Re: PIX-PIX VPN stuck at MM_KEY_EXCH [7:91361] posted 08/01/2004


Peter,

Try either adding the "reverse" no-nat statements (see below) on each side
or using the "sysopt ipsec pl-compatible" command.  If you use the second
option, you can actually remove your no-nat statements and the "sysopt
permit ipsec" command, for it will bypass NAT and any access-list on the
interface.

example:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Kevin


"peter spalding" wrote in message
news:200408010807.i7187q05004329@xxxxxxxxxxxxxxxxx
> Thanks for the advice. I re-entered the key and now I see
> QM_IDLE status.  But I still cannot ping to the other
> LAN.  In my sh crypto ipsec sa result it shows the
> following.  Note that the pkts are encaps and not
> decaps.  I wonder if it is an IOS version problem, as PIX
> A is 6.3 and PIX B is 6.0.  Besides, in my PIX B I have
> some access-list configured on the outside interface:
> access-group 101 in interface outside.  I wonder
> should I ensure that access group 101 allows isakmp,
> ah, esp, gre to come in and at least allow them to come
> to the PIX B outside interface?  But I thought the 1) isakmp
> enable outside and 2) sysopt connection permit-ipsec
> should have done the job????
>
>
>    local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
>    remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
>    current_peer: PIXBIP:500
>    dynamic allocated peer ip: 0.0.0.0
>
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
>     #send errors 1, #recv errors 0
>
>      local crypto endpt.: PIXA IP, remote crypto endpt.: PIXB IP
>      path mtu 1500, ipsec overhead 56, media mtu 1500
>      current outbound spi: 58b55c0
>
>      inbound esp sas:
>       spi: 0x383390ec(942903532)
>         transform: esp-des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         slot: 0, conn id: 5, crypto map: pixmap
>         sa timing: remaining key lifetime (k/sec): (4608000/3450)
>         IV size: 8 bytes
>         replay detection support: Y
>
>
>      inbound ah sas:
>
>
>      inbound pcp sas:
>
>
>      outbound esp sas:
>       spi: 0x58b55c0(93017536)
>         transform: esp-des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         slot: 0, conn id: 6, crypto map: pixmap
>         sa timing: remaining key lifetime (k/sec): (4607999/3441)
>         IV size: 8 bytes
>         replay detection support: Y
>
>
>      outbound ah sas:
>
>
>      outbound pcp sas:
>
>
>
> --- "Will K." wrote:
>
> > Here is the meaning of the sysopt route dnat command and
> > the link to the 6.0 Command Reference:
> >
> > route dnat
> >  Specify that when an incoming packet does a route lookup, the incoming
> > interface is used to determine which interface the packet should go to, and
> > which is the next hop.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid78
> >
> > I don't think that is the cause.
> >
> > Do a debug crypto isakmp to see the problem.
> >
> > They are not negotiating Phase I. Your isakmp settings look similar. Try
> > re-entering the keys again. Make sure there are no spaces in there.
> >
> >
> >
> > "peter spalding" wrote in message
> > news:200407310645.i6V6j0BY031777@xxxxxxxxxxxxxxxxx
> > > Hi..  I am configuring PIX-PIX VPN with pre-share key.
> > > After I did all the configuration and routing, I
> > > found it still doesn't work.  When I do a "sh crypto
> > > isakmp sa" in the PIX I saw
> > >
> > > dst      src    State           Pending  Created
> > > IPA      IPB    MM_KEY_EXCH        0        0
> > >
> > > What does it mean??  What is the common mistake for
> > > this?
> > >
> > > PIX A is running Version 6.3(3) and enabled with
> > > DES/3DES.
> > >
> > > PIX B is running Version 6.0(2) and enabled with
> > > DES.
> > >
> > > Below are the configurations of PIX A and B.
> > >
> > > Can you tell what is wrong?  Besides, I want to check
> > > whether the "no sysopt route dnat" statement in PIX B is
> > > causing the problem?  The statement is originally
> > > there, but I don't know what it means.
> > >
> > > PIX-A
> > > access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> > > nat (inside) 0 access-list nonat
> > > isakmp enable outside
> > > isakmp policy 10 authentication pre-share
> > > isakmp policy 10 encryption des
> > > isakmp policy 10 hash md5
> > > isakmp policy 10 group 1
> > > isakmp policy 10 lifetime 86400
> > > isakmp identity address
> > > isakmp key pixto address PIXBIP netmask 255.255.255.255
> > > crypto ipsec transform-set TO-VPN esp-des esp-md5-hmac
> > > crypto ipsec security-association lifetime seconds 3600
> > > access-list 112 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> > > sysopt connection permit-ipsec
> > > crypto map pixmap 10 ipsec-isakmp
> > > crypto map pixmap 10 match address 112
> > > crypto map pixmap 10 set peer PIXBIP
> > > crypto map pixmap 10 set transform-set TO-VPN
> > > crypto map pixmap interface outside
> > >
> > >
> > > PIX-B
> > > access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
> > > nat (inside) 0 access-list nonat
> > > isakmp enable outside
> > > isakmp policy 10 authentication pre-share
> > > isakmp policy 10 encryption des
> > > isakmp policy 10 hash md5
> > > isakmp policy 10 group 1
> > > isakmp policy 10 lifetime 86400
> > > isakmp identity address
> > > isakmp key pixto address PIXAIP netmask 255.255.255.255
> > > crypto ipsec transform-set TO-VPN esp-des esp-md5-hmac
> > > crypto ipsec security-association lifetime seconds 3600
> > > access-list 112 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
> > > sysopt connection permit-ipsec
> > > no sysopt route dnat  problem?
> > > crypto map pixmap 10 ipsec-isakmp
> > > crypto map pixmap 10 match address 112
> > > crypto map pixmap 10 set peer PIXAIP
> > > crypto map pixmap 10 set transform-set TO-VPN
> > > crypto map pixmap interface outside
> > >
> > >
> > >
> > >
> > >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=91387&t=91361