Actually I don't think that's true, you can just do a
"clear crypto isakmp"
and
"clear crypto ipsec sa"
At least it always worked fine for me.
Carl
> -----Original Message-----
> From: Mahankali, Sridhar [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 06, 2000 1:30 PM
> To: 'Brent Stackhouse'; [EMAIL PROTECTED]
> Subject: RE: PIX VPN Config. Problem
>
>
> Hi Brent,
>
> Just wondering if you re-applied the "crypto map Mymap interface outside"
> statement. Every time you make changes to the crypto map statements, you
> have to reapply the map to the appropriate interface.
>
> Sridhar Mahankali
> Firewall/VPN Engineering
>
> -----Original Message-----
> From: Brent Stackhouse [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 06, 2000 12:55 PM
> To: [EMAIL PROTECTED]
> Subject: PIX VPN Config. Problem
>
>
> Hello,
>
> I'm trying to get multiple customers hooked via
> VPN through the same PIX and the first one works
> and the second does not. The peer addresses are
> correct but when I turn on debug crypto ipsec
> and debug ipsec isakmp, I get the output at the
> bottom of the page. Notice that sysopt
> connection permit-ipsec is on, so conduit/static
> statements are irrelevant for IPsec traffic.
>
> Thanks for any (obvious) suggestions.
>
> Brent Stackhouse
> Security Analyst
> 2ndWave, Inc.
>
>
> ###IPsec-relevant part of config###
> sysopt connection permit-ipsec
> crypto ipsec transform-set myset1 esp-des esp-sha-hmac
> crypto ipsec transform-set myset2 esp-des esp-sha-hmac
> crypto map Mymap 10 ipsec-isakmp
> crypto map Mymap 10 match address 101
> crypto map Mymap 10 set peer xxx.xxx.xxx.xxx
> crypto map Mymap 10 set transform-set myset1
> crypto map Mymap 11 ipsec-isakmp
> crypto map Mymap 11 match address 102
> crypto map Mymap 11 set pfs group2
> crypto map Mymap 11 set peer xxx.xxx.xxx.xxx
> crypto map Mymap 11 set transform-set myset2
> crypto map Mymap interface outside
> isakmp enable outside
> isakmp key xxxxxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255
> isakmp key xxxxxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash sha
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 5000
> isakmp policy 30 authentication pre-share
> isakmp policy 30 encryption des
> isakmp policy 30 hash sha
> isakmp policy 30 group 2
> isakmp policy 30 lifetime 5000
>
> ###Debug output###
> ISAKMP (0): deleting SA
> ISADB: reaper checking SA 0x810e6a50, conn_id = 0
> ISADB: reaper checking SA 0x810ea088, conn_id = 0
> ISADB: reaper checking SA 0x810e7678, conn_id = 0 DELETE IT!
>
> ISADB: reaper checking SA 0x810e6a50, conn_id = 0
> ISADB: reaper checking SA 0x810ea088, conn_id = 0IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(key_engine): request timer fired: count = 2,
> (identity) local= xxx.xxx.xxx.xxx, remote= xxx.xxx.xxx.xxx,
> local_proxy= xxx.xxx.xxx.xxx/255.255.255.0/0/0 (type=4),
> remote_proxy= xxx.xxx.xxx.xxx/255.255.255.248/0/0 (type=4)
>
> ISAKMP (0): beginning Main Mode exchangeIPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
>
> ISAKMP (0): retransmitting phase 1...IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
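Added example, not part of the original thread: a small Python audit of the cross-references a multi-peer PIX crypto map depends on (each sequence needs a defined access-list, a peer with an isakmp key, a defined transform-set, and the map applied to an interface). The sample config is constructed with documentation-range addresses and a placeholder key, and the `audit` function name is hypothetical.

```python
# Constructed sample in the syntax of the posted config; values are placeholders.
SAMPLE = """\
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto map Mymap 10 ipsec-isakmp
crypto map Mymap 10 match address 101
crypto map Mymap 10 set peer 192.0.2.10
crypto map Mymap 10 set transform-set myset1
crypto map Mymap 11 ipsec-isakmp
crypto map Mymap 11 match address 102
crypto map Mymap 11 set peer 198.51.100.20
crypto map Mymap 11 set transform-set myset2
crypto map Mymap interface outside
isakmp key example-key address 192.0.2.10 netmask 255.255.255.255
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.248
"""

def audit(config):
    entries, tsets, acls, keyed, applied = {}, set(), set(), set(), set()
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            tsets.add(w[3])
        elif w[:1] == ["access-list"] and len(w) > 1:
            acls.add(w[1])
        elif w[:2] == ["isakmp", "key"] and "address" in w[:-1]:
            # Assumption: host-specific keys (netmask 255.255.255.255), as in the post.
            keyed.add(w[w.index("address") + 1])
        elif w[:2] == ["crypto", "map"] and len(w) >= 5:
            if w[3] == "interface":
                applied.add(w[2])
            elif w[3].isdigit():
                e = entries.setdefault((w[2], int(w[3])), {})
                if w[4:6] == ["match", "address"] and len(w) > 6:
                    e["acl"] = w[6]
                elif w[4] == "set" and len(w) > 6 and w[5] in ("peer", "transform-set"):
                    e[w[5]] = w[6]
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        checks = (("acl", acls, "access-list"), ("peer", keyed, "isakmp key"),
                  ("transform-set", tsets, "transform-set"))
        for field, known, what in checks:
            value = e.get(field)
            if value is None:
                findings.append(f"{tag}: no {field} configured")
            elif value not in known:
                findings.append(f"{tag}: {field} {value} has no matching {what}")
        if name not in applied:
            findings.append(f"{tag}: map not applied to an interface")
    return findings
```

Calling `audit(SAMPLE)` returns three findings for sequence 11 and none for sequence 10.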