[EMAIL PROTECTED] wrote:
> 
> I've been working on trying to eliminate the variables on each side of the
> VPN....  The unfortunate thing is, the other side is home, so I usually wait
> until the late evening/night to work on the remote side....  That's also the
> reason for the "frustrating" comment earlier.  I know I could SSH into it,
> but, this isn't the only project I've been working on (as I'm sure a lot of
> you can relate)...  So I'm going to hopefully wrap it up by this weekend.

No problem, but do let us know what you learn! :-) Thanks. A few more
comments below...
> 
> One of the main issues I was running into was the remote network was
> subnetted from the main network so the ACLs got a little confusing.

I was thinking that ACLs might be related to the problem. On the crypto ACL
that defines interesting packets that must be protected by IPSec, you have
to get addresses and any protocols, ports, etc., just right. It doesn't help
that PIX doesn't do the mask the same as IOS. While troubleshooting, you
might want to make this access list pretty general purpose using big blocks
of addresses and not worrying about ports.

Now, don't confuse this with general-purpose access lists. This crypto
access list is just for defining traffic that must be protected.

> So I've changed the IP scheme on the remote side...  This also brings me to
> another question; a rather newbie one, what other ports should be open
> (beside 500)?  I received an email from someone saying 50 & 51, does that
> sound right?  If

That's a different issue from the crypto access list, but also very
important (although, from what you were saying about your symptoms earlier,
I don't think that's the problem). But it's possible for IPSec to fail
because general-purpose access lists are denying the UDP port used by
ISAKMP, which is 500.

In addition, you should make sure that IP protocol types 50 and 51 are
allowed. These are used by IPSec's Encapsulating Security Payload and
Authentication Header, respectively. They aren't UDP or TCP port numbers;
they are IP protocol numbers.

I also read this confusing warning in the VPN book I'm reading. It could be
relevant:

By default, all IPSec traffic is disallowed through the PIX Firewall. A NAT
and conduit/access list must exist for IPSec traffic to flow through the
firewall, as in any other traffic flow. However, if a crypto map is assigned
to an interface, IPSec traffic for that map is allowed to bypass the
adaptive security algorithm.

So, you're probably OK, there, but maybe not. Why DO they make these things
so complicated? :-) Keep us posted. Thank you!

Priscilla

> you have the, "allow any out and return in", settings for firewall rules...
> Do the ports still need to be opened (I would think not since there is the
> nat0 command?)?  The other issue I'm looking into is the MTU size....
> 
> Once I establish the tunnel and maintain connectivity I'll let y'all know
> what I find....
> 
> Thanx for the help,
> mkj
> 
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, August 01, 2002 2:54 PM
> To: [EMAIL PROTECTED]
> Subject: RE: VPN not connecting [7:50144]
> 
> 
> Lidiya White wrote:
> > 
> > Capture debugs on both ends at the same time. Should be more
> > helpful.
> > Make sure both ends have "isakmp identify address"...
> > 
> > -- Lidiya White
> 
> Sounds like a good idea. So Mike, what was the problem? It sure would help
> those of us learning IPSec to hear how you resolved the issue. Thanks.
> 
> Priscilla
> 
> 
> > 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> > Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Tuesday, July 30, 2002 4:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VPN not connecting [7:50144]
> > 
> > The ACLs are mirrors of each other and the transform sets match....
> > Very frustrating....
> > 
> > -----Original Message-----
> > From: Silju Pillai [mailto:[EMAIL PROTECTED]] 
> > Sent: Tuesday, July 30, 2002 2:29 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VPN not connecting [7:50144]
> > 
> > 
> > Hi,
> > 
> > Pls check the interesting traffic configured (access list) at both
> > ends. Your transform set parameters too. It should be the same.
> > 
> > As you are receiving IKMP_no_error your isakmp policies are working
> > fine.
> > 
> > regards
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50483&t=50144
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]