Unable to get site-to-site VPN up

Answered Question
Nov 13th, 2007

I have two PIX running versions 6.3(3) and 7.1(1). The following is my topology, and the attached config shows the running configuration and debugs.


(PC)172.16.10.10/24<-->172.16.10.1/24-PIX(6.3)--1.1.1.2/30---WAN(X-Over cable)---1.1.1.1/30--PIX(7.1)--10.10.10.1/24<--->10.10.10.10/24(PC)


What am I missing?


Thanks



elparis (Cisco Employee) Tue, 11/13/2007 - 10:54

Hello,


I don't see anything wrong with the configuration. Nothing seems to be missing.


Could you enable ISAKMP and IPsec debugging on the 7.x side (debug cry isakmp 128 and debug cry ipsec 128) to get more information on where the IPsec tunnel establishment is failing?

srue Tue, 11/13/2007 - 11:11

Change the pre-shared key on both ends to something simple and try it again.

I don't see that phase 1 is even completing.



Correct Answer
elparis (Cisco Employee) Tue, 11/13/2007 - 11:12

By the way, this is the only thing that catches my attention from the 6.3 debugs you provided:


ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN


One thing you can try is to set the ISAKMP identities on both sides:


isakmp identity address (on the 6.3 side)


cry isakmp identity address (on the 7.x side)


p.holley Tue, 11/13/2007 - 12:24

Entering the following commands solved it:


isakmp identity address (on the 6.3 side)


cry isakmp identity address (on the 7.x side)


Thanks

elparis (Cisco Employee) Tue, 11/13/2007 - 12:30

Awesome, glad to see it worked.


Cheers,


Eloy Paris.-
