cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
371
Views
0
Helpful
4
Replies

ISAKMP fails to start

dennylester
Level 1
Level 1

I am attempting to establish a VPN between a Pix515e and a Cisco 7206VXR router. I have no control of the 7206VXR as it is owned by another company.

I'm trying to setup a LAN to LAN VPN, actually a server on my end, to a Class C on the other end. The requirement is my internal server needs to use one of my public addresses when communicating through the VPN to this remote subnet.

I have NAT setup to NAT my server's internal address to a public address when the traffic is destined for this remote subnet. The ACL counter for this NAT translation increments when I ping from my server to the remote side, so it appears this is working.

I have another ACL used by my IPSec setup to define interesting traffic. This ACL uses my NATTED public address and the remote subnet to define what is interesting. When I ping I see the counter on this ACL incrementing.

Now for the problem, when I run debug crypto isakmp I get nothing, except for what's happening with my other VPN's.

I am stumped, even though interesting traffic is apparently being seen, what could be causing the Pix to not attempt the key exchange at all?

Denny

4 Replies 4

andrew.prince
Level 10
Level 10

Denny,

Have you assigned the interesting traffic ACL to the crypto map? Are you making sure you are no natting, to the remote end?

Post your config for review, sanitised of course!

HTH>

Richard Burts
Hall of Fame
Hall of Fame

Denny

Is it possible that something is not matching up right in your config? Could the access list specified in the crypto map not quite match the identifier of the access list?, Is it possible that the peer address used in configuring the shared key is not quite the same as the peer address in the crypto map? Is it possible that packets source from the address used by IPSec do not have IP connectivity to the peer address?

HTH

Rick

HTH

Rick

Hello,

I want to thank you both for responding.

I was 100% sure everything was setup correctly. It was surprising that nothing was showing while running debug.

While Googling the issue the VPN ended up coming up after an hour or so. Perhaps the remote end was down.

Thank you again for responding. If you have any insight on why the debug mode wasn't showing anything, I'd be interested in hearing about it.

Denny

Are you receiving routes for the 'destination' of the VPN via a dynamic routing protocol?

It could be that you did not know how to reach the other end of the VPN, therefore the VPN was not kicking in. As soon as it came up, the VPN encr/decr started.

Regards

Farrukh