I don't see anything wrong in your config, even though I've had
situations in the past where the preshared key or the crypto map
"CISCO VPN engineers said' gets corrupted by adding and removing
commands in a certain order.
If you removed the map first replaced the key, and then reapplied the
map, that should have fixed the issue. For the sake of it, could you
please post isakmp debug from HQ as well?
As this is not a very elaborated vpn config, I also suggest to
completly remove it, write mem, reboot, and then past it again using
the cli.
Keep us posted
HTH
Julian Dragut
On 2/7/06, Joe Keegan <jkeegan_at_monstercable.com> wrote:
> Julian,
>
> Thanks for the response. I remove the passphrase are related configs and
> added a very simple pass phrase and I am receiving the same errors.
>
> Any other ideas?
>
> Thanks
>
> Joe
>
> > -----Original Message-----
> > From: Julian M D [mailto:julianmd_at_gmail.com]
> > Sent: Tuesday, February 07, 2006 2:36 PM
> > To: Horvath, Kevin M.
> > Cc: Joe Keegan; firewall-wizards_at_honor.icsalabs.com
> > Subject: Re: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
> >
> > Addition to the last post:
> >
> > on the HQ pix if you use the clear isakmp key, it is also
> > going to erase the existing vpn preshared key, so you better
> > removed with "no", rather than clear command.
> >
> > HTH
> >
> > On 2/7/06, Julian M D <julianmd_at_gmail.com> wrote:
> > > Hi there,
> > > This is most probably because of the corruption in the
> > preshared key,
> > > so my advice is to do this on both pixes:
> > >
> > > HQ PIX
> > >
> > > no crypto map VPN interface outside
> > > clear isakmp key
> > > isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
> > > crypto map VPN interface outside
> > >
> > > REMOTE 501
> > >
> > > no crypto map VPN interface outside
> > > clear isakmp key
> > > isakmp key ******** address aa.bbb.194.253 netmask 255.255.255.255
> > > crypto map VPN interface outside
> > >
> > > wr mem
> > > clear crypto isakmp sa
> > > clear crypto ipsec sa
> > >
> > > Good luck,
> > >
> > > Julian Dragut
> > >
> > >
> > > please use the copy and paste when setting up the preshared key
> > >
> > > On 2/7/06, Horvath, Kevin M. <KEVIN.M.HORVATH_at_saic.com> wrote:
> > > >
> > > >
> > > >
> > > > isakmp key ******** address xxx.yyy.191.66 netmask 255.255.255.255
> > > >
> > > >
> > > >
> > > > Verify that the you can reach the HQ ip from the 501 via
> > udp 500 and verify that the key matches what you have in the
> > 501 config......reset both keys to (no spaces either) the same
> > passphrase and try again.
> > > >
> > > >
> > > >
> > > >
> > > > Kevin M. Horvath
> > > > CISSP,CCSP,INFOSEC,CCNA
> > > >
> > > >
> > > >
> > > >
> > > > ________________________________
> > >
> > > >
> > > > From: firewall-wizards-admin_at_honor.icsalabs.com
> > > > [mailto:firewall-wizards-admin_at_honor.icsalabs.com] On
> > Behalf Of Joe
> > > > Keegan
> > > > Sent: Monday, February 06, 2006 12:37 PM
> > > > To: firewall-wizards_at_honor.icsalabs.com
> > > > Subject: [fw-wiz] PIX to PIX IPSEC VPN IKE Phase 2 problem
> > > >
> > > >
> > > >
> > > >
> > > > I am trying to setup a branch office with a site-to-site
> > VPN to our HQ office. The HQ PIX is a 515E with an existing
> > VPN to an existing router at another site. The branch office
> > has a PIX 501.
> > > >
> > > > The debug crypto isakmp looks ok on the 501 except it
> > looks to me that it is not completing IKE Phase 2.
> > > >
> > > > ISAKMP (0): processing SA payload. message ID = 3634014145
> > > >
> > > > ISAKMP : Checking IPSec proposal 1
> > > >
> > > > ISAKMP: transform 1, ESP_AES
> > > > ISAKMP: attributes in transform:
> > > > ISAKMP: encaps is 1
> > > > ISAKMP: SA life type in seconds
> > > > ISAKMP: SA life duration (basic) of 3600
> > > > ISAKMP: SA life type in kilobytes
> > > > ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> > > > ISAKMP: authenticator is HMAC-SHA
> > > > ISAKMP: key length is 128
> > > > ISAKMP (0): atts not acceptable. Next payload is 0 ISAKMP (0): SA
> > > > not acceptable!
> > > > ISAKMP (0): sending NOTIFY message 14 protocol 0 return status is
> > > > IKMP_ERR_NO_RETRANS
> > > > ISAKMP: No cert, and no keys (public or pre-shared) with
> > remote peer
> > > > aa.bbb.194.253 VPN Peer:ISAKMP: Peer Info for
> > aa.bbb.194.253/500 not
> > > > found - peers:1
> > > >
> > > > I believe this would be caused by an issue in a
> > mismatched transform-set, but everything looks OK to me.
> > > >
> > > > Pertinent config info is below. Any help or ideas would
> > be great. thanks!
> > > >
> > > > HQ PIX 515E
> > > >
> > > > access-list VPN-IRL remark Prevent any VoIP traffic to be routed
> > > > over the VPN to IRL access-list VPN-IRL deny ip 10.10.0.0
> > > > 255.255.0.0 172.18.0.0 255.255.0.0 access-list VPN-IRL
> > remark Allow
> > > > VPN connection to IRL access-list VPN-IRL permit ip 10.0.0.0
> > > > 255.192.0.0 172.18.0.0 255.255.0.0 access-list VPN-HIL
> > remark Allow
> > > > VPN connection to HIL access-list VPN-HIL permit ip 10.0.0.0
> > > > 255.192.0.0 172.20.0.0 255.255.0.0 access-list NO-NAT
> > remark Don't
> > > > NAT traffic sent to IRL access-list NO-NAT permit ip 10.0.0.0
> > > > 255.192.0.0 172.18.0.0 255.255.0.0 access-list NO-NAT
> > remark Don't
> > > > NAT traffic sent to HIL access-list NO-NAT permit ip 10.0.0.0
> > > > 255.192.0.0 172.20.0.0 255.255.0.0 nat (inside) 0
> > access-list NO-NAT
> > > > sysopt connection permit-ipsec crypto ipsec transform-set
> > > > ESP-AES-SHA esp-aes esp-sha-hmac crypto ipsec
> > security-association
> > > > lifetime seconds 3600 crypto map VPN 100 ipsec-isakmp
> > crypto map VPN
> > > > 100 match address VPN-IRL crypto map VPN 100 set peer
> > ccc.dd.154.114
> > > > crypto map VPN 100 set transform-set ESP-AES-SHA crypto
> > map VPN 200
> > > > ipsec-isakmp crypto map VPN 200 match address VPN-HIL
> > crypto map VPN
> > > > 200 set peer xxx.yyy.191.66 crypto map VPN 200 set transform-set
> > > > ESP-AES-SHA crypto map VPN interface outside isakmp
> > enable outside
> > > > isakmp key ******** address ccc.dd.154.114 netmask
> > 255.255.255.255
> > > > isakmp key ******** address xxx.yyy.191.66 netmask
> > 255.255.255.255
> > > > isakmp identity address isakmp policy 100 authentication
> > pre-share
> > > > isakmp policy 100 encryption aes isakmp policy 100 hash
> > sha isakmp
> > > > policy 100 group 2 isakmp policy 100 lifetime 3600
> > > >
> > > > Branch PIX 501
> > > >
> > > > access-list VPN permit ip 172.20.0.0 255.255.0.0 10.0.0.0
> > > > 255.192.0.0 access-list NO-NAT permit ip 172.20.0.0 255.255.0.0
> > > > 10.0.0.0 255.192.0.0 nat (inside) 0 access-list NO-NAT sysopt
> > > > connection permit-ipsec crypto ipsec transform-set ESP-AES-SHA
> > > > esp-aes esp-sha-hmac crypto ipsec security-association lifetime
> > > > seconds 3600 crypto map VPN 100 ipsec-isakmp crypto map VPN 100
> > > > match address VPN crypto map VPN 100 set peer
> > aa.bbb.194.253 crypto
> > > > map VPN 100 set transform-set ESP-AES-SHA crypto map VPN
> > interface
> > > > outside isakmp enable outside isakmp key ******** address
> > > > aa.bbb.194.253 netmask 255.255.255.255 isakmp identity address
> > > > isakmp policy 100 authentication pre-share isakmp policy 100
> > > > encryption aes isakmp policy 100 hash sha isakmp policy
> > 100 group 2
> > > > isakmp policy 100 lifetime 3600
> > > >
> > > > I can post the entire debug session from both firewalls
> > if it will help.
> > > >
> > > > IP's for the two devices are as follows
> > > >
> > > > HQ PIX IP = aa.bbb.194.253
> > > > Branch PIX IP = xxx.yyy.191.66
> > > >
> > > > Thanks
> > > >
> > > > Joe
> > > >
> > > > ---------------------------------------------
> > > > Joe Keegan IT Systems Architect
> > > > (415) 330-2676 jkeegan_at_monstercable.com
> > >
> >
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 08 2006
Intro
