I have used configurations from the Cisco Press textbooks and from the Cisco site with no luck.
I have verified crypto maps on both sides, transform sets and so on.
Are there any pointers anyone can give for this? All of my configs appear fine but the tunnel does not appear. As well I can never seem to ping from inside address to inside address on the peer - do I need to add in other routes?
Access-list 105 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
***Create the Crypto Map
Crypto map Houston 120 ipsec-isakmp
 Match address 105
 Set peer 219.221.75.150
 Set pfs group2
 Set transform-set 20
 Set security-association lifetime seconds 3600
***Apply the Crypto Map to Interface
Int e0
 Crypto map Houston
Houston PIX
Phew. I noted it all out before I began, but obviously I'm missing something. I never see the tunnel establish at all. Is it that I'm not defining traffic? Is it that I need to permit esp, ah and udp in access lists? Help, Help, Help!!!
There are only so many times I can look at the same configs. I have checked out the Cisco site and reread my Cisco Press book, but their examples do not seem to work as easily as they are laid out...or I am doing it wrong. :)
Thanks Everyone!
*I currently have nothing configured other than basic access to the internet on the 1710 router, but the PIX is already going. In my next reply here I will post what I am putting in. Perhaps someone can see the error of my ways; personally I'm pulling my hair out...

"None" wrote in message news:ANmKe.2743$ snipped-for-privacy@newssvr29.news.prodigy.net...
:vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
:dhcpd address 10.0.0.10-10.0.0.41 inside
Your dhcpd address range (to be assigned to inside IPs) overlaps with your VPNPool address range (to be assigned to outside PPTP dialins).
It is not common to use "dialin" to a dynamic IP address: you would normally want to "dialout" from a device with a dynamic IP.
:Here's what I am attempting to use to create the tunnel; on both sides...
:***Create the Crypto ACL *Must match at both ends
:Access-list 105 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
But it doesn't. You don't have a specific crypto ACL assigned on the PIX, so for each VPN group dialin, it is going to create a new temporary ACL with a host netmask, not a /24 netmask. That will mess up your tunnels.
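
Added example, not part of either post: a small Python check for the two problems raised in the reply above, namely crypto ACLs that are not mirror images at the two ends and address ranges that overlap. The router ACL and the dhcpd range are the ones quoted in the thread; the PIX ACL line and the VPN pool range are assumed values constructed for illustration.

```python
import ipaddress
import re

# Router ACL and dhcpd range are quoted from the thread.
ROUTER_ACL = "access-list 105 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255"
DHCPD_RANGE = "10.0.0.10-10.0.0.41"
# Assumed values, constructed for this example (not from the thread).
PIX_ACL = "access-list 105 permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0"
VPN_POOL_RANGE = "10.0.0.30-10.0.0.50"

ACL_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)


def to_net(addr, mask, wildcard):
    """Build a network; IOS routers use wildcard masks, the PIX uses netmasks."""
    if wildcard:
        inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_acl(line, wildcard):
    """Return (source, destination) networks from one 'permit ip' ACL line."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError(f"not a 'permit ip' ACL line: {line!r}")
    src, smask, dst, dmask = m.groups()
    return to_net(src, smask, wildcard), to_net(dst, dmask, wildcard)


def is_mirror(router_line, pix_line):
    """True when the router's source/destination are the PIX's destination/source."""
    r_src, r_dst = parse_acl(router_line, wildcard=True)
    p_src, p_dst = parse_acl(pix_line, wildcard=False)
    return r_src == p_dst and r_dst == p_src


def ranges_overlap(range_a, range_b):
    """True when two 'first-last' address ranges share at least one address."""
    (a_lo, a_hi), (b_lo, b_hi) = (
        [int(ipaddress.IPv4Address(p)) for p in r.split("-")]
        for r in (range_a, range_b))
    return max(a_lo, b_lo) <= min(a_hi, b_hi)


if __name__ == "__main__":
    print("ACLs mirror each other:", is_mirror(ROUTER_ACL, PIX_ACL))
    print("dhcpd and VPN pool overlap:", ranges_overlap(DHCPD_RANGE, VPN_POOL_RANGE))
```

A PIX-side entry with a host netmask (255.255.255.255) instead of the /24 fails the mirror check, which is the mismatch the reply describes.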