pix501 easy vpn to pix515

The goal is to create a tunnel between the LAN behind the 501 and the LAN behind a 515 running 7.2(1), via an Easy VPN (vpnclient) connection originating on the 501 and terminating on the 515.

The 501 is behind another router which provides PAT. I have tried both client and NEM mode, NAT-T UDP and TCP, and while I achieve L3 connectivity between the 501 and the remote LAN, there is no L3 connectivity between the two remote LANs.

What I see when I watch "sh crypto isakmp sa" from initiation is that the 501 seems to be attempting to bring up 2 or 3 tunnels (SAs), and, several minutes after one or more forms, it dies and the renegotiation begins.

Here's the IPsec part of the config on the headend PIX 515. llab is the tunnel group that's been working fine with the software vpnclient negotiating NAT-T TCP and UDP. llabevpn is an experimental group set up to try to get the 501 vpnclient connection to work.

...........
group-policy llabevpn internal
group-policy llabevpn attributes
 dns-server value 192.168.220.2
 vpn-idle-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel721
 split-dns value llab.com
 nem enable
group-policy llab internal
group-policy llab attributes
 dns-server value 192.168.220.2
 vpn-idle-timeout none
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel721
 split-dns value llab.com
...........
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3des-sha
crypto map map1 10 ipsec-isakmp dynamic dynmap
crypto map map1 interface pix-outside
crypto isakmp identity address
crypto isakmp enable pix-outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 15
tunnel-group llab type ipsec-ra
tunnel-group llab general-attributes
 address-pool vpnclients
 authorization-server-group LOCAL
 default-group-policy llab
tunnel-group llab ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15
tunnel-group llabevpn type ipsec-ra
tunnel-group llabevpn general-attributes
 address-pool vpnclients
 authorization-server-group LOCAL
 default-group-policy llabevpn
tunnel-group llabevpn ipsec-attributes
 pre-shared-key *

....here's a sample "sh crypto ipsec sa" on the 515. Note there are 4 SAs formed. My expectation was that I'd only see one, with a remote ident of 192.168.57.0/24 (the LAN behind the PIX 501) and a local ident of 192.168.220.0 (the LAN behind the PIX 515). 192.168.56.104 is the outside address of the 501.

...........................

Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x

  local ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.56.104/255.255.255.255/0/0)
  current_peer: x.x.x.x, username: jj
  dynamic allocated peer ip: 0.0.0.0

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

  path mtu 1500, ipsec overhead 58, media mtu 1500
  current outbound spi: C830E208

  inbound esp sas:
    spi: 0x13C4D5BE (331666878)
      transform: esp-3des esp-sha-hmac
      in use settings ={RA, Tunnel, }
      slot: 0, conn_id: 2154, crypto-map: dynmap
      sa timing: remaining key lifetime (sec): 28639
      IV size: 8 bytes
      replay detection support: Y
  outbound esp sas:
    spi: 0xC830E208 (3358646792)
      transform: esp-3des esp-sha-hmac
      in use settings ={RA, Tunnel, }
      slot: 0, conn_id: 2154, crypto-map: dynmap
      sa timing: remaining key lifetime (sec): 28639
      IV size: 8 bytes
      replay detection support: Y

Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x

  local ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.57.0/255.255.255.0/0/0)
  current_peer: x.x.x.x, username: jj
  dynamic allocated peer ip: 0.0.0.0

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

  path mtu 1500, ipsec overhead 58, media mtu 1500
  current outbound spi: 58DCD277

  inbound esp sas:
    spi: 0x595A6A5F (1499097695)
      transform: esp-3des esp-sha-hmac
      in use settings ={RA, Tunnel, }
      slot: 0, conn_id: 2154, crypto-map: dynmap
      sa timing: remaining key lifetime (sec): 28706
      IV size: 8 bytes
      replay detection support: Y
  outbound esp sas:
    spi: 0x58DCD277 (1490866807)
      transform: esp-3des esp-sha-hmac
      in use settings ={RA, Tunnel, }
      slot: 0, conn_id: 2154, crypto-map: dynmap
      sa timing: remaining key lifetime (sec): 28706
      IV size: 8 bytes
      replay detection support: Y

Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x

  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.221.6/255.255.255.255/0/0)
  current_peer: x.x.x.x, username: jj
  dynamic allocated peer ip: 192.168.221.6

  #pkts encaps: 35175, #pkts encrypt: 35175, #pkts digest: 35175
  #pkts decaps: 24681, #pkts decrypt: 24681, #pkts verify: 24681
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 35175, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt.: x.x.x.x/10000, remote crypto endpt.: x.x.x.x/52869

  path mtu 1500, ipsec overhead 94, media mtu 1500
  current outbound spi: EA76D22B

  inbound esp sas:
    spi: 0x45756873 (1165322355)
      transform: esp-3des esp-sha-hmac
      in use settings ={RA, Tunnel, TCP-Encaps, }
      slot: 0, conn_id: 2149, crypto-map: dynmap
      sa timing: remaining key lifetime (sec): 27905
      IV size: 8 bytes
      replay detection support: Y
  outbound esp sas:
    spi: 0xEA76D22B (3933655595)
      transform: esp-3des esp-sha-hmac
      in use settings ={RA, Tunnel, TCP-Encaps, }
      slot: 0, conn_id: 2149, crypto-map: dynmap
      sa timing: remaining key lifetime (sec): 27905
      IV size: 8 bytes
      replay detection support: Y

Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x

  local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (192.168.56.104/255.255.255.255/0/0)
  current_peer: x.x.x.x, username: jj
  dynamic allocated peer ip: 0.0.0.0

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt.: x.x.x.x, remote crypto endpt.:

  path mtu 1500, ipsec overhead 58, media mtu 1500
  current outbound spi: 06B31C7E

  inbound esp sas:
    spi: 0x8212EB42 (2182277954)
      transform: esp-3des esp-sha-hmac
      in use settings ={RA, Tunnel, }
      slot: 0, conn_id: 2154, crypto-map: dynmap
      sa timing: remaining key lifetime (sec): 28610
      IV size: 8 bytes
      replay detection support: Y
  outbound esp sas:
    spi: 0x06B31C7E (112401534)
      transform: esp-3des esp-sha-hmac
      in use settings ={RA, Tunnel, }
      slot: 0, conn_id: 2154, crypto-map: dynmap
      sa timing: remaining key lifetime (sec): 28610
      IV size: 8 bytes
      replay detection support: Y

lfnetworking
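An added example, not part of the original post and not Cisco code: a small Python parser for the "sh crypto ipsec sa" output quoted above. It pulls out each SA's local/remote idents, packet counters, SPIs and encapsulation flags, then applies the checks a troubleshooter wants when more SAs appear than expected: which entry (if any) is the expected LAN-to-LAN pair, which entries have never carried a packet, and which carry traffic in one direction only. The SAMPLE text is a constructed, abbreviated copy of the four entries in the post (x.x.x.x placeholders kept as they appear there); the expected LAN pair is the one the poster names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the four SA entries in the post
# (x.x.x.x placeholders kept as they appear there).
SAMPLE = """\
Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x
  local ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.56.104/255.255.255.255/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  inbound esp sas:
    spi: 0x13C4D5BE (331666878)
      in use settings ={RA, Tunnel, }
Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x
  local ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.57.0/255.255.255.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
  inbound esp sas:
    spi: 0x595A6A5F (1499097695)
      in use settings ={RA, Tunnel, }
Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.221.6/255.255.255.255/0/0)
  #pkts encaps: 35175, #pkts encrypt: 35175, #pkts digest: 35175
  #pkts decaps: 24681, #pkts decrypt: 24681, #pkts verify: 24681
  inbound esp sas:
    spi: 0x45756873 (1165322355)
      in use settings ={RA, Tunnel, TCP-Encaps, }
Crypto map tag: dynmap, seq num: 10, local addr: x.x.x.x
  local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (192.168.56.104/255.255.255.255/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  inbound esp sas:
    spi: 0x8212EB42 (2182277954)
      in use settings ={RA, Tunnel, }
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SETTINGS_RE = re.compile(r"in use settings =\{([^}]*)\}")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")


@dataclass
class IpsecSa:
    """One 'Crypto map tag' block of 'show crypto ipsec sa'."""
    local_addr: str = ""
    local_mask: str = ""
    remote_addr: str = ""
    remote_mask: str = ""
    encaps: int = 0
    decaps: int = 0
    flags: set = field(default_factory=set)   # e.g. {"RA", "Tunnel", "TCP-Encaps"}
    spis: list = field(default_factory=list)  # inbound then outbound SPI strings

    @property
    def local(self) -> str:
        return f"{self.local_addr}/{self.local_mask}"

    @property
    def remote(self) -> str:
        return f"{self.remote_addr}/{self.remote_mask}"


def parse_ipsec_sa(text: str) -> list:
    """Split the show output into IpsecSa records, one per 'Crypto map tag' header."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = IpsecSa()
            sas.append(cur)
            continue
        if cur is None:
            continue
        for side, addr, mask in IDENT_RE.findall(line):   # idents may share a line
            setattr(cur, f"{side}_addr", addr)
            setattr(cur, f"{side}_mask", mask)
        for which, count in PKTS_RE.findall(line):
            setattr(cur, which, int(count))
        m = SETTINGS_RE.search(line)
        if m:
            cur.flags.update(f.strip() for f in m.group(1).split(",") if f.strip())
        m = SPI_RE.search(line)
        if m:
            cur.spis.append(m.group(1))
    return sas


def find_lan_pair(sas: list, local_lan: str, remote_lan: str) -> list:
    """SAs whose idents are exactly the expected LAN-to-LAN pair ('addr/mask' strings)."""
    return [sa for sa in sas if sa.local == local_lan and sa.remote == remote_lan]


def idle_sas(sas: list) -> list:
    """SAs that have never encrypted or decrypted a packet."""
    return [sa for sa in sas if sa.encaps == 0 and sa.decaps == 0]


def one_way_sas(sas: list) -> list:
    """SAs with traffic in only one direction, e.g. decrypting but never encrypting."""
    return [sa for sa in sas if (sa.encaps == 0) != (sa.decaps == 0)]


def report(sas: list, local_lan: str, remote_lan: str) -> list:
    lines = []
    for i, sa in enumerate(sas, 1):
        kind = "host" if sa.remote_mask == "255.255.255.255" else "net"
        lines.append(f"SA{i}: {sa.local} -> {sa.remote} remote={kind} "
                     f"encaps={sa.encaps} decaps={sa.decaps} flags={sorted(sa.flags)}")
    lines.append(f"LAN-to-LAN SAs ({local_lan} <-> {remote_lan}): {len(find_lan_pair(sas, local_lan, remote_lan))}")
    lines.append(f"idle SAs: {len(idle_sas(sas))}, one-way SAs: {len(one_way_sas(sas))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_ipsec_sa(SAMPLE),
                           "192.168.220.0/255.255.255.0", "192.168.57.0/255.255.255.0")))
```

Run against the sample, the report shows exactly one SA for the expected 192.168.220.0/24 to 192.168.57.0/24 pair, and it is the one-way entry: 3 packets decapsulated, none encapsulated, so traffic from the 501's LAN arrived and was decrypted but nothing was sent back through that SA. The other three entries have /32 remote idents (the 501's outside address twice and the pool address 192.168.221.6 once), and two of them have never carried a packet. Checking the decaps/encaps asymmetry on the LAN pair first, rather than staring at the SA count, is the quickest way to narrow a "tunnel is up but the LANs can't talk" report to the return path on the head end.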

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.