Hello Brent,
I've been playing around with PIX-to-PIX IPSEC VPNs myself quite a bit
recently.
A couple of suggestions or questions:
1. Make sure both ends are running 5.1(2) (unconfirmed rumors amongst
friends was that older revs of the PIX software didn't handle
multiple tunnels that well)
2. You might try having both priority levels of your crypto map
use the same transform-set (I'm doing that successfully on a crypto
map split between a priority level for a site-to-site vpn and a
priority level for dynamically addressed VPN clients)
3. You didn't include any config parameters for the two access
lists (101 and 102) that are referenced by your crypto map. Have
you confirmed that they are correct and mirrored on both sides?
4. On your isakmp policy 30, I notice that you're using
des rather than 3des (unlike policy 20). I trust that's not
a typo and is mirrored on both ends?
Further, if your isakmp policy 20 calls for 3des, does
the transform-set need to be 3des as well? (I noticed that
both myset1 and myset2 are set to esp-des but your isakmp
policy 20 calls for 3des. I genuinely don't know if that
would affect anything, but thought I'd bring it up)
5. Have you tried getting the second tunnel config running without
pfs? You might try installing a more generic config for that second
policy and see how far you get. Something like:
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
Just some thoughts and suggestions.
jeff
>
> -----Original Message-----
> From: Brent Stackhouse [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 06, 2000 12:55 PM
> To: [EMAIL PROTECTED]
> Subject: PIX VPN Config. Problem
>
>
> Hello,
>
> I'm trying to get multiple customers hooked via
> VPN through the same PIX and the first one works
> and the second does not. The peer addresses are
> correct but when I turn on debug crypto ipsec
> and debug ipsec isakmp, I get the output at the
> bottom of the page. Notice that sysopt
> connection permit-ipsec is on, so conduit/static
> statements are irrelevant for IPsec traffic.
>
> Thanks for any (obvious) suggestions.
>
> Brent Stackhouse
> Security Analyst
> 2ndWave, Inc.
>
>
> ###IPsec-relevant part of config###
> sysopt connection permit-ipsec
> crypto ipsec transform-set myset1 esp-des esp-sha-hmac
> crypto ipsec transform-set myset2 esp-des esp-sha-hmac
> crypto map Mymap 10 ipsec-isakmp
> crypto map Mymap 10 match address 101
> crypto map Mymap 10 set peer xxx.xxx.xxx.xxx
> crypto map Mymap 10 set transform-set myset1
> crypto map Mymap 11 ipsec-isakmp
> crypto map Mymap 11 match address 102
> crypto map Mymap 11 set pfs group2
> crypto map Mymap 11 set peer xxx.xxx.xxx.xxx
> crypto map Mymap 11 set transform-set myset2
> crypto map Mymap interface outside
> isakmp enable outside
> isakmp key xxxxxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255
> isakmp key xxxxxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash sha
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 5000
> isakmp policy 30 authentication pre-share
> isakmp policy 30 encryption des
> isakmp policy 30 hash sha
> isakmp policy 30 group 2
> isakmp policy 30 lifetime 5000
>
> ###Debug output###
> ISAKMP (0): deleting SA
> ISADB: reaper checking SA 0x810e6a50, conn_id = 0
> ISADB: reaper checking SA 0x810ea088, conn_id = 0
> ISADB: reaper checking SA 0x810e7678, conn_id = 0 DELETE IT!
>
> ISADB: reaper checking SA 0x810e6a50, conn_id = 0
> ISADB: reaper checking SA 0x810ea088, conn_id = 0
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(key_engine): request timer fired: count = 2,
> (identity) local= xxx.xxx.xxx.xxx, remote= xxx.xxx.xxx.xxx,
> local_proxy= xxx.xxx.xxx.xxx/255.255.255.0/0/0 (type=4),
> remote_proxy= xxx.xxx.xxx.xxx/255.255.255.248/0/0 (type=4)
>
> ISAKMP (0): beginning Main Mode exchange
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
>
> ISAKMP (0): retransmitting phase 1...
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
> IPSEC(ipsec_encap): crypto map check deny
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
--
#############################################################
# Jeff Burson Human Code, Inc. #
# Network Guru 319 Congress Ave. Suite 100 #
# [EMAIL PROTECTED] Austin, TX 78701 #
# 512.477.5455 x1434 http://www.humancode.com #
#############################################################
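As an added example, not part of the thread: a small Python checker that applies the checklist from the reply above (crypto access-lists mirrored on both ends, the same transform-set algorithms at both ends, PFS set on both sides or neither) to two constructed PIX 5.x config excerpts modelled on Brent's second crypto map entry. The access-list lines, the remote site's names and the peer addresses are assumptions, since the original message omits them.

```python
# Constructed PIX 5.x excerpts modelled on the thread's second crypto map entry
# (access-lists added, addresses are documentation-range placeholders).
SITE_A = """
access-list 102 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.248
crypto ipsec transform-set myset2 esp-des esp-sha-hmac
crypto map Mymap 11 match address 102
crypto map Mymap 11 set pfs group2
crypto map Mymap 11 set peer 192.0.2.20
crypto map Mymap 11 set transform-set myset2
"""
SITE_B = """
access-list 110 permit ip 10.2.0.0 255.255.255.248 10.1.0.0 255.255.255.0
crypto ipsec transform-set cust esp-des esp-sha-hmac
crypto map Bmap 5 match address 110
crypto map Bmap 5 set peer 192.0.2.10
crypto map Bmap 5 set transform-set cust
"""

def parse(cfg):
    """Collect permit ACL entries, transform-sets and crypto map entries."""
    c = {"acl": {}, "ts": {}, "map": {}}
    for line in cfg.strip().splitlines():
        w = line.split()
        if w[0] == "access-list" and w[2] == "permit":
            c["acl"].setdefault(w[1], []).append(tuple(w[4:8]))  # src mask dst mask
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["ts"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 5 and w[4] in ("match", "set"):
            key = w[5] if w[4] == "set" else "acl"   # peer / pfs / transform-set / acl
            c["map"].setdefault((w[2], int(w[3])), {})[key] = w[-1]
    return c

def check_tunnel(local, remote, lkey, rkey):
    """Apply the thread's checklist to one pair of crypto map entries."""
    l, r, out = local["map"][lkey], remote["map"][rkey], []
    for side, cfg, e in (("local", local, l), ("remote", remote, r)):
        if e.get("acl") not in cfg["acl"]:
            out.append(f"{side}: access-list {e.get('acl')} is not defined")
        if e.get("transform-set") not in cfg["ts"]:
            out.append(f"{side}: transform-set {e.get('transform-set')} is not defined")
    if local["ts"].get(l.get("transform-set")) != remote["ts"].get(r.get("transform-set")):
        out.append("transform-set algorithms differ between ends")
    if l.get("pfs") != r.get("pfs"):
        out.append(f"pfs mismatch: local={l.get('pfs')} remote={r.get('pfs')}")
    # The remote crypto ACL must be the mirror image (src/dst swapped) of the local one
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in remote["acl"].get(r.get("acl"), [])}
    if set(local["acl"].get(l.get("acl"), [])) != mirrored:
        out.append("crypto access-lists are not mirror images")
    return out
```

Run against the two excerpts it reports only the one-sided PFS setting; the same entry with the `set pfs` line removed from SITE_A passes clean.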