
Debugging a tunnel issue.

Status
Not open for further replies.
May 19, 2004
I am trying to connect to a VPN concentrator.

On my side I have a PIX 515 and theirs is a VPNC (not sure which model).

I have the PIX configured to connect to their VPNC and thus far we cannot get it working. I will paste my crypto stuff and the concentrator log.

access-list nonat permit ip 10.0.0.0 255.255.255.0 10.101.101.48 255.255.255.240
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.101.101.48 255.255.255.240
access-list 101 permit icmp any any

nat (inside) 0 access-list nonat

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 101
crypto map mymap 30 set peer x.x.x.70
crypto map mymap 30 set transform-set myset2
crypto map mymap interface outside
isakmp enable outside

isakmp key mykeyhere address x.x.x.70 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Log entries for VPNC:

1718 06/27/2006 15:30:50.060 SEV=5 IKE/35 RPT=371 x.x.x.162
Group [x.x.x.162]
Received remote IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 1, Port 0

1721 06/27/2006 15:30:50.060 SEV=9 IKEDBG/1 RPT=272 x.x.x.162
Group [x.x.x.162]
Processing ID

1722 06/27/2006 15:30:50.060 SEV=5 IKE/34 RPT=8279 x.x.x.162
Group [x.x.x.162]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 1, Port 0

1725 06/27/2006 15:30:50.060 SEV=8 IKEDBG/83 RPT=22408 x.x.x.162
Group [x.x.x.162]
QM IsRekeyed old sa not found by addr

1726 06/27/2006 15:30:50.060 SEV=4 IKE/61 RPT=36184 x.x.x.162
Group [x.x.x.162]
Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 0.0.0.0!

ANY IDEAS?????
 
Got the answer... I am willing to share so that others may grow from this too.

It appears that the PIX had an issue when talking to the VPNC. It kept showing the source address as the inside network, for which it had no policy. Adding a temp policy of 10.0.0.0 /24 worked and the tunnel came up fine.

It was also discovered that the ip address of the resource they were trying to get to was 10.0.0.160, the source of the subnet trying to reach that resource was 10.0.0.0 /24. Hmmmm Ya think that may be a problem?

So… In a nutshell, I ended up NATting the 10.0.0.0 /24 behind the external IP of the PIX. The other folks had already NATted their resource 10.0.0.160 to 10.102.1.160; this resolved the problem.

It’s also great to know “ALL” the pieces up front.
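Two things in the thread above are worth checking mechanically before opening a case with the far side. First, a Cisco crypto-map ACL is what produces the IKE phase-2 proxy identities: each permit ACE becomes one proposal, with its source network as the local ID, its destination network as the remote ID, and its protocol carried along. ACL 101 above contains `permit icmp any any`, and the concentrator log reports exactly that proposal (Address 0.0.0.0, Mask 0.0.0.0, Protocol 1, where protocol 1 is ICMP), which no specific policy on the peer will match. Second, the two sides both used 10.0.0.0/24 space, which is why NAT was needed. The script below is an added example written for this page, not code from the original post or from Cisco: it parses PIX-style `access-list` lines into proxy IDs, flags `any` proposals, matches the concentrator's "IP Proxy Subnet data" log events back to the ACE that produced them, and checks whether a remote host's real address collides with the local network. The PIX 6.x ACE syntax it understands (`permit PROTO SRC DST` with `any`, `host A` or `A MASK` endpoints, no port keywords) is an assumption; the sample ACL and log lines are copied from the thread above.

```python
"""Derive the IPsec proxy IDs a PIX crypto-map ACL proposes, audit them, and
match them against what a VPN concentrator logged.  Added example for this
page; the ACE grammar handled here is a simplification of PIX 6.x syntax."""
import ipaddress
import re
from dataclasses import dataclass

PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Sample input, copied from the thread above (crypto ACL and VPNC log).
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.101.101.48 255.255.255.240
access-list 101 permit icmp any any
"""
SAMPLE_LOG = """\
1718 06/27/2006 15:30:50.060 SEV=5 IKE/35 RPT=371 x.x.x.162
Group [x.x.x.162]
Received remote IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 1, Port 0

1722 06/27/2006 15:30:50.060 SEV=5 IKE/34 RPT=8279 x.x.x.162
Group [x.x.x.162]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 1, Port 0
"""


@dataclass(frozen=True)
class ProxyId:
    local: ipaddress.IPv4Network    # ACE source  -> PIX's local proxy ID
    remote: ipaddress.IPv4Network   # ACE destination -> PIX's remote proxy ID
    protocol: int                   # 0 = ip (any protocol), 1 = icmp, ...


def _parse_endpoint(tokens, i):
    """Consume one ACE address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(config_text, acl_name):
    """Return one ProxyId per permit ACE of acl_name, in ACL order."""
    ids = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != acl_name:
            continue
        if tok[2] != "permit":
            continue  # deny ACEs never form a proposal
        proto = int(tok[3]) if tok[3].isdigit() else PROTO_NUMBERS.get(tok[3])
        if proto is None:
            raise ValueError(f"unsupported protocol keyword in: {line}")
        src, i = _parse_endpoint(tok, 4)
        dst, _ = _parse_endpoint(tok, i)
        ids.append(ProxyId(src, dst, proto))
    return ids


def parse_vpnc_proxy_ids(log_text):
    """Extract (network, protocol) from the concentrator's 'Received local/
    remote IP Proxy Subnet data in ID Payload' events, keyed by side."""
    pat = re.compile(
        r"Received (local|remote) IP Proxy Subnet data in ID Payload:\s*"
        r"Address ([\d.]+), Mask ([\d.]+), Protocol (\d+)")
    found = {}
    for side, addr, mask, proto in pat.findall(log_text):
        found[side] = (ipaddress.ip_network(f"{addr}/{mask}"), int(proto))
    return found


def ace_matching_log(ids, logged):
    """Return the ACE whose proposal the peer reported.  The concentrator's
    'remote' proxy is the PIX's source side, its 'local' proxy the PIX's
    destination side."""
    for pid in ids:
        if ((pid.local, pid.protocol) == logged.get("remote")
                and (pid.remote, pid.protocol) == logged.get("local")):
            return pid
    return None


def audit_proxy_ids(ids):
    """Flag proposals a peer with a specific policy will reject, and which,
    if accepted, would pull every flow of that protocol into the tunnel."""
    return [f"proto {p.protocol} {p.local} -> {p.remote}: 'any' proxy ID"
            for p in ids if p.local == ANY or p.remote == ANY]


def needs_nat(local_network, remote_host):
    """True when the far side's real address lies inside our own network,
    so traffic to it would never leave for the tunnel without NAT."""
    return ipaddress.ip_address(remote_host) in ipaddress.ip_network(local_network)


if __name__ == "__main__":
    ids = parse_crypto_acl(SAMPLE_CONFIG, "101")
    logged = parse_vpnc_proxy_ids(SAMPLE_LOG)
    print("peer rejected proposal from ACE:", ace_matching_log(ids, logged))
    for finding in audit_proxy_ids(ids):
        print("finding:", finding)
    print("resource 10.0.0.160 needs NAT:", needs_nat("10.0.0.0/24", "10.0.0.160"))
```

Run against the thread's own lines, it points at the `permit icmp any any` ACE as the source of the 0.0.0.0/0 protocol-1 proposal and reports that 10.0.0.160 sits inside the local /24. The same parser can be pointed at a full `show run` and a longer concentrator log to find which ACE a "Policy not found" rejection belongs to.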
 