Help With 1710 to Pix 501 VPN Tunnel

I am having trouble establishing a tunnel between two sites. I'm not sure what I'm missing here. The first part is my Pix config, the second part is what I'm putting into both sides for the tunnel.

Here's My current config on the Pix:

Building configuration... : Saved : PIX Version 6.2(2) nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password VdNQtSmyp5pSIPcY encrypted passwd VdNQtSmyp5pSIPcY encrypted hostname superwall domain-name clock timezone EST -5 clock summer-time EDT recurring fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny 2000 names object-group service RemoteAssistance tcp description Remote Assistance Port port-object range 3389 3389 object-group service UPnP tcp port-object range 5000 5000 object-group network pos description POS Stations network-object host network-object host network-object host access-list inside_outbound_nat0_acl permit ip any access-list noweb deny tcp object-group pos any eq www access-list noweb permit ip any any pager lines 24 logging on logging timestamp logging trap informational logging host inside interface ethernet0 10baset interface ethernet1 10full mtu outside 1500 mtu inside 1500 ip address outside dhcp setroute ip address inside ip verify reverse-path interface outside ip verify reverse-path interface inside ip audit info action alarm ip audit attack action alarm ip local pool VPNPool pdm location inside pdm logging warnings 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 dns 0 0 access-group noweb in interface inside timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec sysopt connection permit-pptp no sysopt route dnat telnet inside telnet timeout 5 ssh timeout 5 vpdn group PPTP-VPDN-GROUP accept dialin pptp vpdn group PPTP-VPDN-GROUP ppp authentication mschap vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool vpdn group PPTP-VPDN-GROUP pptp echo 60 vpdn group PPTP-VPDN-GROUP client authentication local vpdn username bsmith password ********* vpdn username bsmitty password ********* vpdn enable outside dhcpd address inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside terminal width 80 Cryptochecksum:8b874c8b88d7786009a1ccb287287f05 : end [OK]

Here's what I am attempting to use to create the tunnel; on both sides...

Dallas Router

***Creating IKE Policy Crypto isakmp policy 100 Authentication pre-share Encryption 3des Hash md5 Group 2 Lifetime 86400

***Defining the Pre-shared Key & Peer

crypto isakmp key mrpix1 address

***Create the Transform-set

Crypto ipsec transform-set 20 esp-3des esp-md5-hmac

***Configure IPSec SA Lifetimes

Crypto ipsec security-association lifetime seconds 3600

***Create the Crypto ACL *Must match at both ends

Access-list 105 permit ip

***Create the Crypto Map

Crypto map Houston 120 ipsec-isakmp Match address 105 Set peer Set pfs group2 Set transform-set 20 Set security-association lifetime seconds 3600

***Apply the Crypto Map to Interface Int e0 Crypto map Houston Houston PIX

***Enable IKE

Isakmp enable outside

***Create IKE Policy

Isakmp policy 100 authentication pre-share Isakmp policy 100 encryption 3des Isakmp policy 100 group 2 Isakmp policy 100 hash md5 Isakmp policy 100 lifetime 3600 Isakmp identity address Isakmp enable outside

***Configure Pre-Shared Key

Isakmp key mrpix1 address netmask

***Do not nat traffic across tunnel nat (inside) 0 access-list 105

***Create A Crypto Access List

Access-list 105 permit ip

***Configure a Transform-Set

Crypto ipsec transform-set 20 esp-3des esp-md5-hmac

***Configure IPSec SA Lifetime

Crypto ipesc security-association lifetime seconds 3600

***Create Crypto Map

Crypto map Dallas 10 ipsec-isakmp Crypto map Dallas 10 match address 105 Crypto map Dallas 10 set transform-set 20 Crypto map Dallas 10 set peer Crypto map Dallas 10 interface outside

***Bypass traffic checking through tunnel

Sysopt connection permit-ipsec

Phew. I noted it all out before I began, but obviously I'm missing something. I never see the tunnel establish at all. Is it that I'm not defining traffic? Is it that I need to permit esp, ah and udp in access lists? Help, Help, Help!!!

There is only so many times I can look at the same configs. I have checked out the cisco site and reread my Cisco Press book, but their examples do not seem to work as easily as they are laid out...or I am doing it wrong. :)

Thanks Everyone!

*I currenlty have nothing configured other than basic access to the internet on the 1710 router, but the pix is already going. In my next reply here I will post what I am putting in. Perhaps someone can see the err of my ways; personally I'm pulling my hair out...
Reply to
B. Gray
Loading thread data ... Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.