Cisco Pix 515e Version 8.04 – IPsec Site to Site


This topic contains 5 replies, has 2 voices, and was last updated by ikon 10 years, 6 months ago.

    ikon
    Member
    #144846

    Hi Guys

    I am having some trouble configuring a VPN tunnel to a remote office and allowing the remote office to connect through the VPN to some remote networks.

    We have a Cisco 3750 configured with 3 Vlans.

    VLAN 1 = 10.0.0.1 255.255.255.0
    VLAN 2 = 10.0.2.1 255.255.255.0
    VLAN 3 = 10.0.4.1 255.255.255.0

    We have a Cisco Pix 515e as our internet Firewall/VPN end point located on VLAN1 with address 10.0.0.5.

    We have a Cisco Pix 505 located on VLAN 3 which is connected to a Cisco router which provides us with access to a private organisation's network; their IPs are 10.157.x.x and 10.158.x.x.

    Internally from VLAN 1 I can connect everywhere, no problem.

    What I want to be able to do is connect our remote office 10.0.1.0 255.255.255.0 to our Cisco Pix 515e using a site-to-site VPN.

    I have already configured this and have it working, but I am only able to communicate from
    10.0.1.0 255.255.255.0 to 10.0.0.0 255.255.255.0.

    I need remote office 10.0.1.0 to be able to communicate with all the VLANs and the private organisation's network 10.157.x.x.

    I have had this working by configuring the crypto map to protect 10.0.0.0 255.0.0.0 traffic, as I can only specify 1 crypto map.

    ##config##

    access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 84.45.153.53
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal

    ### config ####

    This config works but it is not correct in my opinion.

    Our private network connected to a private organisation has other sites with non-10.x.x.x ranges that we need to connect to, so I will need to change my crypto maps.

    I also tried changing

    access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0

    to

    access-list outside_1_cryptomap extended permit ip any 10.0.1.0 255.255.255.0

    But the VPN would not even come up; I get

    Group = 84.45.153.53, IP = 84.45.153.53, QM FSM error (P2 struct &0x353b280, mess id 0xabd56a35)!

    Group = 84.45.153.53, IP = 84.45.153.53, All IPSec SA proposals found unacceptable!

    Can you have more than 1 crypto map per VPN tunnel?

    The device at our remote office 10.0.1.0 is a Vigor 2600. I have configured this device with the necessary routes through the VPN, but if I don't specify the remote network as 10.0.0.0 255.255.255.0 the SAs do not negotiate; I tried setting 0.0.0.0 0.0.0.0, no luck.

    Hope some of you may be able to help.

    Thanks

    ikon
    Member
    #354221

    Re: Cisco Pix 515e Version 8.04 – IPsec Site to Site

    OK, I changed my

    access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0

    to

    access-list outside_1_cryptomap extended permit ip any 10.0.1.0 255.255.255.0

    and the Vigor router config is set to remote network 0.0.0.0 0.0.0.0.

    The VPN has come up and traffic is flowing nicely; however, it seems very unstable. It disconnects sometimes after a few minutes and I get errors like

    [CODE]
    Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-vpn-4-713903: Group = 84.45.153.53, IP = 84.45.153.53, Error: Unable to remove PeerTblEntry

    Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:06m:43s, Bytes xmt: 2194552, Bytes rcv: 2497331, Reason: Phase 2 Mismatch

    Oct 01 12:25:50 10.0.0.5 :Oct 01 12:25:50 GMT/BDT: %PIX-vpn-3-713122: IP = 84.45.153.53, Keep-alives configured on but peer does not support keep-alives (type = None)

    Oct 01 12:25:55 10.0.0.5 :Oct 01 12:25:55 GMT/BDT: %PIX–4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3194

    Oct 01 12:25:56 10.0.0.5 :Oct 01 12:25:56 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:00m:06s, Bytes xmt: 1138, Bytes rcv: 0, Reason: Unknown

    Oct 01 12:25:57 10.0.0.5 :Oct 01 12:25:57 GMT/BDT: %PIX-vpn-4-713903: Group = 84.45.153.53, IP = 84.45.153.53, Freeing previously allocated memory for authorization-dn-attributes
    Oct 01 12:25:57 10.0.0.5 :Oct 01 12:25:57 GMT/BDT: %PIX-vpn-3-713122: IP = 84.45.153.53, Keep-alives configured on but peer does not support keep-alives (type = None)

    Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-ids-4-400010: IDS:2000 ICMP echo reply from 87.127.88.145 to 87.127.88.147 on interface outside
    Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-3-713902: Group = 84.45.153.53, IP = 84.45.153.53, QM FSM error (P2 struct &0x35a55d8, mess id 0x4da6d3e9)!

    Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-1-713900: Group = 84.45.153.53, IP = 84.45.153.53, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

    Oct 01 12:26:05 10.0.0.5 :Oct 01 12:26:05 GMT/BDT: %PIX–4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3242
    [/CODE]

    Then the VPN comes back up and all is well. Using my old crypto map ACL to just allow 10.0.0.0 255.255.255.0 to 10.0.1.0 255.255.255.0 to be protected, the VPN is very stable.

    Any ideas on this, or advice on how to set this up better?

    Thanks

    Dumber
    Participant
    #200448

    Re: Cisco Pix 515e Version 8.04 – IPsec Site to Site

    I noticed this: Reason: Phase 2 Mismatch
    Have you checked that Phase 2 is configured the same at both ends?

    ikon
    Member
    #354222

    Re: Cisco Pix 515e Version 8.04 – IPsec Site to Site

    Everything is the same as far as the IKE negotiations go, and the IPsec SAs are the same.

    However, I did notice I had Perfect Forward Security enabled on the Vigor and on the PIX it was not enabled. I have disabled it for now to see how it goes; I will enable PFS afterwards as I prefer it for security.

    But as for Phase 2 negotiations, both IKE and IPsec settings were identical, so PFS must have caused the issue. We will see in a few minutes.

    Thanks

    ikon
    Member
    #354223

    Re: Cisco Pix 515e Version 8.04 – IPsec Site to Site

    So far so good!

    Connected for 2 hours 16 mins.

    Thanks

    Dumber
    Participant
    #200483

    Re: Cisco Pix 515e Version 8.04 – IPsec Site to Site

    Glad to hear. At both ends the configuration should be exactly the same.
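Added example (not from the thread or from Cisco/DrayTek): a small model of the responder-side phase 2 checks behind the two errors seen above, "All IPSec SA proposals found unacceptable" (proxy IDs not covered by the crypto map ACL) and "Phase 2 Mismatch" (PFS on one end only). The Phase2 class, the Vigor-side values, the 192.168.50.0/24 "other site" range and the PFS groups are constructed assumptions, and the containment rule is a simplification rather than the PIX's exact matching logic.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Phase2:
    """One peer's quick-mode parameters; networks are CIDR strings (constructed model)."""
    local: str                  # source side of the traffic this peer protects
    remote: str                 # destination side of that traffic
    transforms: FrozenSet[str]  # acceptable ESP transform sets
    pfs_group: Optional[int]    # DH group for PFS, None when PFS is off


def check_phase2(responder: Phase2, initiator: Phase2) -> List[str]:
    """Return mismatch reasons; an empty list means the phase 2 SA would form.

    Simplified model of the responder's checks: the initiator's proxy IDs,
    mirrored, must fit inside the responder's crypto ACL entry, the two sides
    must share a transform set, and PFS must agree (same group, or off on both).
    """
    problems = []
    acl_src, acl_dst = IPv4Network(responder.local), IPv4Network(responder.remote)
    # Mirror the initiator's view: its remote network is our source side.
    prop_src, prop_dst = IPv4Network(initiator.remote), IPv4Network(initiator.local)
    if not (prop_src.subnet_of(acl_src) and prop_dst.subnet_of(acl_dst)):
        problems.append(f"selectors {prop_src}<->{prop_dst} not covered by crypto ACL "
                        f"{acl_src}<->{acl_dst} (All IPSec SA proposals found unacceptable)")
    if not (responder.transforms & initiator.transforms):
        problems.append("no common transform set")
    if responder.pfs_group != initiator.pfs_group:
        problems.append(f"PFS group {responder.pfs_group} vs {initiator.pfs_group} "
                        "(Phase 2 Mismatch)")
    return problems


# Constructed scenarios using the thread's addressing; not the real device configs.
TS = frozenset({"esp-des esp-sha-hmac"})
PIX_ORIGINAL = Phase2("10.0.0.0/8", "10.0.1.0/24", TS, None)    # first crypto ACL
PIX_ANY = Phase2("0.0.0.0/0", "10.0.1.0/24", TS, None)          # ACL changed to "any"
VIGOR_OTHER_SITE = Phase2("10.0.1.0/24", "192.168.50.0/24", TS, None)  # assumed non-10.x site
VIGOR_PFS_ON = Phase2("10.0.1.0/24", "0.0.0.0/0", TS, 2)        # remote 0.0.0.0/0, PFS on
VIGOR_ALIGNED = Phase2("10.0.1.0/24", "0.0.0.0/0", TS, None)    # PFS matched to the PIX

if __name__ == "__main__":
    for name, pair in {"other site via /8 ACL": (PIX_ORIGINAL, VIGOR_OTHER_SITE),
                       "any ACL, PFS differs": (PIX_ANY, VIGOR_PFS_ON),
                       "any ACL, PFS aligned": (PIX_ANY, VIGOR_ALIGNED)}.items():
        print(name, "->", check_phase2(*pair) or ["OK"])
```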
