6110 Views | 0 Helpful | 11 Replies

[ERR]crypto map WARNING: This crypto map is incomplete

waaelnady
Level 1

I have a PIX 501 ver 6.3(5). When I set up a VPN I get this error message:

WARNING: This crypto map is incomplete. To remedy the situation add a peer and a valid access-list to this crypto map.

Although it seems fine in the sh conf output, the tunnel is not started.

When I review the log I find:

sa_request, ISAKMP Phase 1 exchange started

1 Accepted Solution (Farrukh's reply below)

11 Replies

Jon Marshall
Hall of Fame

This is nothing to worry about if, when you do a "sh crypto map", you don't get the error. It is just an annoying configuration message: when you create a crypto map it prompts you to add a peer and an access-list, which you were going to do anyway :-).

If, however, this still shows when you run "sh crypto map", you have probably missed a part of the config.

Jon

Thanks for your reply, but there is no traffic between the hosts yet.

Any ideas what is causing problems with this tunnel?

When I check the log I see:

sa_request

ISAKMP Phase 1 exchange started

ISAKMP Phase 1 retransmission

Can you try some debugging on the PIX, i.e.

debug crypto isa

debug crypto ipsec

and post the output.

Jon

Kindly send the outputs of the following show commands for troubleshooting:

sh run isakmp

sh run crypto ipsec

sh run crypto map

I could successfully establish a VPN with another Cisco 501 6.3 firewall, but I still can't fix my dilemma, which is connecting to a Huawei Eudemon 500.

sh isakmp

PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer remote peer
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

sh crypto map

Crypto Map: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 100 ipsec-isakmp
Peer = remote peer
access-list outside_cryptomap_100; 2 elements
access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)
Current peer: remote peer
Security association lifetime: 1843200 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ ESP-3DES-SHA, }
Crypto Map: "set" interfaces: { }

Any ideas for this?

I thought that if I could start the tunnel manually it would help.

How do I use manual key negotiation, if it is supported by the PIX 501?

I already posted on the other thread: manual IKE is not supported on the 501 AFAIK. Can you please post the output of:

debug crypto isakmp

debug crypto ipsec

debug crypto engine

Regards

Farrukh

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:Remote FW IP, dest:MY FW IP spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Remote FW IP, dest:MY FW IP spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 31
ISAKMP (0): Total payload length: 35
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISADB: reaper checking SA 0xb6a704, conn_id = 0
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= MY FW IP, remote= Remote FW IP,
local_proxy= 10.102.0.11/255.255.255.255/0/0 (type=1),
remote_proxy= 10.71.161.15/255.255.255.255/0/0 (type=1)
ISAKMP (0): deleting SA: src MY FW IP, dst Remote FW IP
ISADB: reaper checking SA 0xb6a704, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for Remote FW IP/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= MY FW IP, remote= Remote FW IP,
local_proxy= 10.102.0.11/255.255.255.255/0/0 (type=1),
remote_proxy= 10.71.161.15/255.255.255.255/0/0 (type=1)

Put the following command on the PIX and try again:

isakmp identity address

Also please double check the pre-shared keys on both ends (make sure there are no spaces).

If it still does not work, please post log of

debug crypto isakmp 127

Regards

Farrukh
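As an added example (not code from this thread, from Cisco, or from either poster), the Python script below applies to constructed samples the two checks this thread turns on: it reads a PIX-style running config and reports crypto map entries that lack a peer, a match address or a transform-set (the warning in the thread title), and it pulls the Phase 1 milestones out of "debug crypto isakmp" text: proposal accepted, identity sent as ID_FQDN, repeated retransmissions, SA deleted. The config and debug text are constructed to mirror the poster's, with documentation-range placeholder addresses; the function names are mine, and the hint about `isakmp identity address` is the fix given in the reply above, not a rule the script derives on its own.

```python
import re

# Constructed sample modelled on the thread's running config (not the poster's
# exact config): entry 100 is complete, entry 200 is deliberately incomplete,
# and no "isakmp identity" line is present, as in the thread.
PIX_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 203.0.113.10
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 200 ipsec-isakmp
crypto map outside_map 200 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

# Constructed, abridged "debug crypto isakmp" transcript with the milestones the
# thread shows: proposal accepted, ID_FQDN chosen, five retransmits, SA deleted.
ISAKMP_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
ISAKMP (0): deleting SA: src 198.51.100.1, dst 203.0.113.10
"""

# "crypto map <name> <seq> <sub-command>"; the numeric seq excludes the
# "crypto map <name> interface <if>" binding line.
MAP_LINE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
REQUIRED = ("match address", "set peer", "set transform-set")


def parse_crypto_maps(config):
    """Return {(map_name, seq): set(sub-commands)} from running-config text."""
    entries = {}
    for line in config.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            entries.setdefault((m.group(1), int(m.group(2))), set()).add(m.group(3))
    return entries


def incomplete_crypto_maps(config):
    """List (map_name, seq, [missing sub-commands]) for entries the PIX warns about."""
    findings = []
    for (name, seq), cmds in sorted(parse_crypto_maps(config).items()):
        missing = [r for r in REQUIRED if not any(c.startswith(r) for c in cmds)]
        if missing:
            findings.append((name, seq, missing))
    return findings


def identity_setting(config):
    """Argument of an explicit 'isakmp identity' line ('address'/'hostname'), or None."""
    m = re.search(r"^isakmp identity (address|hostname)\s*$", config, re.M)
    return m.group(1) if m else None


def analyze_isakmp_debug(log):
    """Extract the Phase 1 milestones a troubleshooter looks for in debug output."""
    id_type = re.search(r"using id type (\S+)", log)
    return {
        "proposal_accepted": "atts are acceptable" in log,
        "id_type": id_type.group(1) if id_type else None,
        "phase1_retransmits": len(re.findall(r"retransmitting phase 1 \(\d+\)", log)),
        "sa_deleted": "deleting SA" in log,
    }


def diagnose(config, log):
    """Combine config and debug findings into plain-language troubleshooting hints."""
    hints = []
    for name, seq, missing in incomplete_crypto_maps(config):
        hints.append(f"crypto map {name} {seq} is incomplete: add {', '.join(missing)}")
    d = analyze_isakmp_debug(log)
    if d["proposal_accepted"] and d["phase1_retransmits"] and d["sa_deleted"]:
        hints.append("Phase 1 proposal accepted but the peer stopped answering: "
                     "retransmitted until the SA was deleted (check pre-shared key and identity)")
    if d["id_type"] == "ID_FQDN" and identity_setting(config) != "address":
        hints.append("IKE identity sent as ID_FQDN with no 'isakmp identity address' configured")
    return hints


if __name__ == "__main__":
    for hint in diagnose(PIX_CONFIG, ISAKMP_DEBUG):
        print("-", hint)
```

Run against the constructed samples it prints three hints; adding the line `isakmp identity address` to the config text drops the ID_FQDN hint, which is the change the accepted reply asked for. The Phase 1 hint stays, because a mismatched pre-shared key produces the same accepted-then-silent pattern, so the debug output alone cannot tell the two causes apart.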

Man, you are a genius, it worked.

I had tried this command a few days ago from the SSH console but it did nothing; I don't know why. Later I read about IKE troubleshooting and found the same command, tried it from the PIX interface, and it worked.

Only one last thing: how do I change between aggressive and main mode?

Dear Wael, I'm glad you have it working now :)

I'm not aware of any such command on the PIX 6.x. On 7.x and above you can use this command:

crypto isakmp am-disable

Regards

Farrukh
