[c-nsp] IPSec troubles

Sam Hall SamHall at wiseman-dairies.co.uk
Tue Jun 17 06:21:34 EDT 2008


Hi 

I am trying to set up a VPN between a PIX-515E v7.0(7) and a Checkpoint 
NG. Phase 1 and 2 are up, but traffic isn't going out of the PIX, i.e. mtr's 
show traffic going out onto the internet and not across the VPN.

sh crypto ipsec sa detail | b FW2 shows a temporary access list 
"access-list OO_temp_IPSEC11" (permit ip host FW1 host FW2). Instead I 
would have expected ACL1 as per the other VPNs we have, i.e. permit ip 
object-group 400 host REMOTE. 

Any help would be appreciated...

Thanks



IP address/schematic:

LAN (NAT) > FW1 > IPSec > FW2 > REMOTE (class C real IP)



object-group network 400
 network-object host LAN
!
access-list IPSec extended permit tcp any any eq 21
access-list IPSec extended permit tcp any any eq 11551
access-list IPSec extended permit tcp any any eq 3305
access-list IPSec extended permit icmp any any echo
access-list IPSec extended permit esp host FW2 host FW1
access-list IPSec extended permit udp host FW2 host FW1 eq 500
access-list IPSec extended deny ip any any log
!
access-list ACL1 extended permit ip object-group 400 host REMOTE
access-list ACL1 extended deny ip any any log
!
crypto ipsec transform-set ACL1_IPSEC esp-aes-256 esp-sha-hmac
!
crypto map IPSEC 11 match address ACL1
crypto map IPSEC 11 set connection-type originate-only
crypto map IPSEC 11 set peer FW2
crypto map IPSEC 11 set transform-set ACL1_IPSEC
crypto map IPSEC 11 set security-association lifetime seconds 3600
crypto map IPSEC 11 set reverse-route
crypto map IPSEC interface outside
!
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption aes-256
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 64800
isakmp nat-traversal 1000
isakmp identity address
isakmp enable outside
!
group-policy ACL1 internal
group-policy ACL1 attributes
 vpn-filter value IPSec
!
tunnel-group FW2 general-attributes
 default-group-policy ACL1
tunnel-group FW2 type ipsec-l2l
tunnel-group FW2 ipsec-attributes
 isakmp keepalive disable
 pre-shared-key KEY
!
access-list OSPF_ONLY standard permit host REMOTE
!
route-map OSPF_ONLY permit 10
 match ip address OSPF_ONLY
!
router ospf 2
 redistribute static subnets route-map OSPF_ONLY





sh crypto isakmp sa detail | b FW2
3   IKE Peer: FW2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 64800
    Lifetime Remaining: 64770





 sh vpn-sessiondb l2l

Connection   : FW2
Index        : 2                      IP Addr      : FW2
Protocol     : IPSecLAN2LAN           Encryption   : AES256
Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 15:48:48 UTC Mon Jun 16 2008
Duration     : 0h:04m:46s
Filter Name  : GXS_IPSec





pix-SP-1# sh crypto ipsec sa detail | b FW2 
      access-list OO_temp_IPSEC11 permit ip host FW1 host FW2
      local ident (addr/mask/prot/port): (FW1/255.255.255.255/0/0) 
      remote ident (addr/mask/prot/port): (FW2/255.255.255.255/0/0) 
      current_peer: FW2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 
      #pkts compressed: 0, #pkts decompressed: 0 
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0 
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0 
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0 
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0 
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0 
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0 
      #pkts replay failed (rcv): 0 
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0 
      #pkts internal err (send): 0, #pkts internal err (rcv): 0 

      local crypto endpt.: FW1, remote crypto endpt.: FW2

      path mtu 1500, ipsec overhead 74, media mtu 1500 
      current outbound spi: 61270EDA 

    inbound esp sas: 
      spi: 0x7C043FC7 (2080653255) 
         transform: esp-aes-256 esp-sha-hmac none 
         in use settings ={L2L, Tunnel, } 
         slot: 0, conn_id: 4210, crypto-map: IPSEC 
         sa timing: remaining key lifetime (kB/sec): (3825000/2844) 
         IV size: 16 bytes 
         replay detection support: Y 
    outbound esp sas: 
      spi: 0x61270EDA (1629949658) 
         transform: esp-aes-256 esp-sha-hmac none 
         in use settings ={L2L, Tunnel, } 
         slot: 0, conn_id: 4210, crypto-map: IPSEC 
         sa timing: remaining key lifetime (kB/sec): (3825000/2844) 
         IV size: 16 bytes 
         replay detection support: Y 

    Crypto map tag: ras_map, seq num: 6, local addr: FW1 






Sam
----
Sam Hall
Robert Wiseman & Sons
Ext: 6655
Tel: +44 (0)1355 270655
samhall at wiseman-dairies.co.uk
www.wiseman-dairies.co.uk
159 Glasgow Road, East Kilbride, Glasgow, G74 4PA
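A check a practitioner could run over output like the above, as an added example that is not from the post: it parses the crypto-map ACL entry and the `local ident`, `remote ident` and `Crypto map tag` lines of `sh crypto ipsec sa`, and reports where the negotiated proxy identities differ from what the crypto map's ACL asked for. The addresses are constructed RFC 5737 placeholders standing in for LAN, FW1, FW2 and REMOTE, and the helper names are assumptions.

```python
import re
import ipaddress

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")

# Constructed sample: ACL1 with object-group 400 expanded to its single host (see the
# config above), and the SA block shaped like the poster's "sh crypto ipsec sa" output.
CRYPTO_ACL = "access-list ACL1 extended permit ip host 192.0.2.10 host 203.0.113.20"
SA_OUTPUT = """\
      access-list OO_temp_IPSEC11 permit ip host 198.51.100.1 host 203.0.113.1
      local ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/0/0)
    Crypto map tag: ras_map, seq num: 6, local addr: 198.51.100.1
"""

def acl_endpoint(tokens):
    """Consume one ACL address ('host A', 'any' or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_crypto_acl(line):
    """Return (source_net, destination_net) from 'access-list NAME extended permit ip SRC DST'."""
    tokens = line.split()
    i = tokens.index("permit")
    src, rest = acl_endpoint(tokens[i + 2:])   # skip the 'ip' protocol keyword
    dst, _ = acl_endpoint(rest)
    return src, dst

def parse_sa(output):
    """Pull the negotiated proxy identities and the crypto-map tag out of the SA output."""
    sa = {}
    for who, addr, mask in IDENT_RE.findall(output):
        sa[who] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    m = MAP_RE.search(output)
    if m:
        sa["map"], sa["seq"] = m.group(1), int(m.group(2))
    return sa

def check_sa(acl_line, expected_map, output):
    """List every way the negotiated SA differs from the crypto map ACL and map name."""
    local_net, remote_net = parse_crypto_acl(acl_line)
    sa = parse_sa(output)
    findings = []
    if sa.get("local") != local_net:
        findings.append(f"local ident {sa.get('local')} != crypto ACL source {local_net}")
    if sa.get("remote") != remote_net:
        findings.append(f"remote ident {sa.get('remote')} != crypto ACL destination {remote_net}")
    if sa.get("map") != expected_map:
        findings.append(f"SA built from crypto map {sa.get('map')!r}, not {expected_map!r}")
    return findings
```

Run as `check_sa(CRYPTO_ACL, "IPSEC", SA_OUTPUT)`; an empty list means the SA carries exactly the selectors the crypto map ACL defines.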


