07-22-2005 02:23 AM
I have set a VPN L2L connection between a Cisco Pix 515 v.7 and a VPN concentrator 3005.
The Tunnel works fine when the Pix part initiates the connection but there is no way to start the tunnel from the concentrator side.
I get the following errors:
Concentrator side:
40936 07/22/2005 12:16:43.040 SEV=4 IKE/41 RPT=7451 80.33.221.49
IKE Initiator: New Phase 1, Intf 2, IKE Peer 80.33.221.49
local Proxy Address 172.22.1.26, remote Proxy Address 172.200.0.2,
SA (L2L: zzzz)
40939 07/22/2005 12:16:43.110 SEV=5 IKEDBG/64 RPT=8056 80.33.221.49
IKE Peer included IKE fragmentation capability flags:
Main Mode: True
Aggressive Mode: True
40941 07/22/2005 12:16:43.680 SEV=4 IKE/119 RPT=14967 80.33.221.49
Group [80.33.221.49]
PHASE 1 COMPLETED
40942 07/22/2005 12:16:43.690 SEV=4 AUTH/22 RPT=13415
User [80.33.221.49] Group [80.33.221.49] connected, Session Type: IPSec/LAN-to-LAN
40944 07/22/2005 12:16:43.690 SEV=4 AUTH/84 RPT=3696
LAN-to-LAN tunnel to headend device 80.33.221.49 connected
40945 07/22/2005 12:16:43.780 SEV=5 IKE/68 RPT=2120 80.33.221.49
Group [80.33.221.49]
Received non-routine Notify message: Invalid ID info (18)
40946 07/22/2005 12:16:43.790 SEV=5 IKE/50 RPT=19961 80.33.221.49
Group [80.33.221.49]
Connection terminated for peer 80.33.221.49.
Reason: Peer Terminate
Remote Proxy N/A, Local Proxy N/A
40949 07/22/2005 12:16:43.800 SEV=4 AUTH/23 RPT=3705 80.33.221.49
User [80.33.221.49] Group [80.33.221.49] disconnected: duration: 0:00:00
Pix side:
Jul 22 2005 12:16:33 : %PIX-3-713119: Group = 195.53.213.2, IP = 195.53.213.2, PHASE 1 COMPLETED
Jul 22 2005 12:16:33 : %PIX-5-713904: QM IsRekeyed old sa not found by addr
Jul 22 2005 12:16:33 : %PIX-3-713061: Group = 195.53.213.2, IP = 195.53.213.2, Tunnel rejected: Crypto Map Policy not found for Src:172.22.1.26, Dst: 172.200.0.2!
Jul 22 2005 12:16:33 : %PIX-3-713902: QM FSM error (P2 struct &0x204c058, mess id 0xedeedb50)!
Jul 22 2005 12:16:33 : %PIX-3-713902: Group = 195.53.213.2, IP = 195.53.213.2, Removing peer from correlator table failed, no match!
Jul 22 2005 12:16:33 : %PIX-4-113019: Group = 195.53.213.2, Username = 195.53.213.2, IP = 195.53.213.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Jul 22 2005 12:16:33 : %PIX-5-713904: IP = 195.53.213.2, Received encrypted packet with no matching SA, dropping
07-25-2005 09:45 PM
This looks like your access-lists don't match on both sides, they need to be the EXACT opposite of each other.
On the VPN3000 L2L config you have 172.22.1.26 configured as the Local Network, and 172.200.0.2 as the Remote Network.
This means your PIX crypto ACL should be something like:
access-list crypto permit ip host 172.200.0.2 host 172.22.1.26
Check both sets of access/network lists and make sure they're the exact opposite of each other.
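A small checker for the mirror rule described in the reply above, written as an added example and not code from the thread or from Cisco. It assumes the VPN3000 L2L entry is represented as a Local/Remote dict, uses the ACL name "crypto" from the reply, and pulls the proxy pair out of the PIX 713061 message quoted in the first post.

```python
import re

# Constructed sample inputs taken from the thread: the VPN3000 Local/Remote
# pair cited in the reply, the ACL it suggests, and the PIX 713061 line.
VPN3000_L2L = {"local": "172.22.1.26/255.255.255.255",
               "remote": "172.200.0.2/255.255.255.255"}
PIX_ACL = "access-list crypto permit ip host 172.200.0.2 host 172.22.1.26"
PIX_LOG = ("%PIX-3-713061: Group = 195.53.213.2, IP = 195.53.213.2, Tunnel "
           "rejected: Crypto Map Policy not found for Src:172.22.1.26, "
           "Dst: 172.200.0.2!")

HOST_MASK = "255.255.255.255"
# Source and destination are each either "host A" or "A MASK".
ACL_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+ip\s+"
    r"(?:host\s+(?P<sh>\S+)|(?P<s>\S+)\s+(?P<sm>\S+))\s+"
    r"(?:host\s+(?P<dh>\S+)|(?P<d>\S+)\s+(?P<dm>\S+))\s*$")
LOG_RE = re.compile(r"Src:\s*(?P<src>[\d.]+),\s*Dst:\s*(?P<dst>[\d.]+)")


def parse_pix_acl(line):
    """Return (src, dst) of a PIX 'permit ip' crypto ACL entry as addr/mask."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACL entry: " + line)
    src = f"{m['sh']}/{HOST_MASK}" if m["sh"] else f"{m['s']}/{m['sm']}"
    dst = f"{m['dh']}/{HOST_MASK}" if m["dh"] else f"{m['d']}/{m['dm']}"
    return src, dst


def acl_mirrors_l2l(acl_line, l2l):
    """True when the PIX ACL is the exact opposite of the VPN3000 entry:
    the concentrator's Remote network is the PIX source and its Local
    network is the PIX destination."""
    src, dst = parse_pix_acl(acl_line)
    return src == l2l["remote"] and dst == l2l["local"]


def proxy_ids_from_713061(log_line):
    """Pull the (Src, Dst) proxy pair the PIX rejected out of a 713061 line."""
    m = LOG_RE.search(log_line)
    return (m["src"], m["dst"]) if m else None


def log_matches_l2l(log_line, l2l):
    """True when the rejected proxy IDs are the VPN3000 entry's addresses
    (Local as Src, Remote as Dst). The log carries no masks, so only the
    addresses are compared; masks still have to be checked by hand."""
    ids = proxy_ids_from_713061(log_line)
    local, remote = (l2l[k].split("/")[0] for k in ("local", "remote"))
    return ids == (local, remote)
```

Run it against the real ACL and concentrator entry rather than the constructed ones; a False from acl_mirrors_l2l points at the mismatch the reply describes.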
07-26-2005 12:40 AM
Hello,
thank you for your reply. That is exactly what I thought at first, but both access lists are exact opposites of each other. Otherwise the tunnel would not work at all. And the problem I have is that it does work when the host on the pix's side starts the connection but it does not work when it is the concentrator's side who starts the connection.