09-09-2009 07:47 AM
I'm trying to establish a VPN connection between an (old) PIX501 running 6.3(5)
and an ASA5550 (which I don't control). The PIX501 operates in vpnclient mode.
I don't seem to get past phase 1. I have a feeling it's because of NAT-T/NAT-D (see debug from PIX501):
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc my hash for NAT-D
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc his hash for NAT-D
ISAKMP (0:0): NAT match HIS hash
Shortly after this statement, the phase 1 negotiations start all over again.
Any ideas?
Thanks,
Guy
09-10-2009 09:38 AM
I believe these messages indicate that there is no NAT between the two VPN peers. This does not highlight a NAT problem.
Perhaps you could provide more details, including the remainder of your debug output.
My own experience is that when two different parties manage two different VPN endpoint devices, it is worthwhile to meticulously review all the VPN settings to ensure that they match. Just a single small discrepancy could result in a failure to tunnel.
HTH
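The NAT-D comparison behind the "NAT match MINE hash" / "NAT match HIS hash" debug lines, sketched here as an added example that is not part of the thread or of Cisco's code. It follows the RFC 3947 formula HASH(CKY-I | CKY-R | IP | Port); the SHA-1 hash, the cookies and the addresses are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

def natd_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    packed_ip = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + packed_ip + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def build_natd(cky_i, cky_r, src, dst):
    """Sender: first payload covers the destination, second the source."""
    return [natd_hash(cky_i, cky_r, *dst), natd_hash(cky_i, cky_r, *src)]

def check_natd(cky_i, cky_r, payloads, my_addr, seen_src):
    """Receiver: recompute both hashes from the addresses it actually sees."""
    mine = hmac.compare_digest(payloads[0], natd_hash(cky_i, cky_r, *my_addr))
    his = hmac.compare_digest(payloads[1], natd_hash(cky_i, cky_r, *seen_src))
    return {"mine": mine, "his": his, "nat_detected": not (mine and his)}

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
PEER_A = ("192.0.2.10", 500)
PEER_B = ("198.51.100.20", 500)

def direct_path():
    """No translation: both recomputed hashes match, as in the posted debug."""
    payloads = build_natd(CKY_I, CKY_R, src=PEER_A, dst=PEER_B)
    return check_natd(CKY_I, CKY_R, payloads, my_addr=PEER_B, seen_src=PEER_A)

def natted_path():
    """Sender hashes its private address; receiver sees the translated one."""
    payloads = build_natd(CKY_I, CKY_R, src=("10.0.0.5", 500), dst=PEER_B)
    return check_natd(CKY_I, CKY_R, payloads, my_addr=PEER_B,
                      seen_src=("203.0.113.7", 62001))

if __name__ == "__main__":
    print("direct:", direct_path())
    print("natted:", natted_path())
```

When both comparisons match, neither peer switches to UDP encapsulation, so a phase 1 restart after these lines has to be traced in the rest of the debug output.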
09-11-2009 07:35 AM