Cisco Pix 515e Version 8.04 - IPsec Site to Site.
15 years 1 month ago #32298
by ikon
Cisco Pix 515e Version 8.04 - IPsec Site to Site. was created by ikon
Hi Guys,
I am having some trouble configuring a VPN tunnel to a remote office and allowing the remote office to connect through the VPN to some remote networks.
We have a Cisco 3750 configured with 3 VLANs.
VLAN 1 = 10.0.0.1 255.255.255.0
VLAN 2 = 10.0.2.1 255.255.255.0
VLAN 3 = 10.0.4.1 255.255.255.0
We have a Cisco PIX 515e as our internet firewall/VPN endpoint located on VLAN 1 with address 10.0.0.5.
We have a Cisco PIX 505 located on VLAN 3 which is connected to a Cisco router which provides us with access to a private organisation's network; their IPs are 10.157.x.x and 10.158.x.x.
Internally from VLAN 1 I can connect everywhere, no problem.
What I want to be able to do is connect our remote office 10.0.1.0 255.255.255.0 to our Cisco PIX 515e using a site-to-site VPN.
I have already configured this and have it working, but I am only able to communicate from
10.0.1.0 255.255.255.0 to 10.0.0.0 255.255.255.0
I need remote office 10.0.1.0 to be able to communicate with all VLANs and the private organisation's network 10.157.x.x.
I have had this working by configuring the crypto map to protect 10.0.0.0 255.0.0.0 traffic, as I can only specify 1 crypto map.
[code:1]
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 84.45.153.53
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
[/code:1]
This config works, but it is not correct in my opinion.
Our private network connected to a private organisation has other sites with non-10.x.x.x ranges that we need to connect to, so I will need to change my crypto maps.
I also tried changing
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0
to
access-list outside_1_cryptomap extended permit ip any 10.0.1.0 255.255.255.0
But the VPN would not even come up; I get
Group = 84.45.153.53, IP = 84.45.153.53, QM FSM error (P2 struct &0x353b280, mess id 0xabd56a35)!
Group = 84.45.153.53, IP = 84.45.153.53, All IPSec SA proposals found unacceptable!
Can you have more than 1 crypto map per VPN tunnel?
The device at our remote office 10.0.1.0 is a Vigor 2600. I have configured this device with the necessary routes through the VPN, but if I don't specify the remote network as 10.0.0.0 255.255.255.0 the SAs do not negotiate. I tried setting 0.0.0.0 0.0.0.0, no luck.
Hope some of you may be able to help.
Thanks
15 years 1 month ago #32313
by ikon
Replied by ikon on topic Re: Cisco Pix 515e Version 8.04 - IPsec Site to Site.
OK, I changed my
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0
to
access-list outside_1_cryptomap extended permit ip any 10.0.1.0 255.255.255.0
and the Vigor router config is set with remote network 0.0.0.0 0.0.0.0.
The VPN has come up and traffic is flowing nicely; however, it seems very unstable. It disconnects sometimes after a few minutes and I get errors like
[code:1]
Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-vpn-4-713903: Group = 84.45.153.53, IP = 84.45.153.53, Error: Unable to remove PeerTblEntry
Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:06m:43s, Bytes xmt: 2194552, Bytes rcv: 2497331, Reason: Phase 2 Mismatch
Oct 01 12:25:50 10.0.0.5 :Oct 01 12:25:50 GMT/BDT: %PIX-vpn-3-713122: IP = 84.45.153.53, Keep-alives configured on but peer does not support keep-alives (type = None)
Oct 01 12:25:55 10.0.0.5 :Oct 01 12:25:55 GMT/BDT: %PIX--4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3194
Oct 01 12:25:56 10.0.0.5 :Oct 01 12:25:56 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:00m:06s, Bytes xmt: 1138, Bytes rcv: 0, Reason: Unknown
Oct 01 12:25:57 10.0.0.5 :Oct 01 12:25:57 GMT/BDT: %PIX-vpn-4-713903: Group = 84.45.153.53, IP = 84.45.153.53, Freeing previously allocated memory for authorization-dn-attributes
Oct 01 12:25:57 10.0.0.5 :Oct 01 12:25:57 GMT/BDT: %PIX-vpn-3-713122: IP = 84.45.153.53, Keep-alives configured on but peer does not support keep-alives (type = None)
Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-ids-4-400010: IDS:2000 ICMP echo reply from 87.127.88.145 to 87.127.88.147 on interface outside
Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-3-713902: Group = 84.45.153.53, IP = 84.45.153.53, QM FSM error (P2 struct &0x35a55d8, mess id 0x4da6d3e9)!
Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-1-713900: Group = 84.45.153.53, IP = 84.45.153.53, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Oct 01 12:26:05 10.0.0.5 :Oct 01 12:26:05 GMT/BDT: %PIX--4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3242
[/code:1]
Then the VPN comes back up and all is well. Using my old crypto map ACL to just allow 10.0.0.0 255.255.255.0 to 10.0.1.0 255.255.255.0 to be protected, the VPN is very stable.
Any ideas on this, or advice on how to set this up better?
Thanks
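A small log checker, added here as an example and not part of ikon's post or of any Cisco tooling, that parses PIX syslog lines like the ones quoted above and flags a peer whose IKE sessions are being torn down for Phase 2 reasons (the PIX naming "Phase 2 Mismatch", a 713902 quick-mode failure, or sessions that die within seconds). The sample lines are copied from the post and are assumed to arrive one event per line; the 60-second "short session" threshold is an assumption.

```python
import re
from collections import Counter
from typing import Dict, List

# Sample input: three of the syslog lines quoted in the post (constructed test data, one event per line).
SAMPLE_LOG = """\
Oct 01 12:25:49 10.0.0.5 :Oct 01 12:25:49 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:06m:43s, Bytes xmt: 2194552, Bytes rcv: 2497331, Reason: Phase 2 Mismatch
Oct 01 12:25:56 10.0.0.5 :Oct 01 12:25:56 GMT/BDT: %PIX-auth-4-113019: Group = 84.45.153.53, Username = 84.45.153.53, IP = 84.45.153.53, Session disconnected. Session Type: IKE, Duration: 0h:00m:06s, Bytes xmt: 1138, Bytes rcv: 0, Reason: Unknown
Oct 01 12:25:58 10.0.0.5 :Oct 01 12:25:58 GMT/BDT: %PIX-vpn-3-713902: Group = 84.45.153.53, IP = 84.45.153.53, QM FSM error (P2 struct &0x35a55d8, mess id 0x4da6d3e9)!
"""

# 113019: an IKE session was torn down; carries duration, byte counts and the reason the PIX recorded.
DISCONNECT_RE = re.compile(
    r"%PIX-auth-4-113019: Group = (?P<peer>[^,]+),.*?"
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)
# 713902: quick mode (Phase 2) negotiation with this peer failed.
QM_FSM_RE = re.compile(r"%PIX-vpn-3-713902: Group = (?P<peer>[^,]+),")


def parse_disconnects(log: str) -> List[Dict]:
    """One record per 113019 line: peer, session length in seconds, bytes each way, reason."""
    events = []
    for line in log.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        events.append({"peer": m["peer"], "duration_s": secs, "xmt": int(m["xmt"]),
                       "rcv": int(m["rcv"]), "reason": m["reason"]})
    return events


def flap_summary(log: str, short_session_s: int = 60) -> Dict[str, Dict]:
    """Per peer: disconnects, reasons, QM FSM errors, and a verdict on whether Phase 2 is misconfigured."""
    summary: Dict[str, Dict] = {}

    def entry(peer: str) -> Dict:
        return summary.setdefault(peer, {"disconnects": 0, "reasons": Counter(),
                                         "qm_fsm_errors": 0, "short_sessions": 0})

    for ev in parse_disconnects(log):
        s = entry(ev["peer"])
        s["disconnects"] += 1
        s["reasons"][ev["reason"]] += 1
        if ev["duration_s"] < short_session_s:
            s["short_sessions"] += 1
    for m in QM_FSM_RE.finditer(log):
        entry(m["peer"])["qm_fsm_errors"] += 1
    for s in summary.values():
        # Flag when the PIX names the cause, quick mode failed, or sessions die too fast to be healthy.
        s["suspect_phase2"] = bool(s["reasons"]["Phase 2 Mismatch"] or s["qm_fsm_errors"] or s["short_sessions"])
    return summary
```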
15 years 1 month ago #32316
by ikon
Replied by ikon on topic Re: Cisco Pix 515e Version 8.04 - IPsec Site to Site.
OK, I think I fixed it, made a boo-boo...
I had PFS enabled on one end and not the other.
So far so good.
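A checker, added here as an example and not taken from ikon's posts or from Cisco, that compares the two peers' Phase 2 proposals for the three things the thread shows going wrong: proxy IDs that are not mirror images, a PFS group set on one end only, and the ESP transform. The PIX side is parsed from the crypto ACL posted in the first message; the Vigor values are constructed from what the thread describes (remote network 10.0.0.0/24, PFS off, then corrected). It applies the strict mirror-image rule only; whether a responder also accepts a narrower selector is platform behaviour it does not model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """What one peer offers in IKE quick mode: proxy IDs, PFS group (None = off), ESP transform."""
    local_net: Net               # traffic selector for this peer's own side
    remote_net: Net              # traffic selector for the far side
    pfs_group: Optional[int]
    transform: Tuple[str, str]   # (encryption, integrity), e.g. ("des", "sha")


def parse_pix_acl(line: str, pfs_group: Optional[int], transform: Tuple[str, str]) -> Phase2:
    """Build a Phase2 from a PIX crypto-map ACL line: source = local side, destination = remote side."""
    tokens = line.split(" permit ip ", 1)[1].split()
    nets: List[Net] = []
    while tokens:
        if tokens[0] == "any":                 # bare keyword, no mask follows
            nets.append(Net("0.0.0.0/0"))
            tokens = tokens[1:]
        else:                                  # ipaddress accepts dotted masks like 255.0.0.0
            nets.append(Net(f"{tokens[0]}/{tokens[1]}"))
            tokens = tokens[2:]
    return Phase2(nets[0], nets[1], pfs_group, transform)


def check_phase2(a: Phase2, b: Phase2) -> List[str]:
    """Strict check: proxy IDs must mirror each other, PFS group and transform must match exactly."""
    problems = []
    if a.local_net != b.remote_net:
        problems.append(f"proxy ID mismatch: A local {a.local_net} vs B remote {b.remote_net}")
    if a.remote_net != b.local_net:
        problems.append(f"proxy ID mismatch: A remote {a.remote_net} vs B local {b.local_net}")
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS mismatch: A group {a.pfs_group} vs B group {b.pfs_group}")
    if a.transform != b.transform:
        problems.append(f"transform mismatch: {a.transform} vs {b.transform}")
    return problems


# PIX side as posted: crypto ACL 10.0.0.0/8 -> 10.0.1.0/24, 'set pfs group1', transform-set ESP-DES-SHA.
PIX = parse_pix_acl("access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0",
                    1, ("des", "sha"))
# Vigor side, constructed from the thread: remote network 10.0.0.0/24 and PFS not enabled (the "boo-boo").
VIGOR_BEFORE = Phase2(Net("10.0.1.0/24"), Net("10.0.0.0/24"), None, ("des", "sha"))
# Vigor side after mirroring the PIX ACL and enabling PFS group 1.
VIGOR_AFTER = Phase2(Net("10.0.1.0/24"), Net("10.0.0.0/8"), 1, ("des", "sha"))
```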