More VPN routing issues... )-:

So I have 2 PIXs that connect via the internet via IPSec Preshared Keys LAN-to-LAN

HQ 10.1.x.x SF 10.2.x.x 10.6.x.x

Not sure what happened to the configs, but we were originally working from 10.1 to 10.2 and not from 10.1 to 10.6

I made some corrections to my Lifetime values and all was good in the world.

Then a month or so later, I can no longer go from 10.1 to 10.2 though from 10.1 to 10.6 works great.

What can I do to troubleshoot this?

Thanks, Scott

Firstly I am really a router person - the pix is a whole new ball game. Well, in my view a new 'can of worms' really. Lots of it is similar though.

For the VPN to "work" you need the following:-

  1. - Communications between the two pixes for IPSEC traffic.
  2. - IPSEC Security Association - established
  3. - Valid routes in both directions from end host to end host.
  4. - pix firewall allowing traffic.
  5. - maybe some other stuff.

Clearly 1. is OK.

Next easiest to check are probably the validity of routes at all points in the path.

Re: 2. sh cry ip sa -

You have to check that the entries for your end points have operational SAs.

If the SA is up there are loads of counters about bytes and lifetimes; if not, none. I don't have a pix or IPSEC router to look at now.

sh ip route ! displays the routing.

Exactly what is not working. From both ends:

  sh run
  sh ip route
  sh cry ip sa ! - (or whatever the command really is on a pix)

You should sanitise the information removing KEYS, user IDs, passwords, and mangling external IP addresses.

You can "capture" packets to a buffer and look at them later. There are various debugs. debug crypto ipsec ! maybe

Double check if there's any conflict with routes and also the crypto acl.

To capture the traffic, do the following:

  access-list capture1 permit ip 10.1.x.x 10.2.x.x
  capture capt1 interface inside access-list capture1

verify: show capture capt1
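As an added example (not from anyone in this thread), a small script that reads the output of the SA check above and classifies each subnet pair the crypto ACL should protect: no SA at all (step 2 failing), encaps but no decaps (the far end is not routing back or its crypto ACL does not mirror ours), an idle SA, or a healthy one. The sample output and its field layout are constructed assumptions loosely modelled on the PIX "show crypto ipsec sa" format.

```python
import re

# Constructed sample, loosely modelled on PIX "show crypto ipsec sa" output (an assumption,
# not a real device). 10.1 -> 10.2 encapsulates but never decapsulates; 10.1 -> 10.6 is healthy.
SAMPLE_SA = """\
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.6.0.0/255.255.0.0/0/0)
    #pkts encaps: 540, #pkts encrypt: 540, #pkts digest 540
    #pkts decaps: 530, #pkts decrypt: 530, #pkts verify 530
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident.*?\(([\d.]+)/([\d.]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """One dict per SA: local/remote proxy identities plus encaps/decaps counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, net, mask = m.groups()
            if side == "local":            # a "local ident" line starts a new SA entry
                cur = {"local": f"{net}/{mask}", "remote": None, "encaps": 0, "decaps": 0}
                sas.append(cur)
            elif cur is not None:
                cur["remote"] = f"{net}/{mask}"
        elif cur is not None:
            for kind, n in COUNT_RE.findall(line):
                cur[kind] = int(n)
    return sas

def diagnose(sas, expected_pairs):
    """Map each (local, remote) pair from the crypto ACL to a verdict string."""
    by_pair = {(s["local"], s["remote"]): s for s in sas}
    verdicts = {}
    for pair in expected_pairs:
        s = by_pair.get(pair)
        if s is None:
            verdicts[pair] = "no SA"    # nothing negotiated for this pair (step 2)
        elif s["encaps"] and not s["decaps"]:
            verdicts[pair] = "one-way"  # we encrypt, nothing returns: far-end route / crypto ACL
        elif not s["encaps"] and not s["decaps"]:
            verdicts[pair] = "idle"     # SA up but no traffic is being selected into it
        else:
            verdicts[pair] = "ok"
    return verdicts
```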


