Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1447
Views
0
Helpful
1
Replies

VPN is not coming UP

vipinrajrc
Participant
Participant

‎09-15-2011 11:28 PM - edited ‎03-11-2019 02:25 PM

Hi Experts,

I have a PIX515E. I need to create a vpn to my clients office. PIX is alerady having two VPN, among two one is a dynamic VPN to a dynamic IP of netgear router.

I tried to create a new IPSEC vpn to a gateway loadbalancer.Device is PLANET MH2001. It is our client premises.

It has two gateway(public IP). Configuration in MH2001 is pretty simple. and i have completed it.

I have also completed configuration in PIX using ASDM. But the VPN is not up till now.

I have checked the logs in MH2001-->

"S2SVPN" #3701: max number of retransmissions (0) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message”

But in PIX side i didnt get log yet. I gave " sh isakmp sa" "sh ipsec sa" But it is not showing anything.... No IKE phase....

As i said MH2001 has two public IPs. and one LAN range. But i configured tunnel-group to only one public IP.

Still Nothing.. no isakmp phase for this VPN....

What should be reason???

Please see the below configuration i Have done.

Did i configure anything wrong??? or do i need to add anything more???? Please suggest...........

A.A.A.A and B.B.B.b are the two public IPs of MH2001.

access-list outside_2_cryptomap extended permit ip <insidelocal> 255.255.255.128 <outsidelocal> 255.255.255.0
access-list inside_nat0_outbound extended permit ip <insidelocal> 255.255.255.128 <outsidelocal> 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside <outsidelocal> 255.255.255.0 A.A.A.A 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set New_Trfm_Dyn_S2S esp-3des esp-sha-hmac


crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer B.B.B.B
crypto map outside_map 2 set transform-set New_Trfm_Dyn_S2S
crypto map outside_map 3 match address outside_2_cryptomap
crypto map outside_map 3 set peer A.A.A.A
crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto isakmp identity address
crypto isakmp enable outside

crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 3600


tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
pre-shared-key *

tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
pre-shared-key *

Thanks

Vipin

Thanks and Regards, Vipin
Labels:
0 Helpful
1 Reply 1

Parminder Sian
Beginner
Beginner

‎09-18-2011 09:08 PM

Hi Vipin,

To begin with, I do not see command " crypto map outside_map interface outside" in your config.

Also, have a look at following links:-

For new vpn tunnel:-

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

To add new vpn tunnel on PIX with existing config:-

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

Hope this helps,

Sian

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents