My side of the tunnel is the Netvanta 3448, and I have 16 other site-to-site VPN tunnels currently on this box. I am trying to get it to connect to an older Cisco Pix on 6.3 code. I don't control or administer the Cisco Pix side. I have an ASA 5505 at my house, from which I built a site-to-site tunnel to my work Netvanta 3448 with no issues.
This Netvanta to Pix tunnel had been up for a long while until recently, when the tunnel failed. I have not been in the Netvanta for weeks, so I doubt it is on my side. The tunnel went down and I worked with the company MDI, which manages the Cisco Pix, to get this back up. The way I configured it to get the VPN tunnel back up was different than the original configuration. For some reason the Pix "Remote-ID" shows up on my side as the hostname plus domain name, for example fiberpix1.mdi.local, and not as the IP address 208.127.59.200. If I use 208.127.59.200 as the "Remote-ID" it does not work at all. I use "any" as the "Remote-ID" instead.
Here is my configuration.
crypto ike policy 116
  initiate aggressive
  respond anymode
  local-id address 69.42.43.42
  nat-traversal v1 disable
  nat-traversal v2 force
  peer 208.127.59.200
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    group 2

crypto ike remote-id any preshared-key preshare2 ike-policy 116 crypto map VPN 170 no-mode-config no-xauth nat-t v1 disable nat-t v2 force

crypto map VPN 170 ipsec-ike
  description QMI NY with MDI
  match address VPN-170-vpn-selectors1
  set peer 208.127.59.200
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 116

ip access-list extended VPN-170-vpn-selectors1
  permit ip 10.5.10.0 0.0.0.255 192.168.250.0 0.0.0.255

ip policy-class inside
  allow list VPN-170-vpn-selectors1 stateless

ip policy-class outside
  allow reverse list VPN-170-vpn-selectors1 stateless
Any ideas? I will post his configuration as soon as I get it emailed to me. I will also post the output of the debug commands debug crypto ike client auth, debug crypto ike client conf, debug crypto ike nego, and debug crypto ipsec. I will post those in a little while.
Thanks,
Thank you for all your views!!! Thank you for the reply, Levi!!! I am closing this post. The company on the Cisco Pix side could not make their stuff work. They have installed a new Cisco box and I set up a tunnel to it in 10 minutes or less. This is how it should work.
Thanks,
Thank you for asking this question in the support community. The ADTRAN configuration seems to be accurate. It appears the Cisco unit may have changed the "local-ID" from an IP address to a FQDN. If that is the case, you have remedied the situation by changing the remote-ID to "any."
If you have any additional questions or information, please do not hesitate to reply to this post. I will be happy to help in any way I can.
Levi
The site-to-site VPN tunnel is not up at this time. I am having the Cisco Pix engineer get me their configuration and will post it. After that I will post the debug commands. Sadly I have not heard back from that engineer yet. In past attempts at getting this tunnel up, we both verified that the settings match and still could not get the tunnel up. I have made this tunnel work in the past by setting his Remote ID to the IP address and to the FQDN. As soon as I can get that info I will update this post.
Here is the much-awaited configuration from the Cisco Pix.
access-list nonat permit ip 192.168.250.0 255.255.255.0 10.5.10.0 255.255.255.0
access-list mrs permit ip 192.168.250.0 255.255.255.0 10.5.10.0 255.255.255.0
crypto ipsec transform-set mrs esp-3des esp-md5-hmac
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address mrs
crypto map outside_map 60 set peer 69.42.43.42
crypto map outside_map 60 set transform-set mrs
isakmp key preshare2 address 69.42.43.42 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
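Both posters say the two sides' settings were verified to match. That can be checked mechanically rather than by eye. The following is an added example, not ADTRAN or Cisco code and not part of the original thread: it parses the AOS and PIX snippets above, compares every value that IKE Phase 1 and IPsec Phase 2 actually negotiate, checks that the peer/key address lines point at each other and that the selectors are mirror images, and then lists the settings that negotiate fine but a security review would flag. AOS_CONFIG and PIX_CONFIG are constructed from the posted configurations; the AOS Phase 1 lifetime is assumed to be 28800 s because the posted AOS config omits it and the debug output later in the thread shows that value being offered.

```python
"""Compare the negotiable IKE/IPsec parameters of the two ends of this tunnel
(ADTRAN AOS policy 116 / crypto map VPN 170 vs. Cisco PIX 6.3 isakmp policy 30).
Added example, not vendor code; the config strings are constructed from the
thread and the regexes cover only the commands that appear there."""
import ipaddress
import re

AOS_CONFIG = """\
crypto ike policy 116
  initiate aggressive
  local-id address 69.42.43.42
  peer 208.127.59.200
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    group 2
crypto ike remote-id any preshared-key preshare2 ike-policy 116
crypto map VPN 170 ipsec-ike
  set transform-set esp-3des-esp-md5-hmac
ip access-list extended VPN-170-vpn-selectors1
  permit ip 10.5.10.0 0.0.0.255 192.168.250.0 0.0.0.255
"""

PIX_CONFIG = """\
access-list mrs permit ip 192.168.250.0 255.255.255.0 10.5.10.0 255.255.255.0
crypto ipsec transform-set mrs esp-3des esp-md5-hmac
crypto map outside_map 60 set peer 69.42.43.42
isakmp key preshare2 address 69.42.43.42 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
"""


def _grab(text, pattern, default=None):
    m = re.search(pattern, text, re.M)           # first capture group, or default
    return m.group(1) if m else default


def _net(addr, mask, wildcard=False):
    """Network from a dotted netmask (PIX) or an IOS-style wildcard mask (AOS)."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_aos(text):
    """Phase 1 attribute, PSK binding, IDs and the Phase 2 selector, AOS side."""
    acl = re.search(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M)
    return {
        "encryption": _grab(text, r"^\s*encryption (\S+)"),
        "hash": _grab(text, r"^\s*hash (\S+)"),
        "authentication": _grab(text, r"^\s*authentication (\S+)"),
        "group": _grab(text, r"^\s*group (\S+)"),
        "lifetime": _grab(text, r"^\s*lifetime (\S+)", "28800"),  # assumed: not in posted config
        "psk": _grab(text, r"preshared-key (\S+)"),
        "local_id": _grab(text, r"local-id address (\S+)"),
        "peer": _grab(text, r"^\s*peer (\S+)"),
        "remote_id": _grab(text, r"remote-id (\S+)"),
        "aggressive": bool(re.search(r"^\s*initiate aggressive", text, re.M)),
        # AOS writes the transform as one token; split it to match the PIX form.
        "transform": _grab(text, r"set transform-set (\S+)", "").replace("-esp-", " esp-"),
        "local_net": _net(acl.group(1), acl.group(2), wildcard=True) if acl else None,
        "remote_net": _net(acl.group(3), acl.group(4), wildcard=True) if acl else None,
    }


def parse_pix(text):
    """isakmp policy, key binding, peer and the Phase 2 selector, PIX side."""
    acl = re.search(r"^access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M)
    return {
        "encryption": _grab(text, r"^isakmp policy \d+ encryption (\S+)"),
        "hash": _grab(text, r"^isakmp policy \d+ hash (\S+)"),
        "authentication": _grab(text, r"^isakmp policy \d+ authentication (\S+)"),
        "group": _grab(text, r"^isakmp policy \d+ group (\S+)"),
        "lifetime": _grab(text, r"^isakmp policy \d+ lifetime (\S+)"),
        "psk": _grab(text, r"^isakmp key (\S+) address"),
        "key_address": _grab(text, r"^isakmp key \S+ address (\S+)"),
        "peer": _grab(text, r"set peer (\S+)"),
        "transform": " ".join(_grab(text, r"^crypto ipsec transform-set \S+ (.+)$", "").split()),
        "local_net": _net(acl.group(1), acl.group(2)) if acl else None,
        "remote_net": _net(acl.group(3), acl.group(4)) if acl else None,
    }


def compare(aos, pix):
    """List of mismatches; an empty list means both sides should negotiate."""
    keys = ("encryption", "hash", "authentication", "group", "lifetime", "psk", "transform")
    issues = [f"{k}: AOS={aos[k]!r} PIX={pix[k]!r}" for k in keys if aos[k] != pix[k]]
    if not (aos["local_id"] == pix["peer"] == pix["key_address"]):
        issues.append("PIX peer/key address does not match the AOS local-id")
    if aos["local_net"] != pix["remote_net"] or aos["remote_net"] != pix["local_net"]:
        issues.append("Phase 2 selectors are not mirror images")   # quick mode would fail
    return issues


def weaknesses(aos):
    """Settings that negotiate fine but deserve a note in a security review."""
    notes = []
    if aos["aggressive"] and aos["authentication"] == "pre-share":
        notes.append("aggressive mode + PSK: HASH_R is sent unencrypted, so a passive "
                     "observer can run an offline dictionary attack on the PSK")
    if aos["remote_id"] == "any":
        notes.append("remote-id any: the PSK is not bound to one peer identity")
    if aos["encryption"] == "3des" or aos["hash"] == "md5" or aos["group"] == "2":
        notes.append("3DES / MD5 / DH group 2 are legacy; prefer AES, SHA-2 and group 14+")
    return notes
```

Calling compare(parse_aos(AOS_CONFIG), parse_pix(PIX_CONFIG)) returns an empty list for the posted configs, which agrees with the diagnosis later in the thread that nothing was wrong with the proposal itself. weaknesses() is the part to keep in mind when a tunnel like this is rebuilt quickly against a new box: aggressive mode with a pre-shared key, a PSK bound to "any" identity, and 3DES/MD5/group 2 all negotiate happily and all weaken the tunnel.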
Okay, I have turned on the following debug commands:
debug crypto ike client auth
debug crypto ike client conf
debug crypto ike nego
debug crypto ipsec
I looked at the saved log on this, and his IP address does not show up at all when I filter through those logs (ip 208.127.59.200); I don't see policy 116 being used either. What could cause this? We both have the correct IP addressing for our tunnels. We both are connected to other VPN tunnels with no issue. This tunnel worked once upon a time.
Ideas?
I changed the config on the ADTRAN from aggressive mode to main mode. Here is the debug output I get now:
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION IkeStartNegotiation: using specified IKE policy "116"
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION IkeFormIsakmpAttribList:Xauth Device.. NONE for XAUTH
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION 116: Initiating IKE Phase 1
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: SA,PROP,TRANS,VID,VID
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION SA PAYLOAD
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION DOI: 1
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Situation: 1
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION PROPOSAL PAYLOAD
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Proposal No.: 1
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION IANA No. for protocol: ISAKMP (1)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Size of the variable SPI field: 0
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Number of transforms offered: 1
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION TRANSFORM PAYLOAD
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Transform Number: 1
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION IANA Transform ID: IKE Key (1)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION TRANSFORM ATTRIBUTES
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION SA Attrib: Group Description (4)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Value: DH Group 2 (2)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION SA Attrib: Authentication Method (3)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Value: Pre-shared Key (1)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION SA Attrib: Encryption Algorithm (1)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Value: 3DES (5)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION SA Attrib: Authentication Algorithm (2)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Value: MD5 (1)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION SA Attrib: Life Type (11)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Value: Seconds (1)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION SA Attrib: Life Time (12)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Length: 4
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Value: (28800)
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION VID PAYLOAD
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Vendor ID Length: 16
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION VENDOR ID HASH IN HEX:
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION 90 CB 80 91 3E BB 69 6E ....>.in
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION 08 63 81 B5 EC 42 7B 1F .c...B{.
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION VID PAYLOAD
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION Vendor ID Length: 16
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION VENDOR ID HASH IN HEX:
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION AF CA D7 13 68 A1 F1 C9 ....h...
2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION 6B 86 96 FC 77 57 01 00 k...wW..
Any ideas on this? I have posted his config from the Pix and the debug from my side.
The Configuring a VPN using Main Mode in AOS guide's troubleshooting section provides some options for different troubleshooting scenarios. From the debug output you've provided, it appears the ADTRAN unit is sending the first message of main mode, but is not receiving any negotiation messages in return.
Levi
Thank you Levi. I am looking at the guide now and will see where it gets me. I will do more debug and post if necessary.
Here are my debugs. I have read the document you sent me; nothing in it is specific to my issue except that it may not be matching for IKE. Here is the output from debug crypto ike:
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IkeStartNegotiation: using specified IKE policy "116"
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IkeFormIsakmpAttribList:Xauth Device.. NONE for XAUTH
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Initiating IKE Phase 1
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: SA,PROP,TRANS,VID,VID
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION SA PAYLOAD
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION DOI: 1
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Situation: 1
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION PROPOSAL PAYLOAD
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Proposal No.: 1
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IANA No. for protocol: ISAKMP (1)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Size of the variable SPI field: 0
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Number of transforms offered: 1
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION TRANSFORM PAYLOAD
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Transform Number: 1
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IANA Transform ID: IKE Key (1)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION TRANSFORM ATTRIBUTES
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION SA Attrib: Group Description (4)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Value: DH Group 2 (2)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION SA Attrib: Authentication Method (3)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Value: Pre-shared Key (1)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION SA Attrib: Encryption Algorithm (1)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Value: 3DES (5)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION SA Attrib: Authentication Algorithm (2)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Value: MD5 (1)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION SA Attrib: Life Type (11)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Length: 2
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Value: Seconds (1)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION SA Attrib: Life Time (12)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Length: 4
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Value: (28800)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION VID PAYLOAD
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Vendor ID Length: 16
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION VENDOR ID HASH IN HEX:
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 90 CB 80 91 3E BB 69 6E ....>.in
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 08 63 81 B5 EC 42 7B 1F .c...B{.
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION VID PAYLOAD
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION Vendor ID Length: 16
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION VENDOR ID HASH IN HEX:
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION AF CA D7 13 68 A1 F1 C9 ....h...
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 6B 86 96 FC 77 57 01 00 k...wW..
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: DEL
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION DELETE PAYLOAD
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION DOI: 1
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION Protocol Id: 1
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION Size of the SPI field: 16
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION Number of SPIs being deleted: 1
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION 116: Sent informational exchange message
Thank you for replying with the output from the debug crypto ike command. Unfortunately, it appears to be the same output as you sent previously. Based on the output you provided, the ADTRAN unit appears to send the first message of IKE, but never receives any information in return:
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode
If you review the guide I linked previously, it provides an example of what a proper negotiation looks like, but at this time it isn't that the negotiation is failing, but instead that the remote unit isn't replying to the request. Have you been able to determine what the debug on the remote unit indicates?
Levi
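Levi's reading of both debug captures above, that the ADTRAN sends message 1 of main mode and nothing comes back before it tears the SA down 20 seconds later, can be turned into a check that runs over the saved log instead of being done by eye. The following is an added example, not ADTRAN code and not part of the original thread: it parses the timestamped debug crypto ike lines into a Phase 1 timeline and returns a verdict that separates "peer never answered" (reachability, UDP/500 filtering, or no matching key/crypto map on the far end) from "peer answered and the negotiation failed later" (a parameter, PSK, ID or selector mismatch). SAMPLE_LOG is constructed from the lines posted above; the regex used to recognise an inbound message (reply_marker) and the "Received second message" line in REPLY_LOG are assumptions, because the page shows no inbound line from AOS at all.

```python
"""Turn an AOS "debug crypto ike" capture into a Phase 1 timeline and verdict.
Added example, not ADTRAN code. SAMPLE_LOG is constructed from the debug lines
posted in this thread, trimmed to the lines that drive the verdict."""
import re
from datetime import datetime

# AOS debug line: "YYYY.MM.DD HH:MM:SS CRYPTO_IKE.NEGOTIATION <message>"
LINE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) CRYPTO_IKE\.NEGOTIATION\s*(.*)$")

SAMPLE_LOG = """\
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IkeStartNegotiation: using specified IKE policy "116"
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Initiating IKE Phase 1
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: SA,PROP,TRANS,VID,VID
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: DEL
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION 116: Sent informational exchange message
"""

# Constructed counter-example: the same attempt, but the peer answers a second
# later.  The wording of the inbound line is an assumption; AOS's real text for
# a received main-mode message does not appear anywhere on this page.
REPLY_LOG = SAMPLE_LOG.replace(
    "2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: DEL\n",
    "2013.09.03 14:03:54 CRYPTO_IKE.NEGOTIATION 116: Received second message of main mode\n",
)


def parse(log):
    """Yield (timestamp, message) for every line in the AOS debug format."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S"), m.group(2)


def analyze(log, reply_marker=r"\bReceiv"):
    """Summarise the first Phase 1 attempt in log.

    reply_marker is the (assumed) regex that identifies an inbound IKE message.
    """
    policy = sent_at = reply_at = deleted_at = None
    for ts, msg in parse(log):
        m = re.search(r'IKE policy "(\d+)"', msg)
        if m and policy is None:
            policy = m.group(1)
        if "Sent out first message" in msg and sent_at is None:
            sent_at = ts                      # our SA proposal went out
        elif sent_at and reply_at is None and re.search(reply_marker, msg):
            reply_at = ts                     # the peer is talking to us
        elif "PAYLOADS: DEL" in msg and deleted_at is None:
            deleted_at = ts                   # we gave up and tore the SA down

    if sent_at is None:
        verdict = ("no Phase 1 attempt logged: check that the crypto map is applied "
                   "and that interesting traffic matches the selector ACL")
    elif reply_at is None:
        verdict = ("peer never answered message 1: the proposal was never evaluated, "
                   "so check reachability, UDP/500 filtering, and whether the peer has "
                   "an isakmp key and crypto map entry for this source address")
    else:
        verdict = ("peer replied; a failure after this point is a Phase 1/Phase 2 "
                   "parameter, pre-shared key, ID or selector mismatch")

    silence = None
    if sent_at and deleted_at and reply_at is None:
        silence = (deleted_at - sent_at).total_seconds()   # retransmit window before give-up
    return {"policy": policy, "sent_at": sent_at, "reply_at": reply_at,
            "deleted_at": deleted_at, "silence_seconds": silence, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("posted debug", SAMPLE_LOG), ("constructed reply", REPLY_LOG)):
        r = analyze(log)
        print(f"{name}: policy {r['policy']}, silence {r['silence_seconds']}s, {r['verdict']}")
```

On the posted capture the result is policy 116, no reply, and 20 seconds of silence before the DELETE, which is exactly the "remote unit isn't replying" case. The useful property of the verdict is what it rules out: when message 1 gets no answer, comparing encryption, hash and PSK on both ends cannot help, because the far side never looked at them.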
It is the same debug from a different time. However, there is more debug than last time. I am waiting on the administrator of the Pix to provide me with his debugs, and I will post them once I have them.
This was a bit more debug from earlier; I was not sure if it would help.
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: DEL
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION DELETE PAYLOAD
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION DOI: 1
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION Protocol Id: 1
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION Size of the SPI field: 16
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION Number of SPIs being deleted: 1
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION 116: Sent informational exchange message