I'm terminating them on two separate CPs belonging to two separate companies. Only their versions are different. There are no enc.schemes settings in the config there. But the subnets and the enc.domains are the same. The error given on Cisco.com is also related to an enc.domain mismatch..
The config is below:

access-list 101 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.0.0
access-list nonat permit ip y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
access-list 130 permit ip y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
nat (inside) 0 access-list nonat
nat (intf2) 0 access-list nonat
traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aaa esp-des esp-md5-hmac
crypto ipsec transform-set bbb esp-des esp-md5-hmac
crypto map bbb 10 ipsec-isakmp
crypto map bbb 10 match address 101
crypto map bbb 10 set pfs group2
crypto map bbb 10 set peer x.x.x.x
crypto map bbb 10 set transform-set rtptac
crypto map bbb 30 ipsec-isakmp
crypto map bbb 30 match address 130
crypto map bbb 30 set peer y.y.y.y
crypto map bbb 30 set transform-set tempotac
crypto map bbb interface outside
isakmp enable outside
isakmp enable intf3
isakmp key ******** address x.x.x.x netmask 255.255.255.0 no-xauth no-confi
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-c
isakmp keepalive 60 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption des
isakmp policy 4 hash md5
isakmp policy 4 group 1
isakmp policy 4 lifetime 86400

The debug output is attached as well...










-----Original Message-----
From: Serkan Ustundag - (Security and Network Engineer - Tepum Secura) [mailto:[email protected]]
Sent: Friday, 05 November 2004 14:35
To: [email protected]
Subject: RE: [cisco-ttl] a cisco pix question


No, of course it isn't required; you can create 2 separate tunnels on the same interface.
Are you terminating on two separate Checkpoints on the far side, or is there a single CP?
Actually, if you send the whole VPN configuration including the access-lists, we can help you better.

_____

From: YAVUZ TEMIZKAN [mailto:[email protected]]
Sent: Fri 05.11.2004 14:10
To: [email protected]
Subject: [cisco-ttl] a cisco pix question




Hello,

Can we bring up 2 separate tunnels from the same interface on a PIX? I checked the cisco.com page, found a sample config and applied it to our firewall.

crypto ipsec transform-set aaa esp-des esp-md5-hmac
crypto ipsec transform-set bbb esp-des esp-md5-hmac
crypto map bbbrules 10 ipsec-isakmp
crypto map bbbrules 10 match address 101
crypto map bbbrules 10 set pfs group2
crypto map bbbrules 10 set peer xxx.xxx.xxx.xxx
crypto map bbbrules 10 set transform-set aaa
crypto map bbbrules 30 ipsec-isakmp
crypto map bbbrules 30 match address 130
crypto map bbbrules 30 set peer yyy.yyy.yyy.yyy
crypto map bbbrules 30 set transform-set bbb
crypto map bbbrules interface outside

However, after applying this config, the higher-priority VPN, number 10, kept working, but we could not get the other one working. Moreover, when we restarted the box, this time the first VPN went down too. When we deleted the definitions for the 2nd VPN it recovered..
The device on the other side is a Checkpoint FW. When bringing up tunnels from the same interface, do the transform-sets have to be different?

I'm also giving the pix's sh ver output:

EApixAnkara# sh ver

Cisco PIX Firewall Version 6.3(1)

Cisco PIX Device Manager Version 3.0(1)



Compiled on Wed 19-Mar-03 11:49 by morlee

EApixAnkara up 42 mins 39 secs



Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5

0: ethernet0: address is 000d.bd3c.035f, irq 10

1: ethernet1: address is 000d.bd3c.0360, irq 11

2: ethernet2: address is 0005.5d18.37dc, irq 11

3: ethernet3: address is 0005.5d18.37dd, irq 10

4: ethernet4: address is 0005.5d18.37de, irq 9

5: ethernet5: address is 0005.5d18.37df, irq 5

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Disabled

Maximum Interfaces: 6

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 807320295 (0x301ebae7)

Configuration last modified by enable_15 at 12:53:09.597 Turkey Fri Nov 5 2004










This list has no connection with Cisco Systems.

To leave the list you can send an e-mail to [email protected].





crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

ISADB: reaper checking SA 0xfb0364, conn_id = 0

ISADB: reaper checking SA 0xfad32c, conn_id = 0

ISADB: reaper checking SA 0x11d4c44, conn_id = 0 DELETE IT!



VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt decremented to:0 Total VPN Peers:3

VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.x/500 Total VPN peers:2

ISADB: reaper checking SA 0xfb0364, conn_id = 0

ISADB: reaper checking SA 0xfad32c, conn_id = 0



crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0



ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash SHA

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload



ISAKMP (0): processing vendor id payload



ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0



ISAKMP (0): processing NONCE payload. message ID = 0



return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated



ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 35

ISAKMP (0): Total payload length: 39

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:x.x.x.x/500 Total VPN Peers:3

VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt incremented to:1 Total VPN Peers:3

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 2975269246



ISAKMP : Checking IPSec proposal 1



ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP (0): atts not acceptable. Next payload is 3

ISAKMP: transform 2, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP (0): atts not acceptable. Next payload is 3

ISAKMP: transform 3, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP (0): atts not acceptable. Next payload is 3

ISAKMP: transform 4, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP (0): atts are acceptable.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1439012485



ISAKMP : Checking IPSec proposal 1



ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP (0): atts not acceptable. Next payload is 3

ISAKMP: transform 2, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP (0): atts not acceptable. Next payload is 3

ISAKMP: transform 3, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP (0): atts not acceptable. Next payload is 3

ISAKMP: transform 4, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP (0): atts are acceptable.

ISAKMP: IPSec policy invalidated proposal

ISAKMP : Checking IPSec proposal 2



ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 61440

ISAKMP (0): atts not acceptable. Next payload is 3

ISAKMP: transform 2, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 61440

ISAKMP (0): atts not acceptable. Next payload is 3

ISAKMP: transform 3, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.ua_ _ all





EApixAnkara#





EApixAnkara# sh isa sa



Total : 3



Embryonic : 0



dst src state pending created



PIX Checkpoint1 QM_IDLE 0 3



Checkpoint3 PIX QM_IDLE 0 6



PIX x.x.x.x QM_IDLE 0 0
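As an added example (not from the thread and not Cisco's code), a small Python analyzer that replays the PIX "debug crypto isakmp" output above: it records which ISAKMP transform and which IPsec transform the PIX accepted and flags the "IPSec policy invalidated proposal" line, the point where the crypto attributes matched but the proposal was still discarded, which on the PIX typically means the peer's proxy identities (its encryption domain) do not match the crypto map ACL, i.e. the enc.domain mismatch referred to in the thread. The line formats follow the debug quoted on this page; the abridged sample is constructed for the example.

```python
import re

# Constructed, abridged excerpt of the "debug crypto isakmp" output quoted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 4, ESP_DES
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
"""

P1_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
P2_TRANSFORM = re.compile(r"ISAKMP: transform (\d+), (ESP_\w+)")
ATTR = re.compile(r"ISAKMP: (encryption|hash|authenticator|encaps) (?:is )?(\S+)")

def analyze(debug_text):
    """Replay the negotiation in order: the accepted transform of each phase, plus the flag."""
    s = {"phase1": None, "phase2": None, "invalidated": False}
    cur = None  # the ISAKMP/IPsec transform currently being compared against local policy
    for line in debug_text.splitlines():
        if m := P1_CHECK.search(line):
            cur = {"transform": int(m[1]), "policy": int(m[2])}
        elif m := P2_TRANSFORM.match(line):
            cur = {"transform": int(m[1]), "esp": m[2]}
        elif cur and (m := ATTR.match(line)):
            cur[m[1]] = m[2]
        elif cur and "atts are acceptable" in line:
            s["phase2" if "esp" in cur else "phase1"] = cur
            cur = None
        elif "not acceptable" in line:
            cur = None
        elif "IPSec policy invalidated proposal" in line:
            s["invalidated"] = True
    return s

def diagnose(s):
    if not s["phase1"]:
        return "phase1: no isakmp policy matches the peer's proposals"
    if s["phase2"] and s["invalidated"]:
        # Attributes matched, yet the PIX discarded the proposal: the peer's proxy
        # identities (its encryption domain) do not line up with the crypto map ACL.
        return "phase2: proxy identity / encryption domain mismatch"
    return "phase2: ok" if s["phase2"] else "phase2: no transform-set matches"
```

Feed it the full capture with `analyze(open("debug.txt").read())`; the "atts are acceptable" records tell you which isakmp policy and transform-set actually won, which is the first thing to compare against the far-side Checkpoint settings.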