The IPSEC tunnel will not be initiated unless you force interesting traffic to flow on the PIX. Try to initiate traffic from host DMS100 to host 188.8.131.52 and then check the show commands given above. You can also run some debugs (debug crypto isakmp sa, ipsec) and see if there are any errors. The sequence number need not match, but make sure you match the other things like encryption, authentication, PFS, lifetime, crypto ACL, etc.
For some reason, we cannot trigger traffic on the DMS100, but it's able to receive traffic. People on the 184.108.40.206 said they initiated traffic towards DMS100, but there is no response from our side. What could be the reason? They can ping my outside public IP address.
Are you able to see any traffic hitting your PIX when they initiate the traffic? Run some debugs, given above, and see what exactly is happening. You can also ask the remote guys to run some debugs and see what happens. The configs on your end PIX look fine. Make sure of the following from your end:
1) hope you are able to ping and reach 220.127.116.11
2) Be very sure of the parameters configured on the Nortel box. They should have configured DES encryption, md5 hash, group 1, lifetime 86400, the same ISAKMP key, transform sets, etc. Even if one of these parameters doesn't match, it is going to be an issue.
3) default gateway on DMS100 will point to the local DMZ ip address of the PIX..
4) Just to be sure, make sure you see the NAT translation on the show xlate
The problem has been solved. I feel so embarrassed because it's a very silly mistake: they gave me the wrong key. Later, when I used the debug and show logging commands, I saw "CRYPTO-4-IKMP_BAD_MESSAGE", and then I knew the point. Since I had double-checked every parameter with them and they said yes, I didn't pay much attention to it. Sorry for the silly mistake and thank you very much.