09-30-2008 03:47 AM - edited 02-21-2020 03:58 PM
Hello,
I have this initial config with one L2L VPN to a Zyxel ZyWALL 2 Plus firewall.
Logs on the PIX seem to be right, but no data (ping, SSH, HTTP, or other)
comes from or goes to the remote ZyWALL.
10-01-2008 01:02 AM
Try adding the below:-
crypto isakmp identity address
remove the below
isakmp keepalive disable
from all l2l tunnel ipsec-attributes
Then re-establish all tunnels and post the output from show crypto ipsec sa.
10-01-2008 01:04 AM
Also add:-
route outside 192.168.122.0 255.255.255.0 192.168.1.5
route outside 192.168.131.0 255.255.255.0 192.168.1.5
route outside 192.168.151.0 255.255.255.0 192.168.1.5
route outside 192.168.188.0 255.255.255.0 192.168.1.5
10-01-2008 02:47 AM
The only one that is up now is "Address C", but still there is no traffic passing.
Following is the output of the command show crypto ipsec sa:
interface: outside
Crypto map tag: outside_map, seq num: 30, local addr: 192.168.1.5
access-list outside_cryptomap_30 permit ip 192.168.100.0 255.255.255.0 192.168.151.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: "Address site C"
#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 60, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.5, remote crypto endpt.: "Address site C"
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D2283656
inbound esp sas:
spi: 0x203405A6 (540280230)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 415, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 28286
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xD2283656 (3525850710)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 415, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 28286
IV size: 8 bytes
replay detection support: Y
10-01-2008 03:09 AM
The fact that:-
#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Also what is slightly worrying is:-
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
I would expect to see this from a remote CLIENT connection, not a site to site, but again it could be something to do with the remote end equipment.
Indicates to me the issue is with the remote end. I would start to troubleshoot with assistance of the remote end IT support.
HTH
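As an added illustration (not part of the thread, and not Cisco's own tooling), the script below parses `show crypto ipsec sa` text and applies the two checks the last reply makes by eye: a counter pattern of encaps > 0 with decaps = 0 (the local side encrypts, nothing ever comes back), and a negotiated remote ident that does not match the destination of the crypto-map ACL (here the wildcard 0.0.0.0/0.0.0.0, which is what a client-style policy proposes rather than a site-to-site subnet). The sample output is constructed from the post above with a placeholder peer address; the function and field names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the output posted in the thread; the peer
# address 203.0.113.10 is a documentation placeholder, not a real endpoint.
SAMPLE_ONE_WAY = """\
interface: outside
    Crypto map tag: outside_map, seq num: 30, local addr: 192.168.1.5

      access-list outside_cryptomap_30 permit ip 192.168.100.0 255.255.255.0 192.168.151.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Constructed healthy counterpart: idents match the ACL and traffic flows both ways.
SAMPLE_HEALTHY = """\
interface: outside
    Crypto map tag: outside_map, seq num: 30, local addr: 192.168.1.5

      access-list outside_cryptomap_30 permit ip 192.168.100.0 255.255.255.0 192.168.151.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.151.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
      #pkts decaps: 58, #pkts decrypt: 58, #pkts verify: 58
      #send errors: 0, #recv errors: 0
"""

SA_HEADER = re.compile(r"Crypto map tag: (?P<map>\S+), seq num: (?P<seq>\d+), local addr: (?P<local>\S+)")
ACL_LINE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
IDENT_LINE = re.compile(r"(local|remote) ident .*: \((\S+?)/(\S+?)/(\d+)/(\d+)\)")
PEER_LINE = re.compile(r"current_peer: (\S+)")
COUNTERS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}


def parse_ipsec_sa(text: str) -> List[Dict]:
    """Split 'show crypto ipsec sa' output into one dict per crypto-map entry."""
    entries: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_HEADER.search(line)
        if m:
            cur = {"map": m.group("map"), "seq": int(m.group("seq")), "local_addr": m.group("local")}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = ACL_LINE.match(line)
        if m:
            cur["acl"] = m.group(1)
            cur["acl_src"] = (m.group(2), m.group(3))
            cur["acl_dst"] = (m.group(4), m.group(5))
            continue
        m = IDENT_LINE.match(line)
        if m:
            cur[m.group(1) + "_ident"] = (m.group(2), m.group(3))
            continue
        m = PEER_LINE.match(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        for key, pat in COUNTERS.items():
            m = pat.search(line)
            if m:
                cur[key] = int(m.group(1))
    return entries


def diagnose(sa: Dict) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for one SA, mirroring the reply's reasoning."""
    findings: List[Tuple[str, str]] = []
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc > 0 and dec == 0:
        findings.append(("ONE_WAY_TRAFFIC",
                         f"{enc} packets encrypted towards {sa.get('peer')} but 0 decrypted: "
                         "the remote end is not returning ESP, so look there first"))
    if "acl_dst" in sa and "remote_ident" in sa and sa["remote_ident"] != sa["acl_dst"]:
        findings.append(("REMOTE_IDENT_MISMATCH",
                         f"crypto ACL {sa.get('acl')} expects {sa['acl_dst']} but the peer negotiated "
                         f"{sa['remote_ident']}; 0.0.0.0/0.0.0.0 is a client-style policy, not site-to-site"))
    return findings


if __name__ == "__main__":
    for label, text in (("one-way", SAMPLE_ONE_WAY), ("healthy", SAMPLE_HEALTHY)):
        for sa in parse_ipsec_sa(text):
            print(label, sa["map"], sa["seq"], diagnose(sa) or "no findings")
```

Run it against the real output by reading the pasted text from a file instead of the constructed samples; a tunnel that shows encaps climbing while decaps stays at 0 after re-establishing is the signature of a problem on the far side or on the return path, and a remote ident that differs from the crypto ACL destination points at the peer's policy definition.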