09-30-2007 10:42 PM
Hi,
I have a PIX firewall with a VPN configured recently. As the tunnel is not up, I have enabled debug crypto isakmp and am able to see the attached messages.
I have confirmed the pre-shared keys on both ends and found them the same.
Please advise on where the problem could be. The other end firewall is not a PIX; it is configured with similar parameters.
Please help on this...
PIX Version 6.3(4)
Pix-506
regards
Rajesh
09-30-2007 11:54 PM
Hi Rajesh
I appreciate that you have checked the keys, but this message is the one seen when the keys do not match.
Could you change the key to something really simple like "test" just to make sure?
Jon
10-01-2007 01:56 AM
10-01-2007 06:42 AM
Rajesh,
If you have already checked the pre-shared keys on both the PIXes, can you type "isakmp identity address" on the PIXes and bring up the tunnel?
I hope it helps.
Regards,
Arul
10-03-2007 12:05 AM
Hi Arul,
Thanks for your reply.
Actually, I have already enabled the command "isakmp identity address".
You may find the config below too.
//user configured ACL
access-list 101 permit ip remote_local_subnet 255.255.255.0 user_local_subnet 255.255.255.0
access-list vpnacl permit ip host user_test_machine_ip remote_local_subnet 255.255.255.0
//ACL for vpn configured by me
access-list vpnacl permit ip remote_local_subnet 255.255.255.0 host user_test_machine_ip
nat (inside) 0 access-list vpnacl
access-group 101 in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpnacl
crypto map outside_map 20 set peer remote_ip
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key key123 address remote_ip netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
I even restarted the firewall on this end after configuring the pre-shared key.
Please let me know some tips...
regards
Rajesh
10-03-2007 12:15 AM
Hi Rajesh
Could you:
1) turn on the following debugging
debug crypto isa
debug crypto ipsec
2) Clear any existing Phase 1 & 2 connections for this VPN.
3) Try and initiate the connection and then post the output of the debug together with firewall config (minus any sensitive info).
Jon
10-03-2007 02:18 AM
10-03-2007 02:34 AM
Rajesh
Could you post the configs of both firewalls, or alternatively, can you check the crypto map access-lists to make sure they agree on the local and remote subnets?
Jon
10-03-2007 02:56 AM
Hi Jon,
Shall I send it to you tomorrow morning at 10am,
since I have to go to the client's place to send it?
regards
Rajesh
10-03-2007 03:36 AM
Hi Rajesh
Yes, that will be fine.
Jon
10-03-2007 06:14 AM
Rajesh,
Based on the debugs, the proxy identities are not matching, meaning the Crypto access-lists are not mirror images of each other.
Make sure that if you have a crypto acl on pix A:
access-list vpnacl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Then Remote Side Pix B:
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
Regards,
Arul
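As an added illustration of the mirror-image rule Arul describes (this is example code written for this thread, not anything from Cisco or from the posters): a small Python script that parses PIX-style crypto ACL entries from both ends, flips the remote side's source/destination, and reports the entries that do not line up. The two config texts are constructed sample input; the ACL name vpnacl is taken from the thread.

```python
import ipaddress
from typing import List, Set, Tuple

# A proxy identity is the (local network, remote network) pair an ACE permits.
Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def _take_endpoint(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one PIX 6.x address spec ("any", "host A.B.C.D", or "A.B.C.D MASK")
    from the front of the token list and return it as a network."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits.
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(config: str, acl_name: str) -> Set[Flow]:
    """Collect the permit entries of the named ACL as (src, dst) network pairs."""
    flows: Set[Flow] = set()
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != acl_name:
            continue
        if tokens[2] != "permit":  # deny entries do not create proxy identities
            continue
        rest = tokens[4:]  # tokens[3] is the protocol (ip), which we do not need
        src, rest = _take_endpoint(rest)
        dst, rest = _take_endpoint(rest)
        flows.add((src, dst))
    return flows


def mirror_check(local_flows: Set[Flow], remote_flows: Set[Flow]) -> Tuple[Set[Flow], Set[Flow]]:
    """Return (local entries with no mirror on the remote, remote entries with no mirror locally).
    Both sets are empty exactly when the two crypto ACLs are mirror images."""
    remote_as_seen_locally = {(dst, src) for src, dst in remote_flows}
    missing_on_remote = local_flows - remote_as_seen_locally
    extra_on_remote = remote_as_seen_locally - local_flows
    return missing_on_remote, extra_on_remote


# Constructed sample configs, not taken from the thread.
PIX_A = """
access-list vpnacl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpnacl permit ip host 10.1.1.50 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

PIX_B_GOOD = """
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnacl permit ip 192.168.2.0 255.255.255.0 host 10.1.1.50
"""

# Same as above, but the second entry uses the whole /24 instead of the single host,
# so the proxy identities no longer match for that flow.
PIX_B_BAD = """
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""


def report(local_cfg: str, remote_cfg: str, acl_name: str = "vpnacl") -> bool:
    """Print the mismatches and return True when the ACLs mirror each other."""
    missing, extra = mirror_check(parse_crypto_acl(local_cfg, acl_name),
                                  parse_crypto_acl(remote_cfg, acl_name))
    for src, dst in sorted(missing, key=str):
        print(f"remote lacks mirror of: {src} -> {dst}")
    for src, dst in sorted(extra, key=str):
        print(f"remote has unmatched:   {dst} -> {src}")
    return not missing and not extra


if __name__ == "__main__":
    print("good peer mirrors:", report(PIX_A, PIX_B_GOOD))
    print("bad peer mirrors: ", report(PIX_A, PIX_B_BAD))
```

The check is deliberately strict: a remote entry that is merely wider than the local one (for example "any" on a peer that has no per-tunnel ACL) is reported as a mismatch rather than accepted as a superset, which is the same disagreement the PIX debug surfaces as non-matching proxy identities.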
10-03-2007 06:17 AM
Hi Arul
Agreed, which is why I wanted to see the configs from both ends to make sure the local and remote networks match.
Jon
10-03-2007 07:07 AM
Got it, Jon. You rock :-)
Let's get this VPN rockin' and rollin' for Rajesh.
Regards,
Arul
10-04-2007 02:11 AM
Hi Jon/Arul,
The scenario is like this. On this end we use a PIX firewall, whereas the other end is another vendor's firewall, where there are no access lists configured for VPN specifically. The remote end firewall is basically GUI based, and I could not see any ACL configuration. I know that both ends should have mirrored ACLs. The remote end already has two VPNs up and running and they want to configure one more. In the access list option I could see only one access-list check-box, which is already checked, and apart from that no options... I think I need to inform the customer to configure the other end himself with a VPN ACL. But the client will ask how the other two VPNs are working without an ACL. Unfortunately I do not have the remote end config. Please find attached the config of this end firewall.
regards
Rajesh P
10-04-2007 02:56 AM
Hi
What was the specific debug message that points to the ACLs not mirroring each other?
Thanks