[c-nsp] Problem with cisco VPN, help please

Kenny Sallee k_sallee at yahoo.com
Thu Aug 11 16:38:27 EDT 2005


Try and use a different ACL for the encryption policy
and nonat ACL.  Add the command 'isakmp identity
address'.

Also I see private IPs on the outside interface - are
you NAT'd somewhere?  Is it static NAT?  Are your
isakmp key statements on each end reflecting the
actual public IPs?  Are you sure your encryption
policies and ACLs match on both sides (encryption
ACLs should be inverse of each other)...

Kenny

--- Mohamed Sadok MOUHA <ms_mouha at yahoo.fr> wrote:

> hi to all,
> 
> I have a problem with my Cisco PIX 501. I'm trying to establish a
> site-to-site VPN connection but am still blocked in phase 1. Any help
> please?
> 
> config file and debug output: (NB: xxx.xxx.xxx.xxx is the remote VPN
> gateway)
> -- config
> 
> PIX Version 6.3(3)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password ************* encrypted
> passwd ************* encrypted
> hostname *************
> domain-name *************
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list 101 permit ip host 192.168.98.120 192.168.101.0 255.255.255.0
> access-list 101 permit ip 192.168.98.0 255.255.255.0 192.168.101.0 255.255.255.0
> access-list 102 permit ip 192.168.98.0 255.255.255.0 172.45.130.0 255.255.255.0
> access-list tc permit ip host 192.168.98.12 host 172.45.130.223
> access-list tc permit ip host 192.168.98.13 host 172.45.130.223
> pager lines 24
> logging buffered debugging
> icmp permit xxx.xxx.xxx.xxx 255.255.255.248 outside
> icmp permit 192.168.99.0 255.255.255.0 outside
> mtu outside 1500
> mtu inside 1500
> ip address outside 192.168.99.250 255.255.255.0
> ip address inside 192.168.98.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm location 192.168.98.0 255.255.255.0 inside
> pdm location 192.168.1.0 255.255.255.0 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list tc
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) 192.168.99.250 192.168.98.13 netmask 255.255.255.255 0 0
> route outside 0.0.0.0 0.0.0.0 192.168.99.1 1
> route outside 172.45.130.0 255.255.255.0 xxx.xxx.xxx.xxx 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> aaa authentication telnet console LOCAL
> aaa authentication ssh console LOCAL
> aaa authorization command LOCAL
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> http 192.168.98.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set strong esp-3des esp-md5-hmac
> crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
> crypto map tns 30 ipsec-isakmp
> crypto map tns 30 match address tc
> crypto map tns 30 set peer xxx.xxx.xxx.xxx
> crypto map tns 30 set transform-set STRONG
> crypto map tns 30 set security-association lifetime seconds 3600 kilobytes 4608000
> crypto map tns interface outside
> isakmp enable outside
> isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.248
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> telnet timeout 5
> ssh 192.168.98.0 255.255.255.0 inside
> ssh timeout 15
> 
> 
> -- debug
> 
> PEER_REAPER_TIMER
> P1RETRANS_TIMER
> ISAKMP (0): retransmitting phase 1 (0)...
> send_response:
> isakmp_send: ip xxx.xxx.xxx.xxx, port 500
> PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 1,
>   (identity) local= 192.168.99.250, remote= xxx.xxx.xxx.xxx,
>     local_proxy= 192.168.98.12/255.255.255.255/0/0 (type=1),
>     remote_proxy= 172.45.130.223/255.255.255.255/0/0 (type=1)
> IPSEC(key_engine_sa_req): setting timer running retry <2>
> 
> 
> crypto_ke_process_block:
> KEYENG_IKMP_SA_SPEC
> gen_cookie:
> ipsec_db_get_ipsec_sa_list:
> ipsec_db_get_ipsec_sa_list:
> P1RETRANS_TIMER
> ISAKMP (0): retransmitting phase 1 (1)...
> send_response:
> isakmp_send: ip xxx.xxx.xxx.xxx, port 500
> PEER_REAPER_TIMER
> QM_TIMER
> ISAKMP (0): deleting SA: src 192.168.99.250, dst xxx.xxx.xxx.xxx
> REAPER_TIMER
> ISADB: reaper checking SA 0xa8e2dc, conn_id = 0 DELETE IT!
> 
> crypto_gen_isakmp_delete:
> isadb_free_isakmp_sa:
> VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx/500
> not found - peers:0
> 
> ipsec_db_delete_sa_list_entry:
> ipsec_db_free_ipsec_sa_list:
> PEER_REAPER_TIMERIPSEC(key_engine): request timer fired: count = 2,
>   (identity) local= 192.168.99.250, remote= xxx.xxx.xxx.xxx,
>     local_proxy= 192.168.98.12/255.255.255.255/0/0 (type=1),
>     remote_proxy= 172.45.130.223/255.255.255.255/0/0 (type=1)
> 
> crypto_ke_process_block:
> crypto_gen_ipsec_isakmp_delete:IPSEC(key_engine_sa_req): setting timer running retry <1>
> 
> 
> crypto_ke_process_block:
> KEYENG_IKMP_SA_SPEC
> isadb_create_sa:
> crypto_isakmp_init_phase1_fields: initiator
> is_auth_policy_configured: auth 4
> gen_cookie:
> ipsec_db_add_sa_req:
> ipsec_db_get_ipsec_sa_list:
> ipsec_db_add_ipsec_sa_list:
> ipsec_db_get_ipsec_sa_list:
> is_auth_policy_configured: auth 4
> construct_header: message_id 0x0
> construct_isakmp_sa: auth 1
> set_proposal: protocol 0x1, proposal_num 1, extra_info 0x1
> init_set_oakley_atts:
> begin phase one
> sa->state 0x0
> ISAKMP (0): beginning Main Mode exchange
> throw: mess_id 0x0
> send_response:
> isakmp_send: ip xxx.xxx.xxx.xxx, port 500
> PEER_REAPER_TIMER
> P1RETRANS_TIMER
> 
=== message truncated ===
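The config-side items in the reply above (separate crypto and nonat ACLs, `isakmp identity address`, mirror-image crypto ACLs on both peers) can be checked mechanically before touching the box. The script below is an added example, not code from the post or from Cisco: it parses PIX 6.x `access-list ... permit ip`, `nat (inside) 0 access-list`, `crypto map ... match address` and `isakmp identity address` lines and reports the three problems. The "as posted" fragment is lifted from the config above (peer address left masked as in the original); the "fixed" fragment and both far-end fragments are constructed for the example, since the far end's config is not on the page. The debug trace itself (Main Mode message retransmitted, then the SA reaped) shows that nothing is coming back from the peer; the key, peer-address and NAT questions in the reply have to be checked on both boxes and are not scripted here.

```python
"""PIX 6.x site-to-site sanity checks (added example, not from the post):
 1. crypto-map ACL and 'nat 0' (nonat) ACL should be separate objects,
 2. 'isakmp identity address' should be set,
 3. the peer's crypto ACL must be the exact mirror of the local one."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip' line with both ends normalised to 'addr/mask'."""
    src: str
    dst: str


ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")


def _endpoint(tokens):
    """Consume one PIX address spec: 'host A', 'any' or 'A MASK'."""
    if tokens[0] == "host":
        return f"{tokens[1]}/255.255.255.255", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0/0.0.0.0", tokens[1:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_acls(cfg):
    """Map ACL name -> list of AclEntry for every 'permit ip' line."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        src, tokens = _endpoint(rest.split())
        dst, _ = _endpoint(tokens)
        acls.setdefault(name, []).append(AclEntry(src, dst))
    return acls


def crypto_acl_name(cfg):
    m = re.search(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M)
    return m.group(1) if m else None


def nonat_acl_name(cfg):
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M)
    return m.group(1) if m else None


def shares_crypto_and_nonat_acl(cfg):
    """True when one ACL drives both encryption and NAT exemption."""
    c = crypto_acl_name(cfg)
    return c is not None and c == nonat_acl_name(cfg)


def has_isakmp_identity_address(cfg):
    return re.search(r"^isakmp identity address\s*$", cfg, re.M) is not None


def mirrored_acl_problems(local_cfg, remote_cfg):
    """Every way the remote crypto ACL fails to mirror the local one."""
    local = set(parse_acls(local_cfg).get(crypto_acl_name(local_cfg), []))
    remote = set(parse_acls(remote_cfg).get(crypto_acl_name(remote_cfg), []))
    expected = {AclEntry(e.dst, e.src) for e in local}  # src/dst swapped
    problems = [f"remote lacks mirror entry {e.src} -> {e.dst}"
                for e in sorted(expected - remote, key=str)]
    problems += [f"remote has unmatched entry {e.src} -> {e.dst}"
                 for e in sorted(remote - expected, key=str)]
    return problems


def run_checks(local_cfg, remote_cfg):
    """List of findings; empty means all three checks passed."""
    findings = []
    if shares_crypto_and_nonat_acl(local_cfg):
        findings.append(f"crypto and nonat both use ACL '{crypto_acl_name(local_cfg)}'")
    if not has_isakmp_identity_address(local_cfg):
        findings.append("'isakmp identity address' not set")
    return findings + mirrored_acl_problems(local_cfg, remote_cfg)


# Local side as posted (peer masked as xxx.xxx.xxx.xxx, kept that way).
LOCAL_CFG_AS_POSTED = """
access-list tc permit ip host 192.168.98.12 host 172.45.130.223
access-list tc permit ip host 192.168.98.13 host 172.45.130.223
nat (inside) 0 access-list tc
crypto map tns 30 match address tc
"""
# Constructed: same side with the first two suggestions applied.
LOCAL_CFG_FIXED = """
access-list nonat permit ip host 192.168.98.12 host 172.45.130.223
access-list nonat permit ip host 192.168.98.13 host 172.45.130.223
access-list tc permit ip host 192.168.98.12 host 172.45.130.223
access-list tc permit ip host 192.168.98.13 host 172.45.130.223
nat (inside) 0 access-list nonat
isakmp identity address
crypto map tns 30 match address tc
"""
# Constructed far-end crypto ACLs: one mirrors 'tc', one does not.
REMOTE_CFG_OK = """
access-list vpn permit ip host 172.45.130.223 host 192.168.98.12
access-list vpn permit ip host 172.45.130.223 host 192.168.98.13
crypto map tns 30 match address vpn
"""
REMOTE_CFG_BAD = """
access-list vpn permit ip 172.45.130.0 255.255.255.0 192.168.98.0 255.255.255.0
crypto map tns 30 match address vpn
"""

if __name__ == "__main__":
    for label, local, remote in [("as posted", LOCAL_CFG_AS_POSTED, REMOTE_CFG_OK),
                                 ("fixed", LOCAL_CFG_FIXED, REMOTE_CFG_OK),
                                 ("fixed vs bad peer", LOCAL_CFG_FIXED, REMOTE_CFG_BAD)]:
        print(label, run_checks(local, remote) or "OK")
```

Feed it the running config from each end (`show run` output works as-is; only the line types above are parsed). The mirror check is deliberately strict: a far end that uses a subnet-to-subnet entry where the local side uses host-to-host entries is reported, because the proxy IDs in quick mode will not agree even though the address ranges overlap.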

