Cisco ASA: Received a DELETE PFKey message from IKE
KB ID 0001720 Problem I was debugging a VPN tunnel today. (From a Fortigate to a Cisco ASAv). I was messing around with the encryption and hashing, when the tunnel fell over. Phase 1 was establishing fine but not Phase 2 (IPSEC). I’ve got better skills on the ASA, so that’s where I was debugging; IPSEC: Received a PFKey message from IKE IPSEC: Parsing PFKey GETSPI message IPSEC: Creating IPsec SA IPSEC: Getting the...
Cisco PIX 500 – IPSEC Site to Site VPNs (v6)
KB ID 0000611 Problem Note: This is for firewalls running an operating system BEFORE version 7, if you have an PIX running version 7 or above go here instead. I’ll run though he commands first and then the configuration from PDM at the end. Solution PIX 500: Configure a site to site VPN from command line 1. Connect to the PIX, go to “enable mode”, then to “Configure terminal mode” User Access...
Cisco ASA Site to Site VPN’sSite to Site ISAKMP VPN (Main Mode)
KB ID 0000213 Problem As with most things, before you have a hope of fixing something, you will stand a better chance if you know how it works in the first place. Below is a quick run though of what’s happening with your site to site VPN’s and how they work. For the entire process we will have two Cisco ASA 5500 firewalls and a site to site VPN. Solution What’s an Initiator and a Responder? 1. Our Laptop 192.168.1.50...
Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels
KB ID 0000625 Problem It’s been over two years since I wrote Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels. I’ve always meant to come back and write the ‘Phase 2’ article but never got around to it. This article is NOT intended to be a ‘fix all” for phase 2 problems, it’s designed to point you in the right direction to locate the source of the problem. Solution Here’s my...
Cisco ASA to Juniper SRX Site to Site VPN
KB ID 0000710 Problem You want to establish a site to site VPN from a site with a Cisco ASA firewall, to another site running a Juniper SRX firewall. I had to do this this week, and struggled to find any good information to help. In the example below I’m configuring the whole thing from a laptop (172.16.254.206) that’s on the Juniper’s site. Use the diagram below, and substitute your own IP addresses and subnet...