I have configured a VPN 3000 Concentrator to PIX 501. Initially I have configured both ends to allow an octet of my IP address pool in both locations to pass through the tunnel. Unfortunately, recently I need to allow the entire subnet access through the IPSEC tunnel from both ends. Before I attempted any modifications this worked without any trouble.
On the PIX to allow this I added more statements to my existing access-list to allow these additional subnets from that location.
On the VPN3K end I am a bit confused. I open the LAN-LAN IPSEC connection properties and add the new local address and mask and also for the remote end address and mask.
Unfortunately, when I add this to the VPN3K I am unable to establish the IPSEC tunnel. When I read the log I see the initiator attempting to start the tunnel between, but it is rejected. Phase 1 completes successfully, but phase 2 does not seem to be initiating properly.
If I reset those two address pools back to my original entry the tunnel establishes successfully. This almost seems like a bug in the VPN software. I am not sure. My VPN code is vpn3000-3.5.2.Rel-k9.bin.