07-08-2008 12:50 AM - edited 02-21-2020 03:48 PM
I have this scheme http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml
But I have a problem: the VPN is not coming up from the router which is behind the NAT, and is coming up from another site. Can anybody help me to resolve this problem?
07-08-2008 03:46 AM
Do you have any vpn on the PIX also?
07-08-2008 04:21 AM
Yes, I have active VPN tunnels on my PIX. How can it influence my scheme?
07-08-2008 04:45 AM
What PIX version do you have?
07-08-2008 06:47 PM
PIX 515E
Cisco PIX Security Appliance Software Version 7.0(1)
07-08-2008 03:48 AM
debug crypto ipsec
debug crypto isakmp
no access-list 120
access-list 120 permit ip host 192.168.34.1 host 192.168.11.7
no ip access-list extended VPN
ip access-list extended VPN
permit ip host 192.168.11.7 host 192.168.34.1
07-08-2008 04:45 AM
07-08-2008 04:52 AM
so... Was it working?
try to add on both sides
crypto isakmp keepalive 10
crypto isakmp invalid-spi-recovery
after that do
clear crypto sa
clear crypto isa sa
07-08-2008 07:33 PM
Yes, I added crypto isakmp invalid-spi-recovery previously and the VPN tunnel worked, but in the scheme http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml there is no crypto isakmp invalid-spi-recovery. What does this line do? How safe and stable is this config?
07-08-2008 11:00 PM
07-09-2008 12:05 AM
Yes, I have read this guide and this confuses me:
If an IKE SA is being initiated to notify an IPSec peer of an "Invalid SPI" error, there is the risk that a denial-of-service (DoS) attack can occur. The feature has a built-in mechanism to minimize such a risk, but because there is a risk, the feature is not enabled by default. You must enable the command using command-line interface (CLI).
Can the VPN work without crypto isakmp invalid-spi-recovery? I think the c871 doesn't detect NAT.
07-08-2008 04:53 AM
did you save the config?