Hi, I am trying to set up a VPN between a PIX-515E v7.0(7) and a Checkpoint NG. Phase 1 and 2 are up, but traffic isn't going out of the PIX, i.e. mtrs show traffic going out onto the internet and not across the VPN.
sh crypto ipsec sa detail | b FW2 shows a temporary access list "access-list OO_temp_IPSEC11 permit ip host FW1 host FW2"; instead I would have expected ACL1 as per other VPNs we have, i.e. permit ip object-group 400 host REMOTE. Any help would be appreciated... Thanks

IP address/schematic: LAN (NAT) > FW1 > IPSec > FW2 > REMOTE (class C real IP)

object-group network 400
 network-object host LAN
!
access-list IPSec extended permit tcp any any eq 21
access-list IPSec extended permit tcp any any eq 11551
access-list IPSec extended permit tcp any any eq 3305
access-list IPSec extended permit icmp any any echo
access-list IPSec extended permit esp host FW2 host FW1
access-list IPSec extended permit udp host FW2 host FW1 eq 500
access-list IPSec extended deny ip any any log
!
access-list ACL1 extended permit ip object-group 400 host REMOTE
access-list ACL1 extended deny ip any any log
!
crypto ipsec transform-set ACL1_IPSEC esp-aes-256 esp-sha-hmac
!
crypto map IPSEC 11 match address ACL1
crypto map IPSEC 11 set connection-type originate-only
crypto map IPSEC 11 set peer FW2
crypto map IPSEC 11 set transform-set ACL1_IPSEC
crypto map IPSEC 11 set security-association lifetime seconds 3600
crypto map IPSEC 11 set reverse-route
crypto map IPSEC interface outside
!
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption aes-256
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 64800
isakmp nat-traversal 1000
isakmp identity address
isakmp enable outside
!
group-policy ACL1 internal
group-policy ACL1 attributes
 vpn-filter value IPSec
!
tunnel-group FW2 general-attributes
 default-group-policy ACL1
tunnel-group FW2 type ipsec-l2l
tunnel-group FW2 ipsec-attributes
 isakmp keepalive disable
 pre-shared-key KEY
!
access-list OSPF_ONLY standard permit host REMOTE
!
route-map OSPF_ONLY permit 10
 match ip address OSPF_ONLY
!
router ospf 2
 redistribute static subnets route-map OSPF_ONLY

sh crypto isakmp sa detail | b FW2

3   IKE Peer: FW2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 64800
    Lifetime Remaining: 64770

sh vpn-sessiondb l2l

Connection   : FW2
Index        : 2                      IP Addr      : FW2
Protocol     : IPSecLAN2LAN           Encryption   : AES256
Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 15:48:48 UTC Mon Jun 16 2008
Duration     : 0h:04m:46s
Filter Name  : GXS_IPSec

pix-SP-1# sh crypto ipsec sa detail | b FW2

access-list OO_temp_IPSEC11 permit ip host FW1 host FW2
  local ident (addr/mask/prot/port): (FW1/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (FW2/255.255.255.255/0/0)
  current_peer: FW2

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
  #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
  #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
  #pkts invalid prot (rcv): 0, #pkts verify failed: 0
  #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
  #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
  #pkts replay failed (rcv): 0
  #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
  #pkts internal err (send): 0, #pkts internal err (rcv): 0

  local crypto endpt.: FW1, remote crypto endpt.: FW2
  path mtu 1500, ipsec overhead 74, media mtu 1500
  current outbound spi: 61270EDA

  inbound esp sas:
    spi: 0x7C043FC7 (2080653255)
      transform: esp-aes-256 esp-sha-hmac none
      in use settings ={L2L, Tunnel, }
      slot: 0, conn_id: 4210, crypto-map: IPSEC
      sa timing: remaining key lifetime (kB/sec): (3825000/2844)
      IV size: 16 bytes
      replay detection support: Y
  outbound esp sas:
    spi: 0x61270EDA (1629949658)
      transform: esp-aes-256 esp-sha-hmac none
      in use settings ={L2L, Tunnel, }
      slot: 0, conn_id: 4210, crypto-map: IPSEC
      sa timing: remaining key lifetime (kB/sec): (3825000/2844)
      IV size: 16 bytes
      replay detection support: Y

Crypto map tag: ras_map, seq num: 6, local addr: FW1

Sam
--
Sam Hall
Robert Wiseman & Sons
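The symptom in the post is that the IPsec SA was negotiated with host-to-host proxy identities (the OO_temp access list) and zero packet counters, rather than the LAN-to-REMOTE selectors that ACL1 defines. The following is an added example, not code from the poster or from Cisco: a small parser for the relevant lines of `sh crypto ipsec sa detail` that compares the negotiated selectors against the expected crypto ACL and flags the mismatch. The sample output is constructed to mirror the post, using the poster's FW1/FW2/LAN/REMOTE placeholders.

```python
import re

# Constructed sample, modelled on the `sh crypto ipsec sa detail` output in the post.
SAMPLE_SA_OUTPUT = """\
access-list OO_temp_IPSEC11 permit ip host FW1 host FW2
  local ident (addr/mask/prot/port): (FW1/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (FW2/255.255.255.255/0/0)
  current_peer: FW2
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# "local ident (...): (ADDR/MASK/PROT/PORT)" -> side, address, mask
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) ", re.M)


def parse_ipsec_sa(text):
    """Extract the ACL name, proxy identities and encaps/decaps counters of one SA."""
    info = {"acl": None, "local": None, "remote": None, "encaps": 0, "decaps": 0}
    acl = ACL_RE.search(text)
    if acl:
        info["acl"] = acl.group(1)
    for side, addr, mask in IDENT_RE.findall(text):
        info[side] = (addr, mask)
    for name, value in COUNTER_RE.findall(text):
        info[name] = int(value)
    return info


def check_sa(info, expected_acl, expected_local, expected_remote):
    """Return a list of findings; empty means the SA matches the intended crypto ACL."""
    findings = []
    if info["acl"] != expected_acl:
        findings.append(f"SA built from {info['acl']}, not {expected_acl}")
    if info["local"] != expected_local:
        findings.append(f"local selector {info['local']} != expected {expected_local}")
    if info["remote"] != expected_remote:
        findings.append(f"remote selector {info['remote']} != expected {expected_remote}")
    if info["encaps"] == 0 and info["decaps"] == 0:
        findings.append("no packets encapsulated or decapsulated on this SA")
    return findings


if __name__ == "__main__":
    # ACL1 in the post: object-group 400 (host LAN) to host REMOTE.
    sa = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    for finding in check_sa(sa, "ACL1", ("LAN", "255.255.255.255"), ("REMOTE", "255.255.255.255")):
        print("FINDING:", finding)
```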