PIX VPN implementation

d.jursik
Level 1

Hi All,

I'm running a PIX 520 with 6.1(2) and I have some questions. First, I have three tunnels: one to an IOS box, one to a Linux FreeS/WAN and one to an Intermate VPN 2000. All of them work, but I noticed a strange thing.

The IKE negotiation with the last 2 tunnels works ONLY if the remote peer starts the tunnel?!? If I clear the SA on the PIX, the PIX tries to establish the tunnel, but without any success. Any ideas?

And I also have another question regarding the implementation of DPD on the PIX for remote clients. It seems that if one packet gets lost, the PIX is not able to answer the next DPD request (ID+1) and the connection is dropped. Is there any way to disable DPD at all? I'm using Unified 3.1 and 3.5 clients. Thanks a lot.

2 Replies

cjacinto
Cisco Employee

On the first question, it is possible that not all the phase 1 (IKE) attributes being passed by the PIX to the 3rd party device are being understood by it.

You have to enable the debugs on the remote peers and see which attributes are not acceptable to the remote peer. You could also double check the configuration.

On the issue of DPD, it is on all the time and cannot be disabled. It is a way of detecting a dead peer so that the SA is automatically cleared, which prevents any stale SA that could present issues when the client reconnects. Normally the SA is torn down when it doesn't get a reply to 3 consecutive DPD R-U-THERE messages.

Thanks, but there are not so many things you can change on the PIX ... I see on the remote sites that they are ignoring some of the vendor payload, but I can't see which.

For DPD, I don't understand why the PIX just doesn't resynchronize if it gets number + 1 because one packet was lost, and instead says: wrong number. The client always sends the DPD request with number + 1, not with the same number for which it didn't receive an answer.
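The sequence-number problem discussed in this thread, as an added model that is not part of the original posts and not PIX or client code: a strict responder that only acknowledges the exact next R-U-THERE sequence number (the behaviour the poster describes) is compared with a tolerant one that accepts any higher number, and the initiator tears the SA down after 3 unanswered probes (the count given in the reply). The probe loss, the tolerant policy and the helper names are assumptions for illustration.

```python
# Toy model of IKEv1 DPD (RFC 3706) R-U-THERE handling; constructed example, not
# PIX or VPN-client code. A strict responder acks only seq == last + 1 (the
# behaviour the thread describes); a tolerant one acks any seq > last. The
# initiator clears the SA after MAX_MISSES unanswered probes (the reply's count).
from dataclasses import dataclass, field

MAX_MISSES = 3  # consecutive unanswered R-U-THERE probes before the SA is cleared


@dataclass
class Responder:
    strict: bool        # True: require seq == last_seen + 1; False: seq > last_seen
    last_seen: int = 0  # highest R-U-THERE sequence number acknowledged

    def r_u_there(self, seq: int) -> bool:
        """Return True if an R-U-THERE-ACK is sent for this sequence number."""
        accept = seq == self.last_seen + 1 if self.strict else seq > self.last_seen
        if accept:
            self.last_seen = seq
        return accept


@dataclass
class Initiator:
    seq: int = 0        # sequence number of the last probe sent, always increments
    misses: int = 0     # consecutive probes without an ACK
    sa_up: bool = True
    log: list = field(default_factory=list)  # (seq, acked) per probe sent

    def probe(self, peer: Responder, lost: bool = False) -> None:
        """Send one R-U-THERE; lost=True simulates the probe never reaching the peer."""
        if not self.sa_up:
            return
        self.seq += 1
        acked = (not lost) and peer.r_u_there(self.seq)
        self.misses = 0 if acked else self.misses + 1
        self.log.append((self.seq, acked))
        if self.misses >= MAX_MISSES:
            self.sa_up = False  # peer declared dead, SA cleared


def run(strict: bool, probes: int = 8, lost_at: int = 3) -> Initiator:
    """Send `probes` R-U-THEREs, losing the one whose sequence number is lost_at."""
    peer, me = Responder(strict=strict), Initiator()
    for _ in range(probes):
        me.probe(peer, lost=(me.seq + 1 == lost_at))
    return me


print("strict SA up:", run(True).sa_up, "| tolerant SA up:", run(False).sa_up)
```

With one lost probe the strict responder never accepts another number and the SA is cleared after three misses, while the tolerant responder resynchronizes on the next probe.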