IPSec tunnel not coming up between 515E and 1841

Unanswered Question
May 12th, 2007


I used the config from the Cisco site to set up the IPSec tunnel between my PIX and a 1841 router. It does not seem to work. Please help.

I have attached my configs of 515E and 1841. Going forward the 1841 and 515E will have remote users connecting to them using Cisco VPN client software.



Jon Marshall Sat, 05/12/2007 - 16:05

Looking at the PIX config, your crypto map references an access-list called testing, e.g.

crypto map valuable 21 match address testing

This access-list is not defined anywhere in your config.



syedharoonrasheed Sun, 05/13/2007 - 03:42


Thank you, I have changed that to access-list nonat which is defined. I still do not see the IPSec tunnel coming up.

Please help, it is urgent.


froggy3132000 Sun, 05/13/2007 - 06:07

Your encryption domains do not match.

On the PIX you have:

access-list nonat extended permit ip

On the router you have:

access-list 120 permit ip
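
An added example, not part of the original thread: a check that the router's crypto ACL is the exact mirror of the PIX's, which is what matching encryption domains means for the two entries quoted above. The ACL lines in it are constructed with RFC 1918 addresses because the thread's own lines are truncated, and it assumes the PIX entry uses subnet masks while the IOS entry uses wildcard masks.

```python
import ipaddress

# Constructed sample entries (RFC 1918 addresses), not the poster's configs.
PIX_ACL = "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0"
IOS_ACL_OK = "access-list 120 permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255"
IOS_ACL_BAD = "access-list 120 permit ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255"


def _network(addr, mask, wildcard):
    """Build a network; an IOS wildcard mask is inverted to a netmask first."""
    if wildcard:
        inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    # strict=True rejects host bits set outside the mask (a common typo).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)


def parse_permit(line, wildcard):
    """Return (source, destination) networks from one 'permit ip' entry."""
    tokens = line.split()
    start = tokens.index("permit")
    if tokens[start + 1] != "ip":
        raise ValueError(f"not a 'permit ip' entry: {line!r}")
    spec, nets = tokens[start + 2:], []
    while spec:
        if spec[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            spec = spec[1:]
        elif spec[0] == "host":
            nets.append(ipaddress.ip_network(f"{spec[1]}/32"))
            spec = spec[2:]
        else:
            nets.append(_network(spec[0], spec[1], wildcard))
            spec = spec[2:]
    if len(nets) != 2:
        raise ValueError(f"expected source and destination in: {line!r}")
    return nets[0], nets[1]


def is_mirror(pix_line, ios_line):
    """True when the router's crypto ACL is the exact mirror of the PIX's."""
    pix_src, pix_dst = parse_permit(pix_line, wildcard=False)
    ios_src, ios_dst = parse_permit(ios_line, wildcard=True)
    return (pix_src, pix_dst) == (ios_dst, ios_src)


if __name__ == "__main__":
    print("matching pair mirrors:", is_mirror(PIX_ACL, IOS_ACL_OK))
    print("mismatched pair mirrors:", is_mirror(PIX_ACL, IOS_ACL_BAD))
```
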

syedharoonrasheed Sun, 05/13/2007 - 08:32

Here are my new configs with the VPN configuration for Cisco VPN clients, which is working, but the IPSec tunnel still does not work.

My network looks like this

Site A router----DSL Router---Internet---DSL Router----PIX.

Router and PIX are on static public IPs.

froggy3132000 Sun, 05/13/2007 - 18:59

Have you debugged the traffic?

I also would add crypto map valuable 21 ipsec-isakmp.

syedharoonrasheed Mon, 05/14/2007 - 02:45

I have added the crypto ipsec-isakmp on the PIX and the router but it does not help. Debug does not give me any output though I have enabled logging. My remote users are able to do VPN to the router as well as to the PIX using Cisco VPN client but the IPSec tunnel between my router and the PIX still does not come up.

When I do a ping to the router from the PIX, this is all I get:

LarnacaPIX# ping

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

%PIX-7-609001: Built local-host NP Identity Ifc:xx.xxx.xxx.19 (pix outside IP)

%PIX-7-609001: Built local-host outside:

%PIX-6-302020: Built ICMP connection for faddr gaddr xx.xxx.xxx.19/4388 laddr xx.xxx.xxx.19/4388

%PIX-7-710005: UDP request discarded from to inside:



Success rate is 0 percent (0/5)

LarnacaPIX# %PIX-5-111008: User 'haroon' executed the 'ping' com


%PIX-6-302021: Teardown ICMP connection for faddr gaddr xx.xxx.xxx.19/4388 laddr xx.xxx.xxx.19/4388

%PIX-7-609002: Teardown local-host NP Identity Ifc:xx.xxx.xxx.19 duration 0:00:1


%PIX-7-609002: Teardown local-host outside: duration 0:00:10

syedharoonrasheed Mon, 05/14/2007 - 05:00

Debug info

protocol : 17

port : 500

length : 12

*May 14 11:20:23.634: ISAKMP:(0:4:SW:1):Total payload length: 12

*May 14 11:20:23.634: CryptoEngine0: generate hmac context for conn id 4

*May 14 11:20:23.634: ISAKMP:(0:4:SW:1): sending packet to xx.xxx.xxx.19 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*May 14 11:20:23.634: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*May 14 11:20:23.634: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5

*May 14 11:20:24.118: ISAKMP (0:134217732): received packet from xx.xxx.xxx.19 dport 500 sport 500 Global (I) MM_KEY_EXCH

*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): processing ID payload. message ID = 0

*May 14 11:20:24.122: ISAKMP (0:134217732): ID payload

next-payload : 8

type : 1

address : xx.xxx.xxx.19

protocol : 17

port : 500

length : 12

*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):: peer matches *none* of the profiles

*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 0

*May 14 11:20:24.122: CryptoEngine0: generate hmac context for conn id 4

*May 14 11:20:24.122: ISAKMP:received payload type 17

*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): processing vendor id payload

*May 14 11:20:24.122: ISAKMP:(0:4:SW:1): vendor ID is DPD

*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):SA authentication status:


*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):SA has been authenticated with xx.xxx.xxx.19

*May 14 11:20:24.122: ISAKMP: Trying to insert a peer xx.xxx.xx.62/xx.xxx.xxx.19/500/, and inserted successfully 6423A1E0.

*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*May 14 11:20:24.122: ISAKMP:(0:4:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6

