My setup is this: a PIX 501, using the VPN wizard and PDM to make config changes. The other end of the IPsec tunnel is an SMC 7004FW.
The SMC has the ability to do manual key, which is how I finally got the two to start talking. However, now I can't appear to figure out what the heck is up with the SPI.
I can change the SPI on the SMC quite easily, but I'm confused about the crypto ipsec command and would like some clarification/validation.
As the tunnel stands right now, it's active MD5 DES. When I attempt to ping an address from my network to the SMC I get this:
Code:
702303: sa_request, (key eng. msg.) src= x.x.x.x, dest= lofy_wan, src_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4), dest_proxy= lofy/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Then if I perform a ping from the SMC side of the network I get this:
Code:
402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=esp, spi=0x200(131072)
Here's the part of my config to help illuminate what's going on:
Code:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer lofy_wan
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address lofy_wan netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
Here's the show crypto sa:
Code:
interface: outside
Crypto map tag: outside_map, local addr. x.x.x.x
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (lofy/255.255.255.0/0/0)
current_peer: lofy_wan:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 31, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: lofy_wan
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Here's the show crypto map:
Code:
Crypto Map: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 20 ipsec-isakmp
Peer = lofy_wan
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 172.16.1.0 255.255.255.0 lofy 255.255.255.0 (hitcnt=31)
Current peer: lofy_wan
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ ESP-DES-MD5, }
What can you suggest?
Martin
If the sky is blue and the Sun is yellow.... Why isn't the air Green?
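
A triage sketch for the output quoted in the post, added here as an example (not the poster's code and not a Cisco tool): it checks the SPI in each 402101 message against the SAs listed by show crypto sa, compares the hex and decimal SPI fields, and reports the crypto map mode. The function names are hypothetical, and the `spi: 0x...(...)` format for a populated SA section is an assumption, since every SA section in the post is empty.

```python
import re

# Sample input copied from the post above (addresses were already masked there).
SYSLOG = """\
702303: sa_request, (key eng. msg.) src= x.x.x.x, dest= lofy_wan, src_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4), dest_proxy= lofy/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=esp, spi=0x200(131072)
"""
SHOW_SA = """\
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
"""
SHOW_MAP = 'Crypto Map "outside_map" 20 ipsec-isakmp\n'

def installed_spis(show_sa):
    """Map each '<direction> <proto> sas:' section to the SPIs listed under it."""
    sas, section = {}, None
    for line in map(str.strip, show_sa.splitlines()):
        if m := re.fullmatch(r"((?:in|out)bound (?:esp|ah|pcp)) sas:", line):
            section = m.group(1)
            sas[section] = []
        # Assumed format of a populated entry: "spi: 0x<hex>(<decimal>)"
        elif section and (m := re.match(r"spi:\s*0x([0-9A-Fa-f]+)", line)):
            sas[section].append(int(m.group(1), 16))
    return sas

def rejected_spis(syslog):
    """(protocol, hex field, decimal field) of every 402101 'invalid spi' line."""
    pat = re.compile(r"402101: .*invalid spi .*prot=(\w+), spi=0x([0-9A-Fa-f]+)\((\d+)\)")
    return [(p, int(h, 16), int(d)) for p, h, d in pat.findall(syslog)]

def triage(syslog, show_sa, show_map):
    sas, findings = installed_spis(show_sa), []
    for prot, hexv, decv in rejected_spis(syslog):
        if hexv not in sas.get(f"inbound {prot}", []):
            findings.append(f"peer sent {prot} spi 0x{hexv:x}: no matching inbound SA")
        if hexv != decv:
            findings.append(f"402101 fields disagree: 0x{hexv:x} is {hexv}, log says {decv}")
    if re.search(r"sa_request.*spi= 0x0\(0\)", syslog) and not any(sas.values()):
        findings.append("sa_request still has spi 0 and no SA is installed")
    for name, seq, mode in re.findall(r'Crypto Map "([^"]+)" (\d+) (ipsec-\S+)', show_map):
        findings.append(f"crypto map {name} {seq} is {mode}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SYSLOG, SHOW_SA, SHOW_MAP)))
```
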