02-13-2007 05:47 AM - edited 02-21-2020 02:52 PM
I have a PIX501 at a remote site (213.x.x.186).
I had to install a Linksys VPN router at another remote site and VPN between the two.
I configured the Linksys in my office on a static IP (84.x.x.14) and remotely configured the PIX; I got these working fine.
I have since installed the Linksys at the other remote site and changed the static IP (213.x.x.235).
On the PIX I reconfigured:
crypto map transam 1 set peer 213.x.x.235
isakmp key ******** address 213.x.x.235 netmask 255.255.255.255 no-xauth no-config-mode
On the PIX "show crypto ipsec sa" shows:
interface: outside
Crypto map tag: transam, local addr. 213.x.x.186
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 84.x.x.14:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 88, #pkts encrypt: 88, #pkts digest 88
#pkts decaps: 83, #pkts decrypt: 83, #pkts verify 83
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 213.x.x.186, remote crypto endpt.: 84.x.x.14
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
This output shows the connection to my office still, and the Linksys connected in the remote site will not re-establish a connection.
show crypto isakmp sa shows:
Total : 1
Embryonic : 0
dst src state pending created
213.x.x.186 213.x.x.235 QM_IDLE 0 0
I've tried clearing this entry with "clear crypto ipsec sa peer" and it will not disappear and reestablish with the new configuration.
Can anyone throw me some suggestions?
02-13-2007 01:07 PM
Hi,
When you do 'show crypto map' you should see something like:
crypto map transam interface
do a
no crypto map transam interface
and
crypto map transam interface
It should resolve the problem. Please do not forget to clear the SAs.
HTH,
Kamal
02-14-2007 03:42 AM
Thanks for your help,
The issue actually turned out to be my boss changing the local subnet on the Linksys to be 192.168.101.0, when it was initially 192.168.1.0.
I only changed the access-lists on the PIX but also needed to change local secure group on the PIX.
Thanks anyways mate.
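
Added example (not part of the thread and not Cisco tooling): a Python check that parses the "show crypto ipsec sa" lines quoted in the first post and flags the three symptoms visible there, namely the old peer still listed, the remote ident still on the old subnet, and an outbound SPI of 0. The function names and the /24 mask for 192.168.101.0 are assumptions.

```python
import ipaddress
import re

# Excerpt of the "show crypto ipsec sa" output quoted in the first post
# (addresses masked exactly as on the page).
SAMPLE = """\
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 84.x.x.14:500
#pkts encaps: 88, #pkts encrypt: 88, #pkts digest 88
current outbound spi: 0
"""

def _ident(text, side):
    """Return the local/remote proxy identity as an ip_network, or None."""
    m = re.search(side + r" ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") if m else None

def parse_ipsec_sa(text):
    """Pull out the fields that matter after a peer or subnet change."""
    peer = re.search(r"current_peer:\s*([^\s:]+)", text)
    spi = re.search(r"current outbound spi:\s*([0-9a-fA-F]+)", text)
    return {
        "local": _ident(text, "local"),
        "remote": _ident(text, "remote"),
        "peer": peer.group(1) if peer else None,
        "spi": int(spi.group(1), 16) if spi else None,
    }

def audit(sa, want_peer, want_remote):
    """Compare the parsed SA entry with what the far end is expected to be."""
    findings = []
    if sa["peer"] != want_peer:
        findings.append(f"stale peer: {sa['peer']} (expected {want_peer})")
    if sa["remote"] != ipaddress.ip_network(want_remote):
        findings.append(f"remote ident {sa['remote']} does not match {want_remote}")
    if not sa["spi"]:
        findings.append("outbound SPI is 0: no IPsec SA is established")
    return findings

if __name__ == "__main__":
    # /24 for the new Linksys subnet is an assumption; the thread gives no mask.
    for line in audit(parse_ipsec_sa(SAMPLE), "213.x.x.235", "192.168.101.0/24"):
        print(line)
```
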