New Member

unable to get site - to site VPN Up

I have two PIXes running versions 6.3(3) and 7.1(1). Following is my topology, and the attached config shows the running configuration and debugs.

(PC)172.16.10.10/24<-->172.16.10.1/24-PIX(6.3)--1.1.1.2/30---WAN(X-Over cable)---1.1.1.1/30--PIX(7.1)--10.10.10.1/24<--->10.10.10.10/24(PC)

What am I missing?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: unable to get site - to site VPN Up

By the way, this is the only thing that catches my attention from the 6.3 debugs you provided:

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

One thing you can try is to set the ISAKMP identities on both sides:

isakmp identity address (on the 6.3 side)

cry isakmp identity address (on the 7.x side)

6 REPLIES
Cisco Employee

Re: unable to get site - to site VPN Up

Hello,

I don't see anything wrong with the configuration. Nothing seems to be missing.

Could you enable ISAKMP and IPsec debugging on the 7.x side (debug cry isakmp 128 and debug cry ipsec 128) to get more information on where the IPsec tunnel establishment is failing?

Gold

Re: unable to get site - to site VPN Up

Change the pre-shared key on both ends to something simple and try it again.

I don't see that phase 1 is even completing.

New Member

Re: unable to get site - to site VPN Up

I was using ciscocisco as the pre-shared key.

New Member

Re: unable to get site - to site VPN Up

Entering the following commands solved it:

isakmp identity address (on the 6.3 side)

cry isakmp identity address (on the 7.x side)

Thanks

Cisco Employee

Re: unable to get site - to site VPN Up

Awesome, glad to see it worked.

Cheers,

Eloy Paris.-
