PIX VPN Problem (EZvpn and Site-2-Site in parallel)

Hello,

I shall establish an EZvpn and a site-2-site VPN config on a single PIX.
Sounds straightforward and not too difficult. Yes, but?
Both parts on their own work just fine. When I run the EZvpn part and 
then add the site-2-site part I never get a proper ISAKMP relationship 
as you can see from the two show outputs at the very end.
Below you see the configuration I use. There must be something wrong 
with the order of operation for the authentication of the site-2-site 
connection.  Any help is greatly appreciated.

Roland


Configuration extract:
----------------------
crypto ipsec transform-set TS_SARNAFIL esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 100 set transform-set TS

crypto map CM 20 ipsec-isakmp
crypto map CM 20 match address CRYPTO_ACL_SARNAFIL
crypto map CM 20 set pfs group2
crypto map CM 20 set peer d.d.d.d
crypto map CM 20 set transform-set TS_SARNAFIL
crypto map CM 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map CM 100 ipsec-isakmp dynamic DYNMAP
crypto map CM client authentication LOCAL
crypto map CM interface outside
isakmp enable outside

isakmp key ******** address d.d.d.d netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup VPN_LAB address-pool LAB_POOL
vpngroup VPN_LAB dns-server n.n.n.n
vpngroup VPN_LAB default-domain lab.com
vpngroup VPN_LAB split-tunnel SPLITTUNNEL
vpngroup VPN_LAB idle-time 1800
vpngroup VPN_LAB password ********



!----- fw-01(config)# sh cryp isakmp sa -----!
Total     : 1
Embryonic : 0
         dst               src        state     pending     created
     d.d.d.d           s.s.s.s    OAK_CONF_XAUTH   0           0


!-----  fw-01(config)# sh cryp ipsec sa ----- !

interface: outside
     Crypto map tag: CM, local addr. s.s.s.s

    local  ident (addr/mask/prot/port): (192.168.41.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.16.8.0/255.255.255.0/0/0)
    current_peer: d.d.d.d:0
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
     #send errors 946, #recv errors 0

      local crypto endpt.: s.s.s.s, remote crypto endpt.: d.d.d.d
      path mtu 1492, ipsec overhead 0, media mtu 1492
      current outbound spi: 0
      inbound esp sas:
      inbound ah sas:
      inbound pcp sas:
      outbound esp sas:
      outbound ah sas:
      outbound pcp sas:
News
1/18/2005 7:49:04 PM
comp.dcom.sys.cisco

Just in case someone is interested in the solution, I just found the 
problem myself.
Adding the keywords "no-xauth no-config-mode" to the isakmp key ...
command did the job.

isakmp key xxxxxxx address d.d.d.d netmask 255.255.255.255 no-xauth 
no-config-mode


Roland
1/19/2005 1:06:09 PM
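The root cause in this thread is that the static site-2-site peer shares the crypto map CM with a dynamic map that has client authentication enabled, so the PIX pushes the peer into Xauth/mode-config (the OAK_CONF_XAUTH state) unless its isakmp key carries no-xauth no-config-mode. As an added example that is not from the thread, the following config-lint check reads a PIX config extract and flags exactly that case; the two sample extracts are constructed from the poster's configuration, with the peer address placeholder d.d.d.d kept as-is.

```python
import re

# Constructed sample: the poster's extract before the fix ...
PIX_BEFORE = """\
crypto map CM 20 ipsec-isakmp
crypto map CM 20 set peer d.d.d.d
crypto map CM 100 ipsec-isakmp dynamic DYNMAP
crypto map CM client authentication LOCAL
crypto map CM interface outside
isakmp key ******** address d.d.d.d netmask 255.255.255.255
"""
# ... and after the reply's fix (keywords appended to the isakmp key line).
PIX_AFTER = PIX_BEFORE.replace(
    "netmask 255.255.255.255",
    "netmask 255.255.255.255 no-xauth no-config-mode")

REQUIRED_FLAGS = {"no-xauth", "no-config-mode"}


def lint_static_peers(config: str) -> list:
    """Return (peer, reason) tuples for static crypto-map peers that would be
    forced through Xauth/mode-config: the peer's crypto map also carries
    'client authentication' and the peer's isakmp key lacks both keywords."""
    maps_with_xauth = set()   # crypto map names with client authentication
    static_peers = {}         # peer address -> crypto map name
    key_flags = {}            # peer address -> keywords on its isakmp key line
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) client authentication", line)
        if m:
            maps_with_xauth.add(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) \d+ set peer (\S+)", line)
        if m:
            static_peers[m.group(2)] = m.group(1)
            continue
        m = re.match(r"isakmp key \S+ address (\S+) netmask \S+(.*)", line)
        if m:
            key_flags[m.group(1)] = set(m.group(2).split())
    findings = []
    for peer, cmap in static_peers.items():
        if cmap not in maps_with_xauth:
            continue  # no Xauth on this map, peer is unaffected
        flags = key_flags.get(peer)
        if flags is None:
            findings.append((peer, "no isakmp key configured for static peer"))
        elif not REQUIRED_FLAGS <= flags:
            findings.append((peer, "isakmp key lacks no-xauth no-config-mode"))
    return findings
```

Running it over the poster's extract reports the d.d.d.d peer; over the fixed extract it reports nothing.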