[c-nsp] IPSec troubles
Sam Hall
SamHall at wiseman-dairies.co.uk
Tue Jun 17 06:21:34 EDT 2008
Hi
I am trying to set up a VPN between a PIX-515E v7.0(7) and a Checkpoint
NG. Phase 1 and 2 are up, but traffic isnt going out of the PIX i.e mtr's
show traffic going out onto the internet and not across the VPN
sh crypto ipsec sa detail | b FW2 - shows a temporary access list
"access-list OO_temp_IPSEC11" - permit ip host FW1 host FW2 - instead I
would have expected ACL1 as per other VPN's we have i.e permit ip
object-group 400 host REMOTE.
Any help would be appreciated...
Thanks
IP address/schematic:
LAN (NAT) > FW1 > IPSec > FW2 > REMOTE (class C real IP)
object-group network 400
network-object host LAN
!
access-list IPSec extended permit tcp any any eq 21
access-list IPSec extended permit tcp any any eq 11551
access-list IPSec extended permit tcp any any eq 3305
access-list IPSec extended permit icmp any any echo
access-list IPSec extended permit esp host FW2 host FW1
access-list IPSec extended permit udp host FW2 host FW1 eq 500
access-list IPSec extended deny ip any any log
!
access-list ACL1 extended permit ip object-group 400 host REMOTE
access-list ACL1 extended deny ip any any log
!
crypto ipsec transform-set ACL1_IPSEC esp-aes-256 esp-sha-hmac
!
crypto map IPSEC 11 match address ACL1
crypto map IPSEC 11 set connection-type originate-only
crypto map IPSEC 11 set peer FW2
crypto map IPSEC 11 set transform-set ACL1_IPSEC
crypto map IPSEC 11 set security-association lifetime seconds 3600
crypto map IPSEC 11 set reverse-route
crypto map IPSEC interface outside
!
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption aes-256
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 64800
isakmp nat-traversal 1000
isakmp identity address
isakmp enable outside
!
group-policy ACL1 internal
group-policy ACL1 attributes
vpn-filter value IPSec
!
tunnel-group FW2 general-attributes
default-group-policy ACL1
tunnel-group FW2 type ipsec-l2l
tunnel-group FW2 ipsec-attributes
isakmp keepalive disable
pre-shared-key KEY
!
access-list OSPF_ONLY standard permit host REMOTE
!
route-map OSPF_ONLY permit 10
match ip address OSPF_ONLY
!
router ospf 2
redistribute static subnets route-map OSPF_ONLY
sh crypto isakmp sa detail | b FW2
3 IKE Peer: FW2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 64800
Lifetime Remaining: 64770
sh vpn-sessiondb l2l
Connection : FW2
Index : 2 IP Addr : FW2
Protocol : IPSecLAN2LAN Encryption : AES256
Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 0
Login Time : 15:48:48 UTC Mon Jun 16 2008
Duration : 0h:04m:46s
Filter Name : GXS_IPSec
pix-SP-1# sh crypto ipsec sa detail | b FW2
access-list OO_temp_IPSEC11 permit ip host FW1 host FW2
local ident (addr/mask/prot/port): (FW1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (FW2/255.255.255.255/0/0)
current_peer: FW2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed:
0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: FW1, remote crypto endpt.: FW2
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 61270EDA
inbound esp sas:
spi: 0x7C043FC7 (2080653255)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4210, crypto-map: IPSEC
sa timing: remaining key lifetime (kB/sec): (3825000/2844)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x61270EDA (1629949658)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4210, crypto-map: IPSEC
sa timing: remaining key lifetime (kB/sec): (3825000/2844)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: ras_map, seq num: 6, local addr: FW1
Sam
----
Sam Hall
Robert Wiseman & Sons
Ext: 6655
Tel: +44 (0)1355 270655
samhall at wiseman-dairies.co.uk
www.wiseman-dairies.co.uk
159 Glasgow Road, East Kilbride, Glasgow, G74 4PA
*********************************************************************************
Disclaimer: This electronic mail, together with any attachments, is for the exclusive and confidential use of the recipient addressee. Any other distribution, use or reproduction without our prior consent is unauthorised and strictly prohibited. If you have received this message in error, please delete it immediately and contact the sender directly or the Robert Wiseman & Sons Ltd IT Helpdesk on +44 (0)1355 270634. Any views or opinions expressed in this message are those of the author and do not necessarily represent those of Robert Wiseman & Sons Ltd or of any of its associated companies. No reliance may be placed on this message without written confirmation from an authorised representative of the company.
Robert Wiseman & Sons Limited reserves the right to monitor all e-mail communications through its network.
This message has been checked for viruses but the recipient is strongly advised to re-scan the message before opening any attachments or attached executable files.
ROBERT WISEMAN & SONS LIMITED
Registered Number: 87376 Scotland
Registered Office: 159 Glasgow Road,
East Kilbride, Glasgow, G74 4PA
********************************************************************************
More information about the cisco-nsp
mailing list