dynamic ipsec between a statically addressed pix and dynamically addressed

Mar 6th, 2008


above is currently the URL I am using. Both ends of the VPN are configured as per the document apart from IP details.

On the router side I am using a Cisco 1841 with a HWIC-3G-GSM card. This connects onto the Vodafone 3G network and is assigned a private IP address. This then NATs onto a public IP address.

The remote device we are using is a PIX firewall version 6.3. This device needs to be able to accept VPN connections from any IP address.

Phase 1 on the VPN is coming up fine but I am not seeing any traffic on phase 2. Packets are being encrypted but not decrypted at both ends of the VPN.

    dst src state conn-id slot status
    80.x.x.x 10.x.x.x

sh crypto ipsec sa

    interface: Cellular0/0/0
    Crypto map tag: to_vpn, local addr 10.x.x.x
    protected vrf: (none)
    local ident (addr/mask/prot/port): (
    remote ident (addr/mask/prot/port): (
    current_peer 80.x.x.x port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9830, #pkts encrypt: 9830, #pkts digest: 9830
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Packets are being encrypted but not being decrypted.

Any help would be greatly appreciated


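The symptom in the question (encaps climbing, decaps stuck at 0 on both ends) can be checked mechanically. The following is an added example, not part of the original thread: it parses the counters from `sh crypto ipsec sa` output and compares the two ends. The router sample reuses the lines posted above; the PIX-side sample, its peer address and its counters are constructed, and the function names are hypothetical.

```python
import re

PEER = re.compile(r"current_peer:?\s+(\S+)")
COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sas(text):
    """Return one {'peer', 'encaps', 'decaps'} dict per current_peer block."""
    sas = []
    for line in text.splitlines():
        if m := PEER.search(line):
            sas.append({"peer": m.group(1), "encaps": 0, "decaps": 0})
        elif sas:
            for name, value in COUNTER.findall(line):
                sas[-1][name] = int(value)
    return sas

def direction(sa):
    """Classify an SA by which counters have moved."""
    tx, rx = sa["encaps"] > 0, sa["decaps"] > 0
    if tx and rx:
        return "bidirectional"
    return "tx-only" if tx else "rx-only" if rx else "idle"

def diagnose(end_a, end_b):
    """Compare the SA counters captured on both ends of the tunnel."""
    dirs = [[direction(sa) for sa in parse_sas(t)] for t in (end_a, end_b)]
    if not dirs[0] or not dirs[1]:
        return "no SA found on at least one end"
    flat = dirs[0] + dirs[1]
    if all(d == "tx-only" for d in flat):
        return "both ends encrypt, neither decrypts: protected traffic is not arriving or not accepted in either direction"
    if all(d == "bidirectional" for d in flat):
        return "traffic flows both ways"
    return "mixed: inspect each SA"

# Router side: counter lines as posted in the question.
ROUTER = """current_peer 80.x.x.x port 500
#pkts encaps: 9830, #pkts encrypt: 9830, #pkts digest: 9830
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# PIX side: constructed sample (documentation address, made-up counters).
PIX = """current_peer 198.51.100.7 port 500
#pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    print(diagnose(ROUTER, PIX))
```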
kevin-howell Fri, 03/07/2008 - 06:41

The issue is now resolved. Seems to be a PIX config issue. I received a technical guide outlining all changes on the devices.

