01-22-2007 12:33 PM - edited 02-21-2020 01:22 AM
I have a remote site that I want to create a site-to-site VPN connection with. I went through the wizard but the tunnel will not come up. Attached are the config files. Thanks!
01-22-2007 02:52 PM
Can you make the change below on the Westpix:
no isakmp key ******** address 72.151.35.67 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key "ENTER_KEY" address 72.151.35.67 netmask 255.255.255.255
As for the other configuration parameters, they look fine. To troubleshoot further, it is better to send me the output of:
debug crypto isakmp
debug crypto ipsec
This will help us know why the tunnel is failing.
Hope this helps,
Regards,
01-22-2007 03:59 PM
Could it be as simple as..... Below is the output of the debugs.
isakmp_send: route search for 72.151.35.67 failed
ISAKMP (0): retransmitting phase 1 (0)...
isakmp_send: route search for 72.151.35.67 failed
ISAKMP (0): retransmitting phase 1 (1)...
isakmp_send: route search for 72.151.35.67 failed
ISAKMP (0): retransmitting phase 1 (2)...
isakmp_send: route search for 72.151.35.67 failed
ISAKMP (0): retransmitting phase 1 (3)...
isakmp_send: route search for 72.151.35.67 failed
ISAKMP (0): retransmitting phase 1 (4)...
isakmp_send: route search for 72.151.35.67 failed
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 71.159.2.17, remote= 72.151.35.67,
local_proxy= 192.168.12.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 71.159.2.17, dst 72.151.35.67
ISADB: reaper checking SA 0xb0c144, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 72.151.35.67/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 71.159.2.17, remote= 72.151.35.67,
local_proxy= 192.168.12.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4)
01-22-2007 04:05 PM
I found the mistake. You don't need to route the VPN subnet. The PIX will match it and send it through the tunnel.
Please remove:
no route outside 192.168.20.0 255.255.255.0 72.151.35.67 1
Another issue is that you don't have a default route on the PIX. You should have a default route on the PIX; otherwise it won't know how to reach the other VPN peer. The default route should be like below, where X is your default gateway assigned by the ISP.
route outside 0.0.0.0 0.0.0.0 71.159.2.x
Let me know if this solves your problem,
Regards,
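As an added example (not from the thread or from Cisco), a small Python lint that checks a PIX config text for the two routing mistakes diagnosed in the reply above and pulls the unreachable peer out of the `debug crypto isakmp` output. The sample config and debug excerpt are constructed, using only the addresses quoted in the thread.

```python
import ipaddress
import re

# Constructed sample config (not the poster's attachment): the crypto ACL and
# peer addresses quoted in the thread, plus the static route the reply says to remove.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 192.168.20.0 255.255.255.0
route outside 192.168.20.0 255.255.255.0 72.151.35.67 1
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 72.151.35.67
"""

# Constructed excerpt in the shape of the debug output posted above.
SAMPLE_DEBUG = """\
isakmp_send: route search for 72.151.35.67 failed
ISAKMP (0): retransmitting phase 1 (0)...
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
DEBUG_RE = re.compile(r"route search for (\S+) failed")

def peers_without_route(debug):
    """Peer addresses that 'debug crypto isakmp' says the PIX has no route to."""
    return set(DEBUG_RE.findall(debug))

def lint_vpn_routes(config):
    """Report the two routing mistakes from the thread: a static route for the
    remote VPN subnet (the crypto map already matches that traffic) and a
    missing default route (the PIX cannot send IKE to the peer without one)."""
    routes, remote_nets = [], set()
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            routes.append((m.group(1), net, m.group(4)))
            continue
        m = ACL_RE.match(line.strip())
        if m:
            # destination side of the crypto ACL is the remote protected subnet
            remote_nets.add(ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))
    findings = []
    if not any(net.prefixlen == 0 for _, net, _ in routes):
        findings.append("no default route: PIX cannot reach the IKE peer")
    for iface, net, gw in routes:
        if net in remote_nets:
            findings.append(f"drop static route for VPN subnet {net} via {gw}: "
                            "the crypto map matches it")
    return findings
```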
01-22-2007 06:02 PM
OK, the addition of the default route allowed the tunnel to come up. I am still unable to pass any traffic over the tunnel. Thanks for the help so far, I appreciate anything in the future!
01-23-2007 08:54 AM
That's good to know. Can you paste the latest configs so I can do a final check?
Regards,
01-23-2007 08:56 AM
Hello,
As I can see in the old configuration, you have an internal router. If your desktop's default gateway is the internal router, you have to add a route for the remote subnet on this router pointing to the PIX inside interface.
Please let me know how it goes,
Regards,