05-13-2002 08:04 AM - edited 02-21-2020 11:44 AM
I am having trouble getting a PIX to PIX VPN working. It's between a PIX-506 with firmware 6.1(1) and a PIX-506 with firmware 5.1(1). This is what I get when I have debug crypto ipsec and debug crypto isakmp enabled and I try to ping from PIX A to PIX B:
VPN Peer: ISAKMP: Added new peer: ip:65.114.226.162 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:65.114.226.162 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src 65.114.226.162, dest 63.230.113.162
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 65.114.226.162, dest 63.230.113.162
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 27
ISAKMP (0): Total payload length: 31
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 65.114.226.162, dest 63.230.113.162
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1838113416:92709d78
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x97b8112(159088914) for SA
from 65.114.226.162 to 63.230.113.162 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 65.114.226.162, dest 63.230.113.162
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2456853880
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 65.114.226.162, src= 63.230.113.162,
dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 2456853880
ISAKMP (0): processing ID payload. message ID = 2456853880
ISAKMP (0): processing ID payload. message ID = 2456853880
ISAKMP (0): Creating IPSec SAs
inbound SA from 65.114.226.162 to 63.230.113.162 (proxy 192.168.1.0 to 192.168.0.0)
has spi 159088914 and conn_id 4 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
outbound SA from 63.230.113.162 to 65.114.226.162 (proxy 192.168.0.0 to 192.168.1.0)
has spi 1010433820 and conn_id 3 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 63.230.113.162, src= 65.114.226.162,
dest_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x97b8112(159088914), conn_id= 4, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 63.230.113.162, dest= 65.114.226.162,
src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x3c39ff1c(1010433820), conn_id= 3, keysize= 0, flags= 0x4
VPN Peer: IPSEC: Peer ip:65.114.226.162 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:65.114.226.162 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
As far as I can tell everything looks good, but for some reason I get "Request timed out" messages.
Here is the output when I type show crypto ipsec sa:
interface: outside
Crypto map tag: transam, local addr. 63.230.113.162
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 65.114.226.162
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 63.230.113.162, remote crypto endpt.: 65.114.226.162
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 3c39ff1c
inbound esp sas:
spi: 0x97b8112(159088914)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: transam
sa timing: remaining key lifetime (k/sec): (4608000/27276)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3c39ff1c(1010433820)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: transam
sa timing: remaining key lifetime (k/sec): (4607999/27249)
IV size: 8 bytes
replay detection support: Y
As you can see I get a send error; I can't figure out what I am doing wrong.
I used this website to set this up, I didn't deviate except for IP addresses:
http://www.cisco.com/warp/public/110/38.html
Any assistance would be much appreciated.
Thanks,
Chris
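The counters in the show crypto ipsec sa output above already tell the story: packets are encapsulated on the local side but nothing is ever decapsulated, which is the signature of a one-way tunnel (return traffic is not reaching this PIX). The following is an added example, not part of the original post or any Cisco tool, that parses those counter lines from a constructed copy of the PIX 6.x output and flags the asymmetry so it can be spotted at a glance or in a monitoring script.

```python
import re

# Constructed sample: a trimmed copy of the "show crypto ipsec sa" counters
# from the post above (PIX 6.x layout). Only the fields we parse are kept.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: transam, local addr. 63.230.113.162
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 65.114.226.162
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 1, #recv errors 0
"""

# Regexes for the counter lines; the names are ours, not Cisco's.
COUNTER_RE = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors\s*(\d+)"),
}
# "local ident (addr/mask/prot/port): (net/mask/prot/port)"
IDENT_RE = re.compile(r"(local|remote)\s+ident .*?\((\S+?)/(\S+?)/\d+/\d+\)")


def parse_sa(text):
    """Extract packet counters and proxy identities from one SA block."""
    result = {}
    for name, rx in COUNTER_RE.items():
        m = rx.search(text)
        result[name] = int(m.group(1)) if m else None
    for m in IDENT_RE.finditer(text):
        result[m.group(1) + "_ident"] = f"{m.group(2)}/{m.group(3)}"
    return result


def diagnose(sa):
    """Return a list of findings; an empty list means the counters look symmetric."""
    findings = []
    if sa["encaps"] and not sa["decaps"]:
        # We encrypt and send, but never receive anything to decrypt:
        # the far side is not routing replies into the tunnel, or an ACL drops them.
        findings.append("one-way tunnel: encaps > 0 but decaps == 0; "
                        "check routing and ACLs on the remote side")
    if sa["send_errors"]:
        findings.append(f"{sa['send_errors']} send error(s) on the outbound SA")
    if sa["recv_errors"]:
        findings.append(f"{sa['recv_errors']} recv error(s) on the inbound SA")
    if not sa["encaps"] and not sa["decaps"]:
        findings.append("no traffic matched the crypto ACL in either direction")
    return findings


if __name__ == "__main__":
    parsed = parse_sa(SAMPLE_SA_OUTPUT)
    print(parsed)
    for line in diagnose(parsed):
        print("-", line)
```

Run against a live device by pasting the full command output into the string; each SA block parses the same way because the counter labels are identical across interfaces.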
05-20-2002 05:51 AM
Try upgrading your 5.1(1) to 6.1(1).
05-20-2002 06:57 AM
I already tried this and it still doesn't work. I did notice one thing that disturbs me. When I type "show route" I get this entry among others:
inside 192.168.0.0 255.255.255.0 192.168.1.1 1 CONNECT static
192.168.0.0 is the network that I am trying to connect to; I think this route is screwing the routing up. I try to remove the route but it keeps saying "route already exists". Any ideas on how to get rid of this route?
05-23-2002 09:35 AM
I finally figured it out. There was nothing wrong with the VPN configuration; it ended up being a problem with the subnet mask on the internal interface of the remote PIX I was trying to connect to. The interface had a subnet mask of 255.255.252.0, which was causing the PIX to have a static CONNECT route of 192.168.0.0 rather than 192.168.1.0. Because the route was 192.168.0.0 and the internal interface of my PIX was also using a route of 192.168.0.0, the remote PIX wasn't routing anything back through the VPN. So I changed the subnet mask to 255.255.255.0 and everything is working great.
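The root cause above is a routing overlap, not a crypto problem: a /22 mask on the remote inside interface produces a connected route (192.168.0.0/22) that swallows the local LAN (192.168.0.0/24), so the remote PIX delivers replies to its own inside wire instead of the tunnel. The following is an added example, not part of the thread or any Cisco tool, that reproduces that check with Python's ipaddress module: it derives the connected route from an interface address and mask and reports any tunnel-protected remote network it overlaps, first with the broken mask and then with the corrected one.

```python
import ipaddress


def connected_route(iface_ip, iface_mask):
    """Network a router installs as a CONNECT route for an interface address."""
    return ipaddress.ip_network(f"{iface_ip}/{iface_mask}", strict=False)


def tunnel_routing_conflicts(iface_ip, iface_mask, remote_lans):
    """Return (connected_route, remote_lan) pairs that overlap.

    Any overlap means the device believes the far-end LAN is directly attached
    and will never hand return traffic to the IPsec tunnel, which shows up on
    the other side as encaps > 0, decaps == 0 and ping timeouts.
    """
    local_net = connected_route(iface_ip, iface_mask)
    conflicts = []
    for lan in remote_lans:
        remote = ipaddress.ip_network(lan)
        if local_net.overlaps(remote):
            conflicts.append((str(local_net), str(remote)))
    return conflicts


def check_both_sides(side_a, side_b):
    """Check each PIX's inside interface against the other PIX's LAN.

    side_a / side_b are dicts with keys 'ip', 'mask' and 'lan' (the network the
    crypto ACL protects on that side). The key names are this example's own.
    """
    report = {}
    report["A"] = tunnel_routing_conflicts(side_a["ip"], side_a["mask"], [side_b["lan"]])
    report["B"] = tunnel_routing_conflicts(side_b["ip"], side_b["mask"], [side_a["lan"]])
    return report


if __name__ == "__main__":
    # Constructed values modelled on the thread: the remote PIX (B) has the
    # wrong /22 mask on its inside interface, the local PIX (A) is fine.
    pix_a = {"ip": "192.168.0.1", "mask": "255.255.255.0", "lan": "192.168.0.0/24"}
    pix_b_broken = {"ip": "192.168.1.1", "mask": "255.255.252.0", "lan": "192.168.1.0/24"}
    pix_b_fixed = {"ip": "192.168.1.1", "mask": "255.255.255.0", "lan": "192.168.1.0/24"}

    print("before fix:", check_both_sides(pix_a, pix_b_broken))
    print("after fix: ", check_both_sides(pix_a, pix_b_fixed))
```

The same check is worth running whenever a site-to-site tunnel shows one-way counters: compare every connected and static route on each endpoint against the peer's proxy identities, because a more specific or overlapping local route always wins over the crypto map.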
05-29-2002 08:35 PM
I hope by now you have found the answer, but if not, check your ACLs for allowing PING. Set up a CONDUIT to allow all ICMP or something. There is also a command called DEBUG ICMP TRACE that I have found useful for seeing if the ping is at least going out. You may see it gets out to the destination but is not returned. A clue. It could just be a routing issue or someone along the way filtering it.