Hi mike, Could be that IPSEC is being filtered out by one of the intermediary providers. Would explain why your ike negotiation is working but ipsec never gets established.
worth checking. rgds, C ----- Original Message ----- From: "supernet" To: Sent: Friday, August 02, 2002 3:08 AM Subject: RE: VPN not connecting [7:50144] > I've seen VPN problems between PIXs, Cisco routers and VPN-1s. Sometimes > everything seems to be right but it doesn't work. Remove "crypto map" > and add them back may help. At least, it helped me twice. > > HTH. > Yoshi > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of > [EMAIL PROTECTED] > Sent: Thursday, August 01, 2002 2:40 PM > To: [EMAIL PROTECTED] > Subject: RE: VPN not connecting [7:50144] > > I've been working on trying to eliminate the variables on each side of > the > VPN.... The unfortunate thing is, the other side is home, so I usually > wait > until the late evening/night to work on the remote side.... That's also > the > reason for the "frustrating" comment earlier. I know I could SSH into > it, > but, this isn't the only project I've been working on (as I'm sure a lot > of > you can relate)... So I'm going to hopefully wrap it up by this > weekend. > > One of the main issues I was running into was the remote network was > subnetted from the main network so the ACLs got a little confusing. So > I've > changed the IP scheme on the remote side... This also brings me to > another > question; a rather newbie one, what other ports should be open(beside > 500)? > I received an email from someone saying 50 & 51, does that sound right? > If > you have the, "allow any out and return in", settings for firewall > rules... > Do the ports still need to be opened (I would think not since there is > the > nat0 command?)? The other issue I'm looking into is the MTU size.... > > Once I establish the tunnel and maintain connectivity I'll let y'all > know > what I find.... > > Thanx for the help, > mkj > > -----Original Message----- > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] > Sent: Thursday, August 01, 2002 2:54 PM > To: [EMAIL PROTECTED] > Subject: RE: VPN not connecting [7:50144] > > > Lidiya White wrote: > > > > Capture debugs on both ends at the same time. Should be more > > helpful. > > Make sure both ends have "isakmp identify address"... > > > > -- Lidiya White > > Sounds like a good idea. So Mike, what was the problem? It sure would > help > those of learning IPSec to hear how you resolved the issue. Thanks. > > Priscilla > > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On > > Behalf Of > > [EMAIL PROTECTED] > > Sent: Tuesday, July 30, 2002 4:05 PM > > To: [EMAIL PROTECTED] > > Subject: RE: VPN not connecting [7:50144] > > > > The ACLs are mirrors of each other and the transform sets > > match.... > > Very > > frustrating.... > > > > -----Original Message----- > > From: Silju Pillai [mailto:[EMAIL PROTECTED]] > > Sent: Tuesday, July 30, 2002 2:29 PM > > To: [EMAIL PROTECTED] > > Subject: RE: VPN not connecting [7:50144] > > > > > > Hi, > > > > Pls check the interesting traffic configured > > (access list) configured at both ends. Your transform set > > parameters > > too. It > > should be same. > > > > As you are receiving IKMP_no_error your isakmp policies are > > working > > fine. > > > > regards Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50522&t=50144 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
