Argghh - I'm pulling my hair out.
I'm having problems with this VPN stuff. I have read piles of books, etc., and I just can't see what the problem is.
I have a PIX515E which has an outside interface with a private IP address which connects to the inside of a 3660 router. The router NATs the PIX IP to an Internet-routable IP. No access-lists are on the router and traffic flows through to other internal IPs fine.
The VPN Cisco Client is saying:
Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
259 16:36:02.050 07/24/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "*.*.*.*"
260 16:36:02.060 07/24/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with *.*.*.*.
261 16:36:02.090 07/24/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to *.*.*.*
262 16:36:02.100 07/24/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
263 16:36:02.100 07/24/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
264 16:36:07.568 07/24/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
265 16:36:07.568 07/24/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to *.*.*.*
270 16:36:22.589 07/24/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=B9A3A69D5B3192A7 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
271 16:36:23.090 07/24/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=B9A3A69D5B3192A7 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
272 16:36:23.090 07/24/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "*.*.*.*" because of "DEL_REASON_PEER_NOT_RESPONDING"
The PIX 515 shows an increase in the In Octets and also packets, but has the same number of dropped packets in a Show ISAKMP command:
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 46152
In Packets: 56
In Drop Packets: 56
In Notifys: 0
The ISAKMP is as follows:
crypto ipsec transform-set Myset esp-3des esp-sha-hmac
crypto dynamic-map TestMap 1 match address CorpOffice
crypto dynamic-map TestMap 1 set transform-set Myset
crypto map Test 10 ipsec-isakmp dynamic TestMap
crypto map Test interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 5
crypto isakmp nat-traversal 20
crypto isakmp am-disable
crypto isakmp disconnect-notify
crypto isakmp reload-wait
Any pointers on how to debug or even fix - much much much appreciated!!!!
Does the rest of your network know a route back to the network you are using for the VPN? Assuming that you have an 'Inside' interface connected to your network, other networking devices in your network would need to know that IP address in order to send traffic back to the network subnet you are assigning to the VPN clients.
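An added example, not part of either post above: a small Python triage that cross-checks the client log, the IKE statistics and the ISAKMP configuration quoted in the question. The function name triage and its finding strings are hypothetical; the input lines are excerpts copied from the question.

```python
import re

# Excerpts copied from the question: client log, `show isakmp` counters, PIX config.
CLIENT_LOG = """\
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to *.*.*.*
SENDING >>> ISAKMP OAK AG (Retransmission) to *.*.*.*
Marking IKE SA for deletion (I_Cookie=B9A3A69D5B3192A7 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
IKE_STATS = "In Octets: 46152\nIn Packets: 56\nIn Drop Packets: 56\nIn Notifys: 0\n"
PIX_CONFIG = "crypto isakmp enable outside\ncrypto isakmp nat-traversal 20\ncrypto isakmp am-disable\n"

# Exchange tags the client prints: AG = aggressive mode, MM = main mode.
MODES = {"AG": "aggressive", "MM": "main"}


def triage(client_log, ike_stats, pix_config):
    """Return findings for a failed Phase 1 (hypothetical helper, not a Cisco tool)."""
    findings = []

    # Which IKE exchange type did the client offer?
    sent = re.findall(r"SENDING >>> ISAKMP OAK (AG|MM)\b", client_log)
    modes = {MODES[m] for m in sent}

    # A responder cookie of all zeros means no reply from the peer was ever processed.
    got_reply = "RECEIVING <<<" in client_log
    r_cookies = set(re.findall(r"R_Cookie=([0-9A-Fa-f]{16})", client_log))
    if not got_reply and r_cookies and all(int(c, 16) == 0 for c in r_cookies):
        findings.append("client: no IKE reply seen, responder cookie never set")

    # If every received packet is counted as dropped, the traffic does reach
    # the PIX and the ISAKMP process itself is rejecting it.
    pairs = re.findall(r"^\s*([A-Za-z ]+):\s*(\d+)\s*$", ike_stats, re.M)
    stats = {name.strip(): int(value) for name, value in pairs}
    pkts, drops = stats.get("In Packets", 0), stats.get("In Drop Packets", 0)
    if pkts and pkts == drops:
        findings.append(f"pix: all {pkts} inbound IKE packets dropped, so they reach the PIX")

    # `crypto isakmp am-disable` turns off inbound aggressive-mode connections.
    am_disabled = re.search(r"^\s*crypto isakmp am-disable\s*$", pix_config, re.M)
    if am_disabled and "aggressive" in modes:
        findings.append("mismatch: client offers aggressive mode, PIX has am-disable")
    return findings


if __name__ == "__main__":
    for finding in triage(CLIENT_LOG, IKE_STATS, PIX_CONFIG):
        print(finding)
```

The findings are candidates to check with the PIX's own ISAKMP debugging, not a confirmed root cause.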