Re: Site to Site and user to site VPN configuration.

kbozung · ‎01-05-2005

Hello,

I have a customer that needs to have the ability for remote users to access the network as well as setup a site to site VPN. I have a configuration that is nearly complete however I'm only able to have one of the two setups active at any one given time because of the following command:

crypto map user2site interface outside

Has anybody done this or have any tips? Thanks! See config below:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ******** encrypted

passwd ******** encrypted

hostname CA-PIX

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl_in permit icmp any anyaccess-list user2site permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list site2site permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0

pager lines 24

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 64.***.***.34 255.255.255.248

ip address inside 192.168.17.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN 172.16.1.1-172.16.1.100

pdm location 192.168.17.0 255.255.255.255 inside

pdm location 192.168.17.60 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list user2site

nat (inside) 2 access-list site2site 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 64.***.***.35 192.168.17.60 netmask 255.255.255.255 0 0

static (inside,outside) 64.***.***.36 192.168.17.61 netmask 255.255.255.255 0 0

access-group acl_in in interface outside

route outside 0.0.0.0 0.0.0.0 64.***.***.33 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.17.0 255.255.255.0 inside

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set CAtransform esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 10 set transform-set CAtransform

crypto map user2site 10 ipsec-isakmp dynamic dynmap

crypto map user2site interface outside

crypto map toMiami 20 ipsec-isakmp

crypto map toMiami 20 match address site2site

crypto map toMiami 20 set peer 65.***.***.127

crypto map toMiami 20 set transform-set CAtransform

isakmp enable outside

isakmp key caFL-MI address 65.***.***.127 netmask 255.255.255.255

isakmp identity address

isakmp keepalive 10

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpngroup PIX501 address-pool VPN

vpngroup PIX501 dns-server 192.168.17.60

vpngroup PIX501 wins-server 192.168.17.60

vpngroup PIX501 split-tunnel user2site

vpngroup PIX501 idle-time 1800

vpngroup PIX501 password ********

telnet 192.168.17.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

terminal width 80

Patrick Iseli · ‎01-05-2005

Use the same crypto map name for both and it will work.

sincerely

Patrick

Patrick Iseli · ‎01-05-2005

See example of my other post:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd710ac

kbozung · ‎01-06-2005

Patrick,

Thank you for your help. I think it's really close now. I'm merged your recommendations with my configuration. PIX takes everything without any problems. For some reason I'm unable to connect from my Cisco VPN client now. The reason from the log is "reason = DEL_REASON_IKE_NEG_FAILED."

See config below:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ******** encrypted

passwd ******** encrypted

hostname CA-PIX

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl_in permit icmp any any

access-list VPN permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list VPN permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0

access-list user2site permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list site2site permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0

pager lines 24

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 68.***.***.52 255.255.255.248

ip address inside 192.168.17.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN 172.16.1.1-172.16.1.100

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list VPN

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 64.***.***.35 192.168.17.60 netmask 255.255.255.255 0 0

static (inside,outside) 64.***.***.36 192.168.17.61 netmask 255.255.255.255 0 0

access-group acl_in in interface outside

route outside 0.0.0.0 0.0.0.0 64.136.239.33 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set CAtransform esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 20 match address user2site

crypto dynamic-map dynmap 20 set transform-set CAtransform

crypto map VPN 20 ipsec-isakmp dynamic dynmap

crypto map VPN interface outside

crypto map VPN 10 ipsec-isakmp

crypto map VPN 10 match address site2site

crypto map VPN 10 set peer 65.***.***.127

crypto map VPN 10 set transform-set CAtransform

isakmp enable outside

isakmp key ******** address 65.***.***.127 netmask 255.255.255.255

isakmp identity address

isakmp keepalive 10

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup PIX501 address-pool VPN

vpngroup PIX501 dns-server 192.168.17.60

vpngroup PIX501 wins-server 192.168.17.60

vpngroup PIX501 split-tunnel user2site

vpngroup PIX501 idle-time 1800

vpngroup PIX501 password ********

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

terminal width 80

I've tried using using crypto map VPN 65535... as in your example also.

Patrick Iseli · ‎01-06-2005

Add:

crypto map VPN 65535 ipsec-isakmp dynamic dynmap

crypto map VPN client authentication LOCAL

Add a local username and password for the authentication:

username vpnclient password vpnclient-password

You may have to reset the Security Assiciation with:

conf t

clear isakmp sa

clear ipsec sa

Take care that resets also the VPN site 2 Site !!!!

Not a good idea in production time.

sincerely

Patrick

kbozung · ‎01-06-2005

Thanks again. That didn't seem to make a difference. It does cause a username and password prompt to appear from the VPN client but still disconnects. See log file below:

236 15:33:48.228 01/06/05 Sev=Info/4 CM/0x63100002

Begin connection process

237 15:33:48.238 01/06/05 Sev=Info/4 CM/0x63100004

Establish secure connection using Ethernet

238 15:33:48.238 01/06/05 Sev=Info/4 CM/0x63100024

Attempt connection with server "68.***.***.52"

239 15:33:48.268 01/06/05 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 68.***.***.52

240 15:33:48.308 01/06/05 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

241 15:33:48.308 01/06/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

242 15:33:48.619 01/06/05 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 68.***.***.52

243 15:33:48.629 01/06/05 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 68.***.***.52

244 15:33:48.629 01/06/05 Sev=Info/4 IKE/0x63000082

IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194

245 15:33:48.629 01/06/05 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

246 15:33:48.629 01/06/05 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 68.***.***.52

247 15:33:48.629 01/06/05 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 68.***.***.52

248 15:33:48.629 01/06/05 Sev=Info/4 CM/0x63100015

Launch xAuth application

249 15:33:51.283 01/06/05 Sev=Info/4 CM/0x63100017

xAuth application returned

250 15:33:51.283 01/06/05 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 68.***.***.52

251 15:33:51.283 01/06/05 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 68.***.***.52

252 15:33:51.283 01/06/05 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 68.***.***.52

253 15:33:51.293 01/06/05 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=D6A443ED34B09EC5 R_Cookie=8D058AAA56DE67DF) reason = DEL_REASON_WE_FAILED_AUTH

254 15:33:51.293 01/06/05 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 68.***.***.52

255 15:33:51.844 01/06/05 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=D6A443ED34B09EC5 R_Cookie=8D058AAA56DE67DF) reason = DEL_REASON_WE_FAILED_AUTH

256 15:33:51.844 01/06/05 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "68.***.***.52" because of "DEL_REASON_WE_FAILED_AUTH"

257 15:33:51.864 01/06/05 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

258 15:33:52.344 01/06/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

259 15:33:52.344 01/06/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

260 15:33:52.344 01/06/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

261 15:33:52.344 01/06/05 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Patrick Iseli · ‎01-06-2005

A login promt appears that means that the policy negotiation was ok and the first preshared key was accepted.

Looks like authentication your local user authentication failed ! Try to add again a new VPN client profile, reenter the VPN Preshared key

from your VPN group and use the username and password that you defined localy on the PIX.

I suggest you to use the debug commands on the PIX if possible as this gives a much more usefull output.

But take care because this gives a lof of output on the PIX console but that should not crash the PIX !

debug isakmp sa

debug ipsec sa

sincerely

Patrick

Patrick Iseli · ‎01-06-2005

Your config looks good the only thing that is not correct is the Split Tunnel Access-list.

access-list SplitTunnelACL permit ip vpnpool-net 255.255.255.0 any

vpngroup VPNGroup split-tunnel SplitTunnelACL

I personaly have no example for AES with sha and I never have tryed that is use usually 3DES, Md5 with DH Group 2.

sincerely

Patrick

carlogon · ‎01-13-2005

looking at your initial configuration , you have to cryptomaps names, but you only have one crypto apply

to the interfcace , you need to use the same crytpo only with different policies

crypto ipsec transform-set CAtransform esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 10 set transform-set CAtransform

crypto map user2site 10 ipsec-isakmp dynamic dynmap

crypto map user2site interface outside

crypto map toMiami 20 ipsec-isakmp

crypto map toMiami 20 match address site2site

crypto map toMiami 20 set peer 65.***.***.127

crypto map toMiami 20 set transform-set CAtransform

this crypto is not apply to the interface

you need something like this

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

!--- Use the crypto-map sequence 10 command for PIX to PIX.

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

crypto map mymap 10 set peer 209.165.202.129

crypto map mymap 10 set transform-set myset

!--- Use the crypto-map sequence 20 command for PIX to VPN Client.

crypto map mymap 20 ipsec-isakmp dynamic dynmap

crypto map mymap client authentication mytacacs

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address 209.165.202.129 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

!--- ISAKMP policy for VPN Client running 3.x code needs to be DH group 2.

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

!--- IPSec group configuration for VPN Client.

vpngroup vpn3000 address-pool mypool

vpngroup vpn3000 dns-server 10.48.66.129

vpngroup vpn3000 wins-server 10.48.66.129

vpngroup vpn3000 default-domain cisco.com

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

hope this helps

more info at

http://www.cisco.com/warp/public/110/37.html