Need help: site-to-site VPN

I've got a Cisco PIX 506E at the office.
There is an ASA 5510 at a co-location site.

The ISAKMP phase 1 seems to go OK.

I then get this:
ISAKMP: phase 2 packet is a duplicate of a previous packet
The engineer on the other end says it's asking for x-auth, but I haven't set the crypto map to require xauth.

Anyone got any bright ideas?
 
Phase 1 complete would suggest that the pre-shared key is correct. (I think! But check anyway!) Phase 2 would be the auth type. Ensure that it's the same at both ends - you should be able to use ESP-3DES-MD5 / ESP-DES-MD5, found under IPSEC. Under IKE, set the encryption to be 3des / des, the hash as SHA and the auth as pre-share.

Also ensure that your IPSEC rules have the same networks defined at both ends. Think that's about it.

Kev
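The advice above boils down to "both peers must offer at least one identical phase 1 policy and one identical phase 2 transform set". The following added example (not the poster's configuration and not a Cisco tool) parses the flat PIX 6.3 "isakmp policy" and "crypto ipsec transform-set" syntax used in this thread and reports which phase cannot agree. The local side uses the two policies and transform sets from the posted config; the ASA side is not in the thread, so the REMOTE_* texts are constructed, and the defaults assumed for omitted policy attributes are the Cisco documented ones.

```python
"""Offline check of IKEv1 phase 1 / phase 2 proposal agreement between two VPN peers.

Added example for this thread; neither the poster's configuration nor a Cisco tool.
It reads the flat PIX 6.3 "isakmp policy" / "transform-set" syntax (an optional
leading "crypto " is tolerated). REMOTE_* texts below are constructed.
"""
import re
from dataclasses import dataclass

# Attributes that must agree for an IKEv1 phase 1 proposal to be accepted.
# Lifetime is negotiable (the responder may accept a shorter one), so it is excluded.
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")


@dataclass(frozen=True)
class Phase1Policy:
    priority: int
    # Defaults for omitted attributes: assumed to be the Cisco documented defaults.
    authentication: str = "rsa-sig"
    encryption: str = "des"
    hash: str = "sha"
    group: str = "1"
    lifetime: str = "86400"


def parse_phase1(config: str) -> list[Phase1Policy]:
    """Group 'isakmp policy <n> <attr> <value>' lines into policies, lowest number first."""
    raw: dict[int, dict[str, str]] = {}
    for line in config.splitlines():
        m = re.match(r"\s*(?:crypto\s+)?isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            raw.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return [Phase1Policy(priority=p, **attrs) for p, attrs in sorted(raw.items())]


def parse_transform_sets(config: str) -> dict[str, frozenset[str]]:
    """'crypto ipsec transform-set <name> <transform> ...' -> {name: set of transforms}."""
    sets: dict[str, frozenset[str]] = {}
    for line in config.splitlines():
        m = re.match(r'\s*crypto ipsec transform-set ("[^"]+"|\S+)\s+(.+)', line)
        if m:
            sets[m.group(1).strip('"')] = frozenset(m.group(2).split())
    return sets


def match_phase1(initiator, responder):
    """Main mode: the responder accepts the first initiator proposal (in priority order)
    that exactly matches one of its own on PHASE1_ATTRS. Returns (local, remote) or None."""
    for local in initiator:
        for remote in responder:
            if all(getattr(local, a) == getattr(remote, a) for a in PHASE1_ATTRS):
                return local, remote
    return None


def match_phase2(local_sets, remote_sets):
    """Quick mode: some local transform set must equal some remote one (same ESP cipher
    and HMAC). Returns (local_name, remote_name) or None."""
    for lname, lset in local_sets.items():
        for rname, rset in remote_sets.items():
            if lset == rset:
                return lname, rname
    return None


def diagnose(local_cfg: str, remote_cfg: str) -> list[str]:
    """Return a list of findings; empty means both phases have an agreeing proposal."""
    findings = []
    if match_phase1(parse_phase1(local_cfg), parse_phase1(remote_cfg)) is None:
        findings.append("phase 1: no isakmp policy agrees on authentication/encryption/hash/group")
    if match_phase2(parse_transform_sets(local_cfg), parse_transform_sets(remote_cfg)) is None:
        findings.append("phase 2: no transform set has the same ESP cipher and HMAC on both sides")
    return findings


# Local side: the policies and transform sets from the posted PIX config.
LOCAL_PIX = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
crypto ipsec transform-set company esp-3des esp-md5-hmac
crypto ipsec transform-set Co-Location esp-3des esp-sha-hmac
"""

# Constructed remote side that agrees with local policy 20 and the Co-Location set.
REMOTE_OK = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
crypto ipsec transform-set COLO esp-3des esp-sha-hmac
"""

# Constructed remote side with a hash mismatch in phase 1 and a cipher mismatch in phase 2.
REMOTE_MISMATCH = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set COLO esp-aes esp-sha-hmac
"""

if __name__ == "__main__":
    for name, remote in (("ok", REMOTE_OK), ("mismatch", REMOTE_MISMATCH)):
        print(name, diagnose(LOCAL_PIX, remote) or ["both phases agree"])
```

Because the far end's running config is usually only available as a pasted "show run" excerpt, comparing the two sides this way before touching the tunnel avoids the guesswork the thread describes; a phase 2 finding points at the transform set, a phase 1 finding at the isakmp policy or its defaults.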
 
Right, this really is starting to get annoying...

Doing a test this morning with a 506E and a 501 there were no problems whatsoever; it just worked.

Changing the IPs to the co-location site's IP addresses I would have thought would have worked, but it doesn't :(

Either I am doing something incredibly stupid or the engineer at the other end hasn't a clue :mad:

I've had my manager have a quick gander at the config I've bashed together, but he wasn't able to spot any obvious mistakes.


Anyhow

I now have:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
...
access-list xxx permit ip "Local LAN" /24 "Access VPN pool" /24
access-list xxx permit ip "Local LAN" /24 "Co-Location" /24
.....
access-list yyy permit ip host "Server1" "Co-Location" /24
access-list yyy permit ip host "Server2" "Co-Location" /24
......
global (outside) 1 interface
nat (inside) 0 access-list xxx
......
route outside 0.0.0.0 0.0.0.0 "GW IP" 1
......
sysopt connection permit-ipsec
.....
crypto ipsec transform-set "company" esp-3des esp-md5-hmac
crypto ipsec transform-set "Co-Location" esp-3des esp-sha-hmac
.......
crypto dynamic-map "company" 10 set transform-set "company"
.......
crypto map "company" 20 ipsec-isakmp
crypto map "company" 20 match address "yyy"
crypto map "company" 20 set peer "Co-Location ASA IP"
crypto map "company" 20 set transform-set "Co-Location"
crypto map "company" 30 ipsec-isakmp dynamic "Company"
crypto map "company" client token authentication "RSA aaa-server alias"
crypto map "company" interface outside
........
isakmp enable outside
isakmp key "Secret" address "Co-Location ASA IP"
isakmp identity address
isakmp nat-traversal 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400


Policy 10 is for Access-VPNs
Policy 20 is for the S2S
 
Only thing I see that masks a potential problem is that your xxx and yyy access lists differ.
Your no-NAT list, xxx, references the local and remote networks.
Your crypto map list, yyy, references two host addresses and the remote network.
I presume the two host addresses are in the local LAN network, in which case does the remote end only have those two host addresses for its remote network entries? As someone else posted, they need to match.
Also, any local address other than those two hosts that tries to access the remote network will go out unencrypted and not source-NATted.

I'm suggesting maybe your yyy list should be your local network and the remote network. If you're trying to restrict access to the remote network to only those two hosts then you should have another, inbound access list applied to the inside interface for this.
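The mismatch Tui describes between the no-NAT ACL (xxx) and the crypto-map ACL (yyy) can be checked mechanically. The added example below is not the poster's config or a Cisco tool: it parses the flat PIX 6.3 access-list, nat 0 and crypto map lines quoted in this thread, lists the NAT-exempt traffic that no crypto entry protects (which leaves in the clear), lists crypto entries that are not NAT-exempt (whose source would be translated before encryption), and derives the mirror-image ACL the far end must carry. The thread only shows quoted placeholders, so the 192.168.1.0/24, 10.1.1.0/24 and 192.168.50.0/24 addresses are constructed stand-ins.

```python
"""Check that a PIX NAT-exemption ACL and crypto-map ACL agree on what is encrypted,
and derive the mirror-image crypto ACL the far end must carry.

Added example for this thread; not the poster's config and not a Cisco tool.
It reads the flat PIX 6.3 syntax quoted in the thread. Addresses below are
constructed RFC 1918 stand-ins for the thread's quoted placeholders.
"""
import re
from ipaddress import IPv4Network, ip_network

Pair = tuple[IPv4Network, IPv4Network]  # (source, destination)


def _operand(tokens: list[str]) -> IPv4Network:
    """Consume one ACL address operand: 'host A', 'any', or 'A NETMASK'."""
    t = tokens.pop(0)
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    if t == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acls(config: str) -> dict[str, list[Pair]]:
    """'access-list <name> permit ip <src> <dst>' lines -> {name: [(src, dst), ...]}."""
    acls: dict[str, list[Pair]] = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list (\S+) permit ip (.+)", line)
        if m:
            tokens = m.group(2).split()
            src = _operand(tokens)
            dst = _operand(tokens)
            acls.setdefault(m.group(1).strip('"'), []).append((src, dst))
    return acls


def covered(pair: Pair, pairs: list[Pair]) -> bool:
    """True if some entry in `pairs` contains both the source and destination of `pair`."""
    src, dst = pair
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)


def audit(config: str) -> dict[str, list[Pair]]:
    """Compare the nat 0 ACL with every ACL referenced by a crypto map 'match address'."""
    acls = parse_acls(config)
    m = re.search(r"nat \(\S+\) 0 access-list (\S+)", config)
    nat0 = acls.get(m.group(1).strip('"'), []) if m else []
    crypto: list[Pair] = []
    for name in re.findall(r"crypto map \S+ \d+ match address (\S+)", config):
        crypto += acls.get(name.strip('"'), [])
    crypto_dsts = [d for _, d in crypto]
    return {
        # NAT-exempt traffic heading for a VPN destination that no crypto entry covers:
        # it is routed out of the outside interface in the clear, with its private source.
        "cleartext_leaks": [p for p in nat0
                            if any(p[1].overlaps(d) for d in crypto_dsts) and not covered(p, crypto)],
        # Crypto entries that are not NAT-exempt: the source is translated to the outside
        # address before encryption, so the far end's proxy identities never match.
        "natted_before_encrypt": [p for p in crypto if not covered(p, nat0)],
        # What the far end's crypto ACL must contain (source and destination swapped).
        "remote_mirror": [(d, s) for s, d in crypto],
    }


# Constructed stand-in for the posted config: 192.168.1.0/24 is the local LAN,
# 10.1.1.0/24 the co-location LAN, 192.168.50.0/24 the remote-access VPN pool.
AS_POSTED = """
access-list xxx permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list xxx permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list yyy permit ip host 192.168.1.10 10.1.1.0 255.255.255.0
access-list yyy permit ip host 192.168.1.11 10.1.1.0 255.255.255.0
nat (inside) 0 access-list xxx
crypto map company 20 match address yyy
"""

# Same config with yyy widened to the whole local LAN, as suggested in the thread.
FIXED = AS_POSTED.replace(
    "access-list yyy permit ip host 192.168.1.10 10.1.1.0 255.255.255.0\n"
    "access-list yyy permit ip host 192.168.1.11 10.1.1.0 255.255.255.0\n",
    "access-list yyy permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0\n")

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label)
        for key, pairs in audit(cfg).items():
            print(f"  {key}: {[f'{s} -> {d}' for s, d in pairs]}")
```

On the "as posted" input the check reports the local LAN to co-location pair as a cleartext leak (only the two hosts are encrypted, while the whole LAN is NAT-exempt), and the mirror list shows that the ASA's crypto ACL would have to name exactly those two /32 hosts for the proxy identities to match; on the "fixed" input both findings are empty.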
 
Tui said:
Only thing I see that masks a potential problem is that your xxx and yyy access lists differ.
Your no-NAT list, xxx, references the local and remote networks.
Your crypto map list, yyy, references two host addresses and the remote network.
I presume the two host addresses are in the local LAN network, in which case does the remote end only have those two host addresses for its remote network entries? As someone else posted, they need to match.
Also, any local address other than those two hosts that tries to access the remote network will go out unencrypted and not source-NATted.

I'm suggesting maybe your yyy list should be your local network and the remote network. If you're trying to restrict access to the remote network to only those two hosts then you should have another, inbound access list applied to the inside interface for this.


Thanks for that. I've actually changed it to the whole network now; still didn't work... got a call 2 hours later from the engy at the other end: "oh, it's working now. But I haven't changed any settings at this end". Not going to comment on that one, but suffice to say the ISAKMP negotiations all failed during those 2 hours :rolleyes:
 