[c-nsp] PIX - ISAKMP Policy Disappearing

ChrisSerafin chris at chrisserafin.com
Tue Dec 23 11:07:46 EST 2008


I'm trying to add/modify an isakmp policy map to match a remote VPN 
peer, and it keeps deleting itself! :)

Here is the config:

! this section adds fine
access-list 100 permit ip any 172.25.101.0 255.255.255.0
access-list TO_RKON permit ip any 172.25.101.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 40 ipsec-isakmp
crypto map MAP 40 match address TO_RKON
crypto map MAP 40 set peer x.x.x.x
crypto map MAP 40 set transform-set ESP-3DES-MD5
isakmp key xxxxxx address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

! this section keeps deleting itself after changing the authentication 
! to PSK. As soon as I add the next line, policy 40 deletes itself.
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

It doesn't matter, but the remote end is a Netscreen and a VPN WAS 
established just fine, but I'm 'breaking' it to expand the encrypted 
traffic traversing the VPN tunnel. When doing a 'sh crypto ipsec sa' I 
see that there are IPsec SAs established for the OLD phase 2 networks 
(proxy IDs in Netscreen). Maybe clear the crypto SAs? See below.

ELM-xxx(config)# sh cry isa sa
Total     : 3
Embryonic : 0
       dst               src        state     pending     created
   my.firewall  re.mo.t.e    QM_IDLE         0           1

ELM-xxx(config)# sh cry ips sa

interface: outside

  local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (172.25.101.0/255.255.255.0/0/0)
  current_peer: 205.234.155.253:500
    PERMIT, flags={}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
   #pkts decaps: 3273, #pkts decrypt: 3273, #pkts verify 3273
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

    local crypto endpt.: 65.166.255.1, remote crypto endpt.: 205.234.155.253
    path mtu 1500, ipsec overhead 56, media mtu 1500
    current outbound spi: 27954c37

    inbound esp sas:
     spi: 0x55528ec4(1431473860)
       transform: esp-3des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 10, crypto map: MAP
       sa timing: remaining key lifetime (k/sec): (4607643/446)
       IV size: 8 bytes
       replay detection support: Y

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
     spi: 0x27954c37(664095799)
       transform: esp-3des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 9, crypto map: MAP
       sa timing: remaining key lifetime (k/sec): (4608000/452)
       IV size: 8 bytes
       replay detection support: Y

    outbound ah sas:

    outbound pcp sas:

All comments welcome,
Chris Serafin
chris at chrisserafin.com
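Two checks a practitioner would run against `show crypto ipsec sa` output like the one in the post, as an added Python example that is not part of the original message or of any Cisco tool: parse the output into per-SA records, flag SAs that carry traffic in only one direction (the post's SA shows 3273 packets decapsulated but 0 encapsulated, i.e. the PIX is receiving from the Netscreen but never sending), and list SAs whose proxy IDs (local/remote ident) no longer match what the current crypto-map ACL would negotiate, which is the "SAs for the OLD phase 2 networks" the poster suspects. The sample text is copied from the post; the rendering of an ACL `any` as the `0.0.0.0/0.0.0.0/0/0` ident and the staleness heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Sample output copied from the post above (trimmed to the lines parsed here).
SAMPLE_OUTPUT = """
interface: outside

  local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (172.25.101.0/255.255.255.0/0/0)
  current_peer: 205.234.155.253:500
    PERMIT, flags={}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
   #pkts decaps: 3273, #pkts decrypt: 3273, #pkts verify 3273
   #send errors 0, #recv errors 0
    current outbound spi: 27954c37

    inbound esp sas:
     spi: 0x55528ec4(1431473860)
       slot: 0, conn id: 10, crypto map: MAP

    outbound esp sas:
     spi: 0x27954c37(664095799)
       slot: 0, conn id: 9, crypto map: MAP
"""


@dataclass
class IpsecSa:
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    crypto_map: str = ""
    pkts_encaps: int = 0
    pkts_decaps: int = 0
    inbound_spis: List[str] = field(default_factory=list)
    outbound_spis: List[str] = field(default_factory=list)


IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident .*?: \((\S+)\)")
PEER_RE = re.compile(r"^\s*current_peer:\s*(\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9a-fA-F]+)")   # not "current outbound spi:"
MAP_RE = re.compile(r"crypto map:\s*(\S+)")


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split show-output into one IpsecSa per 'local ident' block."""
    sas: List[IpsecSa] = []
    sa = None
    direction = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":        # a 'local ident' line starts a new SA
                sa = IpsecSa(local_ident=m.group(2))
                sas.append(sa)
                direction = None
            elif sa is not None:
                sa.remote_ident = m.group(2)
            continue
        if sa is None:
            continue
        m = PEER_RE.match(line)
        if m:
            sa.peer = m.group(1)
            continue
        m = COUNTER_RE.search(line)
        if m:
            if m.group(1) == "encaps":
                sa.pkts_encaps = int(m.group(2))
            else:
                sa.pkts_decaps = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            direction = m.group(1)           # following spi: lines belong here
            continue
        m = SPI_RE.match(line)
        if m and direction == "inbound":
            sa.inbound_spis.append(m.group(1).lower())
        elif m and direction == "outbound":
            sa.outbound_spis.append(m.group(1).lower())
        m = MAP_RE.search(line)
        if m:
            sa.crypto_map = m.group(1)
    return sas


def traffic_state(sa: IpsecSa) -> str:
    """Classify an SA by its packet counters; one-way traffic usually means the
    sending side's crypto ACL or routing no longer selects the tunnel."""
    if sa.pkts_encaps == 0 and sa.pkts_decaps == 0:
        return "idle"
    if sa.pkts_encaps == 0:
        return "inbound-only"
    if sa.pkts_decaps == 0:
        return "outbound-only"
    return "bidirectional"


def acl_ident(addr: str, mask: str = "255.255.255.255") -> str:
    """Render an 'access-list ... permit ip' source/destination as the
    addr/mask/prot/port ident the PIX prints. Assumption: 'any' shows as 0.0.0.0/0.0.0.0."""
    if addr == "any":
        addr, mask = "0.0.0.0", "0.0.0.0"
    return f"{addr}/{mask}/0/0"


def stale_sas(sas: List[IpsecSa], expected: Set[Tuple[str, str]]) -> List[IpsecSa]:
    """SAs whose (local, remote) proxy IDs are not produced by the current
    crypto-map ACL; these are candidates for 'clear crypto ipsec sa'."""
    return [sa for sa in sas if (sa.local_ident, sa.remote_ident) not in expected]


if __name__ == "__main__":
    # The post's new ACL: access-list TO_RKON permit ip any 172.25.101.0 255.255.255.0
    expected = {(acl_ident("any"), acl_ident("172.25.101.0", "255.255.255.0"))}
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(sa.local_ident, "->", sa.remote_ident, "peer", sa.peer, traffic_state(sa))
    for sa in stale_sas(parse_ipsec_sa(SAMPLE_OUTPUT), expected):
        print("stale proxy IDs:", sa.local_ident, "->", sa.remote_ident, "spis", sa.inbound_spis, sa.outbound_spis)
```

Run against the post's output, the single SA is reported as inbound-only and as stale: its local ident is the old 10.0.0.0/16 selector, not the `any` of the new TO_RKON ACL, so it would be rebuilt with the new proxy IDs once cleared and re-negotiated.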
