Firstly, I am really a router person - the PIX is a whole new ball game. Well, in my view a new 'can of worms' really. Lots of it is similar though.
For the VPN to "work" you need the following:-
1. Communications between the two PIXes for IPSEC traffic.
2. IPSEC Security Association established.
3. Valid routes in both directions from end host to end host.
4. PIX firewall allowing traffic.
5. Maybe some other stuff.
Clearly 1. is OK.
Next easiest to check are probably the validity of routes at all points in the path.
Re: 2. sh cry ip sa -
You have to check that the entries for your end points have operational SAs.
If the SA is up there are loads of counters about bytes and lifetimes; if not, none. I don't have a PIX or IPSEC router to look at now.
sh ip route ! displays the routing.
Post:-
Exactly what is not working, plus:
sh run
sh ip route
sh cry ip sa ! - (or whatever the command really is on a PIX)
from both ends.
You should sanitise the information, removing KEYS, user IDs and passwords, and mangling external IP addresses.
You can "capture" packets to a buffer and look at them later. There are various debugs. debug crypto ipsec ! maybe
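Since the poster has no PIX to hand, here is an added example (my own script, not part of the original post) that does the two checks the post asks for on a saved copy of the output: it reads `show crypto ipsec sa` output, reports for each end-point pair whether operational inbound and outbound SAs exist and whether the encaps/decaps counters show traffic flowing both ways, and then sanitises the text (keys, passwords, user IDs blanked, non-RFC1918 IPv4 addresses replaced by stable placeholders) so it is safe to post. The SAMPLE text is constructed for illustration and only approximates the PIX layout; the parser keys on the `local ident`, `remote ident`, `current_peer`, `#pkts encaps/decaps`, `#send errors`, `inbound/outbound esp sas` and `spi` lines, so check those line shapes against your own output before trusting it.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, approximating PIX `show crypto ipsec sa` output for two peers:
# the first is healthy, the second encapsulates traffic but never receives any back.
SAMPLE = """\
interface: outside
    Crypto map tag: vpnmap, local addr. 203.0.113.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer: 198.51.100.1:500
    #pkts encaps: 1234, #pkts encrypt: 1234, #pkts digest 1234
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify 1200
    #send errors 0, #recv errors 0
     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.1

     inbound esp sas:
      spi: 0x1f2e3d4c(523124044)
        sa timing: remaining key lifetime (k/sec): (4607999/3456)
     outbound esp sas:
      spi: 0x4c3d2e1f(1279077919)
        sa timing: remaining key lifetime (k/sec): (4607999/3456)

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   current_peer: 192.0.2.77:500
    #pkts encaps: 312, #pkts encrypt: 312, #pkts digest 312
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 192.0.2.77

     inbound esp sas:
      spi: 0x0a0b0c0d(168496141)
     outbound esp sas:
      spi: 0x0d0c0b0a(218893066)
"""


@dataclass
class PeerSA:
    """One local/remote network pair and what the PIX reports about its SAs."""
    local_net: str = ""
    remote_net: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    inbound_spis: list = field(default_factory=list)
    outbound_spis: list = field(default_factory=list)


def parse_ipsec_sa(text):
    """Split `show crypto ipsec sa` output into one PeerSA per `local ident` block."""
    peers, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("local") and "ident" in line:
            cur = PeerSA(local_net=line[line.rfind("(") + 1:line.rfind(")")])
            peers.append(cur)
            direction = None
        elif cur is None:
            continue
        elif line.startswith("remote") and "ident" in line:
            cur.remote_net = line[line.rfind("(") + 1:line.rfind(")")]
        elif line.startswith("current_peer"):
            cur.peer = line.split()[1].split(":")[0]  # drop the :500 port suffix
        elif line.startswith("#pkts encaps:"):
            cur.encaps = int(re.search(r"encaps:\s*(\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            cur.decaps = int(re.search(r"decaps:\s*(\d+)", line).group(1))
        elif line.startswith("#send errors"):
            cur.send_errors = int(re.search(r"send errors\s*(\d+)", line).group(1))
        elif line.endswith("sas:"):
            direction = line.split()[0] if "esp" in line else None  # inbound/outbound
        elif line.startswith("spi:") and direction:
            spi = line.split()[1].split("(")[0]
            (cur.inbound_spis if direction == "inbound" else cur.outbound_spis).append(spi)
    return peers


def assess(p):
    """Return the problems the post says to look for; [] means the SA looks healthy."""
    problems = []
    if not (p.inbound_spis and p.outbound_spis):
        problems.append("no operational SA: phase 2 never completed")
    if p.send_errors:
        problems.append("send errors: traffic matched the crypto ACL but was not sent")
    if p.encaps and not p.decaps:
        problems.append("one-way: we encapsulate but decapsulate nothing (far-end route/ACL?)")
    if p.decaps and not p.encaps:
        problems.append("one-way: we receive but never encapsulate (our route/ACL?)")
    return problems


# Addresses left untouched when sanitising: RFC1918 space plus 0.x/255.x (masks, any-address).
_KEEP = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8", "255.0.0.0/8")]
_KEY_RE = re.compile(r"^(\s*isakmp key)\s+\S+", re.M)          # keep the trailing address
_PW_RE = re.compile(r"^(\s*(?:enable password|passwd|username)).*$", re.M)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sanitise(text, mapping=None):
    """Blank secrets/user IDs and map external IPv4 addresses to EXT-IP-n placeholders."""
    mapping = {} if mapping is None else mapping
    text = _PW_RE.sub(r"\1 <REMOVED>", _KEY_RE.sub(r"\1 <REMOVED>", text))

    def swap(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)
        if any(addr in net for net in _KEEP):
            return m.group(0)
        return mapping.setdefault(m.group(0), f"EXT-IP-{len(mapping) + 1}")

    return _IPV4_RE.sub(swap, text), mapping


if __name__ == "__main__":
    report = "\n".join(f"{p.local_net} <-> {p.remote_net} via {p.peer}: {assess(p) or 'OK'}"
                       for p in parse_ipsec_sa(SAMPLE))
    clean, renamed = sanitise(SAMPLE + "\n" + report)  # one mapping keeps placeholders consistent
    print(clean)
```

Run it against a file you saved from each PIX (`parse_ipsec_sa(open(path).read())`) and post the sanitised text from both ends; because one mapping is reused for the SA output and the report, EXT-IP-1 means the same address everywhere in what you post, so helpers can still correlate the two sides.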