Help with Cisco PIX 506E VPN config

Nate7311

Trying to set up an IPsec VPN to a Linksys BEFSRX1 VPN router and an SSH Sentinel.

Cisco config:
PIX Version 6.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ----------------------- encrypted
passwd --------------------------- encrypted
hostname lloil-pix
domain-name *****************
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
access-list outside_in permit icmp any any echo
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any host ***PIX external IP*** eq www
access-list outside_in permit tcp any host ***PIX external IP*** eq pop3
access-list outside_in permit tcp any host ***PIX external IP*** eq pcanywhere-data
access-list outside_in permit udp any host ***PIX external IP*** eq pcanywhere-status
access-list outside_in permit tcp any host ***PIX external IP*** eq 5900
access-list outside_in permit udp any host ***PIX external IP*** eq 8767
access-list outside_in permit tcp any host ***PIX external IP*** eq 10888
access-list outside_in permit tcp any host ***PIX external IP*** eq 17900
access-list outside_in permit tcp any host ***PIX external IP*** eq 30230
access-list outside_in permit tcp any host ***PIX external IP*** eq smtp
access-list outside_in permit tcp any host ***PIX external IP*** eq 17888
access-list outside_in permit tcp any host ***PIX external IP*** eq 17889
access-list no-nat permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat permit ip any 10.1.1.0 255.255.255.0
access-list split-tunnel permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list outside_cryptomap_dyn_24 permit ip any 10.1.1.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside ***PIX external IP*** 255.255.255.252
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.1.1.1-10.1.1.254
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 10.0.0.3 255.255.255.255 inside
pdm location 10.0.0.9 255.255.255.255 inside
pdm location 10.0.0.18 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 10.0.0.2 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10888 10.0.0.3 10888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17900 10.0.0.3 17900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 30230 10.0.0.3 30230 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data 10.0.0.18 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 10.0.0.18 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) udp interface 8767 10.0.0.3 8767 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17888 10.0.0.9 17888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17889 10.0.0.9 17889 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***T1 Router*** 1
timeout xlate 8:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http ***DNS Addy*** 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 3 set pfs group2
crypto dynamic-map dynmap 3 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto dynamic-map dynmap 4 set transform-set strong-des
crypto dynamic-map dynmap 24 match address outside_cryptomap_dyn_24
crypto dynamic-map dynmap 24 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic dynmap
crypto map partner-map client configuration address initiate
crypto map partner-map client configuration address respond
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 28 authentication pre-share
isakmp policy 28 encryption 3des
isakmp policy 28 hash sha
isakmp policy 28 group 2
isakmp policy 28 lifetime 14400
vpngroup lloc address-pool vpn-pool
vpngroup lloc dns-server 10.0.0.9
vpngroup lloc wins-server 10.0.0.1
vpngroup lloc default-domain LLOC
vpngroup lloc split-tunnel split-tunnel
vpngroup lloc idle-time 14400
vpngroup lloc password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:1beffd7aabfedd8a10e850f99371f61e
: end
lloil-pix#


IKE is configured for 3DES-MD5 with a preshared key; it does not connect.

SSH Sentinel Logs:

IP; Start isakmp sa negotiation
IP; Version = 1.0, Input packet fields = 0000
IP; Encode packet, version = 1.0, flags = 0x00000000
IP; Packet to old negotiation
IP; Version = 1.0, Input packet fields = 0001 SA
IP; Encode packet, version = 1.0, flags = 0x00000000
IP; Packet to old negotiation
IP; Version = 1.0, Input packet fields = 0412 KE NONCE VID
: Received vendor id `09 00 26 89 df d6 b7 12' from No Id (server *** PIX External (outside) IP ***:500)
: Received vendor id `12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00' from No Id (server *** PIX External (outside) IP ***:500)
: Received vendor id `af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00' from No Id (server *** PIX External (outside) IP ***:500)
: Received vendor id `37 14 c7 d8 b7 09 c3 75 15 98 65 f7 cb 4f 0f 13' from No Id (server *** PIX External (outside) IP ***:500)
IP; Diffie-hellman secret g^xy[128] = 0xa134e114 4618f21b f4375a7a 0f10887e afabe92a 02641cae 19e00686 71c84b1b 3890e424 b2e7b6c3 3adf5b93 a5fde0e5 f427a06d b8d397cd 55543b83...
IP; Hash algorithm = hmac-md5
IP; Prf key[8] = 0x71696b6e 657a3034
IP; Calculating SKEYID
IP; Output of SKEYID hash[16] = 0x1470d078 2ea9b5f0 a0d8b0f3 79e7ab84
IP; Output of SKEYID_d hash[16] = 0xaf95e9a6 5f7d069b 0ef00985 77a62e45
IP; Output of SKEYID_a hash[16] = 0x96be013a 2bacc18f 19c62922 a6c421be
IP; Output SKEYID_e hash[16] = 0x2acc5963 1eb46724 33b3c0c7 a45ffe59
IP; Final encryption key[24] = 0xdd0de3aa 11ee7054 61791564 e0e7e2ba 851445c4 5ff78cb1
IP; Output of HASH_I hash[16] = 0xf1bcb6fc 1999b521 9a0c3eb7 5727d792
IP; Encode packet, version = 1.0, flags = 0x00000001
IP; Packet to old negotiation
IP; Warning, junk after packet len = 64, decoded = 56
IP; Version = 1.0, Input packet fields = 0024 ID HASH
IP; Output of HASH_R hash[16] = 0xfc080ef0 69d4af6a 4ae14c35 a64847b6
IP; dec->enc iv[8] = 0xfa7259fd 0f3459eb
IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = md5, prf = hmac-md5, life = 0 kB / 14400 sec, key len = 0, group = 2
: Phase-1 [initiator] between ipv4(udp:500,[0..3]=192.168.1.100) and fqdn(udp:500,[0..27]=*** PIX FIREWALL ID ***) done.
QM; Start ipsec sa negotiation
QM; Version = 1.0, Input packet fields = 0000
QM; Output of phase 2 IV hash[8] = 0x7279b6e9 1f579f42
QM; Encode packet, version = 1.0, flags = 0x00000001
QM; HASH hash .= M-ID[4] = 0x40b20a05
QM; HASH hash .= rest of packet[840] = 0x0a000294 00000001 00000001 02000034 01030401...
QM; Output of HASH hash[16] = 0x3d0c0670 3cfc5c09 71b71da5 f1f9b086
IP; Connected
IP; Version = 1.0, Input packet fields = 0024 ID HASH
IP; Connected
CFG; New negotiation
CFG; Output of phase 2 IV hash[8] = 0xdf6a7c11 e77fbf23
CFG; Version = 1.0, Input packet fields = 0820 HASH
CFG; HASH hash .= M-ID[4] = 0x5f9b5d05
CFG; HASH hash .= rest of packet[8] = 0x00000008 03000000
CFG; Output of HASH hash[16] = 0xadd4c1a9 51637147 5b3efbc1 70a86123
CFG; MESSAGE: CFG Mode wait done
CFG; Encode packet, version = 1.0, flags = 0x00000001
CFG; HASH hash .= M-ID[4] = 0x5f9b5d05
CFG; Output of HASH hash[16] = 0x3d2a8339 37d59a19 909403e0 4c0d2c58
CFG; Connected
DEBUG: unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = *** PIX External (outside) IP ***:500
QM; Retransmitting packet, retries = 5
IP; Removing negotiation
IP; Deleting negotiation
: Phase-2 [initiator] for ipv4(icmp:0,[0..3]=192.168.1.100) and ipv4(icmp:0,[0..3]=10.1.1.1) failed; Aborted notification.



Anyone spot what I'm doing wrong?
 
Do a:

term mon
debug crypto isakmp
debug crypto ipsec

Then try to connect from behind the PIX. Post the output.
 
You might also set up a log server and capture it to a file. Then set the logging level to informational to be sure that nothing strange is happening in the access-lists. I don't see ISAKMP or IPSEC in the access-list, but it shouldn't be needed for a tunnel that ends on the PIX.

I've got tons of PIX to PIX VPNs and one to a Checkpoint firewall which I don't own. Nothing to a Linksys or SSH Sentinel. Have you confirmed a client can connect to the PIX? I did have to add no-xauth and no-config-mode to get the Checkpoint to work as best I remember.

Here's a snippet of what works for me in my scenarios and looks substantially the same except mine is all static:

sysopt connection permit-ipsec
crypto ipsec transform-set mytran esp-3des esp-md5-hmac
crypto map 3desmap 10 ipsec-isakmp
crypto map 3desmap 10 match address list_acl
crypto map 3desmap 10 set peer remote-ip
crypto map 3desmap 10 set transform-set mytran
crypto map 3desmap interface outside
isakmp enable outside
isakmp key shared-key address remote-ip netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 64800
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 64800
 
Yeah, my problem is that the opposite endpoints of the VPNs are all DSL connections at retail locations... :rolleyes:. I'll get a log off the PIX tomorrow. Thanks for the ideas guys!
 
OK peoples... I've made progress. Now I can get the tunnel up and established, but can't pass traffic through... PIX 506E to Netgear FVS318.

Pix config:
: Saved
:
PIX Version 6.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1Lv54RsgPVzqNoBP encrypted
passwd 1Lv54RsgPVzqNoBP encrypted
hostname lloil-pix
domain-name lincolnlandoil.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
access-list outside_in permit icmp any any echo
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq www
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq pop3
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq pcanywhere-data
access-list outside_in permit udp any host [PIX PUBLIC IP] eq pcanywhere-status
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq 5900
access-list outside_in permit udp any host [PIX PUBLIC IP] eq 8767
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq 10888
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq 17900
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq 30230
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq smtp
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq 17888
access-list outside_in permit tcp any host [PIX PUBLIC IP] eq 17889
access-list inside_outbound_nat0_acl permit ip any 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host [PIX PUBLIC IP]
access-list split-tunnel permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside [PIX PUBLIC IP] 255.255.255.252
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.1.1.1-10.1.1.254
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 10.0.0.3 255.255.255.255 inside
pdm location 10.0.0.9 255.255.255.255 inside
pdm location 10.0.0.18 255.255.255.255 inside
pdm location 209.144.36.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 10.2.2.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 10.0.0.2 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10888 10.0.0.3 10888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17900 10.0.0.3 17900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 30230 10.0.0.3 30230 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data 10.0.0.18 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 10.0.0.18 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) udp interface 8767 10.0.0.3 8767 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17888 10.0.0.9 17888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17889 10.0.0.9 17889 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 [LOCAL ROUTER IP] 1
timeout xlate 8:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 209.144.36.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set test1 ah-md5-hmac esp-3des esp-md5-hmac
crypto dynamic-map dynmap 4 set transform-set strong-des
crypto dynamic-map inside_dyn_map 30 set pfs group2
crypto dynamic-map inside_dyn_map 30 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set transform-set strong-des
crypto map partner-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map partner-map client configuration address respond
crypto map partner-map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address [NETGEAR FVS318 PUBLIC IP] netmask 255.255.255.255 no-config-mode

isakmp identity address
isakmp keepalive 10 10
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 28 authentication pre-share
isakmp policy 28 encryption 3des
isakmp policy 28 hash sha
isakmp policy 28 group 2
isakmp policy 28 lifetime 86400
vpngroup lloc address-pool vpn-pool
vpngroup lloc dns-server 10.0.0.9
vpngroup lloc wins-server 10.0.0.1
vpngroup lloc default-domain LLOC
vpngroup lloc split-tunnel split-tunnel
vpngroup lloc idle-time 14400
vpngroup lloc password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:eb84dbdc62c3064f2ae4d27f4afbb81f
: end
lloil-pix#


PIX DEBUG of connection
crypto_isakmp_process_block: src [NETGEAR PUBLIC IP], dest [PIX 506E PUBLIC IP]
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:[NETGEAR PUBLIC IP] Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:[NETGEAR PUBLIC IP] Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src [NETGEAR PUBLIC IP], dest [PIX 506E PUBLIC IP]
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 5832719

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 0, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: group is 2
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= [PIX 506E PUBLIC IP], src= [NETGEAR PUBLIC IP],
dest_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24

ISAKMP (0): processing NONCE payload. message ID = 5832719

ISAKMP (0): processing KE payload. message ID = 5832719

ISAKMP (0): processing ID payload. message ID = 5832719
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 192.168.3.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 5832719
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 10.0.0.0/255.255.255.0 prot 0 port 0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x9d930dc4(2643660228) for SA
from [NETGEAR PUBLIC IP] to [PIX 506E PUBLIC IP] for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src [NETGEAR PUBLIC IP], dest [PIX 506E PUBLIC IP]
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from [NETGEAR PUBLIC IP] to [PIX 506E PUBLIC IP] (proxy 192.168.3.0 to 10.0.0.0)
has spi 2643660228 and conn_id 1 and flags 25
lifetime of 28800 seconds
outbound SA from [PIX 506E PUBLIC IP] to [NETGEAR PUBLIC IP] (proxy 10.0.0.0 to 192.168.3.0)
has spi 2363703759 and conn_id 2 and flags 25
lifetime of 28800 seconds
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= [PIX 506E PUBLIC IP], src= [NETGEAR PUBLIC IP],
dest_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 28800s and 0kb,
spi= 0x9d930dc4(2643660228), conn_id= 1, keysize= 0, flags= 0x25
IPSEC(initialize_sas): ,
(key eng. msg.) src= [PIX 506E PUBLIC IP], dest= [NETGEAR PUBLIC IP],
src_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 28800s and 0kb,
spi= 0x8ce341cf(2363703759), conn_id= 2, keysize= 0, flags= 0x25

VPN Peer: IPSEC: Peer ip:[NETGEAR PUBLIC IP] Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:[NETGEAR PUBLIC IP] Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR


Thoughts now? Like I said, it looks like the connection gets established but no traffic will flow...

Thanks!!
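One check a practitioner would run against the last post's config and debug, added here as an example (not code from the thread, from Cisco, or from the poster): on PIX 6.x, inside traffic that is meant to enter a LAN-to-LAN tunnel has to bypass NAT via the ACL bound by "nat (inside) 0 access-list", otherwise it is PATed to the outside address and never matches the SA's proxy identities, so the tunnel is up but carries nothing. The script parses a constructed excerpt of the posted config (203.0.113.1 stands in for "[PIX PUBLIC IP]") and the proxy lines from the posted "debug crypto ipsec" output, and reports for each proxy pair whether inside-to-remote traffic is NAT-exempt.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.2(3) config in the last post; 203.0.113.1
# stands in for the "[PIX PUBLIC IP]" placeholder.
PIX_CONFIG = """
ip address inside 10.0.0.254 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host 203.0.113.1
nat (inside) 0 access-list inside_outbound_nat0_acl
"""
# Proxy-identity lines as printed in the posted "debug crypto ipsec" output.
DEBUG_EXCERPT = """
dest_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
"""
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s+\(inside\)\s+0\s+access-list\s+(\S+)")
INSIDE_RE = re.compile(r"^ip\s+address\s+inside\s+([\d.]+)\s+([\d.]+)")
PROXY_RE = re.compile(r"(src|dest)_proxy=\s*([\d.]+)/([\d.]+)/")


def _net(addr, mask):
    # PIX prints dotted netmasks; ipaddress accepts "addr/dotted-mask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(tokens):
    """Consume one ACL address operand: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return _net(tokens[1], "255.255.255.255"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_nat0_acl(config):
    """(src, dst) network pairs of the ACL referenced by 'nat (inside) 0'."""
    lines = [l.strip() for l in config.splitlines()]
    names = {m.group(1) for m in map(NAT0_RE.match, lines) if m}
    entries = []
    for m in filter(None, map(ACE_RE.match, lines)):
        if m.group(1) in names:
            src, rest = _operand(m.group(2).split())
            entries.append((src, _operand(rest)[0]))
    return entries


def parse_proxy_pairs(debug):
    """Distinct proxy-identity pairs from the debug, independent of direction."""
    pairs, cur = set(), {}
    for m in filter(None, map(PROXY_RE.search, debug.splitlines())):
        cur[m.group(1)] = _net(m.group(2), m.group(3))
        if len(cur) == 2:  # both src_proxy and dest_proxy of one SA seen
            pairs.add(tuple(sorted(cur.values())))
            cur = {}
    return pairs


def check_nat_exemption(config, debug):
    """Map (local, remote) -> True if inside-to-remote traffic bypasses NAT."""
    inside = next(_net(*m.groups()) for m in map(INSIDE_RE.match, config.splitlines()) if m)
    report = {}
    for a, b in parse_proxy_pairs(debug):
        local, remote = (a, b) if a.overlaps(inside) else (b, a)
        report[(str(local), str(remote))] = any(
            local.subnet_of(s) and remote.subnet_of(d) for s, d in parse_nat0_acl(config))
    return report
```

Running check_nat_exemption(PIX_CONFIG, DEBUG_EXCERPT) returns {("10.0.0.0/24", "192.168.3.0/24"): False}; appending an exemption line for 10.0.0.0/24 to 192.168.3.0/24 to the ACL flips it to True.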
 