
PIX to PIX IPSEC VPN IKE Phase 2 problem

Status
Not open for further replies.

jjk3 (MIS, US), Nov 18, 2002:
I am trying to setup a branch office with a site-to-site VPN to our HQ office. The HQ PIX is a 515E with an existing VPN to an existing router at another site. The branch office has a PIX 501.

The debug crypto isakmp looks OK on the 501, except that it looks to me as though it is not completing IKE Phase 2.

Code:
ISAKMP (0): processing SA payload. message ID = 3634014145

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer  aa.bbb.194.253
VPN Peer:ISAKMP: Peer Info for aa.bbb.194.253/500 not found - peers:1

I believe this would be caused by an issue in a mismatched transform-set, but everything looks OK to me.

Pertinent config info is below. Any help or ideas would be great. Thanks!

HQ PIX 515E
Code:
access-list VPN-IRL remark Prevent any VoIP traffic to be routed over the VPN to IRL
access-list VPN-IRL deny ip 10.10.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list VPN-IRL remark Allow VPN connection to IRL
access-list VPN-IRL permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list VPN-HIL remark Allow VPN connection to HIL
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to IRL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.18.0.0 255.255.0.0
access-list NO-NAT remark Don't NAT traffic sent to HIL
access-list NO-NAT permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN-IRL
crypto map VPN 100 set peer ccc.dd.154.114
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN 200 ipsec-isakmp
crypto map VPN 200 match address VPN-HIL
crypto map VPN 200 set peer xxx.yyy.191.66
crypto map VPN 200 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address ccc.dd.154.114 netmask 255.255.255.255
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600

Branch PIX 501
Code:
access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
access-list NO-NAT permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN
crypto map VPN 100 set peer aa.bbb.194.253
crypto map VPN 100 set transform-set ESP-AES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 3600

I can post the entire debug session from both firewalls if it will help.

Thanks

Joe

---------------------------------------
Joe Keegan - Joe@jjk3.com
SANS GSEC & GCFW
CCSE, CCNA, CCSA & Sun Certified
 
NetworkGhost:

Branch office 501:

crypto map VPN 100 set peer aa.bbb.194.253

Looks like you have the peer set as itself?

Change it to the remote Pix IP.
 
jjk3:

Thanks for the reply, NetworkGhost, but that's not the case. I should have included IP info for the PIXs.

HQ PIX IP = aa.bbb.194.253
Branch PIX IP = xxx.yyy.191.66

Any other ideas?

---------------------------------------
Joe Keegan - Joe@jjk3.com
SANS GSEC & GCFW
CCSE, CCNA, CCSA & Sun Certified
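The thread closes without a resolution, so here is an added example (mine, not the poster's or Cisco's) that does the comparison the poster did by eye. It pulls the Phase 2 proposal out of the pasted "debug crypto isakmp" output (decoding the kilobyte lifetime, which the PIX prints as raw bytes) and checks it against the local transform-set and SA lifetime, then checks that the two pasted configs mirror each other: same transform-set, mirror-image crypto ACLs, and an isakmp key for the other peer on each side. The debug lines and config fragments are copied from the posts above, trimmed to the lines the checks read; the peer IPs are the two the poster gave. Everything else (helper names, the debug-name-to-keyword tables) is my own.

```python
"""Added example: check a PIX 6.x site-to-site IPsec setup two ways.
(1) Parse the Phase 2 proposal from 'debug crypto isakmp' and compare it with
the local transform-set and SA lifetime. (2) Check that the two peers' configs
mirror each other. Inputs are the thread's own snippets, trimmed; IPs as posted."""
import re

DEBUG = """\
ISAKMP: transform 1, ESP_AES
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
"""
HQ_IP, BRANCH_IP = "aa.bbb.194.253", "xxx.yyy.191.66"
HQ_CFG = """\
access-list VPN-HIL permit ip 10.0.0.0 255.192.0.0 172.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 200 ipsec-isakmp
crypto map VPN 200 match address VPN-HIL
crypto map VPN 200 set peer xxx.yyy.191.66
crypto map VPN 200 set transform-set ESP-AES-SHA
isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
"""
BRANCH_CFG = """\
access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0 255.192.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 match address VPN
crypto map VPN 100 set peer aa.bbb.194.253
crypto map VPN 100 set transform-set ESP-AES-SHA
isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255
"""
# Debug-output names -> (transform-set keyword, required key length); esp-aes is 128-bit on PIX 6.x.
ESP = {"ESP_AES": ("esp-aes", 128), "ESP_3DES": ("esp-3des", None), "ESP_DES": ("esp-des", None)}
AUTH = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}


def parse_proposal(debug):
    """Pull the peer's Phase 2 proposal attributes out of the debug text."""
    def g(pat): return re.search(pat, debug).group(1)
    # The kilobyte lifetime is printed as raw big-endian bytes: 0x0 0x46 0x50 0x0 = 4608000.
    vpi = bytes(int(b, 16) for b in g(r"\(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)").split())
    return {"esp": g(r"transform \d+, (\S+)"), "auth": g(r"authenticator is (\S+)"),
            "keylen": int(g(r"key length is (\d+)")),
            "life_seconds": int(g(r"\(basic\) of (\d+)")), "life_kb": int.from_bytes(vpi, "big")}


def parse_config(cfg):
    """Collect transform-sets, crypto ACLs, crypto map entries and isakmp keys."""
    c = {"tsets": {}, "acls": {}, "maps": {}, "keys": set(), "sa_seconds": None}
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][t[3]] = tuple(t[4:])
        elif t[:3] == ["crypto", "ipsec", "security-association"]:
            c["sa_seconds"] = int(t[5])
        elif t[:1] == ["access-list"] and t[2] in ("permit", "deny"):
            c["acls"].setdefault(t[1], []).append(tuple(t[2:8]))  # action proto src mask dst mask
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = c["maps"].setdefault(t[3], {})
            if t[4] == "match":
                entry["acl"] = t[6]
            elif t[4] == "set":
                entry[t[5]] = t[6]  # "peer" or "transform-set"
        elif t[:2] == ["isakmp", "key"]:
            c["keys"].add(t[4])
    return c


def check_proposal(prop, cfg):
    """Reasons this PIX would not accept the proposal (empty list = acceptable)."""
    esp_kw, keylen = ESP.get(prop["esp"], (prop["esp"].lower(), None))
    auth_kw = AUTH.get(prop["auth"], prop["auth"].lower())
    problems = []
    if not any(esp_kw in ts and auth_kw in ts for ts in cfg["tsets"].values()):
        problems.append(f"no transform-set offers {esp_kw} + {auth_kw}")
    if keylen and prop["keylen"] != keylen:
        problems.append(f"key length {prop['keylen']} does not fit {esp_kw}")
    if cfg["sa_seconds"] and prop["life_seconds"] != cfg["sa_seconds"]:
        problems.append(f"SA lifetime {prop['life_seconds']}s differs from local {cfg['sa_seconds']}s")
    return problems


def check_mirror(cfg_a, ip_a, cfg_b, ip_b):
    """Mismatches between a's crypto map entry for b and b's entry for a."""
    ea = next((e for e in cfg_a["maps"].values() if e.get("peer") == ip_b), None)
    eb = next((e for e in cfg_b["maps"].values() if e.get("peer") == ip_a), None)
    if ea is None or eb is None:
        return ["one side has no crypto map entry whose peer is the other side"]
    problems = []
    if cfg_a["tsets"].get(ea.get("transform-set")) != cfg_b["tsets"].get(eb.get("transform-set")):
        problems.append("transform-sets differ")
    # Crypto ACL permits must be mirror images: a's (src, dst) == b's (dst, src).
    pa = {(l[1], l[2], l[3], l[4], l[5]) for l in cfg_a["acls"].get(ea.get("acl"), []) if l[0] == "permit"}
    pb = {(l[1], l[4], l[5], l[2], l[3]) for l in cfg_b["acls"].get(eb.get("acl"), []) if l[0] == "permit"}
    if pa != pb:
        problems.append(f"crypto ACLs are not mirror images: {sorted(pa ^ pb)}")
    for side, cfg, peer in (("a", cfg_a, ip_b), ("b", cfg_b, ip_a)):
        if peer not in cfg["keys"]:
            problems.append(f"side {side} has no isakmp key for peer {peer}")
    return problems


if __name__ == "__main__":
    prop = parse_proposal(DEBUG)
    print("proposal:", prop)
    print("branch rejects proposal for:", check_proposal(prop, parse_config(BRANCH_CFG)) or "nothing")
    print("mirror mismatches:", check_mirror(parse_config(HQ_CFG), HQ_IP, parse_config(BRANCH_CFG), BRANCH_IP) or "none")
```

On the thread's input both checks come back empty: the proposal (esp-aes 128, HMAC-SHA, 3600 s, 4608000 KB, which is the PIX default kilobyte lifetime) matches the ESP-AES-SHA transform-set and SA lifetime on both boxes, and the two configs mirror each other, which agrees with the poster's own reading. The checks only cover what is in the pasted lines; they say nothing about the rest of either config or about what the 501 is licensed to run, so a clean result narrows the search rather than ending it.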
 