PIX 515e: more than one l2l VPN doesn't work

riccardoaccetta
Level 1

Hello,

I have this initial config with one l2l VPN to a Zyxel Zywall 2plus firewall.

Logs on the PIX seem to be right, but no data (ping, ssh, http, or other) comes from or goes to the remote Zywall.

18 Replies

Try adding the below:-

crypto isakmp identity address

remove the below

isakmp keepalive disable

from all l2l tunnel ipsec-attributes

Then re-establish all tunnels - and post the output from show crypto ipsec sa

Also add:-

route outside 192.168.122.0 255.255.255.0 192.168.1.5

route outside 192.168.131.0 255.255.255.0 192.168.1.5

route outside 192.168.151.0 255.255.255.0 192.168.1.5

route outside 192.168.188.0 255.255.255.0 192.168.1.5

The only one that is up now is the "Address C", but still there is no traffic passing.

Following is the output of the command show crypto ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 30, local addr: 192.168.1.5

access-list outside_cryptomap_30 permit ip 192.168.100.0 255.255.255.0 192.168.151.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: "Address site C"

#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 60, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.5, remote crypto endpt.: "Address site C"

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: D2283656

inbound esp sas:

spi: 0x203405A6 (540280230)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 415, crypto-map: outside_map

sa timing: remaining key lifetime (sec): 28286

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xD2283656 (3525850710)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 415, crypto-map: outside_map

sa timing: remaining key lifetime (sec): 28286

IV size: 8 bytes

replay detection support: Y

The fact that:-

#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Also what is slightly worrying is:-

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

I would expect to see this from a remote CLIENT connection - not a site to site, but again it could be something to do with the remote end equipment.

Indicates to me the issue is with the remote end. I would start to troubleshoot with assistance of the remote end IT support.

HTH
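The reply above reads the show crypto ipsec sa output by hand: encaps counters climbing while decaps stays at zero means traffic is encrypted towards the peer but nothing ever comes back, and a remote ident of 0.0.0.0/0.0.0.0 on a site-to-site SA is a selector mismatch rather than a proper L2L negotiation. The script below is an added example, not code from the thread or from Cisco, that automates exactly that triage over a constructed sample modelled on the posted output. The second crypto-map entry (seq 10) and the 203.0.113.x peer addresses are invented placeholders for contrast; the finding codes and the parsing regexes are my own assumptions about the output layout shown in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the PIX "show crypto ipsec sa" output in the
# thread. seq 30 mirrors the posted one-way tunnel with a wildcard remote
# selector; seq 10 is an invented healthy tunnel for contrast. Peer addresses
# are documentation-range placeholders, not the poster's real addresses.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 30, local addr: 192.168.1.5

      access-list outside_cryptomap_30 permit ip 192.168.100.0 255.255.255.0 192.168.151.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.0.113.30

      #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      in use settings ={L2L, Tunnel, PFS Group 2, }

    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.5

      access-list outside_cryptomap_10 permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.122.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118

      in use settings ={L2L, Tunnel, PFS Group 2, }
"""


@dataclass
class SaSummary:
    seq: int
    peer: str
    local_ident: str
    remote_ident: str
    acl_dst: Optional[str]   # "net/mask" from the crypto ACL, if present
    encaps: int
    decaps: int
    l2l: bool
    findings: List[str] = field(default_factory=list)


def _grab(pattern: str, text: str, default: str = "") -> str:
    """Return the first capture group of pattern in text, or default."""
    m = re.search(pattern, text)
    return m.group(1).strip() if m else default


def parse_ipsec_sa(output: str) -> List[SaSummary]:
    """Split the output into one record per crypto-map entry."""
    sas: List[SaSummary] = []
    for chunk in re.split(r"(?=Crypto map tag:)", output):
        if not chunk.startswith("Crypto map tag:"):
            continue   # header text before the first map entry
        acl = re.search(r"access-list \S+ permit ip \S+ \S+ (\S+) (\S+)", chunk)
        sas.append(SaSummary(
            seq=int(_grab(r"seq num: (\d+)", chunk, "0")),
            peer=_grab(r"current_peer: (.+)", chunk),
            local_ident=_grab(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk),
            remote_ident=_grab(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk),
            acl_dst=f"{acl.group(1)}/{acl.group(2)}" if acl else None,
            encaps=int(_grab(r"#pkts encaps: (\d+)", chunk, "0")),
            decaps=int(_grab(r"#pkts decaps: (\d+)", chunk, "0")),
            l2l="L2L" in _grab(r"in use settings =\{([^}]*)\}", chunk),
        ))
    return sas


def triage(sa: SaSummary) -> List[str]:
    """Apply the three checks the thread's reply performs by eye."""
    findings = []
    if sa.encaps > 0 and sa.decaps == 0:
        # We encrypt towards the peer but never decrypt anything back:
        # the remote side is not sending (or not matching) return traffic.
        findings.append("ONE_WAY")
    if sa.l2l and sa.remote_ident.startswith("0.0.0.0/0.0.0.0"):
        # A wildcard remote selector is normal for a remote-access client,
        # not for a site-to-site tunnel.
        findings.append("WILDCARD_REMOTE")
    if sa.acl_dst and not sa.remote_ident.startswith(sa.acl_dst):
        # The negotiated proxy ID does not match the local crypto ACL.
        findings.append("SELECTOR_MISMATCH")
    return findings


def analyze(output: str) -> List[SaSummary]:
    sas = parse_ipsec_sa(output)
    for sa in sas:
        sa.findings = triage(sa)
    return sas


if __name__ == "__main__":
    for sa in analyze(SAMPLE_OUTPUT):
        status = ", ".join(sa.findings) if sa.findings else "OK"
        print(f"seq {sa.seq} peer {sa.peer}: encaps={sa.encaps} decaps={sa.decaps} -> {status}")
```

Run against the real device output (paste it into SAMPLE_OUTPUT or read it from a file), the seq 30 entry reports ONE_WAY, WILDCARD_REMOTE and SELECTOR_MISMATCH, which is the same conclusion the reply reaches: the local PIX is doing its part, so the next step is the remote selector and routing configuration.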