VPN pix 515e to 3005 concentrator cant get pass phase1

bob
Level 1

My access list vpn is increasing so I know that's correct. I'm currently testing this with ping. Debug and configurations follow. Attempting to connect remote location via VPN with DES. Thanks to anyone who can assist. It's failing at phase one, which to me means a configuration mess-up, but I can't find a mismatch? Maybe I've been looking at this too long.

Pix515e config:

----------------

crypto ipsec transform-set aptset esp-des esp-md5-hmac

crypto map aptmap 10 ipsec-isakmp

crypto map aptmap 10 match address vpn

crypto map aptmap 10 set peer yyy.xxx.xxx.131

crypto map aptmap 10 set transform-set aptset

crypto map aptmap interface outside

isakmp enable outside

isakmp key ******** address yyy.xxx.xxx.131 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Debugs ipsec, isakmp, ca

-------------------------

VPN Peer: ISAKMP: Added new peer: ip:yyy.xxx.xxx.131 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt incremented to:1 Total VPN Peers:1

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 1...

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= zzz.xxx.xxx.226, remote= yyy.xxx.xxx.131,

local_proxy= 192.168.33.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.65.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src zzz.xxx.xxx.226, dst yyy.xxx.xxx.131

ISADB: reaper checking SA 0x81377ad8, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt decremented to:0 Total VPN Peers:1

VPN Peer: ISAKMP: Deleted peer: ip:yyy.xxx.xxx.131 Total VPN peers:0

results of "show crypto isakmp sa"

-----------------------------------

Total : 1

Embryonic : 1

dst src state pending created

yyy.xxx.xxx.131 zzz.xxx.xxx.226 MM_NO_STATE 0 0

Error msgs on the 3005 concentrator

------------------------------------

57 07/01/2004 11:14:47.640 SEV=4 IKE/48 RPT=23 yyy.xxx.xxx.226

Error processing payload: Payload ID: 1

58 07/01/2004 11:15:02.770 SEV=4 IKE/48 RPT=24 yyy.xxx.xxx.226

Error processing payload: Payload ID: 1

3005 concentrator settings from Lan-To-Lan page

-----------------------

Enabled

External Interface

Answer-Only

Peer yyy.xxx.xxx.226

Digital cert:None (use preshared keys)

Cert Transmission: (Entire certification chain)

Preshared Key: {same as on pix}

Auth: esp/md5/hmac-128

encryption: des-56

ike proposal: IKE-DES-MD5

Filter: none

IPSec NAT-T not checked

No bandwidth policy

routing: none

4 Replies

ehirsel
Level 6

I noted that you have a lifetime and a pfs group configured on the pix. The pfs group is 2, which I think will not work with des - though I am not positive, as I have only used it with 3des. DH group 1 should work with single des.

At any rate, double-check the vpn 3000 config to see if a group and a lifetime were specified on its config. If not, or if you cannot be sure, then remove both from the pix and run the clear cry sa command on the pix. Then retry and let me know what you find.
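The mismatch check suggested above, as an added example that is not from the thread or either Cisco device: it parses the pix "isakmp policy 10" lines from the original post and the transform the concentrator offers (the "ISAKMP:" attribute lines printed in the later debug), decodes the variable-length VPI lifetime bytes, and lists every phase-1 attribute that differs. The mapping of debug wording onto policy keywords is my own assumption.

```python
import re

# Constructed from the thread's pix config (isakmp policy 10).
PIX_POLICY_CONFIG = """isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400"""
# Constructed from the thread's later debug: the transform the concentrator offered.
PEER_TRANSFORM_DEBUG = """ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80"""

def parse_pix_policy(text, priority):
    """Return {attribute: value} for one 'isakmp policy <priority>' block."""
    pol = {}
    for key, val in re.findall(rf"^isakmp policy {priority} (\S+) (\S+)", text, re.M):
        pol[key] = int(val) if key in ("group", "lifetime") else val.lower()
    return pol

def decode_vpi(body):
    """'0x0 0x1 0x51 0x80' is a big-endian variable-length integer: 0x00015180 = 86400."""
    raw = bytes(int(b, 16) for b in re.findall(r"0x[0-9a-fA-F]+", body))
    return int.from_bytes(raw, "big")

def parse_peer_transform(text):
    """Map the PIX 'ISAKMP:' attribute debug lines onto the policy vocabulary (assumed mapping)."""
    pol = {}
    for line in text.splitlines():
        body = line.strip().split(": ", 1)[-1]
        words = body.split()
        if body.startswith("encryption"):
            pol["encryption"] = words[1].split("-")[0].lower()   # DES-CBC -> des
        elif body.startswith("hash"):
            pol["hash"] = words[1].lower()
        elif body.startswith("auth"):
            pol["authentication"] = words[1].lower()
        elif "group" in words:
            pol["group"] = int(words[-1])
        elif body.startswith("life duration"):
            pol["lifetime"] = decode_vpi(body)
    return pol

def phase1_mismatches(local, peer):
    """(attribute, local, peer) triples that differ; an empty list means the proposal matches."""
    keys = sorted(set(local) | set(peer))
    return [(k, local.get(k), peer.get(k)) for k in keys if local.get(k) != peer.get(k)]
```

On the thread's values the only mismatch is the DH group (pix 2, concentrator 1); the lifetimes agree once the VPI bytes are decoded.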

Yeah, I was following a tutorial and am just now catching up on reading about what exactly each command does =|

What you suggested helped get past one hurdle, and now another one has appeared =) Neither the pix nor the concentrator reports an active tunnel. The pix shows the below. Thanks for the help

VPN Peer: ISAKMP: Added new peer: ip:yyy.xxx.xxx.131 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt incremented to:1 Total VPN Peers:1

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block: src yyy.xxx.xxx.131, dest zzz.xxx.xxx.226

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src yyy.xxx.xxx.131, dest zzz.xxx.xxx.226

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 21

ISAKMP (0): Total payload length: 25

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src yyy.xxx.xxx.131, dest zzz.xxx.xxx.226

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 1453675096:56a55258

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xcbc58ba1(3418721185) for SA

from yyy.xxx.xxx.131 to zzz.xxx.xxx.226 for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

ISAKMP (0): sending INITIAL_CONTACT notify

crypto_isakmp_process_block: src yyy.xxx.xxx.131, dest zzz.xxx.xxx.226

ISAKMP (0): processing DELETE payload. message ID = 4225164110

ISAKMP (0): deleting SA: src zzz.xxx.xxx.226, dst yyy.xxx.xxx.131

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x81377ad8, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt decremented to:0 Total VPN Peers:1

VPN Peer: ISAKMP: Deleted peer: ip:yyy.xxx.xxx.131 Total VPN peers:0

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with yyy.xxx.xxx.131

Hey, the tunnel is up!! However, I'm only able to ping. I believe in my bookmarks somewhere I ran across a thread stating the same problem... So hopefully by the time you read this I will have a fully operational tunnel =)

Added a route to point to the concentrator on the other side and it works great! Thanks buddy!