Regarding VPN

gopikrish · ‎07-18-2006

HI Guys,

I am configuring site-to-site VPN tunnel

between the pix firewall 506 & VPN Concentrator 3015 (lan-to-lan). The pix is kept behind the DSL modem/Router.The DSL modem is only having public IP

We Dont have any IP we have open the ports UDP -500

UDP - 4500

TCP -10000

ESP protocol 50

Here the beauty is tunnel is established i am able to ping the host behind the pix firewall from VPN Concentrator . but from the PIX network we cant

IN Firewall i am getting

QM-IDLE state

in the COncentrator i am able to see the session and it is transmitting and receiving bytes

The session is up for 30 mins after its got disconnected

I have done everyting but no data traffic from the pix firewall

-----------

I think for lan-to-lan tunnel I have to assign a Dedicate Public ip for the pix outside interface ??

or it is possible to establish a vpn tunnel without any public ip.....

---------

Router is not doing any Natting

But pix outside interface on private ip

Concentrators outside is on public ip

Thanks

Krish

mpalardy · ‎07-18-2006

Hi Krish,

If your tunnel is on the internet, yes both peer must have a public ip (pix outside interface included)

Mike

gopikrish · ‎07-18-2006

hi Mike,

I accept with you but i am able to ping the PC behind

the pix from the VPN Concentrator

From the PC which kept behind the pix firewall

i am able to ping the Concentrators Internal Interface

In Concentrator session status it showing the tunnel is up and it sending and receiving bytes

mpalardy · ‎07-19-2006

mmmmh! interesting...

Could you post your pix config (removing sensitive information). Also a diagram would help my comprehension.

Is it possible there is an over-lapping subnet behind both peers?

Mike

gopikrish · ‎07-20-2006

Hi Mike,

Thankyou for your reply now the tunnel seems to be

working but it was getting disconnected every 30 min

then i have rebooted the pix it start works This same thing happen for 4 times

after i have enabled 'isakmp keepalive 10 2' Then it

starts working but inbetween its getting disconnected

but witin a 3to4 sec the tunnel is up (but this time the tunnel disconnected after 90min if there is no data traffic after when i start pinging its got up)

VPNBOX<------------>Router<----------->Pix<->LocalN/W

PubIP PubIP Private Private Private

IP IP IP

This is the Scenario I have As i told you the Router

is a DSLModem/Router/Firewall it is a Billion one

The Router is Forwading Traffic .

For Terminating Tunnel I have given the public IP of

Router in the VPN box

My problem is i want to make the tunnel up always

any idea?

gopikrish · ‎07-20-2006

Mike No ovelapping subnets

I have changed the ip address

and one more information now i noticed that in the concentrator session status i shows the tunnel was disconnected for a moment (after 1 hour,at the same

i had a remote Desktop session with the pc behind the pix firewall the session is fine!!!!)

I am sitting behind the Concentrator!!!

mpalardy · ‎07-20-2006

Hi Krish, hope you are doing well.

As you've explained, thing are going slight better, right?.

What do yo get on the pix when you do a "show isakmp sa" and a "show ipsec sa" ?

gopikrish · ‎07-20-2006

hi Mike,

Now the status is improved Now the tunnel is up for the last 14hrs

in sh isakmp sa

i am getting QM_IDLE

in sh ipsec sa

no errors its encrypting and Decrypting

and one more question

do i need to increase the threshold value

isakmp keepalive command??

because i have mentioned

isakmp keepalive 10 2

so this command allow the tunnel to become idle for

maximum of 10sec

so i think i have to increase this value to 3600sec

any idea

the firmware is 6.3(1)!!! is there any problem with this version ?

mike thankyou verymuch for your help

thanks

Krishna

mpalardy · ‎07-21-2006

Hi Krish, I've seen you have made some fine-tuning to improve tunnel scalability..

isakmp keepalive 10 2 just send pulse to the remote peer every 10 seconds w/a retry interval of 2 secs.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312

You may adjust these values to a max of 3600/10. Since the parameters 10/2 seem to be working fine I'd personnaly avoid changing this. It's up to you.

Personnaly I'd go with the latest a firmware available on cisco.com. 635 has been available for a while and has a much more stable code than an earlier release such as 631. But this might not be your case.

BTW 631 code is no more available on cisco.com. Experience has told me to avoid all released code ending with x.x(1)

Cisco has made a great amount of improvement with 7.x versions. Features from VPN-3000 code have been added to PIX 7.x code. This might also be an good option to an upgrade, and also check for compatibility w/ your present pix.

Mike

gopikrish · ‎07-22-2006

Hi Mike,

Once again thankyou verymuch for your reply

actually i am configuring pix from the remote end

we are configuring the pix for very less no of people

like 2 -3 .after i spoke to the user i found that he was disconnecting his PC from the pix by removing the cable then the pix got hung .once he reboot the pix it starts working fine .it seems like a bug in

6.3.1

---------------------------

recently we got a message from the user that the tunnel is up .but he was not able to connect any high end applications.mike any idea.....

my pix is 506 .so i can go upto 6.3.5...??

can you send me details like how to upgrade the firmware in pix?? (how to take the backup of Configuration file)

Thanks

Krish

mpalardy · ‎07-24-2006

Hello Krish,

For the user who is able to connect but cannot get into the network, are you able to enable this function: isakmp nat-traversal 20

In order, to perform an upgrade everything is explaned under these URL's:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/overvw.htm#wp1052724

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/upgrade.htm#

HTH

Mike

gopikrish · ‎07-24-2006

Hi mike,

now some new problems arises the user can access all the network but he cant access any one network

which is mentioned in intresting traffic

so i rebooted the pix and everything is ok for 15 min

after the same problem happening

today i have upgraded to 6.3.5 no improvement

my pix is 506

with restricted license

ex:

if the intresting traffic is like

access-list 100 permit ip 10.1.1.0 255.255.255.0 11.1.1.0 255.255.255.0

access-list 100 permit ip 10.1.1.0 255.255.255.0

12.1.1.0 255.255.255.0

access-list 100 permit ip 10.1.1.0 255.255.255.0 13.1.1.0 255.255.255.0

access-list 100 permit ip 10.1.1.0 255.255.255.0

14.1.1.0 255.255.255.0

access-list 100 permit ip 10.1.1.0 255.255.255.0 15.1.1.0 255.255.255.0

the user have access to 5 diff n/w

but he can access all networks at initially (once the pix is rebooted)

but after 15 min he cant access any one of the network whether 14.1.1.0 or 15.1.1.0

if 14.1.1.0 is ok 15.1.1.0 is not accessable

and viceversa

there is no routing issue

i am able to access all the n/w from the concentrator

if 15.1.1.0 is not accessable if i did a traceroute

i am getting reply like

traceroute 15.1.1.54

* * * request timed out

200ms 138ms 140ms 202.56.15.2

252ms 134ms 243ms 15.1.1.54(kaveri.future.com)

i am getting like this

any idea mike thanks for your help

please reply soon

thanks

krish

mpalardy · ‎07-25-2006

Hi Krish, sorry for my late response.

Did you ensure all SA's are matching between VPN peers?

gopikrish · ‎07-25-2006

yes mike i am sure that the sa are matching at both the ends for isakmp the lifetime is 86400

for ipsec 28800

these are the default values i think if the sa are not matching means then the tunnel will not come up

in my case i have 5 diff subnets outof those we can access 3 n/w any time only problem with the two networks if one is accessable other one is not accessable like vice versa

my configuration looklike this

isakmp enable outside

isakmp keepalive 10 2

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

iskamp key ***** address 10.1.1.1 netmask 255.255.255.255

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto map VPN 10 ipsec-isakmp

crypto map VPN 10 match address 100

crypto map VPN 10 set peer 10.1.1.2

crypto map VPN 10 set transform-set myset

crypto map VPN interface outside

IN Concentrator i haven't made any changes for isakmp

and ipsec (default values)some othertunnel are already configured and it is working

-------------------

i am planing to change the configuration on Concentrator

like if pix is getting ip from DHCP

in that case we have to treat the pix as a remote VPN client

in Concentrator Base group option i have to configure that!!!

My Question is if i configured on base group does it affect my other remote VPN tunnel

( Because in Concentrator lot of users are connected they are Configured on Groups)

mike my email ID is gopikrish83@hotmail.com

thanks for your help

krish

pappy1111 · ‎07-27-2006

The situation is that we have the tunnel up, this is always so. We also have communication to 129.191 subnet, and this is always available, it is always active. What does happen is that we lose communication to 129.80 and 10.15.14 subnets, sometimes one and sometimes both. But we never loose communication to 129.191.

So the tunnel is up, and data is being transfered, however there seems to be a limited number of subnets to which data can be transfered without dropping connectivity to another subnet.

Today we tried a continuous ping to 129.80 and 10.15.14, as well as continuous connectivity to 129.191 subnet. When we opened connectivity to another subnet (129.155), 10.15.14 failed, and was restored, but 129.155 failed. Later 129.151 was connected, but 10.15.14 failed continuously.

So it would seem that only 3 subnets are reachable at any time.

Is this explainable?