Hi Mike,

When the other member mentioned 50 and 51 he was talking about two protocols, ESP and AH, rather than two ports. i.e.

access-list FromInternet permit esp any host 1.1.1.1

If you're using ESP/AH protocols you will need to allow it bidirectionally, so if you have an access-list on the "inside" interface of your router (ethernet) you must allow protocol 50/51 back out. Most people don't bother with protocol 51 AH anymore as ESP provides everything AH does and more.

rgds,
Ciaron

----- Original Message -----
From:
To:
Sent: Thursday, August 01, 2002 10:40 PM
Subject: RE: VPN not connecting [7:50144]

> I've been working on trying to eliminate the variables on each side of the
> VPN.... The unfortunate thing is, the other side is home, so I usually wait
> until the late evening/night to work on the remote side.... That's also the
> reason for the "frustrating" comment earlier. I know I could SSH into it,
> but, this isn't the only project I've been working on (as I'm sure a lot of
> you can relate)... So I'm going to hopefully wrap it up by this weekend.
>
> One of the main issues I was running into was the remote network was
> subnetted from the main network so the ACLs got a little confusing. So I've
> changed the IP scheme on the remote side... This also brings me to another
> question; a rather newbie one, what other ports should be open (beside 500)?
> I received an email from someone saying 50 & 51, does that sound right? If
> you have the, "allow any out and return in", settings for firewall rules...
> Do the ports still need to be opened (I would think not since there is the
> nat0 command?)? The other issue I'm looking into is the MTU size....
>
> Once I establish the tunnel and maintain connectivity I'll let y'all know
> what I find....
>
> Thanx for the help,
> mkj
>
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 01, 2002 2:54 PM
> To: [EMAIL PROTECTED]
> Subject: RE: VPN not connecting [7:50144]
>
>
> Lidiya White wrote:
> >
> > Capture debugs on both ends at the same time. Should be more
> > helpful.
> > Make sure both ends have "isakmp identify address"...
> >
> > -- Lidiya White
>
> Sounds like a good idea. So Mike, what was the problem? It sure would help
> those of us learning IPSec to hear how you resolved the issue. Thanks.
>
> Priscilla
>
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> > Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Tuesday, July 30, 2002 4:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VPN not connecting [7:50144]
> >
> > The ACLs are mirrors of each other and the transform sets
> > match....
> > Very
> > frustrating....
> >
> > -----Original Message-----
> > From: Silju Pillai [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 30, 2002 2:29 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VPN not connecting [7:50144]
> >
> >
> > Hi,
> >
> > Pls check the interesting traffic configured
> > (access list) configured at both ends. Your transform set
> > parameters
> > too. It
> > should be the same.
> >
> > As you are receiving IKMP_no_error your isakmp policies are
> > working
> > fine.
> >
> > regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50477&t=50144
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
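The protocol-versus-port point Ciaron makes above, as an added example that is not part of the original thread or any poster's configuration: a small Python evaluator for IOS-style extended ACL lines that shows why a line permitting TCP port 50 never matches ESP (IP protocol 50), and that checks the ISAKMP, ESP and AH flows in both directions. The ACL contents are constructed; 1.1.1.1 is the local router address from the thread, the peer address 192.0.2.2 is an assumption, and the bidirectional check models an inbound and an outbound ACL on the Internet-facing interface rather than the inside-interface ACL Ciaron describes.

```python
"""Evaluate IOS-style extended ACL lines against IPsec peer traffic.

Added example (not from the thread). Supports 'permit|deny <proto> <src> <dst> [eq <port>]'
where <proto> is an IOS keyword or a protocol number and <src>/<dst> are 'any' or 'host X'.
"""
from dataclasses import dataclass
from typing import Optional

# IOS protocol keywords -> IP protocol numbers (None = any protocol). ESP is 50, AH is 51.
PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
# IOS port keyword used in this thread: ISAKMP is UDP port 500.
PORT_NAMES = {"isakmp": 500}

# Constructed addresses: 1.1.1.1 is the local address used in the thread,
# 192.0.2.2 (TEST-NET) is an assumed remote peer.
LOCAL_IP, PEER_IP = "1.1.1.1", "192.0.2.2"


@dataclass(frozen=True)
class Packet:
    proto: int                  # IP protocol number, not a port
    src: str
    dst: str
    dport: Optional[int] = None  # only meaningful for TCP/UDP


def _parse_addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D'; return (matcher, index of the next token)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        want = tokens[i + 1]
        return (lambda ip: ip == want), i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")


def parse_acl(text):
    """Parse one ACL entry per line into (action, proto, src_match, dst_match, dport)."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto_kw = tokens[0], tokens[1].lower()
        proto = PROTOCOLS[proto_kw] if proto_kw in PROTOCOLS else int(proto_kw)
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto is not None and proto != pkt.proto:
            continue
        if not (src(pkt.src) and dst(pkt.dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


def ipsec_peer_traffic(peer, local):
    """The flows an IPsec peering needs inbound: ISAKMP (UDP/500), ESP (50), AH (51)."""
    return {"isakmp": Packet(17, peer, local, 500),
            "esp": Packet(50, peer, local),
            "ahp": Packet(51, peer, local)}


def check_bidirectional(inbound_acl, outbound_acl, peer, local):
    """Map each flow to (permitted inbound, permitted on the return path)."""
    report = {}
    for name, pkt in ipsec_peer_traffic(peer, local).items():
        reply = Packet(pkt.proto, local, peer, pkt.dport)
        report[name] = (evaluate(inbound_acl, pkt) == "permit",
                        evaluate(outbound_acl, reply) == "permit")
    return report


# Constructed ACLs. The first one treats 50/51 as TCP ports, so ESP and AH never match.
ACL_PORTS_ONLY = """
permit udp any host 1.1.1.1 eq isakmp
permit tcp any host 1.1.1.1 eq 50
permit tcp any host 1.1.1.1 eq 51
"""
# Correct inbound form: ESP and AH get their own protocol keywords.
ACL_FROM_INTERNET = """
permit udp host 192.0.2.2 host 1.1.1.1 eq isakmp
permit esp host 192.0.2.2 host 1.1.1.1
permit ahp host 192.0.2.2 host 1.1.1.1
"""
# Return path with AH deliberately missing, so the check flags it as blocked outbound.
ACL_TO_INTERNET = """
permit udp host 1.1.1.1 host 192.0.2.2 eq isakmp
permit esp host 1.1.1.1 host 192.0.2.2
"""

if __name__ == "__main__":
    print("ESP through port-only ACL:",
          evaluate(parse_acl(ACL_PORTS_ONLY), Packet(50, PEER_IP, LOCAL_IP)))
    for flow, (in_ok, out_ok) in check_bidirectional(
            parse_acl(ACL_FROM_INTERNET), parse_acl(ACL_TO_INTERNET), PEER_IP, LOCAL_IP).items():
        print(f"{flow:6} inbound={'ok' if in_ok else 'BLOCKED'} return={'ok' if out_ok else 'BLOCKED'}")
```

Running it reports the ESP packet as denied by the port-only ACL, and the bidirectional check shows ISAKMP and ESP permitted both ways while AH is blocked on the return path, which is the asymmetry Ciaron warns about. Since ESP is an IP protocol, not a TCP or UDP service, no `eq` clause can ever select it; the numeric form `permit 50 any host 1.1.1.1` is equivalent to the `esp` keyword.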

