Pix to Pix IPSec VPN Problem

kmssnoc · ‎03-04-2004

Hello *

I'm trying to connect 2 LANs to each other; from a local PIX515e to a remote PIX501, both run IOS 6.2.

The local pix has a public IP on the outside interface, while the remote pix has a private ip, since it is connected to a Zyxel P314Plus Router.

I have attached the config files of both pixes.

The commands 'show isakmp sa' and 'show ipsec sa' show a established tunnel between the pixes, but I do not seem to have a connection between the private nets. No pings or ssh connections through the Tunnel seem to reach the remote end. (Connection to the outside interface of the remote is ok)

The hitcounts on the access-lists of the remote pix show 0(crypto) and 6(nat0) hits while the local shows appropriate numbers (>10000).

I would appreciate any comments very much.

Regards,

Christian Diehl

gfullage · ‎03-04-2004

The configs look fine, I presume the other tunnels on the 515e are all working OK, so the problem is not at that end.

I would guess that the problem is the Zyxel is not passing the ESP packets through to the 501 properly. The tunnel is built OK cause this all happens on UDP/500, something the Zyxel is happy to forward on to the 501. The actual data packets though are ESP, which is not TCP or UDP based, so a lot of boxes have trouble NAT'ing or forwarding these, you might want to check and see if the Zyxel is capable of doing this.

kmssnoc · ‎03-05-2004

Thanks for your reply.

Yes the other tunnels work flawless.

I used "debug packet" on the remote pix and saw only tcp packages, so it's

likely that the Zyxel is the problem.

The Zyxel claims in its tech specs to have

"NAT/SUA support, IPSEC ESP Tunneling mode"

but the manual remains silent about that. I'll try to get some more info.