10-15-2003 10:23 AM - edited 02-21-2020 12:49 PM
I set up a site-to-site VPN between the PIX on my end and an IBM OS/390 on the other end. I also have a dynamic VPN set up for remote users. The dynamic VPN is working fine. I have a problem with the site-to-site VPN in that when I initiate the tunnel, it works, but when the other end tries it, it does not work. However, the thing I find interesting is that I have included the address of the outside interface on the PIX as part of the interesting traffic, and when the other end initiates a tunnel to the outside interface that works, but not to the inside host. I tried a lot of things like changing the lifetime and removing NAT even though I'm using NAT 0. I had the inside and outside addresses translated to be the same. I have no clue now on how to make this work. I have attached a sample config which is similar to the one I use.
Any help would be appreciated.
x.x.12.3 is the OUTSIDE interface and the other end is y.y.4.9. The host to which y.y.4.9 needs to connect is x.x.84.9.
Thanks,
Karthik.
access-list WRAIR permit ip host x.x.49.100 x.x.110.0 255.255.255.0
access-list WRAIR permit ip host x.x.68.218 x.x.110.0 255.255.255.0
access-list WRAIR permit ip host x.x.84.9 host y.y.4.9
access-list MEPCOM permit ip host x.x.12.3 host y.y.4.9
access-list MEPCOM permit ip host x.x.84.9 host y.y.4.9
nat 0 access-list WRAIR
ip local pool WRAIRPOOL x.x.110.2-x.x.110.20
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host x.x.101.6 ******* timeout 5
aaa-server authinbound protocol radius
aaa-server authinbound (dmz) host x.x.101.6 ******* timeout 5
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set WRAIRSET esp-3des esp-sha-hmac
crypto dynamic-map WRAIRDYN 1000 set transform-set WRAIRSET
crypto map WRAIRMAP 20 ipsec-isakmp
crypto map WRAIRMAP 20 match address MEPCOM
crypto map WRAIRMAP 20 set peer y.y.4.9
crypto map WRAIRMAP 20 set transform-set WRAIRSET
crypto map WRAIRMAP 1000 ipsec-isakmp dynamic WRAIRDYN
crypto map WRAIRMAP client authentication partnerauth
crypto map WRAIRMAP interface outside
isakmp enable outside
isakmp key ******** address y.y.4.9 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup WRAIR address-pool WRAIRPOOL
vpngroup WRAIR idle-time 1800
vpngroup WRAIR password ********
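As an added check (not part of the original post), the script below parses the access-list, nat 0 and crypto map lines from the posted config and reports every crypto-map (interesting traffic) entry that has no identical entry in the nat 0 exemption ACL. The x.x./y.y. tokens are the poster's masked addresses, so matching is exact rather than subnet-aware; for this config only the outside-interface entry x.x.12.3 -> y.y.4.9 is reported, which is expected since the PIX does not translate its own interface address.

```python
import re

# Lines copied from the posted PIX config; x.x./y.y. are the poster's
# masked addresses and are treated as opaque tokens.
CONFIG = """
access-list WRAIR permit ip host x.x.49.100 x.x.110.0 255.255.255.0
access-list WRAIR permit ip host x.x.68.218 x.x.110.0 255.255.255.0
access-list WRAIR permit ip host x.x.84.9 host y.y.4.9
access-list MEPCOM permit ip host x.x.12.3 host y.y.4.9
access-list MEPCOM permit ip host x.x.84.9 host y.y.4.9
nat 0 access-list WRAIR
crypto map WRAIRMAP 20 match address MEPCOM
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")


def parse_spec(tokens):
    """Consume one address spec ('host A' or 'NET MASK'); return (spec, rest)."""
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("net", tokens[0], tokens[1]), tokens[2:]


def parse_acls(text):
    """Map ACL name -> list of (src_spec, dst_spec) tuples."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src, rest = parse_spec(m.group(2).split())
        dst, _ = parse_spec(rest)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def nat0_acl_name(text):
    m = re.search(r"^nat 0 access-list (\S+)$", text, re.M)
    return m.group(1) if m else None


def crypto_acl_names(text):
    return re.findall(r"^crypto map \S+ \d+ match address (\S+)$", text, re.M)


def uncovered_crypto_entries(text):
    """Crypto-map ACEs with no identical ACE in the nat 0 ACL (exact match only)."""
    acls = parse_acls(text)
    exempt = set(acls.get(nat0_acl_name(text), []))
    return [(name, ace) for name in crypto_acl_names(text)
            for ace in acls.get(name, []) if ace not in exempt]
```

Entries for inside hosts that appear in this list would be translated before encryption and so never match the proxy identity the peer proposes; with real addresses, swap the exact-match set lookup for ipaddress-based subnet containment.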
10-20-2003 11:13 AM
Just try if it works when you increase the xauth timer.