user password 1234
!--- The tunnel-group commands bind the configurations
!--- defined in this configuration to the tunnel that is
!--- used for Easy VPN. This tunnel name is the one
!--- specified on the remote side.
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
!--- The pre-shared-key used is "cisco".
pre-shared-key cisco
PIX 506E Vpn Nem Client
interface ethernet0 auto
interface ethernet1 auto
!--- Assign the interface names.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
mtu outside 1500
mtu inside 1500
!--- Assign the interface IP addresses.
ip address outside 192.168.0.4 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
!--- Set the standard NAT configuration.
!--- EasyVPN provides the NAT exceptions needed.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!--- Specify the default route.
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
!--- EasyVPN Client Configuration ---!
!--- Specify the IP address of the VPN server.
vpnclient server 150.XXX.XXX.XXX
!--- This example uses network extension mode.
vpnclient mode network-extension-mode
!--- Specify the group name and the pre-shared key.
vpnclient vpngroup mytunnel password cisco
!--- Specify the authentication username and password.
vpnclient username user password 1234
!---- After you issue this command, the tunnel is established.
vpnclient enable
06-22-2010 03:47 AM
IPSEC uses the following protocols:
1) UDP/500
2) ESP --> this is an IP protocol, not UDP or TCP with port numbers.
Hence, because ESP is a protocol, port forwarding on the modem will not work.
You can enable NAT-T on the headend PIX so the ESP packet is encapsulated in UDP/4500:
crypto isakmp nat-traversal 15
Hope that helps.
06-22-2010 04:03 AM
I have tried crypto isakmp nat-traversal 20 but it didn't seem to work.
06-22-2010 04:05 AM
Please run the following debugs to see where it's actually failing:
debug crypto isa
debug crypto ipsec
Also, while it's trying to connect, please also get the following show output:
show crypto isa sa
show crypto ipsec sa
06-22-2010 06:25 AM
Here is the debug for the client; I can't get to the server until tomorrow.
debug crypto isa
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): DPD: peer not responding!
ISAKMP (0): deleting SA: src 192.168.0.4, dst 150.xxx.xxx.xxx
ISAKMP (0): ID payload
next-payload : 13
type : 11
protocol : 17
port : 0
length : 12
ISAKMP (0:0): Setting UDP ENC peer struct 0xf9e1c4 sa= 0xdfb6e4
ISAKMP (0): Total payload length: 16
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Aggressive Mode exchange
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65001 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65002 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65003 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65004 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65005 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65006 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65007 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65008 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65009 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP: no pre-shared key for 192.168.0.3
ISADB: reaper checking SA 0xf08ef4, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:150.xxx.xxx.xxx/4500 Ref cnt decremented to:1 Total VPN Peers:1IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 150.xxx.xxx.xxx
ISAKMP: Unlocking UDP ENC struct 0xf9e1c4 from isadb_free_isakmp_sa, count 1
ISADB: reaper checking SA 0xdfb6e4, conn_id = 0
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:150.xxx.xxx.xxx, dest:192.168.0.4 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
ISAKMP (0): sending NOTIFY message 36136 protocol 1
debug crypto ipsec
erky# IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 150.xxx.xxx.xxx
06-22-2010 06:43 AM
Based on the debug outputs:
ISAKMP: no pre-shared key for 192.168.0.3
There is no preshared key for 192.168.0.3. You might want to double check if both ends have a preshared key configured (group password configured).
Here is a sample configuration to double confirm the config (it also includes the debug and show commands to check which phase it's breaking at):
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml
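An added example, not from the thread, that does this reading of the debug mechanically: a Python summariser for PIX `debug crypto isa` output, run over constructed excerpts of the two captures posted above. It records which ISAKMP policy accepted the proposal, whether the client offered NAT-T (the UDP/4500 encapsulation from the earlier reply), how DPD fared, and the peer identity for which the pre-shared key lookup failed, so that identity can be compared with the address the client was pointed at.

```python
"""Summarise PIX 'debug crypto isa' output to locate where IKE phase 1 fails (added example)."""
import re

# Constructed excerpts of the two captures posted in this thread: the failing run
# through the ADSL modems and the working run with both PIXes on one switch.
FAILING_DEBUG = """\
ISAKMP (0): DPD: peer not responding!
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Aggressive Mode exchange
ISAKMP (0): Checking ISAKMP transform 9 against priority 65001 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 9 against priority 65009 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP: no pre-shared key for 192.168.0.3
ISAKMP: malformed payload
"""
WORKING_DEBUG = """\
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|default group) (\S+)")
PSK_RE = re.compile(r"no pre-shared key for (\S+)")
DPD_ACK_RE = re.compile(r"received DPD_R_U_THERE_ACK from peer (\S+)")

def summarize_isakmp_debug(text):
    """Walk the debug line by line and return a dict describing phase 1."""
    s = {
        "mode": None,             # aggressive (Easy VPN group auth) or main
        "nat_t_offered": False,   # NAT-T vendor ID sent: ESP can go inside UDP/4500
        "proposal": {},           # attributes the peer offered
        "rejected_policies": [],  # local ISAKMP policies that did not match
        "matched_policy": None,   # the policy that accepted the proposal
        "psk_missing_for": [],    # peer identities with no pre-shared key configured
        "dpd_timeouts": 0, "dpd_acks": 0, "malformed": 0,
    }
    current = None  # policy priority currently being compared against the proposal
    for raw in text.splitlines():
        line = raw.strip()
        m = CHECK_RE.search(line)
        if m:
            current = int(m.group(1))
            continue
        m = ATTR_RE.match(line)
        if m:
            key = "group" if m.group(1) == "default group" else m.group(1)
            s["proposal"][key] = m.group(2)
            continue
        m = PSK_RE.search(line)
        if m:
            s["psk_missing_for"].append(m.group(1))
            continue
        if DPD_ACK_RE.search(line):
            s["dpd_acks"] += 1
        elif "atts are not acceptable" in line:
            s["rejected_policies"].append(current)
        elif "atts are acceptable" in line:
            s["matched_policy"] = current
        elif "beginning Aggressive Mode" in line:
            s["mode"] = "aggressive"
        elif "sending NAT-T vendor ID" in line:
            s["nat_t_offered"] = True
        elif "DPD: peer not responding" in line:
            s["dpd_timeouts"] += 1
        elif "malformed payload" in line:
            s["malformed"] += 1
    s["verdict"] = verdict(s)
    return s

def verdict(s):
    """One-line reading, in the order a troubleshooter would check."""
    if s["psk_missing_for"]:
        ids = ", ".join(sorted(set(s["psk_missing_for"])))
        return f"phase 1 failed: no pre-shared key for peer identity {ids}"
    if s["matched_policy"] is None and s["rejected_policies"]:
        return "phase 1 failed: no ISAKMP policy accepted the peer's proposal"
    if s["dpd_acks"]:
        return "phase 1 up: peer answering dead peer detection"
    if s["dpd_timeouts"]:
        return "phase 1 SA dropped: peer not answering dead peer detection"
    return "inconclusive: capture the exchange on both peers"

if __name__ == "__main__":
    for name, capture in (("failing", FAILING_DEBUG), ("working", WORKING_DEBUG)):
        print(name, summarize_isakmp_debug(capture)["verdict"])
```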
06-22-2010 09:29 PM
After plugging them both into the same switch and issuing "vpnclient server 192.168.0.3" on the 506E they work fine, so that would rule out the issue of having the wrong shared key. I have attached the debug from the 506E whilst they are set up through the switch and have the vpn client server changed.
sh crypto ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, local addr. 192.168.0.4
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
current_peer: 192.168.0.3:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.0.4, remote crypto endpt.: 192.168.0.3
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: c7f300af
inbound esp sas:
spi: 0xc5485093(3309850771)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: _vpnc_cm
<--- More --->
sa timing: remaining key lifetime (k/sec): (4607999/28768)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xc7f300af(3354591407)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: _vpnc_cm
sa timing: remaining key lifetime (k/sec): (4607999/28768)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
<--- More --->
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.0.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.0.3/255.255.255.255/0/0)
current_peer: 192.168.0.3:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.0.4, remote crypto endpt.: 192.168.0.3
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: ded6362b
inbound esp sas:
spi: 0x41f75ada(1106729690)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: _vpnc_cm
sa timing: remaining key lifetime (k/sec): (4608000/28750)
<--- More --->
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xded6362b(3738580523)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: _vpnc_cm
sa timing: remaining key lifetime (k/sec): (4608000/28741)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
<--- More --->
local ident (addr/mask/prot/port): (192.168.0.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
current_peer: 192.168.0.3:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.0.4, remote crypto endpt.: 192.168.0.3
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 99770485
inbound esp sas:
spi: 0xcd35a70c(3442845452)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: _vpnc_cm
sa timing: remaining key lifetime (k/sec): (4608000/28719)
IV size: 8 bytes
<--- More --->
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x99770485(2574713989)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: _vpnc_cm
sa timing: remaining key lifetime (k/sec): (4608000/28719)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
<--- More --->
erky(config)# debug crypto isa
erky(config)#
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 3276157040
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP: Deleting peer node for 150.xxx.xxx.xxx
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 1157973989
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 2549749615
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 2612143680
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 1405545498
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 971900628
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.3, dest:192.168.0.4 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 4059649852n
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.3
06-23-2010 05:53 AM
Great, looks like it's working now.
Traffic is being encrypted and decrypted between 172.16.1.0/24 subnet and 172.22.1.0/24 subnet.
07-05-2010 08:54 PM
All fixed now; the initial ping problem was due to not having the routes set up properly on the local networks. I bypassed the adsl/nat issue by setting up the 515 as a pppoe client and putting the adsl modem in bridge mode. Thanks everyone for your help.