[c-nsp] Problem with IPSEC VPN
Robert Hass
robhass at gmail.com
Sun Jan 22 11:17:09 EST 2006
Hello
I have problem with site-to-site connection between two PIXes. Network
diagram
looking like this:
PIX501---------- Internet -------------------- PIX515E
| |
| |
| |
192.168.4.1/24 192.168.0.1/24
The VPN connection is established, but:
1) If I pinging host 192.168.4.10 from network 192.168.0.10 - OK
2) If I pinging host 192.168.0.10 from network 192.168.4.10 - error
Jan 22 2006 14:13:17: %PIX-3-713042: IKE Initiator unable to find policy:
Intf 1, Src: 192.168.0.10, Dst: 192.168.4.10
Jan 22 2006 14:13:18: %PIX-3-713042: IKE Initiator unable to find policy:
Intf 1, Src: 192.168.0.10, Dst: 192.168.4.10
The communications from 192.168.4.10 to 192.168.0.10 only working when
192.168.0.10 starts send packets.
Any ideas or recommendations ???
Below configurations of both PIXes:
PIX-515E running OS 7.0(4)
interface Ethernet0
nameif outside
security-level 0
ip address 195.22.16.2 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 195.22.16.1 1
same-security-traffic permit intra-interface
access-list VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0
255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0
255.255.0.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set TransSet esp-3des esp-md5-hmac
crypto map VPN 20 match address VPN
crypto map VPN 20 set peer 195.22.17.2
crypto map VPN 20 set transform-set TransSet
crypto map VPN 20 set nat-t-disable
crypto map VPN interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 195.22.17.2 type ipsec-l2l
tunnel-group 195.22.17.2 ipsec-attributes
pre-shared-key *
PIX-501 running OS 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 195.22.17.2 255.255.255.252
ip address inside 192.168.4.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 195.22.17.1 1
access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list VPN permit ip 192.168.4.0 255.255.255.0 192.168.0.0
255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set TransSet esp-3des esp-md5-hmac
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address VPN
crypto map VPN 20 set peer 195.22.16.2
crypto map VPN 20 set transform-set TransSet
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 195.22.16.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Regards,
Robert
More information about the cisco-nsp
mailing list