pix site to site vpn unable to initiate tunnel from one side


shihlin (MIS), Dec 6, 2004
Hi all, thanks for reading this thread.
I have a question regarding a site-to-site VPN using two PIXes. Currently I have a remote site with a PIX 5153 running version 7.0 (ASDM) installed, with a VPN to the main site's PIX 520 running version 6.3.4. The remote site is able to initiate the VPN tunnel fine if the traffic is going to the main site as the destination. The problems I am having are:
1. My tunnel terminates if there are no interesting packets transmitted between the two sites.
2. I cannot initiate the VPN tunnel from main to remote once the tunnel has already been terminated. For example, pinging a remote-site node still does not establish the tunnel.

I used this document as my guideline for my configuration:

Many thanks,


SL


Following are the show outputs from both the remote and the main site.
aaa – remote site, xxx – main site


=======



From remote PIX:
show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: xxx.xxx.xxx.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE



show crypto ipsec sa
interface: outside
Crypto map tag: colo, seq num: 20, local addr: aaa.aaa.aaa.130

access-list 100 permit ip 192.aaa.aaa.0 255.aaa.aaa.0 10.xxx.xxx.0 255.xxx.xxx.0
local ident (addr/mask/prot/port): (192.aaa.aaa.0/255.aaa.aaa.0/0/0)
remote ident (addr/mask/prot/port): (10.xxx.xxx.0/255.xxx.xxx.0/0/0)
current_peer: xxx.xxx.xxx.1

#pkts encaps: 25064, #pkts encrypt: 25064, #pkts digest: 25064
#pkts decaps: 22323, #pkts decrypt: 22323, #pkts verify: 22323
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 25064, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: aaa.aaa.aaa.130, remote crypto endpt.: xxx.xxx.xxx.1

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 6A313184

inbound esp sas:
spi: 0xF9AA2745 (4188677957)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: colo
sa timing: remaining key lifetime (kB/sec): (4274790/27086)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x6A313184 (1781608836)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: colo
sa timing: remaining key lifetime (kB/sec): (4274641/27086)
IV size: 8 bytes
replay detection support: Y


==============================================================


From Main PIX:
show crypto isakmp sa

Total : 8
Embryonic : 0
dst src state pending created
....
xxx.xxx.xxx.1 aaa.aaa.aaa.130 QM_IDLE 0 2
....


show crypto ipsec sa

local ident (addr/mask/prot/port): (10.xxx.xxx.0/255.xxx.xxx.0/0/0)
remote ident (addr/mask/prot/port): (192.aaa.aaa.0/255.aaa.aaa.0/0/0)
current_peer: aaa.aaa.aaa.130:500
PERMIT, flags={}
#pkts encaps: 20822, #pkts encrypt: 20822, #pkts digest 20822
#pkts decaps: 23131, #pkts decrypt: 23131, #pkts verify 23131
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: xxx.xxx.xxx.1, remote crypto endpt.: aaa.aaa.aaa.130
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: f9aa2745

inbound esp sas:
spi: 0x6a313184(1781608836)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 18, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607738/27573)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0xf9aa2745(4188677957)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 17, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607876/27557)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:
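
As an added example that is not part of this thread, the Python checker below parses the two `show crypto ipsec sa` captures above and cross-checks them the way you would by eye: each side's inbound ESP SPI must equal the other side's outbound SPI, the proxy identities must be mirror images, and both ends must agree on the transform. It understands both output dialects shown here (PIX 7.0 with `kB/sec` and a colon after `digest`, PIX 6.3 with `k/sec` and a trailing ` ,` after the transform) and flags legacy ESP algorithms such as `esp-3des`. The embedded sample outputs are constructed (RFC 5737 documentation addresses, with the thread's SPIs and packet counters); the function and regex names are my own, not PIX or Cisco APIs.

```python
# Added example, not from the thread: parse `show crypto ipsec sa` from both ends of a
# PIX L2L tunnel and cross-check that the SA pair matches. Accepts both dialects seen in
# the thread: PIX 7.0 ("kB/sec", colon after "digest") and PIX 6.3 ("k/sec", "... ,").
# The sample outputs are constructed (RFC 5737 addresses; SPIs/counters as in the thread).
import re
from dataclasses import dataclass, field
from typing import List

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\):\s*\(([^/]+)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps):?\s*(\d+)")
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")          # "current outbound spi: ..." has no 0x: skipped
TRANSFORM_RE = re.compile(r"transform:\s*(.*?)\s*,?\s*$")  # tolerates 6.3's trailing " ,"
LIFETIME_RE = re.compile(r"remaining key lifetime \((?:kB|k)/sec\):\s*\(\d+/(\d+)\)")
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # DES, 3DES (Sweet32), HMAC-MD5, none

@dataclass
class EspSa:
    spi: int
    transform: str = ""
    secs_left: int = 0

@dataclass
class IpsecSaReport:
    local_net: str = ""
    remote_net: str = ""
    encaps: int = 0
    decaps: int = 0
    inbound: List[EspSa] = field(default_factory=list)
    outbound: List[EspSa] = field(default_factory=list)

def parse_ipsec_sa(text: str) -> IpsecSaReport:
    rep, direction, cur = IpsecSaReport(), None, None   # direction: "in", "out" or None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IDENT_RE.match(line):
            setattr(rep, f"{m.group(1)}_net", m.group(2)); continue
        if m := PKTS_RE.search(line):
            setattr(rep, m.group(1), int(m.group(2))); continue
        if line.endswith("sas:"):          # esp/ah/pcp section header; only ESP is collected
            direction = {"inbound esp sas:": "in", "outbound esp sas:": "out"}.get(line)
            cur = None; continue
        if m := SPI_RE.match(line):
            if direction is None: continue  # an SPI under ah/pcp is not an ESP SA
            cur = EspSa(spi=int(m.group(1), 16))
            (rep.inbound if direction == "in" else rep.outbound).append(cur); continue
        if cur is None: continue
        if m := TRANSFORM_RE.match(line):
            cur.transform = m.group(1)
        elif m := LIFETIME_RE.search(line):
            cur.secs_left = int(m.group(1))
    return rep

def cross_check(a: IpsecSaReport, b: IpsecSaReport) -> List[str]:
    """Findings where the two ends disagree; an empty list means a consistent SA pair."""
    f, a_in, a_out = [], {s.spi for s in a.inbound}, {s.spi for s in a.outbound}
    b_in, b_out = {s.spi for s in b.inbound}, {s.spi for s in b.outbound}
    if a_in != b_out:   # A decrypts what B encrypts: A's inbound SPI must be B's outbound SPI
        f.append(f"A inbound SPIs {sorted(map(hex, a_in))} != B outbound SPIs {sorted(map(hex, b_out))}")
    if a_out != b_in:
        f.append(f"A outbound SPIs {sorted(map(hex, a_out))} != B inbound SPIs {sorted(map(hex, b_in))}")
    if (a.local_net, a.remote_net) != (b.remote_net, b.local_net):
        f.append(f"proxy IDs are not mirror images: A {a.local_net}->{a.remote_net}, "
                 f"B {b.local_net}->{b.remote_net}")
    a_t, b_t = {s.transform for s in a.inbound + a.outbound}, {s.transform for s in b.inbound + b.outbound}
    if a_t != b_t:
        f.append(f"transform sets differ: A {sorted(a_t)} vs B {sorted(b_t)}")
    return f

def weak_transforms(rep: IpsecSaReport) -> List[str]:   # legacy ESP algorithms in use, e.g. ['esp-3des']
    return sorted({alg for s in rep.inbound + rep.outbound for alg in s.transform.split() if alg in LEGACY})

REMOTE_PIX70 = """\
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.30.0/255.255.255.0/0/0)
      #pkts encaps: 25064, #pkts encrypt: 25064, #pkts digest: 25064
      #pkts decaps: 22323, #pkts decrypt: 22323, #pkts verify: 22323
    inbound esp sas:
      spi: 0xF9AA2745 (4188677957)
         transform: esp-3des esp-sha-hmac
         sa timing: remaining key lifetime (kB/sec): (4274790/27086)
    outbound esp sas:
      spi: 0x6A313184 (1781608836)
         transform: esp-3des esp-sha-hmac
         sa timing: remaining key lifetime (kB/sec): (4274641/27086)
"""
MAIN_PIX63 = """\
   local  ident (addr/mask/prot/port): (10.20.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    #pkts encaps: 20822, #pkts encrypt: 20822, #pkts digest 20822
    #pkts decaps: 23131, #pkts decrypt: 23131, #pkts verify 23131
     inbound esp sas:
      spi: 0x6a313184(1781608836)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607738/27573)
     outbound esp sas:
      spi: 0xf9aa2745(4188677957)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607876/27557)
"""
```

On the two captures in the thread the check comes back clean: 0xF9AA2745 is inbound on the remote PIX and outbound on the main PIX, 0x6A313184 the other way round, the proxy identities mirror each other and both ends run esp-3des/esp-sha-hmac. That tells you the SA pair that exists is healthy; it says nothing about why the main site cannot bring a torn-down tunnel back up, which is why the next reply asks for the running configs. The one thing this output does flag on its own is the cipher: 3DES is a legacy 64-bit-block algorithm and would not be the choice for a new tunnel.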
 
Can you show your running config for both? Also, what kind of line do you have at the remote site? DSL?
 
Thank you for the prompt reply. The remote site is using a dedicated leased line. I uploaded the show run to a website. I tried to keep it as original as possible, but I had to delete sensitive command lines.
aaa is the remote site, and xxx is the main site.

Main: Remote:
Thank you so much,


SL
 