--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
Hi gurus! :-)
I have a problem connecting VPN-tunnels. Can you see if I am missing something in the configs?
The main site Pix 501 xxxxxxxxxxxx is configured with static outside IP and should be able to handle incoming VPN Client connections as well as Dynamic LAN-2-LAN sessions from another Pix 501 on remote office.
The Remote Office Pix 501 PIX (right now configured with static IP but that IP will change) should be able to connect to the xxxxxxxxxxxx pix.
xxxxxxxxxxxx local lan: 192.168.1.0/24
PIX local lan: 192.168.10.0/24
When trying to connect from PIX (local PC pinging 192.168.1.2) I just get this debug output:
NOR doesn't have an outside static IP - it gets it from DHCP via PPPOE. Are you saying that that IP will remain static though?
Try reinitializing everything on NOR - that is the one complaining about not knowing about the other side. We aren't getting to IPSec - the problem is with isakmp.
clear crypto isakmp sa
no isakmp enable outside
isakmp enable inside
Should smack it upside the head. I don't see any problems with your config, but perhaps you entered the commands out of order, and something is just askew. This will force isakmp to re-read everything when it restarts via the "isakmp enable inside" command. Then try initializing the tunnel from the HBG side.
The error you're getting in the debugs is stating that it expects to see peer information for the remote pix in its local config. In order to connect without the peer information you have to set up the remote pix as an "Easy VPN Remote Device". There are a few commands that would have to be put in the remote device to authenticate properly.
You should look at the documentation for this stuff as far as determining the mode you want to use and so forth. Also I believe the remote end has to initiate the connection, so if it times out you will have to wait for someone on the remote end to send packets your way.
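For readers following the two replies above, here is an added example (not the poster's configuration, which was redacted, and not taken from any Cisco document) of how the hub-and-dynamic-peer setup the thread describes is usually expressed in PIX 6.3 syntax. It assumes the hub keeps the 192.168.1.0/24 LAN, the remote office keeps 192.168.10.0/24, the hub's public address is the placeholder HUB_STATIC_IP, and the pre-shared key is the placeholder PLACEHOLDER_PSK; the interface and map names are also assumptions. The hub matches any peer address because the remote gets its address from PPPoE, which is also why only the remote can bring the tunnel up, as the last reply notes.

```cisco
! ---- Hub PIX 501 (static outside IP; accepts dynamic LAN-to-LAN peers) ----
! Exempt LAN-to-LAN traffic from NAT so the inner addresses survive the tunnel
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
! Phase 2 proposal (AES requires PIX 6.3 or later)
crypto ipsec transform-set strong esp-aes esp-sha-hmac
! Dynamic map: no "set peer" because the remote address is unknown in advance
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
! Phase 1: ISAKMP on the outside interface, wildcard pre-shared key for any peer
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ---- Remote office PIX 501 (PPPoE/DHCP outside IP; must initiate) ----
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list tohub permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes esp-sha-hmac
! Static map: the remote knows the hub's fixed address, so it names the peer
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address tohub
crypto map outside_map 10 set peer HUB_STATIC_IP
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
isakmp enable outside
isakmp key PLACEHOLDER_PSK address HUB_STATIC_IP netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The two halves must agree on the Phase 1 policy, the transform set and the pre-shared key, and the hub's wildcard key means any host that knows the key can complete Phase 1, so the key should be long and random. Because the hub has no static peer entry for the remote, a Phase 1 attempt started from the hub side produces exactly the "no peer information" kind of ISAKMP debug the thread is discussing; the tunnel has to be brought up by interesting traffic from the remote office.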