07-01-2004 07:23 AM - edited 02-21-2020 01:13 PM
My access-list vpn is increasing, so I know that's correct. I'm currently testing this with ping. Debug and configurations follow. Attempting to connect a remote location via VPN with DES. Thanks to anyone who can assist. It's failing at phase one, which to me means a configuration mess-up, but I can't find a mismatch. Maybe I've been looking at this too long.
PIX 515E config:
----------------
crypto ipsec transform-set aptset esp-des esp-md5-hmac
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address vpn
crypto map aptmap 10 set peer yyy.xxx.xxx.131
crypto map aptmap 10 set transform-set aptset
crypto map aptmap interface outside
isakmp enable outside
isakmp key ******** address yyy.xxx.xxx.131 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Debugs ipsec, isakmp, ca
-------------------------
VPN Peer: ISAKMP: Added new peer: ip:yyy.xxx.xxx.131 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= zzz.xxx.xxx.226, remote= yyy.xxx.xxx.131,
local_proxy= 192.168.33.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.65.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src zzz.xxx.xxx.226, dst yyy.xxx.xxx.131
ISADB: reaper checking SA 0x81377ad8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:yyy.xxx.xxx.131 Total VPN peers:0
Results of "show crypto isakmp sa"
-----------------------------------
Total : 1
Embryonic : 1
dst src state pending created
yyy.xxx.xxx.131 zzz.xxx.xxx.226 MM_NO_STATE 0 0
Error msgs on the 3005 concentrator
------------------------------------
57 07/01/2004 11:14:47.640 SEV=4 IKE/48 RPT=23 yyy.xxx.xxx.226
Error processing payload: Payload ID: 1
58 07/01/2004 11:15:02.770 SEV=4 IKE/48 RPT=24 yyy.xxx.xxx.226
Error processing payload: Payload ID: 1
3005 concentrator settings from LAN-to-LAN page
-----------------------
Enabled
External Interface
Answer-Only
Peer yyy.xxx.xxx.226
Digital cert:None (use preshared keys)
Cert Transmission: (Entire certification chain)
Preshared Key: {same as on pix}
Auth: esp/md5/hmac-128
encryption: des-56
ike proposal: IKE-DES-MD5
Filter: none
IPSec NAT-T not checked
No bandwidth policy
routing: none
07-01-2004 10:12 AM
I noted that you have a lifetime and a PFS group configured on the PIX. The PFS group is 2, which I think will not work with DES, though I am not positive, as I have only used it with 3DES. DH group 1 should work with single DES.
At any rate, double-check the VPN 3000 config to see if a group and a lifetime were specified in its config. If not, or if you cannot be sure, then remove both from the PIX and run the clear cry sa command on the PIX. Then retry and let me know what you find.
07-01-2004 11:03 AM
Yeah, I was following a tutorial and am just now catching up with reading about what exactly each command does =|
What you suggested helped get past one hurdle, and now another one has appeared =) Neither the PIX nor the concentrator reports an active tunnel. The PIX shows the below. Thanks for the help.
VPN Peer: ISAKMP: Added new peer: ip:yyy.xxx.xxx.131 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src yyy.xxx.xxx.131, dest zzz.xxx.xxx.226
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src yyy.xxx.xxx.131, dest zzz.xxx.xxx.226
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 21
ISAKMP (0): Total payload length: 25
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src yyy.xxx.xxx.131, dest zzz.xxx.xxx.226
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1453675096:56a55258
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xcbc58ba1(3418721185) for SA
from yyy.xxx.xxx.131 to zzz.xxx.xxx.226 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src yyy.xxx.xxx.131, dest zzz.xxx.xxx.226
ISAKMP (0): processing DELETE payload. message ID = 4225164110
ISAKMP (0): deleting SA: src zzz.xxx.xxx.226, dst yyy.xxx.xxx.131
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x81377ad8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:yyy.xxx.xxx.131 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:yyy.xxx.xxx.131 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with yyy.xxx.xxx.131
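A note on reading the two debugs above, and an added example that is not part of the original thread. In the first attempt the concentrator logged "Error processing payload: Payload ID: 1"; in ISAKMP (RFC 2408) payload type 1 is the SA payload, so the responder was rejecting the phase 1 proposal itself, which fits a DH group mismatch (PIX policy group 2 versus the concentrator's IKE-DES-MD5 proposal, which the second debug shows using "default group 1"). The script below parses the isakmp policy lines from a PIX config and the "Checking ISAKMP transform" block from debug crypto isakmp, normalizes both to one vocabulary, and reports the attributes that differ. It also decodes the lifetime bytes 0x0 0x1 0x51 0x80 to 86400 seconds. The sample config and transform block are copied from this thread; the "fixed" config (group 1) is constructed for the example, and the PIX default values for attributes a policy does not set are an assumption, not something the thread states. The parameters themselves (single DES, MD5, group 1) are only what this 2004 thread negotiated and are not acceptable choices today.

```python
"""Check a PIX ISAKMP phase 1 policy against the proposal a peer offers.

Added example, not from the original thread. Parses `isakmp policy` lines
from a PIX config and the `Checking ISAKMP transform` block from
`debug crypto isakmp`, normalizes both, and lists mismatched attributes.
"""
import re

# Assumed PIX 6.x defaults for attributes a policy line does not set.
PIX_POLICY_DEFAULTS = {
    "authentication": "rsa-sig",
    "encryption": "des",
    "hash": "sha",
    "group": "1",
    "lifetime": "86400",
}

POLICY_RE = re.compile(
    r"^\s*isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)"
)

# Debug spelling -> config spelling for the encryption attribute.
ENC_MAP = {"des-cbc": "des", "3des-cbc": "3des", "aes-cbc": "aes"}


def parse_pix_policies(config_text):
    """Return {priority: {attr: value}} with the assumed defaults filled in."""
    policies = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, attr, value = int(m.group(1)), m.group(2), m.group(3).lower()
            policies.setdefault(prio, dict(PIX_POLICY_DEFAULTS))[attr] = value
    return policies


def decode_life_duration(hex_bytes):
    """Decode the debug's big-endian byte list, e.g. '0x0 0x1 0x51 0x80' -> 86400."""
    value = 0
    for token in hex_bytes.split():
        value = (value << 8) | int(token, 16)
    return value


def parse_offered_transform(debug_text):
    """Pull the peer's phase 1 attributes out of a 'Checking ISAKMP transform' block."""
    offer = {}
    patterns = [
        ("encryption", r"ISAKMP: encryption (\S+)"),
        ("hash", r"ISAKMP: hash (\S+)"),
        ("group", r"ISAKMP: (?:default )?group (\d+)"),
        ("authentication", r"ISAKMP: auth (\S+)"),
        ("lifetime", r"ISAKMP: life duration \(VPI\) of (.+)"),
    ]
    for raw in debug_text.splitlines():
        line = raw.strip()
        for attr, pattern in patterns:
            m = re.match(pattern, line)
            if not m:
                continue
            value = m.group(1).lower()
            if attr == "encryption":
                value = ENC_MAP.get(value, value)
            elif attr == "lifetime":
                value = str(decode_life_duration(value))
            offer[attr] = value
    return offer


def mismatches(policy, offer):
    """Sorted attribute names where the local policy and the peer's offer differ.

    Encryption, hash, group and authentication must match exactly for the
    proposal to be accepted; a lifetime difference is listed too, though
    Cisco peers normally negotiate down to the shorter value rather than
    reject the proposal.
    """
    return sorted(a for a in offer if policy.get(a) != offer[a])


def check(config_text, debug_text):
    """Return {priority: [mismatched attrs]} for every configured policy."""
    offer = parse_offered_transform(debug_text)
    return {p: mismatches(pol, offer) for p, pol in parse_pix_policies(config_text).items()}


# Policy lines from the original post (group 2) and a constructed corrected copy.
PIX_CONFIG_ORIGINAL = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""
PIX_CONFIG_FIXED = PIX_CONFIG_ORIGINAL.replace("group 2", "group 1")

# Transform block from the later, working debug in this thread.
DEBUG_OFFER = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
"""

if __name__ == "__main__":
    print("lifetime:", decode_life_duration("0x0 0x1 0x51 0x80"))
    print("original:", check(PIX_CONFIG_ORIGINAL, DEBUG_OFFER))
    print("fixed:   ", check(PIX_CONFIG_FIXED, DEBUG_OFFER))
```

Run it as-is and the original policy reports a group mismatch while the corrected one reports none. To use it on your own box, paste the `isakmp policy` lines from `show run` and the transform block from `debug crypto isakmp` into the two strings.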
07-01-2004 12:38 PM
Hey, the tunnel is up!! However, I'm only able to ping. I believe in my bookmarks somewhere I ran across a thread stating the same problem... So hopefully by the time you read this I will have a fully operational tunnel =)
07-01-2004 01:09 PM
Added a route to point to the concentrator on the other side and it works great! Thanks buddy!