Does anybody have any ideas why a site-to-site VPN tunnel could only be established one way? I have a PIX connecting to a VPN concentrator via an IPsec tunnel using NAT-T. From the concentrator, if I initiate traffic to the PIX, the tunnel comes up and then I can access resources behind the concentrator from the PIX side.
If I try to initiate traffic from the PIX side, the tunnel will not come up. Doing a debug on the PIX, it doesn't even try to initiate the tunnel.
Here is a snippet from the PIX config:
crypto ipsec transform-set TestSet esp-3des esp-sha-hmac
crypto map TestMap 10 ipsec-isakmp
crypto map TestMap 10 match address ACL_VPN
crypto map TestMap 10 set peer 10.10.10.1
crypto map TestMap 10 set transform-set TestSet
crypto map TestMap interface outside
isakmp enable outside
isakmp key ******** address 10.10.10.1 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
I am just using 10. addresses above for the peer as an example. The ACL_VPN specifies the local/remote subnets correctly. The default route is to the outside interface of the PIX.
On the concentrator, I have specified the tunnel is bi-directional.
Anybody have any ideas why it will only initiate one way?
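As an added illustration (not from the original post and not PIX code), the script below models the PIX outbound order of operations that most often produces this exact symptom: packets are translated by NAT before the crypto map's match-address ACL is evaluated, so unless VPN traffic is exempted with a `nat (inside) 0 access-list` line, the translated source no longer matches ACL_VPN and the PIX never attempts to initiate ISAKMP from its side. The subnets, outside address and the two sample configs are constructed placeholders.

```python
# Added example: simulate PIX outbound NAT-then-crypto-ACL evaluation.
# Outbound packets are translated before the crypto map ACL is checked,
# so a NAT exemption (nat 0 access-list) is needed for VPN traffic.
import ipaddress
import re

def parse_acl(config, name):
    """Return (src_net, dst_net) pairs for 'access-list NAME permit ip S SM D DM' lines."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 8 and t[:4] == ["access-list", name, "permit", "ip"]:
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False)
            entries.append((src, dst))
    return entries

def acl_matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)

def nat_exempt_acl(config):
    """Name of the ACL in 'nat (inside) 0 access-list NAME', or None if absent."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None

def outbound_decision(config, src_ip, dst_ip, outside_ip, crypto_acl="ACL_VPN"):
    """'initiate-tunnel' if the post-NAT packet matches the crypto ACL, else 'clear-text'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    exempt = nat_exempt_acl(config)
    if exempt and acl_matches(parse_acl(config, exempt), src, dst):
        translated_src = src                                # nat 0: leaves untranslated
    else:
        translated_src = ipaddress.ip_address(outside_ip)   # PAT to outside interface
    if acl_matches(parse_acl(config, crypto_acl), translated_src, dst):
        return "initiate-tunnel"
    return "clear-text"

# Constructed sample configs (subnets and addresses are placeholders).
BASE = """\
access-list ACL_VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map TestMap 10 match address ACL_VPN
"""
WITH_EXEMPTION = BASE + "nat (inside) 0 access-list ACL_VPN\n"

if __name__ == "__main__":
    for label, cfg in (("no nat 0", BASE), ("with nat 0", WITH_EXEMPTION)):
        print(label, "->", outbound_decision(cfg, "192.168.1.10", "192.168.2.10", "203.0.113.5"))
```

Running it shows the same traffic leaving in clear text without the exemption and triggering tunnel initiation with it, which is the check to make against the real config's nat/global lines before looking elsewhere.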