In article , Jaime wrote:
:I do use a Cisco 1760 with VPN module
:Most of the site to site VPNs are Cisco based, although one of them is
:getting me crazy as there is no way of setting it with a SonicWall.
:The isakmp and IPSec phases look like they are established on the Cisco side, but
:when we send site to site traffic, the connection drops down and
:renegotiates phase 1 and 2.
- Check the syslogs carefully and ensure that there are no complaints about routes not being available.
- Turn on nat-traversal on both sides if you have not done so already.
- Ensure that the transform set for both sides is very similar. In particular, there can be VPN problems if one end requests AH, the other end does -not- request AH, and there is NAT in the middle. In that situation, the negotiations can sometimes get through (the non-NAT'd side tells the other side to go ahead with AH) but real traffic doesn't work (because the AH that then gets sent gets NAT'd). This is more of a problem if nat-traversal -is- turned on: without nat-traversal but with AH on, negotiations are more likely to get stuck than to get all the way through.
- Check the IPsec SAs on the 1700 and ensure that you are getting SAs for the connection. If not, then turn on crypto debugging on the 1700 and see at what point the negotiations fail. If one end is negotiating okay but the other end is not and is then tearing down the SAs, then the final leg of the negotiations isn't making it back. This can be a routing problem (as mentioned before), or it can be a very subtle problem with overlapping crypto match address ACLs (especially if the remote peer IP for one side happens to be an IP covered by one of the other ACLs).
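The last two checks in the reply (matching transform sets with AH-versus-NAT in mind, and crypto ACLs that overlap or cover another peer's address) are mechanical enough to script. The following Python is an added example, not code from the thread; the crypto map entries are constructed stand-ins for the relevant fields of a router's configuration (RFC 5737 documentation addresses), and the entry names and layout are this example's own, not a Cisco data format.

```python
"""Sanity checks for a site-to-site IPsec crypto map, modelled on the advice
in the thread: find peer addresses swallowed by another entry's crypto ACL,
find overlapping crypto ACLs, and compare transform sets with NAT in mind.

The CRYPTO_MAP below is constructed sample data, not a real configuration.
seq 20's destination network deliberately covers the peer address of seq 10,
and seq 30's destination sits inside seq 10's, to show both findings.
"""
import ipaddress

CRYPTO_MAP = [
    {"seq": 10, "peer": "203.0.113.10",
     "transform": {"esp-aes", "esp-sha-hmac"},
     "acl": [("10.1.0.0/16", "10.2.0.0/16")]},
    {"seq": 20, "peer": "198.51.100.7",
     "transform": {"esp-aes", "esp-sha-hmac"},
     "acl": [("10.1.0.0/16", "203.0.113.0/24")]},
    {"seq": 30, "peer": "192.0.2.5",
     "transform": {"esp-3des", "esp-md5-hmac"},
     "acl": [("10.1.0.0/16", "10.2.50.0/24")]},
]


def peers_covered_by_other_acls(crypto_map):
    """Return (entry_seq, covering_seq) pairs where an entry's remote peer IP
    falls inside the destination network of another entry's crypto ACL."""
    findings = []
    for entry in crypto_map:
        peer_ip = ipaddress.ip_address(entry["peer"])
        for other in crypto_map:
            if other is entry:
                continue
            if any(peer_ip in ipaddress.ip_network(dst) for _src, dst in other["acl"]):
                findings.append((entry["seq"], other["seq"]))
    return findings


def overlapping_acls(crypto_map):
    """Return (seq_a, seq_b) pairs whose crypto ACLs overlap in both source and
    destination; a packet matching both is handled by the lower sequence only."""
    findings = []
    for i, a in enumerate(crypto_map):
        for b in crypto_map[i + 1:]:
            overlap = any(
                ipaddress.ip_network(sa).overlaps(ipaddress.ip_network(sb))
                and ipaddress.ip_network(da).overlaps(ipaddress.ip_network(db))
                for sa, da in a["acl"] for sb, db in b["acl"])
            if overlap:
                findings.append((a["seq"], b["seq"]))
    return findings


def transform_set_issues(local, remote, nat_in_path):
    """Compare both ends' transform sets. Flags a mismatch, and flags any AH
    proposal when NAT sits between the peers: AH authenticates the outer IP
    header, so a NAT rewrite invalidates it even if negotiation succeeds."""
    issues = []
    if local != remote:
        issues.append("transform sets differ: local=%s remote=%s"
                      % (sorted(local), sorted(remote)))
    if nat_in_path and any(t.startswith("ah-") for t in local | remote):
        issues.append("AH proposed with NAT in the path; real traffic will fail")
    return issues


if __name__ == "__main__":
    print("peer covered by another ACL:", peers_covered_by_other_acls(CRYPTO_MAP))
    print("overlapping ACLs:", overlapping_acls(CRYPTO_MAP))
    # Constructed remote side for seq 10 that also proposes AH behind a NAT.
    print("transform issues:", transform_set_issues(
        CRYPTO_MAP[0]["transform"], {"ah-sha-hmac", "esp-aes"}, nat_in_path=True))
```

Run against real data, the sequence numbers it reports are the crypto map entries to inspect first when the debug output shows one side completing negotiation while the other tears the SAs down.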