Hello,

I'm trying to get multiple customers hooked via
VPN through the same PIX and the first one works
and the second does not.  The peer addresses are
correct but when I turn on debug crypto ipsec
and debug ipsec isakmp, I get the output at the
bottom of the page.  Notice that sysopt
connection permit-ipsec is on, so conduit/static
statements are irrelevant for IPsec traffic.

Thanks for any (obvious) suggestions.

Brent Stackhouse
Security Analyst
2ndWave, Inc.


###IPsec-relevant part of config###
sysopt connection permit-ipsec
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto ipsec transform-set myset2 esp-des esp-sha-hmac
crypto map Mymap 10 ipsec-isakmp
crypto map Mymap 10 match address 101
crypto map Mymap 10 set peer xxx.xxx.xxx.xxx
crypto map Mymap 10 set transform-set myset1
crypto map Mymap 11 ipsec-isakmp
crypto map Mymap 11 match address 102
crypto map Mymap 11 set pfs group2
crypto map Mymap 11 set peer xxx.xxx.xxx.xxx
crypto map Mymap 11 set transform-set myset2
crypto map Mymap interface outside
isakmp enable outside
isakmp key xxxxxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key xxxxxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 5000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 5000

###Debug output###
ISAKMP (0): deleting SA
ISADB: reaper checking SA 0x810e6a50, conn_id = 0
ISADB: reaper checking SA 0x810ea088, conn_id = 0
ISADB: reaper checking SA 0x810e7678, conn_id = 0  DELETE IT!

ISADB: reaper checking SA 0x810e6a50, conn_id = 0
ISADB: reaper checking SA 0x810ea088, conn_id = 0IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= xxx.xxx.xxx.xxx, remote= xxx.xxx.xxx.xxx,
    local_proxy= xxx.xxx.xxx.xxx/255.255.255.0/0/0 (type=4),
    remote_proxy= xxx.xxx.xxx.xxx/255.255.255.248/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchangeIPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny


ISAKMP (0): retransmitting phase 1...IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

IPSEC(ipsec_encap): crypto map check deny

