I have a problem with my IPSec tunnel on PIX 506, 6.3(3), here is the IPSec tunnel configuration:
access-list ipsec-o permit ip 10.0.9.0 255.255.255.0 172.16.64.0
255.255.240.0 crypto ipsec transform-set o-3des-sha esp-3des esp-sha-hmac crypto map internet 880 ipsec-isakmp crypto map internet 880 match address ipsec-o crypto map internet 880 set pfs group2 crypto map internet 880 set peer YYY.YYY.YYY.YYY crypto map internet 880 set transform-set o-3des-sha isakmp key ******** address YYY.YYY.YYY.YYY netmask 255.255.255.255Every other IPSec tunnel is working, so I wonder if the problem is on the other side. Here is the part of the debug output, where XXX is my address and YYY is the address of the other side:
IPSEC(spi_response): getting spi 0x1a03b989(436451721) for SA from YYY.YYY.YYY.YYY to XXX.XXX.XXX.XXX for prot 3
return status is IKMP_NO_ERROR ISAKMP (0): retransmitting phase 2 (3/3). crypto_isakmp_process_block:src:YYY.YYY.YYY.YYY, dest:XXX.XXX.XXX.XXX spt:500 dpt:500 ISAKMP: phase 2 packet is a duplicate of a previous packet ISAKMP: resending last response ISAKMP (0): retransmitting phase 2 (4/4)... mess_id 0x63db3537 ISAKMP (0): retransmitting phase 2 (0/5)... mess_id 0x229c3253 ISAKMP (0): deleting SA: src YYY.YYY.YYY.YYY, dst XXX.XXX.XXX.XXX ISADB: reaper checking SA 0xc98944, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:YYY.YYY.YYY.YYY/500 Ref cnt decremented to:0 Total VPN Peers:1 VPN Peer: ISAKMP: Deleted peer: ip:YYY.YYY.YYY.YYY/500 Total VPN peers:0 crypto_isakmp_process_block:src:YYY.YYY.YYY.YYY, dest:XXX.XXX.XXX.XXX spt:500 dpt:500 ISAKMP: sa not found for ike msg
Any ideas?