[c-nsp] Problem with cisco VPN, help please

Mohamed Sadok MOUHA ms_mouha at yahoo.fr
Thu Aug 11 11:23:33 EDT 2005


hi to all,

I have a problem with my Cisco PIX 501. I'm trying to establish a site-to-site
VPN connection but it is still blocked in phase 1. Any help please?

Config file and debug output (NB: xxx.xxx.xxx.xxx is the remote VPN
gateway):
-- config

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************* encrypted
passwd ************* encrypted
hostname *************
domain-name *************
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip host 192.168.98.120 192.168.101.0 255.255.255.0
access-list 101 permit ip 192.168.98.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 102 permit ip 192.168.98.0 255.255.255.0 172.45.130.0 255.255.255.0
access-list tc permit ip host 192.168.98.12 host 172.45.130.223
access-list tc permit ip host 192.168.98.13 host 172.45.130.223
pager lines 24
logging buffered debugging
icmp permit xxx.xxx.xxx.xxx 255.255.255.248 outside
icmp permit 192.168.99.0 255.255.255.0 outside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.99.250 255.255.255.0
ip address inside 192.168.98.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.98.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list tc
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.99.250 192.168.98.13 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.99.1 1
route outside 172.45.130.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.98.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto map tns 30 ipsec-isakmp
crypto map tns 30 match address tc
crypto map tns 30 set peer xxx.xxx.xxx.xxx
crypto map tns 30 set transform-set STRONG
crypto map tns 30 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map tns interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.248
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 192.168.98.0 255.255.255.0 inside
ssh timeout 15


-- debug

PEER_REAPER_TIMER
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1 (0)...
send_response:
isakmp_send: ip xxx.xxx.xxx.xxx, port 500
PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 192.168.99.250, remote= xxx.xxx.xxx.xxx,
    local_proxy= 192.168.98.12/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.45.130.223/255.255.255.255/0/0 (type=1)
IPSEC(key_engine_sa_req): setting timer running retry <2>


crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
gen_cookie:
ipsec_db_get_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1 (1)...
send_response:
isakmp_send: ip xxx.xxx.xxx.xxx, port 500
PEER_REAPER_TIMER
QM_TIMER
ISAKMP (0): deleting SA: src 192.168.99.250, dst xxx.xxx.xxx.xxx
REAPER_TIMER
ISADB: reaper checking SA 0xa8e2dc, conn_id = 0  DELETE IT!

crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx/500 not found - peers:0

ipsec_db_delete_sa_list_entry:
ipsec_db_free_ipsec_sa_list:
PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 192.168.99.250, remote= xxx.xxx.xxx.xxx,
    local_proxy= 192.168.98.12/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.45.130.223/255.255.255.255/0/0 (type=1)

crypto_ke_process_block:
crypto_gen_ipsec_isakmp_delete:IPSEC(key_engine_sa_req): setting timer running retry <1>


crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
isadb_create_sa:
crypto_isakmp_init_phase1_fields: initiator
is_auth_policy_configured: auth 4
gen_cookie:
ipsec_db_add_sa_req:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
is_auth_policy_configured: auth 4
construct_header: message_id 0x0
construct_isakmp_sa: auth 1
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x1
init_set_oakley_atts:
begin phase one
sa->state 0x0
ISAKMP (0): beginning Main Mode exchange
throw: mess_id 0x0
send_response:
isakmp_send: ip xxx.xxx.xxx.xxx, port 500
PEER_REAPER_TIMER
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1 (0)...
send_response:
isakmp_send: ip xxx.xxx.xxx.xxx, port 500
PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 192.168.99.250, remote= xxx.xxx.xxx.xxx,
    local_proxy= 192.168.98.12/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.45.130.223/255.255.255.255/0/0 (type=1)
IPSEC(key_engine_sa_req): setting timer running retry <2>


crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
gen_cookie:
ipsec_db_get_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
P1RETRANS_TIMER
ISAKMP (0): retransmitting phase 1 (1)...
send_response:

---
Any help please? I'm blocked :(
Thanks in advance
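As an added illustration (not part of the post or of any Cisco tool): a small Python checker that reads PIX 6.3 `debug crypto isakmp` output of the shape pasted above together with the phase-1-relevant config lines, and reports whether any packet ever came back from the peer and whether the pre-shared key scope and crypto ACL are consistent. The addresses are constructed (203.0.113.10 stands in for xxx.xxx.xxx.xxx), and the assumption that a responding peer would log `ISAKMP (0): processing ...` lines is mine.

```python
import re
import ipaddress

# Constructed excerpt in the shape of the PIX 6.3 "debug crypto isakmp" output
# from the post; 203.0.113.10 stands in for the xxx.xxx.xxx.xxx peer.
DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
isakmp_send: ip 203.0.113.10, port 500
ISAKMP (0): retransmitting phase 1 (0)...
isakmp_send: ip 203.0.113.10, port 500
ISAKMP (0): retransmitting phase 1 (1)...
isakmp_send: ip 203.0.113.10, port 500
ISAKMP (0): deleting SA: src 192.168.99.250, dst 203.0.113.10
"""

# Constructed config fragment mirroring the post's crypto map / isakmp / nat 0 lines.
CONFIG = """\
crypto map tns 30 match address tc
crypto map tns 30 set peer 203.0.113.10
nat (inside) 0 access-list tc
isakmp key ******** address 203.0.113.10 netmask 255.255.255.248
"""


def analyze_phase1(debug):
    """Summarise Main Mode progress: how many packets went out, how many came back."""
    sent = len(re.findall(r"^isakmp_send: ip \S+, port 500", debug, re.M))
    retrans = len(re.findall(r"retransmitting phase 1 \(\d+\)", debug))
    # Assumption: a peer that answers produces 'ISAKMP (0): processing ...' lines
    # for each payload received; zero such lines means nothing arrived on UDP/500.
    received = len(re.findall(r"^ISAKMP \(\d+\): processing ", debug, re.M))
    deleted = "deleting SA" in debug
    if received == 0 and retrans > 0 and deleted:
        verdict = "no reply from peer: check UDP/500 reachability and the peer's IKE setup"
    elif received > 0:
        verdict = "peer replied: look for proposal or pre-shared key mismatch"
    else:
        verdict = "inconclusive"
    return {"sent": sent, "retransmits": retrans, "received": received,
            "sa_deleted": deleted, "verdict": verdict}


def check_config(config):
    """Cross-check the config pieces phase 1 depends on: peer, PSK scope, ACLs."""
    peer = re.search(r"crypto map \S+ \d+ set peer (\S+)", config).group(1)
    key = re.search(r"isakmp key \S+ address (\S+) netmask (\S+)", config)
    key_net = ipaddress.ip_network(f"{key.group(1)}/{key.group(2)}", strict=False)
    crypto_acl = re.search(r"crypto map \S+ \d+ match address (\S+)", config).group(1)
    nat0_acl = re.search(r"nat \(inside\) 0 access-list (\S+)", config).group(1)
    return {"psk_covers_peer": ipaddress.ip_address(peer) in key_net,
            "crypto_acl_is_nat0_acl": crypto_acl == nat0_acl}
```

On the constructed excerpt the verdict is "no reply from peer", which is the pattern in the posted debug: three sends, two retransmits, no processed inbound payload, then the SA is reaped.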


