PIX VPN Sanity Check

mpitts
Level 1

I have a customer who has two sites with PIX 506E units. They were installed at different times, by different folks. Each has VPN for remote access and that is working fine.

They recently added a Point-to-Point T-1 connection between the two sites and then added configuration for a Point-to-Point VPN tunnel between the sites as a backup route for the T-1.

The VPN tunnel between the two PIXs does not appear to be functioning (i.e. no security associations established) and I have not been able to determine what the problem is. I have been looking at the attached configurations, and comparing them to examples in the documentation, and they seem to be correct. I fear I have been looking at them too long and am missing something. I would appreciate another opinion.

The customer is also concerned that when they connect through remote access VPN they are unable to connect to resources at the other site, but it seems to me that the ACL that is defining interesting traffic for the VPN tunnel would make that impossible.

Thanks,

Mike

3 Replies

jmia
Level 7

Mike,

I had a quick look at the config provided and see a few mismatches. One thing that would be really helpful would be a debug output:

> debug crypto ipsec

> debug crypto isakmp

Let me know if you need further help.

Jay

Jay,

Could you tell me what you see mis-matched? That might resolve the problem. I would need to schedule some time with the customer anyway, and if I couldn't clear it up I would be able to do some debugging. I don't have any remote access to them presently.

Mike

aftermath
Level 1

Check your pre-shared keys on both ends. Usually the "sanity check errors" indicate a mismatch in the preshare.

HTH