PIX IPSec VPN

Discussion in 'OT Technology' started by ds3, Apr 16, 2004.

  1. ds3

    ds3 Guest

Just curious here if anyone knows if this is right or not. Today in the lab I was testing out tunnel mode IPsec on two 501 PIXes, using IPsec crypto maps and ISAKMP negotiation. For some reason, once we finally got it working, the connections only showed as having 1 SA. I know the communication requires 2 in order to encrypt and decrypt properly, as they are unidirectional. Can anyone provide any help on this?
     
  2. SLED

    SLED build an idiot proof device and someone else will

Hmmm, I've set them up before, but have not run into that problem. I'll shoot an email to my buddy who is a Cisco guy. Or maybe balzzzzzzzzz will chime in. ;)
     
  3. ds3

    ds3 Guest

    config:

    crypto map vpn 10 ipsec-isakmp
    crypto map vpn 10 match address 1
    crypto map vpn 10 set peer 192.168.8.2
    crypto map vpn 10 set transform-set seattle
    crypto ipsec transform-set seattle esp-des
    crypto map vpn interface outside

    isakmp enable outside
    isakmp identity address
    isakmp key cisco123 address 192.168.8.2
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 authentication pre-share
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
     
  4. Balzz

    Balzz N54 Elitist OT Supporter

    So the VPN is working yet only shows one SA? Paste the output from "sh crypto ipsec sa" after the VPN is established and the crypto ACLs from both ends. A complete config wouldn't hurt either. It doesn't look like you're using public addresses anyway.
     
  5. ds3

    ds3 Guest

    Ya, this was just a practice lab for the CCSP exam.

    I just finished the course, however, and might not get a chance to get back on the PIXes anytime soon. But yes, both PIXes only showed one SA. I wish I would have copied the output of the show commands though. I'm gonna have to sneak back in and do this again and save the output this time.

    I just thought I'd check to see if anyone had run into this. I thought maybe there was a bug in the PIX output, because everything seemed to be working; encryption and decryption packet counters were being incremented as well.

    I'll keep you guys updated if I do get a copy of the output.
     
  6. Balzz

    Balzz N54 Elitist OT Supporter

I've never seen only one SA being negotiated. Even when there's an issue with crypto ACLs that don't match, both SAs come up, since the ACLs aren't used during negotiation. I imagine it could happen if the inbound ACL on the outside interface isn't allowing traffic through, but the sysopt permit ipsec command on the PIX should bypass that. Here's an example of a proper sh crypto ipsec sa:

    interface: outside
    Crypto map tag: ABELVPN, local addr. x.x.x.x

    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.102.37/255.255.255.255/0/0)
    current_peer: x.x.x.x:48336
    dynamic allocated peer ip: 192.168.102.37

    PERMIT, flags={transport_parent,}
    #pkts encaps: 1645, #pkts encrypt: 1645, #pkts digest 1645
    #pkts decaps: 1546, #pkts decrypt: 1546, #pkts verify 1546
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
    path mtu 1500, ipsec overhead 72, media mtu 1500
    current outbound spi: a35765e0

    inbound esp sas:
    spi: 0x932440f0(2468626672)
    transform: esp-aes-256 esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    slot: 0, conn id: 3, crypto map: ABELVPN
    sa timing: remaining key lifetime (k/sec): (4607996/23096)
    IV size: 16 bytes
    replay detection support: Y


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:
    spi: 0xa35765e0(2740413920)
    transform: esp-aes-256 esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    slot: 0, conn id: 4, crypto map: ABELVPN
    sa timing: remaining key lifetime (k/sec): (4607994/23096)
    IV size: 16 bytes
    replay detection support: Y


    outbound ah sas:


    outbound pcp sas:
     
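As an added example, not code from the thread, here is a small Python check over output shaped like the sh crypto ipsec sa paste above: it counts the ESP SAs listed under the inbound and outbound headings for each crypto map entry, so a tunnel showing an SA in only one direction, the symptom ds3 describes, gets flagged. The sample output is constructed with made-up addresses.

```python
import re

# Constructed sample (made-up addresses) modeled on the sh crypto ipsec sa output quoted above.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: ABELVPN, local addr. 203.0.113.1
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.102.37/255.255.255.255/0/0)
     #pkts encaps: 1645, #pkts encrypt: 1645, #pkts digest 1645
     #pkts decaps: 1546, #pkts decrypt: 1546, #pkts verify 1546
     current outbound spi: a35765e0
     inbound esp sas:
      spi: 0x932440f0(2468626672)
     outbound esp sas:
      spi: 0xa35765e0(2740413920)
     outbound ah sas:
"""

def parse_ipsec_sa(text):
    """One dict per crypto map entry: SPIs seen per direction plus encrypt/decrypt counters."""
    entries, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Crypto map tag: (\S+),", s)
        if m:  # start of a new crypto map entry
            cur = {"map": m.group(1), "inbound": [], "outbound": [], "encrypt": 0, "decrypt": 0}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s)
        if m:  # only SPIs listed under the ESP headings count as tunnel SAs
            section = m.group(1) if m.group(2) == "esp" else None
            continue
        m = re.match(r"spi: (0x[0-9a-fA-F]+)", s)
        if m and section:
            cur[section].append(m.group(1))
        m = re.search(r"#pkts (encrypt|decrypt): (\d+)", s)
        if m:
            cur[m.group(1)] = int(m.group(2))
    return entries

def check_tunnels(entries):
    """'ok' when an ESP SA exists in both directions; otherwise name the missing direction(s)."""
    findings = {}
    for e in entries:
        missing = [d for d in ("inbound", "outbound") if not e[d]]
        findings[e["map"]] = "ok" if not missing else "missing " + "/".join(missing)
    return findings
```

A healthy tunnel reports "ok" for its crypto map tag; a one-SA tunnel reports which direction has no ESP SA, which is the first thing to compare against the counters on the other peer.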
  7. ds3

    ds3 Guest

    Using the 'sysopt permit ipsec' command we had even stranger problems: we would have two entries at times for one tunnel, each counting 1 SA. Only once did I see one entry with 2 SAs, and it didn't do it again. We finally got it stable when we tossed that command and just let the IPsec traffic be negotiated against the ACLs, but then still we only got 1 SA for the tunnel.

    Oh, also at one point the tunnel would be negotiated, and then suddenly one device would decide to kill the connection for some reason. The configs seemed exactly the same, but maybe my friend fucked something up. I'll really try and do the lab again and get the config and output, but I'm fairly busy studying for BSMSN and CCSP tests.
     