The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
baldwinboy3
New Contributor III

Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

My side of the Tunnel is the Netvanta 3448 and I have 16 other site-to-site VPN tunnels currently on this box. I am trying to get to connect to an older Cisco Pix on 6.3 code. I don't control or administrator the Cisco Pix side. I have an ASA 5505 at my house which i built a site-to-site tunnel to my work Netvanta 3448 with no issues.

This Netvanta to Pix tunnel had been up for a long while until recently the tunnel failed. I have not been in the Netvanta for weeks so I doubt it is on my side. The tunnel went down and I worked with Company MDI that manages the Cisco Pix to get this back up. The way I configured it to get the vpn tunnel back up was differently then the original configuration. For some reason the Pix "Remote-ID" shows up on my side as the hostname plus domain-name for example fiberpix1.mdi.local and not as the IP address 208.127.59.200 . If i use 208.127.59.200 as the "Remote-ID" it does not work at all. I instead use the "Remote-ID" as "any" instead.

Here is my configuration.

crypto ike policy 116

  initiate aggressive

  respond anymode

  local-id address 69.42.43.42

  nat-traversal v1 disable

  nat-traversal v2 force

  peer 208.127.59.200

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

    group 2

crypto ike remote-id any preshared-key preshare2 ike-policy 116 crypto map VPN 170

no-mode-config no-xauth nat-t v1 disable nat-t v2 force

crypto map VPN 170 ipsec-ike

  description QMI NY with MDI

  match address VPN-170-vpn-selectors1

  set peer 208.127.59.200

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 116

ip access-list extended VPN-170-vpn-selectors1

  permit ip 10.5.10.0 0.0.0.255  192.168.250.0 0.0.0.255

ip policy-class inside

  allow list VPN-170-vpn-selectors1 stateless

ip policy-class outside

  allow reverse list VPN-170-vpn-selectors1 stateless

Any ideas? I will post his configuration as soon as I get them emailed to me. Also I will post the Debug commands from debug crypto ike client auth, debug crypto ike client conf, debug crypto ike nego, and debug crypto ipsec. I will post those in a little while.

Thanks,

Labels (3)
Tags (3)
0 Kudos
1 Solution

Accepted Solutions
baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

Thank you for all your views!!! Thank you for reply Levi!!! I am closing this Post. The company on the Cisco Pix side could not make his stuff work. THey have installed a new Cisco box and i set up a tunnel in 10 minuets or less to it. This is how it should work.

Thanks,

View solution in original post

0 Kudos
12 Replies
Anonymous
Not applicable

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

:

Thank you for asking this question in the support community.  The ADTRAN configuration seems to be accurate.  It appears the Cisco unit may have changed the "local-ID" from an IP address to a FQDN.  If that is the case, you have remedied the situation by changing the remote-ID to "any." 

If you have any additional questions or information, please do not hesitate to reply to this post.  I will be happy to help in any way I can.

Levi

baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

The site-to-site VPN tunnel is not up at this time. I am having the Cisco Pix engineer get me their configuration and will post it. After that I will post debug commands. Sadly I have not heard back from that engineer yet. We both in the past attempts in getting this tunnel up have verified settings are matching and still could not get the tunnel up. I have made this tunnel work with setting his Remote ID to ip address and FQDN and got it to work. SO soon as I can get that info I will update this post. 

baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

Here is the much waited for configuration from the CIsco Pix.

access-list nonat permit ip 192.168.250.0 255.255.255.0 10.5.10.0 255.255.255.0

access-list mrs permit ip 192.168.250.0 255.255.255.0 10.5.10.0 255.255.255.0

crypto ipsec transform-set mrs esp-3des esp-md5-hmac

crypto map outside_map 60 ipsec-isakmp

crypto map outside_map 60 match address mrs

crypto map outside_map 60 set peer 69.42.43.42

crypto map outside_map 60 set transform-set mrs

isakmp key preshare2 address 69.42.43.42 netmask 255.255.255.255

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 28800

baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

Okay I have turned on the following debug command:

debug crypto ike client auth

debug crypto ike client conf

debug crypto ike nego

debug crypto ipsec

I look at the saved log on this and his IP address does not show up at all when i filter through those logs (ip 208.127.59.200), i dont see the policy 116 being used either. What could cause this? we both have the correct IP addressing for our tunnels. We both are connected to other VPN tunnels with no issue. This Tunnel worked once upon a time.

Ideas?

baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

I changed the CONFIG on the ADTRAN from aggressive mode to Main Mode:

here is the debug output i get now

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION IkeStartNegotiation: using specified IKE policy "116"

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION IkeFormIsakmpAttribList:Xauth Device.. NONE            for XAUTH 

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION 116: Initiating IKE Phase 1

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: SA,PROP,TRANS,VID,VID

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   SA PAYLOAD

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     DOI: 1

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     Situation: 1

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     PROPOSAL PAYLOAD

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       Proposal No.: 1

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       IANA No. for protocol: ISAKMP (1)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       Size of the variable SPI field: 0

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       Number of transforms offered: 1

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       TRANSFORM PAYLOAD

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION         Transform Number: 1

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION         IANA Transform ID: IKE Key (1)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  DH Group 2 (2)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  Pre-shared Key (1)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  3DES (5)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  MD5 (1)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Type (11)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  Seconds (1)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Time (12)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 4

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:   (28800)

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     90 CB 80 91 3E BB 69 6E  ....>.in

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     08 63 81 B5 EC 42 7B 1F  .c...B{.

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     AF CA D7 13 68 A1 F1 C9  ....h...

2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     6B 86 96 FC 77 57 01 00  k...wW..

baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

Any ideas on this? I have posted his config on the Pix and debug from my side.

Anonymous
Not applicable

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

:

The Configuring a VPN using Main Mode in AOS guide's troubleshooting section provides some options for different troubleshooting scenarios.  From the debug output you've provided, it appears the ADTRAN unit is sending the first message of main mode, but is not receiving any negotiation messages in return.

Levi

baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

Thank you Levi. I am looking at the guide now and will see where it gets me. I will do more debug and post if necessary.

baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

HERE is my DEBUGS and I have read the document you sent me. Nothing specific in the document to my issue except that it may not match for IKE. Here is the debug from debug crypto ike

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IkeStartNegotiation: using specified IKE policy "116"

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IkeFormIsakmpAttribList:Xauth Device.. NONE            for XAUTH 

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Initiating IKE Phase 1

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: SA,PROP,TRANS,VID,VID

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   SA PAYLOAD

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     DOI: 1

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     Situation: 1

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     PROPOSAL PAYLOAD

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       Proposal No.: 1

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       IANA No. for protocol: ISAKMP (1)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       Size of the variable SPI field: 0

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       Number of transforms offered: 1

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       TRANSFORM PAYLOAD

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION         Transform Number: 1

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION         IANA Transform ID: IKE Key (1)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  DH Group 2 (2)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  Pre-shared Key (1)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  3DES (5)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  MD5 (1)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Type (11)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  Seconds (1)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Time (12)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 4

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:   (28800)

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     90 CB 80 91 3E BB 69 6E  ....>.in

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     08 63 81 B5 EC 42 7B 1F  .c...B{.

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     AF CA D7 13 68 A1 F1 C9  ....h...

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     6B 86 96 FC 77 57 01 00  k...wW..

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: DEL

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION   DELETE PAYLOAD

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     DOI: 1

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Protocol Id: 1

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Size of the SPI field: 16

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Number of SPIs being deleted: 1

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION 116: Sent informational exchange message

Anonymous
Not applicable

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

:

Thank you for replying with the output from the debug crypto ike command.  Unfortunately, it appears to be the same output as you sent previously.  Based on the output you provided, the ADTRAN unit appears to send the first message of IKE, but never receives any information in return:

2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode

If you review the guide I linked previously, it provides an example of what a proper negotiation looks like, but at this time, it isn't that that negotiation is failing, but instead that the remote unit isn't replying to the request.  Have you been able to determine what the debug on the remote unit indicates?

Levi

baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

It is the same debug from a different time. However there is more debug than last time. I am waiting on the administrator of the Pix to provide me with his debugs and I will post once i have them.

This was a bit more debug from earlier and was not sure if it would help.

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: DEL

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION   DELETE PAYLOAD

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     DOI: 1

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Protocol Id: 1

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Size of the SPI field: 16

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Number of SPIs being deleted: 1

2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION 116: Sent informational exchange message

baldwinboy3
New Contributor III

Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

Jump to solution

Thank you for all your views!!! Thank you for reply Levi!!! I am closing this Post. The company on the Cisco Pix side could not make his stuff work. THey have installed a new Cisco box and i set up a tunnel in 10 minuets or less to it. This is how it should work.

Thanks,

0 Kudos