Site-to-Site VPN problem

niro
Level 1

I'm having a problem with a site-to-site VPN. I'm attaching the basic diagram (public IPs excluded).

I'm trying to set up a LAN-to-LAN tunnel between the two PIX firewalls, and the only way I can get communication going between the two sites is if I initiate traffic from both sites at the same time (before the tunnel times out)... once that's done, as long as I have traffic going across it's fine, but if I stop sending traffic I have to recreate the tunnel by re-initiating traffic from both sites. I'm guessing it's a problem with the edge routers... on the London side I'm getting this error (note this router is only supposed to forward traffic to the PIX; no tunnel is supposed to be created on this router):

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=*.*.*.*, prot=50, spi=0x354F6836(894396470), srcaddr=*.*.*.*

Here are the relevant configs:

London Router:

ip nat inside source static tcp 172.16.70.100 500 *.*.*.* 500 extendable

Europe Router:

ip nat inside source static udp 172.16.71.100 500 *.*.*.* 500 extendable

London PIX 6.3:

nat (inside) 0 access-list 101
access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list london permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set london esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map hongkongvpn 5 ipsec-isakmp
crypto map hongkongvpn 5 match address hk
crypto map hongkongvpn 5 set peer ***public ip of europe router***
crypto map hongkongvpn 5 set transform-set london
crypto map hongkongvpn 5 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map hongkongvpn interface outside
isakmp enable outside
isakmp key ******** address ***** netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

Europe PIX 7.0:

nat (inside) 0 access-list london-nat
access-list london-nat extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
crypto ipsec transform-set RTS esp-3des esp-sha-hmac
crypto ipsec transform-set london esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map RTS 1 set peer ******
crypto map RTS 1 set transform-set RTS
crypto map RTS 1 set security-association lifetime seconds 28800
crypto map vpntunnel 21 match address 101
crypto map vpntunnel 21 set peer ***public ip of london router****
crypto map vpntunnel 21 set transform-set london
crypto map vpntunnel 21 set security-association lifetime seconds 28800
crypto map vpntunnel interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
tunnel-group RTS type ipsec-l2l
tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
pre-shared-key *
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *

Any help would be appreciated!
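As an added illustration (not part of the original post), here is a small Python checker that parses the crypto-relevant PIX lines quoted above and cross-checks each crypto map against the peer: the referenced ACL must exist, every ACE must have a mirrored ACE in the peer's crypto ACL, and the transform-set must match a proposal the peer's crypto map offers. It assumes the configs are pasted as plain text; peers, interface bindings and lifetimes are not checked.

```python
import re
# Constructed sample: the crypto-relevant lines of the two PIX configs from the post
# (masked peer addresses and keys omitted; interface bindings and lifetimes are not checked).
LONDON_PIX = """
access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list london permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
crypto ipsec transform-set london esp-3des esp-md5-hmac
crypto map hongkongvpn 5 match address hk
crypto map hongkongvpn 5 set transform-set london
"""
EUROPE_PIX = """
access-list 101 extended permit ip 192.168.71.0 255.255.255.0 192.168.70.0 255.255.255.0
crypto ipsec transform-set london esp-3des esp-md5-hmac
crypto map vpntunnel 21 match address 101
crypto map vpntunnel 21 set transform-set london
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set transform-set) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

def parse(cfg):
    """Collect crypto ACL entries, crypto map entries and transform-set proposals."""
    acls, maps, tsets = {}, {}, {}
    for line in cfg.strip().splitlines():
        if m := ACL_RE.match(line):              # (src, src_mask, dst, dst_mask)
            acls.setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := MAP_RE.match(line):
            maps.setdefault((m[1], int(m[2])), {})["acl" if m[3] == "match address" else "ts"] = m[4]
        elif m := TS_RE.match(line):
            tsets[m[1]] = frozenset(m[2].split())
    return acls, maps, tsets

def check_side(local_cfg, remote_cfg):
    """Findings for local_cfg's crypto maps; the peer's crypto ACLs and proposals come from remote_cfg."""
    acls, maps, tsets = parse(local_cfg)
    r_acls, r_maps, r_tsets = parse(remote_cfg)
    r_aces = {ace for e in r_maps.values() for ace in r_acls.get(e.get("acl"), [])}
    r_props = {r_tsets[e["ts"]] for e in r_maps.values() if e.get("ts") in r_tsets}
    findings = []
    for (name, seq), e in maps.items():
        if e.get("acl") not in acls:
            findings.append(f"crypto map {name} {seq}: ACL '{e.get('acl')}' is not defined")
        else:  # each local ACE needs a reversed twin on the peer, or the phase 2 proxy IDs will not agree
            for src, smask, dst, dmask in acls[e["acl"]]:
                if (dst, dmask, src, smask) not in r_aces:
                    findings.append(f"crypto map {name} {seq}: peer has no mirror ACE for {src}->{dst}")
        if tsets.get(e.get("ts")) not in r_props:
            findings.append(f"crypto map {name} {seq}: transform-set '{e.get('ts')}' has no matching peer proposal")
    return findings
```

Run against the two sides as pasted, the London side reports that crypto map hongkongvpn 5 references ACL 'hk', which is not defined, and the Europe side consequently finds no mirrored ACE on its peer.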

1 Reply

niro
Level 1

Forgot to attach the diagram...