VPN only initiated one way

Answered Question
May 11th, 2007

Does anybody have any ideas why a site-to-site VPN tunnel could only be established one way? I have a PIX connecting to a VPN concentrator via an IPsec tunnel using NAT-T. From the concentrator, if I initiate traffic to the PIX, the tunnel comes up and then I can access resources behind the concentrator from the PIX side.

If I try to initiate traffic from the PIX side, the tunnel will not come up. Doing a debug on the PIX, it doesn't even try to initiate the tunnel.

Here is a snippet from the pix config:

! Phase 2 proposal
crypto ipsec transform-set TestSet esp-3des esp-sha-hmac
! Crypto map: ACL_VPN defines the interesting traffic, peer is the concentrator
crypto map TestMap 10 ipsec-isakmp
crypto map TestMap 10 match address ACL_VPN
crypto map TestMap 10 set peer 10.10.10.1
crypto map TestMap 10 set transform-set TestSet
crypto map TestMap interface outside
! Phase 1 (ISAKMP) settings
isakmp enable outside
isakmp key ******** address 10.10.10.1 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I am just using 10.x addresses above for the peer as an example. ACL_VPN specifies the local/remote subnets correctly. The default route is to the outside interface of the PIX.

On the concentrator, I have specified the tunnel is bi-directional.

Anybody have any ideas why it will only initiate one way?

Cheers

Brian

acomiskey Fri, 05/11/2007 - 05:50

Is there a firewall in front of the concentrator that would be blocking the PIX from initiating?

Jon Marshall Fri, 05/11/2007 - 05:53

Hi

If the PIX is not even trying to initiate the tunnel, then it looks like your crypto access-list is not matching any traffic.

Are you NATing the source IPs on the PIX, and if so, does your crypto access-list reference the NATed addresses, which it should?

Jon
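The point in the reply above is an ordering one: on a PIX, outbound traffic is translated before the crypto map is consulted, so the crypto ACL is compared against the post-NAT source address. If the inside hosts are PATed to the outside interface address and nothing exempts the VPN flow from NAT, the crypto ACL never matches and the PIX never sends the first IKE packet, which is exactly what the debug in the question shows. The script below is an added example, not part of the thread, that simulates that decision for a packet: apply the simplified NAT rules, then test the translated flow against the crypto ACL. The inside/remote subnets, the host addresses, the outside interface address 10.10.10.2, the ACL name NONAT and the `nat (inside) 0 access-list` exemption are all constructed for the example; only the peer 10.10.10.1 and ACL_VPN come from the post.

```python
"""Simulate the PIX outbound path that decides whether a packet is
'interesting traffic' for a crypto map: NAT first, then the crypto ACL is
evaluated against the translated source.  Added example, not from the
thread; subnets, hosts, NONAT and the outside address are hypothetical."""
import ipaddress
from typing import List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
Rule = Tuple[str, Net, Net]  # (permit|deny, src, dst) for 'access-list N permit ip' lines

# Constructed sample configs.  BROKEN: everything leaving 'inside' is PATed
# to the outside interface.  FIXED: the VPN flow is exempted via nat 0.
BROKEN = """
access-list ACL_VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
FIXED = BROKEN + """
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""

INSIDE_HOST = Addr("192.168.1.10")   # hypothetical host behind the PIX
REMOTE_HOST = Addr("192.168.2.20")   # hypothetical host behind the concentrator
OUTSIDE_IP = Addr("10.10.10.2")      # hypothetical PIX outside interface address


def parse_acl(config: str, name: str) -> List[Rule]:
    """Collect 'access-list NAME permit|deny ip SRC MASK DST MASK' entries.
    PIX ACLs take real subnet masks, not IOS-style wildcard masks."""
    rules: List[Rule] = []
    for line in config.splitlines():
        p = line.split()
        if len(p) == 8 and p[:2] == ["access-list", name] and p[3] == "ip":
            src = Net(f"{p[4]}/{p[5]}", strict=False)
            dst = Net(f"{p[6]}/{p[7]}", strict=False)
            rules.append((p[2], src, dst))
    return rules


def acl_permits(rules: List[Rule], src: Addr, dst: Addr) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for action, s, d in rules:
        if src in s and dst in d:
            return action == "permit"
    return False


def nat_exempt_acl(config: str) -> Optional[str]:
    """Name of the ACL bound by 'nat (inside) 0 access-list NAME', if present."""
    for line in config.splitlines():
        p = line.split()
        if p[:4] == ["nat", "(inside)", "0", "access-list"] and len(p) == 5:
            return p[4]
    return None


def translate_source(config: str, src: Addr, dst: Addr, outside_ip: Addr) -> Addr:
    """Simplified PIX NAT: a flow matched by the nat 0 exemption ACL keeps its
    source; anything else is assumed to hit 'nat (inside) 1' with
    'global (outside) 1 interface' and be PATed to the outside address."""
    exempt = nat_exempt_acl(config)
    if exempt and acl_permits(parse_acl(config, exempt), src, dst):
        return src
    return outside_ip


def would_initiate(config: str, src: Addr, dst: Addr, outside_ip: Addr,
                   crypto_acl: str = "ACL_VPN") -> Tuple[Addr, bool]:
    """Return (post-NAT source, whether the crypto ACL matches the flow).
    A False second element means the PIX never starts IKE for this packet."""
    post_nat = translate_source(config, src, dst, outside_ip)
    return post_nat, acl_permits(parse_acl(config, crypto_acl), post_nat, dst)


if __name__ == "__main__":
    for label, cfg in (("no NAT exemption", BROKEN), ("nat 0 exemption", FIXED)):
        post_nat, hit = would_initiate(cfg, INSIDE_HOST, REMOTE_HOST, OUTSIDE_IP)
        verdict = "tunnel initiated" if hit else "crypto ACL not matched, no IKE"
        print(f"{label}: {INSIDE_HOST} -> {post_nat}; {verdict}")
```

With the BROKEN config the packet leaves as 10.10.10.2 -> 192.168.2.20, which ACL_VPN does not cover, so nothing triggers IKE; the concentrator-initiated direction still works because the inbound SA proposal matches ACL_VPN as written. The FIXED config keeps the 192.168.1.0/24 source intact, and the same ACL matches. The alternative the reply mentions is to leave NAT in place and write the crypto ACL in terms of the translated addresses, and the concentrator's network lists would then have to name those addresses as well. The NAT model here is a deliberate simplification (no static or policy NAT, only the nat 0 exemption and a catch-all PAT); on a real PIX, check the `#pkts encaps` counters in `show crypto ipsec sa` after sending traffic from the inside to confirm whether the crypto map ever saw the flow.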
