Pix 501 to 501 site to site issues

ahab
Level 1

I have a remote site that I want to create a site-to-site VPN connection with. I went through the wizard but the tunnel will not come up. Attached are the config files. Thanks!

6 Replies

m-haddad
Level 5

Can you do the below change on the Westpix

no isakmp key ******** address 72.151.35.67 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key "ENTER_KEY" address 72.151.35.67 netmask 255.255.255.255

As for other configuration parameters they look fine. To troubleshoot further it is better to send me the output of:

debug crypto isakmp

debug crypto ipsec

This will help us know why the tunnel is failing.

Hope this helps,

Regards,

Could it be as simple as... Below is the output of the debugs.

isakmp_send: route search for 72.151.35.67 failed

ISAKMP (0): retransmitting phase 1 (0)...

isakmp_send: route search for 72.151.35.67 failed

ISAKMP (0): retransmitting phase 1 (1)...

isakmp_send: route search for 72.151.35.67 failed

ISAKMP (0): retransmitting phase 1 (2)...

isakmp_send: route search for 72.151.35.67 failed

ISAKMP (0): retransmitting phase 1 (3)...

isakmp_send: route search for 72.151.35.67 failed

ISAKMP (0): retransmitting phase 1 (4)...

isakmp_send: route search for 72.151.35.67 failed

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 71.159.2.17, remote= 72.151.35.67,

local_proxy= 192.168.12.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 71.159.2.17, dst 72.151.35.67

ISADB: reaper checking SA 0xb0c144, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 72.151.35.67/500 not found - peers:0

IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 71.159.2.17, remote= 72.151.35.67,

local_proxy= 192.168.12.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4)

I found the mistake. You don't need to route the VPN subnet. The PIX will match it and send it through the tunnel.

Please remove:

no route outside 192.168.20.0 255.255.255.0 72.151.35.67 1

Another issue is that you don't have a default route on the PIX. You should have a default route on the PIX, otherwise it won't know how to reach the other VPN peer. The default route should be like below, where x is your default gateway assigned by the ISP.

route outside 0.0.0.0 0.0.0.0 71.159.2.x

Let me know if this solves your problem,

Regards,

OK, the addition of the default route allowed the tunnel to come up. I am still unable to pass any traffic over the tunnel. Thanks for the help so far, I appreciate anything in the future!

That's good to know. Can you paste the latest configs to do final check.

Regards,

Hello,

As I can see in the old configuration you have an internal router. If your desktop default gateway is the internal router, you have to add a route for the remote subnet on this router pointing to the PIX inside interface.

Please let me know how it goes,

Regards,
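For reference, here is what the corrected West PIX side and the internal router route from the replies above look like when put together. This is an added example written for this page, not the poster's attached config files or anything from the replies; the peer address, the two LAN subnets and the ISP gateway placeholder 71.159.2.x are taken from the thread, while the names vpn_acl, ESP-3DES-SHA and outside_map, the masked pre-shared key, and the PIX inside address 192.168.12.1 are assumptions. The debug output above shows why the default route mattered: "route search for 72.151.35.67 failed" means the PIX had no route to the peer, so the phase 1 packet was never sent and ISAKMP kept retransmitting until the SA was reaped.

```cisco
: ===== West PIX 501 (PIX 6.x syntax) =====
: Names vpn_acl, ESP-3DES-SHA, outside_map and the inside address
: 192.168.12.1 are assumptions; peer and subnets come from the debug output.

: Interesting traffic: local LAN to remote LAN. The same ACL is used for the
: crypto map and for nat 0, so VPN traffic is neither NATed nor PATed.
access-list vpn_acl permit ip 192.168.12.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list vpn_acl

: Let decrypted tunnel traffic bypass the outside interface access list.
sysopt connection permit-ipsec

: Phase 2 proposal and the crypto map bound to the outside interface.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_acl
crypto map outside_map 10 set peer 72.151.35.67
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

: Phase 1: pre-shared key for this peer only (the no-xauth / no-config-mode
: keywords dropped, as suggested above). ******** stands for the real key,
: which must match exactly on both PIXes.
isakmp enable outside
isakmp key ******** address 72.151.35.67 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Routing: a default route so ISAKMP can reach the peer, and NO static route
: for the remote VPN subnet; the crypto map ACL steers that traffic into the
: tunnel. 71.159.2.x is the ISP gateway placeholder from the thread.
route outside 0.0.0.0 0.0.0.0 71.159.2.x 1
no route outside 192.168.20.0 255.255.255.0 72.151.35.67 1

! ===== Internal router (IOS), only if the desktops use it as default gateway =====
! Send the remote LAN to the PIX inside interface (192.168.12.1 assumed).
ip route 192.168.20.0 255.255.255.0 192.168.12.1
```

The East PIX gets the mirror image: its own LAN and the West LAN swapped in the access list, 71.159.2.17 as the peer and in the isakmp key line, and its own default route. After applying this, `show isakmp sa` (PIX 6.x) should list the peer in QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters climbing once a host on one LAN pings the other; if phase 1 comes up but no traffic flows, the usual culprits are a missing nat 0 entry, a mismatched access list on the far end, or hosts whose default gateway is a router with no route back to the PIX.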
