Routing issue - IPSEC and PIX

Hi all, I am sure this is a routing issue, as all signs show that the SAs are established and the IPsec tunnel has been established correctly.

From my router at home (dummy IPs inserted, with 1.1.1.1 being the office and 2.2.2.2 being my home router):

sh crypto isakmp sa
dst             src             state    conn-id slot status
1.1.1.1         2.2.2.2         QM_IDLE  2       0    ACTIVE

sh crypto sess
Crypto session current status

Interface: Dialer0
Session status: UP-NO-IKE
Peer: 1.1.1.1 port 500
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.200.0/255.255.252.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: Virtual-Access2
Session status: DOWN
Peer: 1.1.1.1 port 500
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.200.0/255.255.252.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.100.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: Dialer0
Session status: UP-IDLE
Peer: 1.1.1.1 port 500
  IKE SA: local 2.2.2.2/500 remote 1.1.1.1/500 Active

From the PIX 515E v6.3(4):

sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    1.1.1.1           2.2.2.2       QM_IDLE         0           1

As shown above, it all looks good.

On my home router it's just a default route for all traffic out of Dialer0. My home router's LAN interface is 10.10.10.1/24. The remote subnets are 192.168.26.0/24 and 192.168.100.0/24. Access lists are all correct and NAT is set to bypass traffic destined between these subnets, but for the hell of me I cannot ping either end.

More info: the 3750 router/switch is set to route 10.10.10.0/24 out 192.168.100.37, the inside i/f of the PIX, via a static route. The 3750 is running RIP, and the 10.0.0.0 network is part of this for other 10.0.0.0 subnets that go out the WAN through another router (a 2811). Here is the sh route from the PIX:

outside 0.0.0.0    0.0.0.0       1.1.1.2     1 OTHER static
inside  10.0.0.0   255.255.0.0   10.200.3.18 1 OTHER static
outside 10.10.10.0 255.255.255.0 1.1.1.2     1 OTHER static

The config of my router:

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key thesharedkey address 2.2.2.2
!
!
crypto ipsec transform-set aff-ts esp-3des esp-md5-hmac
!
!
crypto map aff-ho 20 ipsec-isakmp
 set peer 2.2.2.2
 set security-association lifetime seconds 86400
 set transform-set aff-ts
 match address 101

The PIX config:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

If anyone can offer any assistance, it would be most appreciated.

Scott


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.