I have successfully established an IPSec site to site tunnel with the 2 endpoints being a PIX 515 with 6.21ED code and a PIX 506E with 6.12 code.
The problem is that when I reboot the Windows client, the NT domain login fails. If I cancel out of the login dialog box and go to a command prompt and ping a host on the remote LAN, the tunnel comes up. Immediately after this, I can do a SHUT DOWN >> LOG OFF and do a successful NT domain login.
I can see network traffic on the inside interface of the PIX when I reboot my PC and assume this is the client performing its login process. But it appears that this is not deemed as interesting and therefore doesn't bring up the tunnel.
With the VPN client application, there is a setting that allows you to initiate the remote access tunnel prior to the login process... I need the equivalent type of solution for this site to site tunnel.
This remote site client needs to have domain authentication to access resources located at the HQ. The client IP addresses and other relevant info such as WINS and DNS are statically assigned. So no LMHOSTS involved at the moment.
I don't know what kind of process is involved when the client boots and initiates the domain login process. But it seems that the domain login process is not "interesting" and therefore not initiating the tunnel setup.
My access-list to determine interesting traffic simply identifies the source address as being from the remote site and the destination address as being that of the HQ location.
If I understand you correctly, you should not need to use the Cisco VPN client in a LAN-to-LAN (PIX to PIX) solution. If your IPSec tunnel is established, the access lists in your config will specify what traffic is to be encrypted and send it across.
I see your problem. I myself have seen a delay of 5 to 10 seconds in the tunnel creation even with interesting traffic. This could be a timing issue. Several logon attempts fail? None of that traffic seems interesting?
Issue SHOW CRYPTO IPSEC SA
Look to see if the tunnel is up in one direction at least.
There is also something called KEEPALIVES which might help you.
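As an added illustration (not configuration posted by either participant), this is the shape of the PIX 6.x configuration the thread is discussing on the remote-site PIX: the crypto access list that defines interesting traffic from the remote LAN to the HQ LAN, and the ISAKMP keepalive the reply refers to. Every address, name and the peer IP below is an assumed placeholder, not a value from the thread.

```text
! Remote-site PIX 506E, PIX 6.x syntax. Addresses, names and the peer IP
! are assumed placeholders, not values taken from the thread.
! Interesting traffic: remote LAN 192.168.2.0/24 -> HQ LAN 10.1.0.0/16.
! The PIX takes a subnet mask here, not an IOS-style wildcard mask.
access-list vpn_to_hq permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0
! Do not translate traffic that is destined for the tunnel.
nat (inside) 0 access-list vpn_to_hq
! Let decrypted traffic bypass the outside interface access list.
sysopt connection permit-ipsec
crypto ipsec transform-set hq_set esp-3des esp-sha-hmac
crypto map hq_map 10 ipsec-isakmp
crypto map hq_map 10 match address vpn_to_hq
crypto map hq_map 10 set peer 203.0.113.1
crypto map hq_map 10 set transform-set hq_set
crypto map hq_map interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Keepalives (dead peer detection) as suggested in the reply:
! probe every 10 s, retry every 5 s once the peer stops answering.
isakmp keepalive 10 5
```

The HQ PIX needs the mirror image of the access list (HQ LAN as source, remote LAN as destination) or phase 2 will not negotiate. To do the check the reply asks for, run `show crypto ipsec sa` on each PIX after the client reboots and compare the `#pkts encaps` and `#pkts decaps` counters for the crypto map entry: one side encapsulating while the other side's decaps counter stays at zero means the tunnel is passing traffic in one direction only. Keepalives detect a dead peer and clear stale SAs; they do not pre-build the tunnel, so on their own they will not make the first logon packets after a reboot go through an already-established SA.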
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: