I've run into a frustrating problem on a 501. It's at a new remote site and I've not had direct access to the device, only via SSH. I was trying to configure their VPN for Pix to Pix access to the corporate office and can't get the link to come up. The site was originally configured with des only and I use 3des so I removed all the crypto statements and added the new connection configuration. I know the configuration works, I've tried it on a spare Pix we have at our corporate office and the link comes up fine. Does the application of the new crypto statements and change to 3des require a restart or can those changes be made on the fly? That's the only thing I haven't tried as I wasn't ready to save the config permanently yet. Here is the config I'm using:
Firstly - Is the configuration on both pix symmetrical? For example, if you are using 3DES on one pix then the other must also be using 3DES and the correct ISAKMP key / crypto ACL etc / transform-set etc?
If both pix have the correct setup then have you issued: clear crypto isakmp sa and also clear crypto ipsec sa on both peers?
Make sure that you have L3 (Network) connectivity between both peers; if you can ping the outside IP address of your peer pix from your pix then this will confirm that you have L3 connectivity.
You are using isakmp group 1 on your pix, is the remote pix also using group 1 for ISAKMP?
For reference and troubleshooting, look at the following document for help:
I was able to get the configuration working by using the des config at the remote site and configuring an extra pix I have. The script I posted worked fine then.
The sh ver indicates it's licensed for 3des but I can't get it to come up when I use the same config (with the 3des commands instead of des). Could 3des be incorrectly registered as enabled even if it's not installed?
I already run two other VPN tunnels on the main office Pix I was trying to connect to, so I was using group 5 in my config; can I use group 1 concurrently on multiple connections?
I'll check the reference document you've posted as well.
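As an added illustration of the "symmetrical configuration" check from the reply above (example code written for this page, not from the poster or from Cisco), this script parses the `isakmp policy` and `crypto ipsec transform-set` lines of two PIX-style configs and reports the attributes the peers would fail to agree on. The two sample configs are constructed for the example and are not the configuration from the original post; the line format they use is assumed.

```python
import re

# Constructed sample configs (not the poster's config). They reproduce the
# mismatch discussed in the thread: the remote PIX still negotiates DES with
# IKE group 1, while the corporate PIX offers 3DES with group 5.
REMOTE_PIX = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
crypto ipsec transform-set remote-set esp-des esp-sha-hmac
"""
CORPORATE_PIX = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
crypto ipsec transform-set corp-set esp-3des esp-sha-hmac
"""

POLICY_RE = re.compile(r"^isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set \S+ (.+)$")
IKE_ATTRS = ("authentication", "encryption", "hash", "group")

def parse_pix(config):
    """Collect IKE policies (attribute dicts keyed by policy number) and transform-sets."""
    policies, tsets = {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := TSET_RE.match(line):
            tsets.append(frozenset(m.group(1).split()))
    return list(policies.values()), tsets

def check_peers(local_cfg, peer_cfg):
    """Return the mismatches that would stop phase 1 or phase 2 between the two peers."""
    lpol, lts = parse_pix(local_cfg)
    ppol, pts = parse_pix(peer_cfg)
    problems = []
    # Phase 1: some local policy must agree with some peer policy on all four attributes.
    if not any(all(a.get(k) == b.get(k) for k in IKE_ATTRS) for a in lpol for b in ppol):
        for a in lpol:
            for b in ppol:
                for k in IKE_ATTRS:
                    if a.get(k) != b.get(k):
                        problems.append(f"ike {k}: local {a.get(k)} vs peer {b.get(k)}")
    # Phase 2: the peers need at least one identical transform-set.
    if not set(lts) & set(pts):
        problems.append("no common ipsec transform-set")
    return problems

if __name__ == "__main__":
    for problem in check_peers(REMOTE_PIX, CORPORATE_PIX):
        print(problem)
```

Running it against the two constructed configs lists the encryption, group and transform-set disagreements; an empty list means the two sides could at least agree on proposals, which does not by itself rule out a key, ACL or reachability problem.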