12 Replies Latest reply on Sep 12, 2013 7:12 AM by baldwinboy3

    Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix

    baldwinboy3 New Member

      My side of the tunnel is the Netvanta 3448, and I have 16 other site-to-site VPN tunnels currently on this box. I am trying to get it to connect to an older Cisco Pix on 6.3 code. I don't control or administer the Cisco Pix side. I have an ASA 5505 at my house, which I built a site-to-site tunnel from to my work Netvanta 3448 with no issues.

       

      This Netvanta-to-Pix tunnel had been up for a long while until recently, when the tunnel failed. I have not been in the Netvanta for weeks, so I doubt it is on my side. The tunnel went down and I worked with Company MDI, which manages the Cisco Pix, to get this back up. The way I configured it to get the VPN tunnel back up was different from the original configuration. For some reason the Pix "Remote-ID" shows up on my side as the hostname plus domain name, for example fiberpix1.mdi.local, and not as the IP address 208.127.59.200. If I use 208.127.59.200 as the "Remote-ID" it does not work at all. I use "any" as the "Remote-ID" instead.

       

      Here is my configuration.

       

      crypto ike policy 116
        initiate aggressive
        respond anymode
        local-id address 69.42.43.42
        nat-traversal v1 disable
        nat-traversal v2 force
        peer 208.127.59.200
        attribute 1
          encryption 3des
          hash md5
          authentication pre-share
          group 2

      crypto ike remote-id any preshared-key preshare2 ike-policy 116 crypto map VPN 170 no-mode-config no-xauth nat-t v1 disable nat-t v2 force

      crypto map VPN 170 ipsec-ike
        description QMI NY with MDI
        match address VPN-170-vpn-selectors1
        set peer 208.127.59.200
        set transform-set esp-3des-esp-md5-hmac
        ike-policy 116

      ip access-list extended VPN-170-vpn-selectors1
        permit ip 10.5.10.0 0.0.0.255  192.168.250.0 0.0.0.255

      ip policy-class inside
        allow list VPN-170-vpn-selectors1 stateless

      ip policy-class outside
        allow reverse list VPN-170-vpn-selectors1 stateless

       

      Any ideas? I will post his configuration as soon as I get it emailed to me. I will also post the output of the debug commands debug crypto ike client auth, debug crypto ike client conf, debug crypto ike nego, and debug crypto ipsec. I will post those in a little while.

       

      Thanks,

        • Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix
          levi Employee

          baldwinboy3:

           

          Thank you for asking this question in the support community.  The ADTRAN configuration seems to be accurate.  It appears the Cisco unit may have changed the "local-ID" from an IP address to a FQDN.  If that is the case, you have remedied the situation by changing the remote-ID to "any." 

           

          If you have any additional questions or information, please do not hesitate to reply to this post.  I will be happy to help in any way I can.

           

          Levi

          • Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix
            baldwinboy3 New Member

            Here is the much-awaited configuration from the Cisco Pix.

             

             

             

            access-list nonat permit ip 192.168.250.0 255.255.255.0 10.5.10.0 255.255.255.0
            access-list mrs permit ip 192.168.250.0 255.255.255.0 10.5.10.0 255.255.255.0

            crypto ipsec transform-set mrs esp-3des esp-md5-hmac

            crypto map outside_map 60 ipsec-isakmp
            crypto map outside_map 60 match address mrs
            crypto map outside_map 60 set peer 69.42.43.42
            crypto map outside_map 60 set transform-set mrs

            isakmp key preshare2 address 69.42.43.42 netmask 255.255.255.255

            isakmp policy 30 authentication pre-share
            isakmp policy 30 encryption 3des
            isakmp policy 30 hash md5
            isakmp policy 30 group 2
            isakmp policy 30 lifetime 28800
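            With both ends of the tunnel now posted, the first thing a practitioner would do is check the two excerpts against each other rather than by eye. The script below is an added example (not ADTRAN's or Cisco's code, and not posted by either participant) that parses exactly the statement forms shown above, AOS on the NetVanta and PIX 6.3 on the remote end, and reports whether the phase 1 proposal, the phase 2 transform set, the crypto ACL selectors and the peer/local-id addresses agree. It assumes that the AOS transform-set name spells out its transforms, as the AOS default names do, and it normalises AOS wildcard masks and PIX netmasks to CIDR before comparing selectors, since the two syntaxes differ only in notation.

```python
"""Cross-check the two ends of the tunnel posted in this thread.

Added example, not ADTRAN's or Cisco's code.  The two excerpts are the
statements posted above; parsing covers only those statement forms.
Assumption: the AOS transform-set name spells out its transforms (true of
the default names), so it can be compared with the PIX transform list.
"""
import ipaddress
import re

AOS_CONFIG = """\
crypto ike policy 116
  initiate aggressive
  respond anymode
  local-id address 69.42.43.42
  peer 208.127.59.200
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    group 2
crypto map VPN 170 ipsec-ike
  match address VPN-170-vpn-selectors1
  set peer 208.127.59.200
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 116
ip access-list extended VPN-170-vpn-selectors1
  permit ip 10.5.10.0 0.0.0.255  192.168.250.0 0.0.0.255
"""

PIX_CONFIG = """\
access-list nonat permit ip 192.168.250.0 255.255.255.0 10.5.10.0 255.255.255.0
access-list mrs permit ip 192.168.250.0 255.255.255.0 10.5.10.0 255.255.255.0
crypto ipsec transform-set mrs esp-3des esp-md5-hmac
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address mrs
crypto map outside_map 60 set peer 69.42.43.42
crypto map outside_map 60 set transform-set mrs
isakmp key preshare2 address 69.42.43.42 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
"""

PHASE1_KEYS = ("encryption", "hash", "authentication", "group")


def to_pair(src, smask, dst, dmask):
    """Build (src_net, dst_net); ipaddress accepts a netmask or a wildcard mask."""
    return (ipaddress.ip_network((src, smask)), ipaddress.ip_network((dst, dmask)))


def aos_params(text):
    """Phase 1 proposal, phase 2 transform, local-id and crypto ACL from AOS syntax."""
    p, acls, crypto_acl, header = {}, {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # an unindented line opens a new block
            header = line
            continue
        key, _, val = line.partition(" ")
        if header.startswith("crypto ike policy"):
            if key in PHASE1_KEYS:
                p[key] = val
            elif key == "local-id":
                p["local_ip"] = val.split()[-1]
        elif header.startswith("crypto map"):
            if line.startswith("match address"):
                crypto_acl = val.split()[-1]
            elif line.startswith("set transform-set"):
                p["transform"] = val.split()[-1]
        elif header.startswith("ip access-list"):
            m = re.match(r"permit ip (\S+) (\S+)\s+(\S+) (\S+)", line)
            if m:
                acls.setdefault(header.split()[-1], set()).add(to_pair(*m.groups()))
    p["selectors"] = acls.get(crypto_acl, set())   # only the ACL the crypto map uses
    return p


def pix_params(text):
    """Same fields from PIX 6.3 syntax (flat, one statement per line)."""
    p, acls, crypto_acl = {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["isakmp", "policy"] and len(w) >= 5:
            p[w[3]] = w[4]                   # authentication/encryption/hash/group/lifetime
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transform"] = "-".join(w[4:])  # 'esp-3des esp-md5-hmac' -> AOS-style name
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            acls.setdefault(w[1], set()).add(to_pair(*w[4:8]))
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            crypto_acl = w[6]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            p["peer"] = w[6]
    p["selectors"] = acls.get(crypto_acl, set())   # skips the nonat ACL
    return p


def cross_check(aos_text, pix_text):
    """One boolean per item that has to agree before phase 1 and phase 2 can complete."""
    a, b = aos_params(aos_text), pix_params(pix_text)
    return {
        "phase1_proposal_matches": all(a.get(k) == b.get(k) for k in PHASE1_KEYS),
        "phase2_transform_matches": a.get("transform") == b.get("transform"),
        "selectors_are_mirrored": {(d, s) for s, d in a["selectors"]} == b["selectors"],
        "pix_peer_is_aos_local_id": b.get("peer") == a.get("local_ip"),
    }


if __name__ == "__main__":
    for check, ok in cross_check(AOS_CONFIG, PIX_CONFIG).items():
        print(f"{check:26} {'OK' if ok else 'MISMATCH'}")
```

            Every check comes back OK for the two excerpts above, which is the same conclusion Levi reached by reading them; the point of scripting it is that the same pass can be run over the other sixteen tunnels on the box whenever a peer's configuration is changed, so a proposal or selector mismatch is caught before anyone starts reading debug output.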

            • Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix
              baldwinboy3 New Member

              Okay, I have turned on the following debug commands:

              debug crypto ike client auth
              debug crypto ike client conf
              debug crypto ike nego
              debug crypto ipsec

               

              I looked at the saved log, and his IP address does not show up at all when I filter through those logs (IP 208.127.59.200); I don't see policy 116 being used either. What could cause this? We both have the correct IP addressing for our tunnels. We are both connected to other VPN tunnels with no issue. This tunnel worked once upon a time.

               

              Ideas?

              • Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix
                baldwinboy3 New Member

                I changed the config on the ADTRAN from aggressive mode to main mode.

                Here is the debug output I get now:

                 

                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION IkeStartNegotiation: using specified IKE policy "116"
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION IkeFormIsakmpAttribList:Xauth Device.. NONE            for XAUTH
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION 116: Initiating IKE Phase 1
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: SA,PROP,TRANS,VID,VID
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   SA PAYLOAD
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     DOI: 1
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     Situation: 1
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     PROPOSAL PAYLOAD
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       Proposal No.: 1
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       IANA No. for protocol: ISAKMP (1)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       Size of the variable SPI field: 0
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       Number of transforms offered: 1
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION       TRANSFORM PAYLOAD
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION         Transform Number: 1
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION         IANA Transform ID: IKE Key (1)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  DH Group 2 (2)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  Pre-shared Key (1)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  3DES (5)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  MD5 (1)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Type (11)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 2
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:  Seconds (1)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Time (12)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Length: 4
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION             Value:   (28800)
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     90 CB 80 91 3E BB 69 6E  ....>.in
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     08 63 81 B5 EC 42 7B 1F  .c...B{.
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     AF CA D7 13 68 A1 F1 C9  ....h...
                2013.09.03 10:50:05 CRYPTO_IKE.NEGOTIATION     6B 86 96 FC 77 57 01 00  k...wW..

                  • Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix
                    levi Employee

                    baldwinboy3:

                     

                    The Configuring a VPN using Main Mode in AOS guide's troubleshooting section provides some options for different troubleshooting scenarios.  From the debug output you've provided, it appears the ADTRAN unit is sending the first message of main mode, but is not receiving any negotiation messages in return.

                     

                    Levi

                      • Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix
                        baldwinboy3 New Member

                        Thank you Levi. I am looking at the guide now and will see where it gets me. I will do more debug and post if necessary.

                        • Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix
                          baldwinboy3 New Member

                          Here are my debugs, and I have read the document you sent me. Nothing in the document is specific to my issue, except that it may not match for IKE. Here is the output from debug crypto ike:

                           

                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IkeStartNegotiation: using specified IKE policy "116"
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IkeFormIsakmpAttribList:Xauth Device.. NONE            for XAUTH
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Initiating IKE Phase 1
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: SA,PROP,TRANS,VID,VID
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   SA PAYLOAD
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     DOI: 1
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     Situation: 1
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     PROPOSAL PAYLOAD
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       Proposal No.: 1
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       IANA No. for protocol: ISAKMP (1)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       Size of the variable SPI field: 0
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       Number of transforms offered: 1
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION       TRANSFORM PAYLOAD
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION         Transform Number: 1
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION         IANA Transform ID: IKE Key (1)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  DH Group 2 (2)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  Pre-shared Key (1)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  3DES (5)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  MD5 (1)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Type (11)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 2
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  Seconds (1)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Time (12)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Length: 4
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:   (28800)
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     90 CB 80 91 3E BB 69 6E  ....>.in
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     08 63 81 B5 EC 42 7B 1F  .c...B{.
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     AF CA D7 13 68 A1 F1 C9  ....h...
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION     6B 86 96 FC 77 57 01 00  k...wW..
                          2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION

                          2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: DEL
                          2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION   DELETE PAYLOAD
                          2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     DOI: 1
                          2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Protocol Id: 1
                          2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Size of the SPI field: 16
                          2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Number of SPIs being deleted: 1
                          2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION 116: Sent informational exchange message

                            • Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix
                              levi Employee

                              baldwinboy3:

                               

                              Thank you for replying with the output from the debug crypto ike command.  Unfortunately, it appears to be the same output as you sent previously.  Based on the output you provided, the ADTRAN unit appears to send the first message of IKE, but never receives any information in return:

                               

                              2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode

                               

                              If you review the guide I linked previously, it provides an example of what a proper negotiation looks like, but at this time it isn't that the negotiation is failing, but instead that the remote unit isn't replying to the request.  Have you been able to determine what the debug on the remote unit indicates?

                               

                              Levi

                                • Re: Site-to-Site VPN Tunnel between Netvanta 3448 and Cisco Pix
                                  baldwinboy3 New Member

                                  It is the same debug from a different time. However, there is more debug output than last time. I am waiting on the administrator of the Pix to provide me with his debugs, and I will post them once I have them.

                                  This is a bit more debug output from earlier; I was not sure if it would help.

                                   

                                  2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: DEL
                                  2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION   DELETE PAYLOAD
                                  2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     DOI: 1
                                  2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Protocol Id: 1
                                  2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Size of the SPI field: 16
                                  2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Number of SPIs being deleted: 1
                                  2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION 116: Sent informational exchange message
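                                  Levi's reading of the two captures in this thread is that the unit sends the first main-mode message, hears nothing back, and twenty seconds later sends the informational exchange with the DEL payload that tears the half-open SA down. The script below is an added example (not ADTRAN's code, and not posted by either participant) that applies that same reading mechanically to a saved debug crypto ike log, so that a box carrying seventeen tunnels can be checked in one pass: it groups lines by IKE policy number, records the first outbound message, any inbound message, and the informational exchange, and classifies each policy as PEER_REPLIED, NO_RESPONSE or PENDING, with the time the unit waited. The thread shows only outbound lines, so the wording used to recognise an inbound message ("N: Received ...") is an assumption, and REPLIED_LOG is a constructed sample built on it.

```python
"""Classify each IKE policy in an AOS 'debug crypto ike' capture as answered,
unanswered or still pending.

Added example, not ADTRAN code.  SAMPLE_LOG is the sequence posted in this
thread (policy 116, 2013.09.03 14:03:53 to 14:04:13), trimmed to the lines the
classifier looks at.  The thread shows only outbound messages, so the
'Received' marker used for inbound messages is an assumption; REPLIED_LOG is a
constructed sample that uses it.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION IkeStartNegotiation: using specified IKE policy "116"
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Initiating IKE Phase 1
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION 116: Sent out first message of main mode
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: SA,PROP,TRANS,VID,VID
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION             Value:  3DES (5)
2013.09.03 14:03:53 CRYPTO_IKE.NEGOTIATION
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION <POLICY: 116> PAYLOADS: DEL
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION   DELETE PAYLOAD
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION     Protocol Id: 1
2013.09.03 14:04:13 CRYPTO_IKE.NEGOTIATION 116: Sent informational exchange message
"""

# Constructed sample (assumed wording for the inbound line) of a peer that answers.
REPLIED_LOG = """\
2013.09.03 15:00:00 CRYPTO_IKE.NEGOTIATION 117: Sent out first message of main mode
2013.09.03 15:00:00 CRYPTO_IKE.NEGOTIATION <POLICY: 117> PAYLOADS: SA,PROP,TRANS,VID,VID
2013.09.03 15:00:01 CRYPTO_IKE.NEGOTIATION 117: Received second message of main mode
"""

LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) CRYPTO_IKE\.NEGOTIATION\s*(.*)$")
# The three outbound markers appear verbatim in the thread; RECEIVED is the assumed inbound one.
SENT_FIRST = re.compile(r"^(\d+): Sent out first message of (main|aggressive) mode")
PAYLOADS = re.compile(r"^<POLICY: (\d+)> PAYLOADS: (\S+)")
SENT_INFO = re.compile(r"^(\d+): Sent informational exchange message")
RECEIVED = re.compile(r"^(\d+): Received")


def analyze(log_text):
    """Return {policy: {verdict, mode, waited_s, payloads}} for every policy seen."""
    sessions = {}

    def sess(policy):
        return sessions.setdefault(policy, {"received": 0, "payloads": []})

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
        msg = m.group(2).strip()
        if k := SENT_FIRST.match(msg):
            s = sess(k.group(1))
            s["started"], s["mode"] = ts, k.group(2)
        elif k := PAYLOADS.match(msg):
            sess(k.group(1))["payloads"].append(k.group(2))
        elif k := RECEIVED.match(msg):
            sess(k.group(1))["received"] += 1
        elif k := SENT_INFO.match(msg):
            # In the thread this follows the DEL payload: the unit gave up and tore the SA down.
            sess(k.group(1))["torn_down"] = ts

    report = {}
    for policy, s in sessions.items():
        if "started" not in s:
            verdict = "NOT_INITIATED"
        elif s["received"]:
            verdict = "PEER_REPLIED"
        elif "torn_down" in s:
            verdict = "NO_RESPONSE"
        else:
            verdict = "PENDING"
        waited = None
        if "started" in s and "torn_down" in s:
            waited = (s["torn_down"] - s["started"]).total_seconds()
        report[policy] = {"verdict": verdict, "mode": s.get("mode"),
                          "waited_s": waited, "payloads": s["payloads"]}
    return report


if __name__ == "__main__":
    for policy, r in analyze(SAMPLE_LOG).items():
        print(f"policy {policy}: {r['verdict']} ({r['mode']} mode), waited {r['waited_s']} s, "
              f"payloads sent: {' | '.join(r['payloads'])}")
```

                                  On the thread's capture the result is NO_RESPONSE after 20 s for policy 116, which separates this failure from a proposal mismatch: a peer that receives the first message but rejects the proposal typically answers with a NO-PROPOSAL-CHOSEN notification rather than staying silent, so silence points at the path to the peer (UDP 500 reachability, a filter in front of the Pix, or the Pix not matching the source address to an isakmp peer) and is something only the remote side's debug can confirm, which is what Levi asks for.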