I am troubleshooting why I cannot build a site-to-site VPN tunnel between a remote Linksys RV042 and a PIX 501. I presume that since my isakmp access-list statement shows no hits after clicking the connect button on the RV042, this means the PIX is not getting any isakmp packets. Is this correct or does the "sysopt connection permit-ipsec" statement mean that access-list processing is bypassed altogether (which would make this troubleshooting technique useless)?
With the permit-ipsec statement, I believe that no outbound access-list is needed; right?
access-list 100 permit 50 any any
access-list 100 permit 51 any any
access-list 100 permit udp any eq 500 any eq 500
access-group 100 in interface outside

show access-list 100
access-list 100; 9 elements
access-list 100 line 1 permit esp any any (hitcnt=0)
access-list 100 line 2 permit ah any any (hitcnt=0)
access-list 100 line 3 permit udp any eq isakmp any eq isakmp (hitcnt=0)
A section from the RV042 log follows. Does this provide any additional insight? I am especially interested in the second to last message. (The last message is odd since I'm not doing dynamic ipsec and aggressive mode is set on the RV042 anyway.)
[Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
initiating Aggressive Mode #10, connection "ips2"
Received Vendor ID payload Type = [Dead Peer Detection]
[Tunnel Negotiation Info]