VPN only initiated one way

brian.oflynn
Level 1

Does anybody have any ideas why a site-to-site VPN tunnel could only be established one way? I have a pix connecting to a vpn concentrator via IPSEC tunnel using NAT-T. From the concentrator if I initiate traffic to the pix, the tunnel comes up and then I can access resources behind the concentrator from the pix side.

If I try to initiate traffic from the pix side, the tunnel will not come up. Doing a debug on the pix, it doesn't even try to initiate the tunnel.

Here is a snippet from the pix config:

crypto ipsec transform-set TestSet esp-3des esp-sha-hmac
crypto map TestMap 10 ipsec-isakmp
crypto map TestMap 10 match address ACL_VPN
crypto map TestMap 10 set peer 10.10.10.1
crypto map TestMap 10 set transform-set TestSet
crypto map TestMap interface outside
isakmp enable outside
isakmp key ******** address 10.10.10.1 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I am just using 10. addresses above for the peer as an example. The ACL_VPN specifies the local/remote subnets correctly. The default route is to the outside interface of the pix.

On the concentrator, I have specified the tunnel is bi-directional.

Anybody any ideas why it will only initiate one way?

Cheers

Brian

1 Accepted Solution

Please post your ACL 'ACL_VPN' and your NAT Exemption ACL.

Thanks!

4 Replies

acomiskey
Level 10

Is there a firewall in front of the concentrator that would be blocking the pix from initiating?

Jon Marshall
Hall of Fame

Hi

If the pix is not even trying to initiate the tunnel then it looks like your crypto access-list is not matching any traffic.

Are you natting the source IPs on the pix, and if so, does your crypto access-list reference the natted addresses, which it should?

Jon

Forgot my Nat 0, doh. Working fine now.

Cheers

Brian
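To make the "forgot my nat 0" fix concrete, here is what the NAT exemption looks like on a PIX 6.x next to the crypto ACL. This is an added example, not config from the original thread; the 192.168.x.x subnets and the NONAT ACL name are assumptions, the peer 10.10.10.1 is the placeholder from the post.

```cisco
! Assumed topology (not from the thread): inside LAN 192.168.1.0/24 behind the PIX,
! remote LAN 192.168.2.0/24 behind the concentrator, peer 10.10.10.1 as in the post.
!
! Crypto ACL: defines the "interesting" traffic that triggers IKE. It must name the
! real (untranslated) inside addresses, because the PIX applies NAT first and only
! then checks the crypto map against the packet.
access-list ACL_VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Broken state (what the thread describes): only a PAT rule exists, so an inside
! host's source address is rewritten to the outside interface address before the
! crypto map is consulted. The rewritten packet no longer matches ACL_VPN, so the
! PIX never initiates the tunnel; it only answers when the concentrator starts IKE.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Fix ("nat 0"): exempt VPN traffic from translation so the crypto ACL still sees
! the original addresses. NONAT is an assumed name; its entry mirrors ACL_VPN.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

After the change, `show access-list ACL_VPN` should show the hit count climbing when an inside host sends traffic, and `show crypto isakmp sa` / `show crypto ipsec sa` should show the SAs coming up from the PIX side.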
