HSRP with IPSec Issue - Router to PIX set up

Apr 7th, 2003

Having a problem using HSRP for IPsec in a router-to-PIX setup.

Our two routers (3640 and 3725) run code that supports HSRP with IPsec.

We have two crypto maps configured: one for a router-to-PIX setup and one for a router-to-router setup. We are using pre-shared keys and ISAKMP keepalives on the PIX.


Behavior:

Both setups work fine, but then the router-to-PIX setup fails. When we ping from our end (router) the SAs will not come up. The only way to bring it back up is to ping from the remote end (PIX). Once this is done the SAs immediately come back up and we can ping from both ends.

During this time the router-to-router setup never fails to work.

Wondering if this is a known issue for PIX. Anyone ever seen this before?


Cleaned up config from our routers:


crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key <key 1> address <remote ip 1>
crypto isakmp key <key 2> address <remote ip 2>
!
crypto ipsec transform-set <set 1> esp-3des esp-md5-hmac
crypto ipsec transform-set <set 2> esp-3des esp-md5-hmac
!
!router to pix config!
crypto map <map 1> 10 ipsec-isakmp
 set peer <remote ip 1>
 set transform-set <set 1>
 match address 120
!
!router to router config!
crypto map <map 2> 20 ipsec-isakmp
 set peer <remote ip 2>
 set transform-set <set 2>
 match address 130


Thanks,

-daniel


gfullage (Cisco Employee) Mon, 04/07/2003 - 22:04

Don't know of any issues; we'd need to see the debugs on the PIX when the tunnel is initiated from the router end to see what the problem is. Usually issues where a tunnel can only be built in one direction are to do with the crypto ACLs not being the exact opposite of each other, or with your Phase 1/2 timers not matching (especially Phase 1).

Keep in mind that with Phase 1, the router and PIX will only accept the initialization if the peer's policy is shorter than or equal to its own, so if they don't match, you're only going to be able to build the tunnel in one direction (which is what you're seeing).
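A small checker for the two conditions named in the reply above (mirror-image crypto ACLs and the Phase 1 lifetime ordering), added here as an example and not part of the thread or of any Cisco tool; the ACL entries and lifetimes are constructed values, and the lifetime rule is applied exactly as the reply states it:

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# A crypto ACL line reduced to (source network, destination network).
Entry = Tuple[str, str]


def _normalize(entries: Iterable[Entry]) -> Set[Entry]:
    # Canonical CIDR strings so 10.1.0.0/255.255.0.0 and 10.1.0.0/16 compare equal.
    return {(str(ipaddress.ip_network(s, strict=False)),
             str(ipaddress.ip_network(d, strict=False))) for s, d in entries}


def acl_mismatches(local: Iterable[Entry], remote: Iterable[Entry]) -> Dict[str, List[Entry]]:
    """Compare a local crypto ACL against the peer's after mirroring the peer's
    (src, dst) pairs. Two empty lists mean the ACLs are exact opposites."""
    local_set = _normalize(local)
    mirrored_remote = {(d, s) for s, d in _normalize(remote)}
    return {
        "missing_on_peer": sorted(local_set - mirrored_remote),
        "extra_on_peer": sorted(mirrored_remote - local_set),
    }


def phase1_initiation(local_lifetime: int, peer_lifetime: int) -> Dict[str, bool]:
    """Rule from the reply: a responder accepts the initiator's ISAKMP policy only
    if the proposed lifetime is shorter than or equal to its own."""
    return {
        "local_can_initiate": local_lifetime <= peer_lifetime,
        "peer_can_initiate": peer_lifetime <= local_lifetime,
    }


# Constructed sample data (not from the thread): ACL 120 on the router and two
# candidate ACLs on the PIX, one a correct mirror and one with a wrong mask.
ROUTER_ACL_120 = [("10.1.0.0/16", "192.168.5.0/24"), ("10.2.0.0/24", "192.168.5.0/24")]
PIX_ACL_MIRROR = [("192.168.5.0/24", "10.1.0.0/255.255.0.0"), ("192.168.5.0/24", "10.2.0.0/24")]
PIX_ACL_BROKEN = [("192.168.5.0/24", "10.1.0.0/24"), ("192.168.5.0/24", "10.2.0.0/24")]

if __name__ == "__main__":
    for name, pix_acl in (("mirror", PIX_ACL_MIRROR), ("broken", PIX_ACL_BROKEN)):
        print(name, acl_mismatches(ROUTER_ACL_120, pix_acl))
    # Constructed lifetimes: the router proposes 86400 s, the PIX allows at most 28800 s.
    print(phase1_initiation(local_lifetime=86400, peer_lifetime=28800))
```

With the constructed lifetimes the router cannot initiate toward the PIX while the PIX can initiate toward the router, which is the one-direction symptom the question describes.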
