Hi Silju,

If my understanding of IPSEC is correct... his initial IKE (isakmp) negotiation - phase-1 exchange has completed, this is used to set up the exchange of the IPSEC proposals -- phase-2. So since phase-1 negotiations succeed (isakmp - udp500) but phase two proposals are never obtained it may be that the IPSEC (protocol 50/51) somewhere between himself and the remote VPN endpoints is being filtered... consequently phase-1 keeps timing out waiting for acceptance of ipsec proposals.

The command "sysopt connection permit-ipsec" implicitly allows the IP protocols 50/51 and udp 500 through a pix firewall as long as there are matching crypto statements. You can turn this feature off if you want.. in which case you will have to explicitly allow those protocols through in your inbound access-list.

Have you ever thought of how you can filter what traffic someone from the other side of the VPN sends you?? By default on a pix you can't. You just define what is interesting to bring the tunnel up from your side, but you can't decide on what the remote end point will send you... sure you can be restrictive on your crypto access-list but you can't really stop it from getting into your network.. do you see the point I'm getting at??

rgds,
~Ciaron

-----Original Message-----
From: Silju Pillai [mailto:[EMAIL PROTECTED]]
Sent: 02 August 2002 15:41
To: [EMAIL PROTECTED]
Subject: RE: VPN not connecting [7:50144]

Hi,

Just wondering why you have to specifically open the ports 500, 50, 51. I have installed IPSec VPNs with PIX and Routers. I have never opened any port. In fact we have a VPN setup in my office itself. Believe me or not, with default ones it worked smoothly.

Also according to Mike he is receiving IKMP_NO_Error message. So his ISAKMP policies are matching between the locations. I think you have to check your transform sets, access lists and crypto maps which come in the second phase.

Mike, the following link will help you with sample configurations. You might have already gone through it, but still I am putting it here.
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec&s=Implementation_and_Configuration#Samples_%26_Tips

regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50535&t=50144
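Added illustration of the two points in the thread, not taken from Ciaron's or Silju's posts: how IKE (UDP 500), ESP (50) and AH (51) get past the outside interface either implicitly or through an explicit inbound access-list, and the crypto access-list that only selects what this side encrypts. It assumes PIX 6.x syntax, the constructed addresses 198.51.100.1 (local outside interface) and 203.0.113.2 (remote peer), constructed private subnets 10.1.0.0/16 and 10.2.0.0/16, and a placeholder pre-shared key; lines beginning with ":" are comments.

```cisco
: Option A (PIX default): keep the implicit permit. With matching crypto map
: entries, UDP/500, ESP and AH from the peer bypass the outside access-list.
sysopt connection permit-ipsec

: Option B: turn the implicit permit off and allow the protocols explicitly,
: restricted to the known peer (203.0.113.2, constructed) and the local
: outside address (198.51.100.1, constructed). Anything else is dropped.
no sysopt connection permit-ipsec
access-list outside_in remark IKE phase 1 and phase 2 (ISAKMP) from the peer
access-list outside_in permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
access-list outside_in remark IPsec data channel (ESP, AH) from the peer
access-list outside_in permit esp host 203.0.113.2 host 198.51.100.1
access-list outside_in permit ah host 203.0.113.2 host 198.51.100.1
access-group outside_in in interface outside

: Crypto access-list: "interesting" traffic that brings the tunnel up and is
: encrypted by this side. It does not filter what the remote end decides to
: send once the SA is established, which is Ciaron's point above.
access-list vpn_to_branch permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
: Exempt tunnel traffic from NAT so the private addresses survive end to end.
nat (inside) 0 access-list vpn_to_branch

: Phase 2 (IPsec) parameters: transform set and crypto map bound to outside.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_branch
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside

: Phase 1 (ISAKMP) parameters: must match the peer's policy exactly.
isakmp enable outside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

With Option B in place, "show access-list outside_in" hit counts on the udp/500 line versus the esp line give a quick read on whether phase 1 traffic arrives but the data channel never does.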

