Cisco Pix 515e Version 8.04 - IPsec Site to Site
  • Cisco Pix 515e Version 8.04 - IPsec Site to Site

    Hi Guys,

    I am having some trouble configuring a VPN tunnel to a remote office and allowing the remote office to connect through the VPN to some remote networks.

    We have a Cisco 3750 configured with 3 Vlans.

    VLAN 1 = 10.0.0.1 255.255.255.0
    VLAN 2 = 10.0.2.1 255.255.255.0
    VLAN 3 = 10.0.4.1 255.255.255.0

    We have a Cisco Pix 515e as our internet firewall/VPN endpoint located on VLAN 1 with address 10.0.0.5.

    We have a Cisco Pix 505 located on VLAN 3 which is connected to a Cisco router which provides us with access to a private organisation's network; their IPs are 10.157.x.x and 10.158.x.x.

    Internally from VLAN 1 I can connect everywhere, no problem.


    What I want to be able to do is connect our remote office 10.0.1.0 255.255.255.0 to our Cisco Pix 515e using a site-to-site VPN.

    I have already configured this and have it working, but I am only able to communicate from
    10.0.1.0 255.255.255.0 to 10.0.0.0 255.255.255.0.

    I need remote office 10.0.1.0 to be able to communicate with all VLANs and the private organisation's network 10.157.x.x.

    I have had this working by configuring the crypto map to protect 10.0.0.0 255.0.0.0 traffic, as I can only specify 1 crypto map.

    ##config##

    access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 84.45.153.53
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal

    ### config ####

    This config works but it is not correct in my opinion.

    Our private network connected to a private organisation has other sites with non-10.x.x.x ranges that we need to connect to, so I will need to change my crypto maps.

    I also tried changing

    access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0

    to

    access-list outside_1_cryptomap extended permit ip any 10.0.1.0 255.255.255.0

    But the VPN would not even come up. I get

    Group = 84.45.153.53, IP = 84.45.153.53, QM FSM error (P2 struct &0x353b280, mess id 0xabd56a35)!

    Group = 84.45.153.53, IP = 84.45.153.53, All IPSec SA proposals found unacceptable!

    Can you have more than 1 crypto map per VPN tunnel?

    The device at our remote office 10.0.1.0 is a Vigor 2600. I have configured this device with the necessary routes through the VPN, but if I don't specify the remote network as 10.0.0.0 255.255.255.0 the SAs do not negotiate. I tried setting 0.0.0.0 0.0.0.0, no luck.


    Hope some of you may be able to help.

    Thanks
    Last edited by ikon; 1st October 2009, 09:12.
    MCSE 2003; MCTS Vista; Sec+; CCNA
    Attitude Makes The Difference!
    in other words you got to WANT to do it..
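    The "All IPSec SA proposals found unacceptable" / QM FSM error above is what the PIX reports when the quick-mode proposals do not match. The following is an added example, not the poster's config or any Cisco/DrayTek code: it parses a PIX crypto-map ACL entry into its local/remote traffic selectors and checks them, plus the PFS setting, against the far end's local/remote networks. It assumes the far end, like the PIX, requires mirror-image proxy IDs; the peer values in the `__main__` block are constructed for illustration.

```python
import re
from ipaddress import ip_network

# PIX extended ACL entry used as a crypto-map "match address": the source is the
# traffic this end protects (local proxy ID), the destination is the remote side.
ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)"
)


def to_net(token):
    """'10.0.0.0 255.0.0.0' -> 10.0.0.0/8; 'any' -> 0.0.0.0/0."""
    if token == "any":
        return ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ip_network(f"{addr}/{mask}")  # ipaddress accepts dotted netmasks


def parse_crypto_acl(line):
    """Return (local, remote) traffic selectors from one PIX crypto ACL entry."""
    m = ACL_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a crypto ACL entry: {line!r}")
    return to_net(m.group("src")), to_net(m.group("dst"))


def check_phase2(pix_acl, pix_pfs, peer_local, peer_remote, peer_pfs):
    """List quick-mode mismatches between the PIX and the far-end router.

    The far end must mirror the PIX ACL exactly: its 'remote network' equals the
    PIX source, its 'local network' equals the PIX destination, and both sides
    agree on PFS (a DH group number, or None for disabled). An empty list means
    the proposals would be acceptable.
    """
    pix_local, pix_remote = parse_crypto_acl(pix_acl)
    far_local, far_remote = ip_network(peer_local), ip_network(peer_remote)
    problems = []
    if pix_local != far_remote:
        problems.append(f"PIX protects {pix_local} but peer expects remote {far_remote}")
    if pix_remote != far_local:
        problems.append(f"PIX expects remote {pix_remote} but peer local is {far_local}")
    if pix_pfs != peer_pfs:
        problems.append(f"PFS mismatch: PIX={pix_pfs} peer={peer_pfs}")
    return problems


if __name__ == "__main__":
    # Constructed case: PIX protects 10.0.0.0/8 while the peer is told the remote
    # network is 10.0.0.0/24, so the proxy IDs do not mirror.
    acl = "access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0"
    for p in check_phase2(acl, 1, "10.0.1.0/24", "10.0.0.0/24", 1):
        print(p)
```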


  • #2
    Re: Cisco Pix 515e Version 8.04 - IPsec Site to Site

    OK, I changed my

    access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0

    to

    access-list outside_1_cryptomap extended permit ip any 10.0.1.0 255.255.255.0

    and the Vigor router config has the remote network set to 0.0.0.0 0.0.0.0.

    The VPN has come up and traffic is flowing nicely; however it seems very unstable. It disconnects sometimes after a few minutes and I get errors like


    Code:
     
    Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-vpn-4-713903: Group = 84.45.153.53, IP = 84.45.153.53, Error: Unable to remove PeerTblEntry 
     
    Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:06m:43s, Bytes xmt: 2194552, Bytes rcv: 2497331, Reason: Phase 2 Mismatch 
     
    Oct 01 12:25:50 10.0.0.5 :Oct 01 12:25:50 GMT/BDT: %PIX-vpn-3-713122: IP = 84.45.153.53, Keep-alives configured on but peer does not support keep-alives (type = None) 
     
    Oct 01 12:25:55 10.0.0.5 :Oct 01 12:25:55 GMT/BDT: %PIX--4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3194 
     
    Oct 01 12:25:56 10.0.0.5 :Oct 01 12:25:56 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:00m:06s, Bytes xmt: 1138, Bytes rcv: 0, Reason: Unknown 
     
    Oct 01 12:25:57 10.0.0.5 :Oct 01 12:25:57 GMT/BDT: %PIX-vpn-4-713903: Group = 84.45.153.53, IP = 84.45.153.53, Freeing previously allocated memory for authorization-dn-attributes 
    Oct 01 12:25:57 10.0.0.5 :Oct 01 12:25:57 GMT/BDT: %PIX-vpn-3-713122: IP = 84.45.153.53, Keep-alives configured on but peer does not support keep-alives (type = None) 
     
    Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-ids-4-400010: IDS:2000 ICMP echo reply from 87.127.88.145 to 87.127.88.147 on interface outside 
    Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-3-713902: Group = 84.45.153.53, IP = 84.45.153.53, QM FSM error (P2 struct &0x35a55d8, mess id 0x4da6d3e9)! 
     
    Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-1-713900: Group = 84.45.153.53, IP = 84.45.153.53, construct_ipsec_delete(): No SPI to identify Phase 2 SA! 
     
    Oct 01 12:26:05 10.0.0.5 :Oct 01 12:26:05 GMT/BDT: %PIX--4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3242

    Then the VPN comes back up and all is well. Using my old crypto map ACL to just allow 10.0.0.0 255.255.255.0 to 10.0.1.0 255.255.255.0 to be protected, the VPN is very stable.

    Any ideas on this, or advice on how to set this up better?

    Thanks
    MCSE 2003; MCTS Vista; Sec+; CCNA
    Attitude Makes The Difference!
    in other words you got to WANT to do it..
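    The log above carries the diagnosis in its message IDs: 113019 with "Reason: Phase 2 Mismatch", the 713902 QM FSM error and the 713122 keep-alive warning. The following is an added example, not the poster's code or anything from Cisco: it parses PIX/ASA-style syslog lines, tallies IKE disconnects by reason and flags quick-mode trouble. The sample lines are constructed in the shape of the quoted messages, using a documentation peer address.

```python
import re
from collections import Counter

# Constructed sample in the format of the thread's syslog output (peer address is
# a documentation address, not the real one).
SAMPLE_LOG = """\
Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-auth-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IKE, Duration: 0h:06m:43s, Bytes xmt: 2194552, Bytes rcv: 2497331, Reason: Phase 2 Mismatch
Oct 01 12:25:50 10.0.0.5 :Oct 01 12:25:50 GMT/BDT: %PIX-vpn-3-713122: IP = 203.0.113.10, Keep-alives configured on but peer does not support keep-alives (type = None)
Oct 01 12:25:56 10.0.0.5 :Oct 01 12:25:56 GMT/BDT: %PIX-auth-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IKE, Duration: 0h:00m:06s, Bytes xmt: 1138, Bytes rcv: 0, Reason: Unknown
Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-3-713902: Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0x0, mess id 0x0)!
"""

# %PIX-<facility>-<severity>-<message id>: <body>; facility may be empty (%PIX--4-...)
MSG_RE = re.compile(r"%PIX-(?P<facility>\w*)-(?P<sev>\d)-(?P<id>\d+): (?P<body>.*)$")
REASON_RE = re.compile(r"Reason: (?P<reason>.+?)\s*$")
DURATION_RE = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not a PIX message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"id": m.group("id"), "severity": int(m.group("sev")), "body": m.group("body").strip()}
    if rec["id"] == "113019":  # session disconnected: extract why and how long it lived
        r = REASON_RE.search(rec["body"])
        d = DURATION_RE.search(rec["body"])
        rec["reason"] = r.group("reason") if r else "Unknown"
        rec["duration_s"] = int(d[1]) * 3600 + int(d[2]) * 60 + int(d[3]) if d else None
    return rec


def summarise(text):
    """Count events per message ID and IKE disconnects per reason; flag phase-2 symptoms."""
    by_id, reasons = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_id[rec["id"]] += 1
        if rec["id"] == "113019":
            reasons[rec["reason"]] += 1
    # A QM FSM error (713902) or a 'Phase 2 Mismatch' disconnect points at the
    # quick-mode settings (proxy IDs, PFS, transform set), not at Phase 1 or the link.
    phase2_suspect = by_id["713902"] > 0 or reasons["Phase 2 Mismatch"] > 0
    return {"by_id": dict(by_id), "reasons": dict(reasons), "phase2_suspect": phase2_suspect}
```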



    • #3
      Re: Cisco Pix 515e Version 8.04 - IPsec Site to Site

      I noticed this: Reason: Phase 2 Mismatch
      Have you checked that Phase 2 is configured the same at both ends?
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"



      • #4
        Re: Cisco Pix 515e Version 8.04 - IPsec Site to Site

        Everything is the same as far as the IKE negotiations go, and the IPsec SAs are the same.

        However, I did notice I had Perfect Forward Security enabled on the Vigor and on the PIX it was not enabled. I have disabled it for now to see how it goes; I will enable PFS afterwards as I prefer it for security.

        But as for Phase 2 negotiations, both IKE and IPsec settings were identical. PFS must have caused the issue; we will see in a few minutes.

        Thanks
        MCSE 2003; MCTS Vista; Sec+; CCNA
        Attitude Makes The Difference!
        in other words you got to WANT to do it..



        • #5
          Re: Cisco Pix 515e Version 8.04 - IPsec Site to Site

          So far so good!

          Connected for 2 hours 16 mins.

          Thanks
          MCSE 2003; MCTS Vista; Sec+; CCNA
          Attitude Makes The Difference!
          in other words you got to WANT to do it..



          • #6
            Re: Cisco Pix 515e Version 8.04 - IPsec Site to Site

            Glad to hear. At both ends the configuration should be exactly the same.
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"
