[VPN] PIX-to-PIX VPN problem

Siddhartha Jain losttoy2000 at yahoo.co.uk
Mon Jan 27 01:20:07 EST 2003


Hi Catalin,

We recently faced the same problem. Our software
version is 6.2(2). And after four hours with TAC on
the phone here is what we did to get it working:

1. TAC asked us to check Bug ID CSCdx81103
2. You will have to reboot the box after you make the changes.



 --- Catalin Condurache <catalin at sychron.com> wrote:
> Hi,
> I have two PIX515 in two offices working fine with CiscoVPN clients. I'm
> trying to create a VPN Tunnel between offices using the PIXes.
> So, following some documentation I updated the configurations on both
> PIXes, but I'm getting:
> 
> "IPSEC(sa_initiate): ACL = deny; no sa created"
> 
> The Cisco VPN clients still can connect.
> The configs are very similar, just some interchanges regarding the outside
> interfaces and the peers' IPs.
> 
> ------------------------
> access-list inside_outbound_nat0_acl permit ip any 10.2.95.0 255.255.255.0
> access-list inside_outbound_nat0_acl permit ip <NETWORK1> 255.255.0.0 <NETWORK2> 255.255.0.0
> access-list outside_cryptomap_dyn_20 permit ip any 10.2.95.0 255.255.255.0
> access-list users_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
> access-list 110 permit ip <NETWORK1> 255.255.0.0 <NETWORK2> 255.255.0.0
> ip address outside <IP1_OUTSIDE> 255.255.255.248
> ip address inside <IP1_INSIDE> 255.255.0.0
> ip local pool VPN_Group 10.2.95.100-10.2.95.200
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 <GATEWAY1> 1
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto map outside_map 11 ipsec-isakmp
> crypto map outside_map 11 match address 110
> crypto map outside_map 11 set peer <IP2_OUTSIDE>
> crypto map outside_map 11 set transform-set ESP-3DES-SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map client authentication <WIN_HOST>
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp key ******** address <IP2_OUTSIDE> netmask 255.255.255.255
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash sha
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> ------------------------------
> 
> ------------------------
> access-list inside_outbound_nat0_acl permit ip any 10.1.95.0 255.255.255.0
> access-list inside_outbound_nat0_acl permit ip <NETWORK2> 255.255.0.0 <NETWORK1> 255.255.0.0
> access-list outside_cryptomap_dyn_20 permit ip any 10.1.95.0 255.255.255.0
> access-list users_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
> access-list 110 permit ip <NETWORK2> 255.255.0.0 <NETWORK1> 255.255.0.0
> ip address outside <IP2_OUTSIDE> 255.255.255.248
> ip address inside <IP2_INSIDE> 255.255.0.0
> ip local pool VPN_Group 10.1.95.100-10.1.95.200
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 <GATEWAY2> 1
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto map outside_map 11 ipsec-isakmp
> crypto map outside_map 11 match address 110
> crypto map outside_map 11 set peer <IP1_OUTSIDE>
> crypto map outside_map 11 set transform-set ESP-3DES-SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map client authentication <WIN_HOST>
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp key ******** address <IP1_OUTSIDE> netmask 255.255.255.255
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash sha
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> ------------------------------
> 
> And all I'm getting when initiating traffic is
> "IPSEC(sa_initiate): ACL = deny; no sa created"
> I found that it is about 'proxy mismatches' and that there are some troubles
> with the ACLs, but I can't see where.
> 
> Many thanks for any suggestions!
> Catalin
> 
> 
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn 

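Since the thread pins the "ACL = deny; no sa created" error on proxy-identity mismatches between the two crypto ACLs, here is a small checker for that condition. It is an added example and not code from either post or from Cisco: it parses the `access-list`, `crypto map ... match address` and `nat (inside) 0 access-list` lines of two PIX configs, then verifies (a) that every permit entry in one side's crypto ACL appears on the peer with source and destination swapped and identical masks, and (b) that each crypto ACL entry is also exempted from NAT by the nat 0 ACL, so the packet still carries its inside address when it hits the crypto map. The embedded configs are constructed: 10.10.0.0/16 and 10.20.0.0/16 stand in for the thread's `<NETWORK1>` and `<NETWORK2>` placeholders, and the checker assumes both peers use the same crypto map sequence number (11 here, as in the posted configs). The third config deliberately carries a /24 typo on the far side to show what a mismatch looks like.

```python
"""Check two PIX site-to-site configs for crypto ACL mirroring and NAT-0 coverage.

Added example, not from the original thread. Networks below are constructed
stand-ins for the <NETWORK1>/<NETWORK2> placeholders in the posted configs.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+)$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+(\d+)\s+match address\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\w+)\)\s+0\s+access-list\s+(\S+)$")


def _take_net(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'addr mask'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_pix(text):
    """Collect ACL entries, crypto-map 'match address' bindings and nat 0 ACLs."""
    acls, crypto_acl, nat0_acl = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, rest = m.groups()
            src, rest = _take_net(rest.split())
            dst, _ = _take_net(rest)
            acls.setdefault(name, []).append((action, src, dst))
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto_acl[int(m.group(1))] = m.group(2)
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_acl[m.group(1)] = m.group(2)
    return {"acls": acls, "crypto_acl": crypto_acl, "nat0_acl": nat0_acl}


def _permits(cfg, acl_name):
    return [(s, d) for a, s, d in cfg["acls"].get(acl_name, []) if a == "permit"]


def mirror_mismatches(cfg_a, cfg_b, seq):
    """Permit entries of A's crypto ACL (map entry `seq`) with no mirror on B.

    Assumes both peers use the same crypto map sequence number for the tunnel.
    Each A entry (src, dst) must exist on B as (dst, src) with the same masks;
    anything else is a proxy-identity mismatch and the SA will not be built.
    """
    a_entries = _permits(cfg_a, cfg_a["crypto_acl"][seq])
    b_entries = set(_permits(cfg_b, cfg_b["crypto_acl"][seq]))
    return [(s, d) for s, d in a_entries if (d, s) not in b_entries]


def nat0_gaps(cfg, seq, interface="inside"):
    """Crypto ACL permit entries that the nat 0 ACL does not exempt from NAT."""
    exempt = _permits(cfg, cfg["nat0_acl"].get(interface, ""))
    return [(s, d) for s, d in _permits(cfg, cfg["crypto_acl"][seq])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]


def findings(cfg_a, cfg_b, seq=11):
    """Human-readable list of problems between a local config and its peer."""
    out = [f"no mirror on peer for {s} -> {d}" for s, d in mirror_mismatches(cfg_a, cfg_b, seq)]
    out += [f"no mirror on local for {s} -> {d}" for s, d in mirror_mismatches(cfg_b, cfg_a, seq)]
    for label, cfg in (("local", cfg_a), ("peer", cfg_b)):
        out += [f"{label}: {s} -> {d} not exempted by nat 0" for s, d in nat0_gaps(cfg, seq)]
    return out


# Constructed configs: only the lines the checker reads, networks assumed.
PIX_A = """
access-list inside_outbound_nat0_acl permit ip any 10.2.95.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 10.2.95.0 255.255.255.0
access-list 110 permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map 11 ipsec-isakmp
crypto map outside_map 11 match address 110
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""
PIX_B = PIX_A.replace("10.2.95", "10.1.95").replace(
    "10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0", "10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0")
# Far side with a /24 typo in its crypto ACL: a classic proxy mismatch.
PIX_B_BAD = PIX_B.replace("access-list 110 permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0",
                          "access-list 110 permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.255.0")

if __name__ == "__main__":
    a, b, bad = parse_pix(PIX_A), parse_pix(PIX_B), parse_pix(PIX_B_BAD)
    print("A <-> B:", findings(a, b) or "clean")
    print("A <-> B_BAD:", findings(a, bad))
```

Run it as-is and the clean pair reports nothing while the typo'd pair reports the unmirrored entry from each direction. The NAT-0 check is only a subnet-containment test on the ACL entries; it does not model the dynamic crypto map entry or the `sysopt` lines, and it assumes that the crypto ACL is bound by `match address` rather than by any other mechanism.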


