srue Wed, 09/05/2007 - 11:50

Have you double-checked your pre-shared keys?

John Patrick Lopez Wed, 09/05/2007 - 12:49

Thanks for the reply. Yes, we already checked it. We even configured our pre-shared key to a very simple one to avoid mistakes. Thanks.



John Patrick Lopez Wed, 09/05/2007 - 12:54

I'm also wondering right now because, suddenly, the ISAKMP session stopped. I tried to erase the crypto map that corresponds to that tunnel and re-apply it again. Now, I don't even see my PIX firewall initiating a Phase 1 session. What should I check again? Should I see my PIX firewall doing Phase 1 even if he configured something on his end that prevents me from initiating it?



John Patrick Lopez Wed, 09/05/2007 - 13:56


For anyone who can help me, here's my configuration.

Interesting traffic:

access-list test permit ip

ISAKMP Policy:

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash md5

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

Crypto Maps:

crypto map outside 90 ipsec-isakmp

crypto map outside 90 match address test

crypto map outside 90 set pfs group2

crypto map outside 90 set peer x.x.x.x

crypto map outside 90 set transform-set testing

crypto ipsec transform-set testing esp-3des esp-md5-hmac

crypto map outside interface outside

Pre-shared key:

isakmp key secret address x.x.x.x netmask no-xauth no-config-mode

For translation:

global (outside) 12

nat (inside) 12 0 0

I can see the access-list test being hit but the PIX firewall doesn't initiate the connection. Please help.



grahambartlett Thu, 09/06/2007 - 02:38


I see your NAT statements have 12; have you got any others that could be NATting the network?

Also check the isakmp policies on both routers.

Can you do a debug of isakmp?
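
The policy check suggested in the reply above can be done offline by comparing both peers' `isakmp policy` lines. This is an added example, not part of the original thread: the peer configuration is constructed for illustration, and the function names are hypothetical. It assumes both sides use the same PIX-style syntax and treats authentication, encryption, hash and DH group as the attributes that must agree.

```python
import re

# Attributes both peers must agree on for an IKE Phase 1 policy to match.
# Assumption: an unset attribute is compared as "unset" on both sides;
# platform defaults are not modelled here.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(config):
    """Return {priority: {attr: value}} from 'isakmp policy N attr value' lines."""
    policies = {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)\s*$", line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
    return policies

def find_match(local, remote):
    """Return (local_prio, remote_prio) of the first agreeing pair, else None."""
    for lp in sorted(local):
        for rp in sorted(remote):
            if all(local[lp].get(k) == remote[rp].get(k) for k in MATCH_KEYS):
                return lp, rp
    return None

def explain_mismatch(local, remote):
    """List (local_prio, remote_prio, attr, local_val, remote_val) differences."""
    return [(lp, rp, k, local[lp].get(k), remote[rp].get(k))
            for lp in sorted(local) for rp in sorted(remote)
            for k in MATCH_KEYS if local[lp].get(k) != remote[rp].get(k)]

# Local policy as posted in the thread.
LOCAL = """
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
"""
# Constructed peer policy (not from the thread): differs only in DH group.
PEER = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

if __name__ == "__main__":
    loc, rem = parse_isakmp_policies(LOCAL), parse_isakmp_policies(PEER)
    print(find_match(loc, rem) or explain_mismatch(loc, rem))
```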

