I have several IOS routers that are successfully establishing IPSec tunnels to my PIX. However, there is one particular router that will not connect. It is no different than all the rest, same IOS, same crypto config, but it just doesn't work. I have double and triple checked the configs and all looks OK. I have some debugs here from both ends that show the failure but don't really say why it's failing. Maybe somebody can tell me what the debugs mean. There is a debug from both ends.
** Debug of PIX with 22.214.171.124 IOS Router trying to establish ISAKMP **
crypto_isakmp_process_block: src 126.96.36.199, dest 188.8.131.52
VPN Peer: ISAKMP: Added new peer: ip:184.108.40.206 Total VPN Peers:6
shows that it's sending IKE packets to the PIX. The PIX debug shows it's comparing the attributes and they're OK, it replies to the router, but the router never sees that. It retransmits, again it gets no answer, and eventually gives up.
So you have to see why the router isn't seeing the ISAKMP packets from the PIX. Check that the ISP isn't blocking them; they do sometimes because they want to charge extra for having VPNs run across their network.
Failing that, try bringing up the tunnel from behind the PIX (rather than from behind the router) and check the debugs again. You'll get more information on the router debug this way and it may give more information as to the cause.