07-08-2008 12:50 AM - edited 02-21-2020 03:48 PM
I have this scheme http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml
But I have a problem: the VPN is not coming up from the router which is behind the NAT, and it is coming up from another site. Can anybody help me to resolve this problem?
07-08-2008 03:46 AM
Do you have any vpn on the PIX also?
07-08-2008 04:21 AM
Yes, I have active VPN tunnels on my PIX. How can it influence my scheme?
07-08-2008 04:45 AM
What PIX version do you have?
07-08-2008 06:47 PM
PIX 515E
Cisco PIX Security Appliance Software Version 7.0(1)
07-08-2008 03:48 AM
debug crypto ipsec
debug crypto isakmp
no access-list 120
access-list 120 permit ip host 192.168.34.1 host 192.168.11.7
no ip access-list extended VPN
ip access-list extended VPN
permit ip host 192.168.11.7 host 192.168.34.1
07-08-2008 04:45 AM
07-08-2008 04:52 AM
So... was it working?
Try to add on both sides:
crypto isakmp keepalive 10
crypto isakmp invalid-spi-recovery
after that do
clear crypto sa
clear crypto isa sa
07-08-2008 07:33 PM
Yes, I have added crypto isakmp invalid-spi-recovery previously and the VPN tunnel worked, but in the scheme http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml there is no crypto isakmp invalid-spi-recovery. What does this line do? How safe and stable is this config?
07-08-2008 11:00 PM
07-09-2008 12:05 AM
Yes, I have read this guide and this confuses me:
If an IKE SA is being initiated to notify an IPSec peer of an "Invalid SPI" error, there is the risk that a denial-of-service (DoS) attack can occur. The feature has a built-in mechanism to minimize such a risk, but because there is a risk, the feature is not enabled by default. You must enable the command using command-line interface (CLI).
Can the VPN work without crypto isakmp invalid-spi-recovery? I think the c871 doesn't detect NAT.
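Added example (not written by any poster in this thread, and not Cisco's code): one way to watch for the condition the quoted guide passage describes is to count the IOS `%CRYPTO-4-RECVD_PKT_INV_SPI` syslog messages per source address and flag bursts. The log lines, addresses, year, threshold and window below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the IOS syslog message logged when an IPsec packet arrives with an unknown SPI.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>\d+(?:\.\d+){3}), "
    r"prot=\d+, spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>\d+(?:\.\d+){3})"
)

def flag_invalid_spi_bursts(log_text, threshold=3, window=timedelta(seconds=60), year=2008):
    """Return {srcaddr: peak event count in any sliding window} for sources >= threshold.

    threshold, window and year are assumptions; these IOS timestamps carry no year.
    """
    events = defaultdict(list)
    for m in LINE_RE.finditer(log_text):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["src"]].append(ts)
    flagged = {}
    for src, times in events.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def _line(ts, src, spi):
    # Builds one constructed log line in the message's format.
    return (f"Jul  9 {ts}: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
            f"invalid spi for destaddr=192.0.2.1, prot=50, spi=0x{spi:X}({spi}), srcaddr={src}")

# Constructed sample log (documentation address ranges), not taken from the thread.
SAMPLE_LOG = "\n".join([
    _line("00:01:02.100", "203.0.113.9", 0x1214F0D),  # single event, e.g. after a peer reload
    _line("00:05:10.000", "198.51.100.7", 0x1000),
    _line("00:05:20.500", "198.51.100.7", 0x1001),
    _line("00:05:31.250", "198.51.100.7", 0x1002),
    _line("00:05:59.900", "198.51.100.7", 0x1003),
    _line("00:20:00.000", "198.51.100.7", 0x1004),    # outside the burst window
])

if __name__ == "__main__":
    for src, peak in flag_invalid_spi_bursts(SAMPLE_LOG).items():
        print(f"{src}: {peak} invalid-SPI packets within 60s")
```

A single message from a known peer usually follows a reload or SA expiry on one side; a sustained burst from one source is the case worth alerting on.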
07-08-2008 04:53 AM
Did you save the config?