Issue with 2nd vpn setup on cisco 1801 > PIX

  • Issue with 2nd vpn setup on cisco 1801 > PIX

    Hi guys,

    I've got a Cisco 1801/K9 set up at a remote site (94.200.99.62) talking back to an ASA5510 which is the central hub for our company (212.140.27.20).

    Our users at the remote site now want to talk to another office that has a PIX515E firewall with a 2600 series router off that (213.42.89.2).

    Tried to set up another VPN but am getting the following error logs, which lead me to think there's a mismatch in the crypto ACL, but I need some assistance as I'm totally stuck!

    I've attached the config for the 1801 as it is before setting up the new VPN.

    I've attached the config of the PIX that has the new tunnel properties for the 1801.

    I've also attached 'changes to 1801 for new vpn', which is what I think I need to do to get it working.

    Currently I'm getting the following logs from the 1801 with the current setup:

    *May 12 13:05:36.309: ISAKMP: received packet from 213.42.89.2 dport 500 sport 500 Global (R) QM_IDLE
    *May 12 13:05:36.309: ISAKMP: set new node 1294010265 to QM_IDLE
    *May 12 13:05:36.309: ISAKMP2236): processing HASH payload. message ID = 1294010265
    *May 12 13:05:36.313: ISAKMP: processing SA payload. message ID = 1294010265
    *May 12 13:05:36.313: ISAKMP:Checking IPSec proposal 1
    *May 12 13:05:36.313: ISAKMP: transform 1, ESP_AES
    *May 12 13:05:36.313: ISAKMP: attributes in transform:
    *May 12 13:05:36.313: ISAKMP: encaps is 1 (Tunnel)
    *May 12 13:05:36.313: ISAKMP: SA life type in seconds
    *May 12 13:05:36.313: ISAKMP: SA life duration (basic) of 28800
    *May 12 13:05:36.313: ISAKMP: SA life type in kilobytes
    *May 12 13:05:36.313: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    *May 12 13:05:36.313: ISAKMP: authenticator is HMAC-MD5
    *May 12 13:05:36.313: ISAKMP: key length is 128
    *May 12 13:05:36.313: ISAKMP:atts are acceptable.
    *May 12 13:05:36.313: ISAKMP: IPSec policy invalidated proposal with error 64
    *May 12 13:05:36.313: ISAKMP: phase 2 SA policy not acceptable! (local 94.200.99.62 remote 213.42.89.2)
    *May 12 13:05:36.313: ISAKMP: set new node 474133668 to QM_IDLE
    *May 12 13:05:36.313: ISAKMP:Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 2224566456, message ID = 474133668
    *May 12 13:05:36.313: ISAKMP: sending packet to 213.42.89.2 my_port 500 peer_port 500 (R) QM_IDLE
    *May 12 13:05:36.313: ISAKMP:Sending an IKE IPv4 Packet.
    *May 12 13:05:36.313: ISAKMP purging node 474133668
    *May 12 13:05:36.313: ISAKMP:deleting node 1294010265 error TRUE reason "QM rejected"
    *May 12 13:05:36.313: ISAKMP:Node 1294010265, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *May 12 13:05:36.313: ISAKMP:Old State = IKE_QM_READY New State = IKE_QM_READY
    *May 12 13:05:37.233: ISAKMP: set new node -113941516 to QM_IDLE
    *May 12 13:05:37.233: ISAKMP:Sending NOTIFY DPD/R_U_THERE protocol 1
    spi 2224566904, message ID = -113941516
    *May 12 13:05:37.233: ISAKMP: seq. no 0x34092454
    *May 12 13:05:37.233: ISAKMP: sending packet to 213.42.89.2 my_port 500 peer_port 500 (R) QM_IDLE
    *May 12 13:05:37.233: ISAKMP:Sending an IKE IPv4 Packet.
    *May 12 13:05:37.233: ISAKMP purging node -113941516
    *May 12 13:05:37.233: ISAKMP:Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
    *May 12 13:05:37.233: ISAKMP:Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

    Thanks In Advance

  • #2
    Re: Issue with 2nd vpn setup on cisco 1801 > PIX

    Further to this, if I do a 'sh crypto ipsec sa' on the 1801 I get the following:

    protected vrf: (none)
    local ident (addr/mask/prot/port): (10.32.4.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.32.0.0/255.255.255.0/0/0)
    current_peer 212.140.247.20 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 94.200.99.62, remote crypto endpt.: 212.140.247.20
    path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
    current outbound spi: 0x0(0)
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
    local crypto endpt.: 94.200.99.62, remote crypto endpt.: 213.42.89.2
    path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
    current outbound spi: 0x0(0)
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:

    I wouldn't expect to see anything for 212.140.247.20, as the new VPN is only going between 213.42.89.2 and 94.200.99.62, despite both being able to talk back to 212.140.247.20?



    • #3
      Re: Issue with 2nd vpn setup on cisco 1801 > PIX

      Not sure, but it looks like mismatching access-lists.
      They have to match for phase 2 to work...



      • #4
        Re: Issue with 2nd vpn setup on cisco 1801 > PIX

        Hi,

        Thanks, that's what I was thinking, just not sure how to amend it?

        The PIX used to have just the implicit outbound 'any any' rule before I added the new VPN.

        These are the ACLs on the PIX:

        access-list 120 permit tcp any host 213.42.89.13 eq smtp
        access-list 120 permit tcp DMZ-NET 255.255.0.0 any
        access-list 121 permit ip 10.32.0.0 255.255.255.0 10.20.0.0 255.255.0.0
        access-list 121 permit ip 10.32.0.0 255.255.255.0 10.21.0.0 255.255.0.0
        access-list 121 permit ip 10.32.0.0 255.255.255.0 10.22.0.0 255.255.0.0
        access-list 121 permit ip 10.32.0.0 255.255.255.0 10.25.0.0 255.255.0.0
        access-list 121 permit ip 10.32.0.0 255.255.255.0 10.60.0.0 255.255.255.0
        access-list 121 permit ip 10.32.0.0 255.255.255.0 10.99.1.0 255.255.255.0
        access-list 121 permit ip 10.32.0.0 255.255.255.0 DMZ-NET 255.255.0.0
        access-list 121 permit ip 10.32.0.0 255.255.255.0 Arenco-Tower 255.255.255.0
        access-list 122 permit ip 10.32.0.0 255.255.255.0 10.20.0.0 255.255.0.0
        access-list 122 permit ip 10.32.0.0 255.255.255.0 10.21.0.0 255.255.0.0
        access-list 122 permit ip 10.32.0.0 255.255.255.0 10.22.0.0 255.255.0.0
        access-list 122 permit ip 10.32.0.0 255.255.255.0 10.25.0.0 255.255.0.0
        access-list 122 permit ip 10.32.0.0 255.255.255.0 10.60.0.0 255.255.255.0
        access-list 122 permit ip 10.32.0.0 255.255.255.0 10.99.1.0 255.255.255.0
        access-list 122 permit ip 10.32.0.0 255.255.255.0 DMZ-NET 255.255.0.0
        access-list outside_cryptomap_40 permit ip 10.32.0.0 255.255.255.0 Arenco-Tower 255.255.255.0
        access-list inside_access_in permit ip any any
        access-list inside_access_in permit tcp 10.32.0.0 255.255.255.0 Arenco-Tower 255.255.255.0

        I have no reference to 212.140.247.20 or 94.200.99.62?

        These are the ACLs on the 1801:

        Extended IP access list 101
        10 permit ip any 94.200.99.0 0.0.0.255
        Extended IP access list 130
        10 permit ip 10.32.4.0 0.0.0.255 10.20.0.0 0.0.255.255 (2619 matches)
        20 permit ip 10.32.4.0 0.0.0.255 10.21.0.0 0.0.255.255 (62554 matches)
        30 permit ip 10.32.4.0 0.0.0.255 10.22.0.0 0.0.255.255 (435406 matches)
        40 permit ip 10.32.4.0 0.0.0.255 10.25.0.0 0.0.255.255 (14056 matches)
        50 permit ip 10.32.4.0 0.0.0.255 10.60.0.0 0.0.0.255 (1701 matches)
        60 permit ip 10.32.4.0 0.0.0.255 10.61.0.0 0.0.0.255
        70 permit ip 10.32.4.0 0.0.0.255 10.99.1.0 0.0.0.255
        80 permit ip 10.32.4.0 0.0.0.255 10.250.0.0 0.0.255.255 (1337 matches)
        90 permit ip 10.32.4.0 0.0.0.255 10.250.11.0 0.0.0.255
        100 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255
        Extended IP access list 140
        10 deny ip 10.32.4.0 0.0.0.255 10.20.0.0 0.0.255.255 (2994 matches)
        20 deny ip 10.32.4.0 0.0.0.255 10.21.0.0 0.0.255.255 (94530 matches)
        30 deny ip 10.32.4.0 0.0.0.255 10.22.0.0 0.0.255.255 (477567 matches)
        40 deny ip 10.32.4.0 0.0.0.255 10.25.0.0 0.0.255.255 (19860 matches)
        50 deny ip 10.32.4.0 0.0.0.255 10.250.0.0 0.0.255.255 (1299 matches)
        60 deny ip 10.32.4.0 0.0.0.255 10.250.11.0 0.0.0.255
        70 deny ip 10.32.4.0 0.0.0.255 10.60.0.0 0.0.0.255 (2304 matches)
        80 deny ip 10.32.4.0 0.0.0.255 10.61.0.0 0.0.0.255
        90 deny ip 10.32.4.0 0.0.0.255 10.99.1.0 0.0.0.255
        100 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255 (2746 matches)
        110 permit ip 10.32.4.0 0.0.0.255 any (27312 matches)
        Extended IP access list 150
        10 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255
        Extended IP access list 160
        10 permit ip 10.32.4.0 0.0.0.255 10.20.0.0 0.0.255.255
        20 permit ip 10.32.4.0 0.0.0.255 10.21.0.0 0.0.255.255
        30 permit ip 10.32.4.0 0.0.0.255 10.22.0.0 0.0.255.255
        40 permit ip 10.32.4.0 0.0.0.255 10.25.0.0 0.0.255.255
        50 permit ip 10.32.4.0 0.0.0.255 10.60.0.0 0.0.0.255
        60 permit ip 10.32.4.0 0.0.0.255 10.61.0.0 0.0.0.255
        70 permit ip 10.32.4.0 0.0.0.255 10.99.1.0 0.0.0.255
        80 permit ip 10.32.4.0 0.0.0.255 10.250.0.0 0.0.255.255
        90 permit ip 10.32.4.0 0.0.0.255 10.250.11.0 0.0.0.255
        100 permit udp host 212.140.247.20 any eq non500-isakmp
        110 permit udp host 212.140.247.20 any eq isakmp (14298 matches)
        120 permit esp host 212.140.247.20 any (100231 matches)
        130 permit ahp host 212.140.247.20 any
        140 permit ip 10.32.0.0 0.0.0.255 10.32.4.0 0.0.0.255
        150 permit udp host 213.42.89.2 any eq non500-isakmp
        160 permit udp host 213.42.89.2 any eq isakmp (19800 matches)
        170 permit esp host 213.42.89.2 any
        180 permit ahp host 213.42.89.2 any

        190 deny ip any any log (12657 matches)



        • #5
          Re: Issue with 2nd vpn setup on cisco 1801 > PIX

          Here is an example:
          Networks you want to protect (send into tunnel):
          Router side network 10.32.4.0/24, PIX side network 10.32.0.0/24

          Router acl:
          access-list 130 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.255.255

          PIX acl:
          access-list 121 permit ip 10.32.0.0 255.255.255.0 10.32.4.0 255.255.255.0

          You are using these?:
          Router:
          access-list 150 permit ip 10.34.2.0 0.0.0.255 10.32.2.0 0.0.0.255 (do you have a typo on this?)

          PIX:
          name 10.32.4.0 Arenco-Towe
          access-list 121 permit ip 10.32.0.0 255.255.255.0 Arenco-Tower 255.255.255.0



          • #6
            Re: Issue with 2nd vpn setup on cisco 1801 > PIX

            Hi,

            Well spotted, thanks, made the change.

            Now if I run a 'show crypto ipsec sa' I get the following:

            protected vrf: (none)
            local ident (addr/mask/prot/port): (10.32.4.0/255.255.255.0/0/0)
            remote ident (addr/mask/prot/port): (10.32.0.0/255.255.255.0/0/0)
            current_peer 213.42.89.2 port 500
            PERMIT, flags={}
            #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
            #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
            #pkts compressed: 0, #pkts decompressed: 0
            #pkts not compressed: 0, #pkts compr. failed: 0
            #pkts not decompressed: 0, #pkts decompress failed: 0
            #send errors 0, #recv errors 122
            local crypto endpt.: 94.200.99.62, remote crypto endpt.: 213.42.89.2
            path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
            current outbound spi: 0x4F348980(1328843136)
            inbound esp sas:
            spi: 0x53FE62D6(1409180374)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 261, flow_id: Motorola SEC 2.0:261, crypto map: Dubtower
            sa timing: remaining key lifetime (k/sec): (9588/28231)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
            inbound ah sas:
            inbound pcp sas:
            outbound esp sas:
            spi: 0x4F348980(1328843136)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 262, flow_id: Motorola SEC 2.0:262, crypto map: Dubtower
            sa timing: remaining key lifetime (k/sec): (9604/28231)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
            outbound ah sas:
            outbound pcp sas:
            protected vrf: (none)
            local ident (addr/mask/prot/port): (10.32.4.0/255.255.255.0/0/0)
            remote ident (addr/mask/prot/port): (10.32.0.0/255.255.0.0/0/0)
            current_peer 212.140.247.20 port 500
            PERMIT, flags={origin_is_acl,}
            #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
            #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
            #pkts compressed: 0, #pkts decompressed: 0
            #pkts not compressed: 0, #pkts compr. failed: 0
            #pkts not decompressed: 0, #pkts decompress failed: 0
            #send errors 0, #recv errors 0
            local crypto endpt.: 94.200.99.62, remote crypto endpt.: 212.140.247.20
            path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
            current outbound spi: 0x0(0)
            inbound esp sas:
            inbound ah sas:
            inbound pcp sas:
            outbound esp sas:
            outbound ah sas:
            outbound pcp sas:

            Pardon my brain, but to me this shows the tunnel is up?

            Thanks again



            • #7
              Re: Issue with 2nd vpn setup on cisco 1801 > PIX

              I still can't ping devices between sites though.

              Can I clarify the wildcard mask I need on the 1801 for 10.32.0.0 ?

              I have a different setting on ACL 130 that I do for the others and not sure what it should be.

              Extended IP access list 130
              100 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.255.255 (568 matches)
              Extended IP access list 140
              100 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255 (3542 matches)
              Extended IP access list 150
              10 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255 (8 matches)
              Extended IP access list 160
              140 permit ip 10.32.0.0 0.0.0.255 10.32.4.0 0.0.0.255

              I would imagine 0.0.0.255 as the ASA has 255.255.255.0?

              Thanks
              Chris

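The mirror-image rule illustrated in #5 and the wildcard-mask question in #7 come down to the same check: the proxy identities each peer derives from its crypto ACL must be exact mirrors, or quick mode fails with PROPOSAL_NOT_CHOSEN as in the first post's debug. The script below is an added example written for this thread, not code from the poster or from any Cisco tool. It normalises IOS entries (wildcard masks) and PIX entries (subnet masks, with `name` labels resolved) into CIDR networks, reports entries on either side without a mirrored counterpart, and converts a subnet mask to its IOS wildcard. The sample ACL lines are constructed from the ones quoted above.

```python
"""Check that an IOS crypto ACL and a PIX crypto ACL are mirror images.

IOS writes ACL entries with wildcard masks (0.0.0.255), the PIX with subnet
masks (255.255.255.0).  Both are normalised to ipaddress networks so that a
router (src, dst) pair can be compared with the PIX (dst, src) pair.
Only 'permit ip <addr> <mask> <addr> <mask>' entries are parsed, which is the
usual shape of a crypto ACL; 'any' / 'host' entries are skipped.
"""
import ipaddress
import re

PERMIT_IP = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard: 0 bits must match, 1 bits are 'don't care'."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # 0.0.255.0 and similar non-contiguous masks are rejected
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix_len = 32 - bin(wc).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def netmask_to_network(addr, netmask):
    """PIX style: address plus subnet mask."""
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def netmask_to_wildcard(netmask):
    """The IOS wildcard for a subnet mask is its bitwise inverse."""
    inv = int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inv))


def parse_names(lines):
    """Collect PIX 'name <ip> <label>' statements into a lookup table."""
    names = {}
    for line in lines:
        m = re.match(r"\s*name (\S+) (\S+)", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_ios_acl(lines):
    """Return {(src_net, dst_net)} for the permit-ip entries of an IOS ACL.

    Works on both config lines and 'show access-lists' output, since the
    trailing '(N matches)' is simply ignored by the regex.
    """
    pairs = set()
    for line in lines:
        m = PERMIT_IP.search(line)
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            pairs.add((wildcard_to_network(src, src_wc),
                       wildcard_to_network(dst, dst_wc)))
    return pairs


def parse_pix_acl(lines, names=None):
    """Return {(src_net, dst_net)} for the permit-ip entries of a PIX ACL."""
    names = names or {}
    pairs = set()
    for line in lines:
        m = PERMIT_IP.search(line)
        if m:
            src, src_mask, dst, dst_mask = m.groups()
            pairs.add((netmask_to_network(names.get(src, src), src_mask),
                       netmask_to_network(names.get(dst, dst), dst_mask)))
    return pairs


def check_mirror(router_pairs, pix_pairs):
    """Every (src, dst) on one side needs a (dst, src) on the other side.

    Returns (router entries with no PIX mirror, PIX entries with no router mirror);
    two empty sets mean the proxy identities will match.
    """
    missing_on_pix = {(s, d) for s, d in router_pairs if (d, s) not in pix_pairs}
    missing_on_router = {(s, d) for s, d in pix_pairs if (d, s) not in router_pairs}
    return missing_on_pix, missing_on_router


# Constructed sample input, modelled on the ACLs quoted in the thread.
PIX_NAMES = ["name 10.32.4.0 Arenco-Tower"]
PIX_ACL = ["access-list 121 permit ip 10.32.0.0 255.255.255.0 Arenco-Tower 255.255.255.0"]
ROUTER_OK = ["10 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.0.255 (8 matches)"]
ROUTER_BAD = ["100 permit ip 10.32.4.0 0.0.0.255 10.32.0.0 0.0.255.255 (568 matches)"]


def run_example():
    """Compare both router variants against the PIX ACL."""
    pix = parse_pix_acl(PIX_ACL, parse_names(PIX_NAMES))
    return check_mirror(parse_ios_acl(ROUTER_OK), pix), check_mirror(parse_ios_acl(ROUTER_BAD), pix)


if __name__ == "__main__":
    good, bad = run_example()
    print("0.0.0.255   ->", "mirror OK" if good == (set(), set()) else good)
    print("0.0.255.255 ->", bad)  # router proposes 10.32.0.0/16, PIX only has /24
```

Running it shows the 0.0.0.255 entry mirrors the PIX's `10.32.0.0 255.255.255.0 Arenco-Tower 255.255.255.0` exactly, while 0.0.255.255 widens the remote identity to 10.32.0.0/16 and is reported on both sides as unmatched.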
