Firewall Wizards mailing list archives

Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN


From: "Glenn Crissman" <gwcrissman () gmail com>
Date: Wed, 12 Sep 2007 23:08:24 -0400

First guess is check your NAT 0 access lists on both sides. If you don't
have an acl entry there matching your interesting traffic acl for the 515 /
501 L2L VPN it won't attempt to come up. The PIX will NAT the traffic (or at
least attempt to) before it hits the crypto engine.

On v6 do 'sh nat', on v7+ do 'sh run nat'. You're looking for the 'nat
(interface) 0 access-list ...' statement(s).

You might have already checked this but it's a first guess.

On 9/12/07, Jerry B. Altzman <jbaltz () altzman com> wrote:

Hi,

I wonder if any of you have encountered this problem before with
PIX<->PIX VPNs.

A client of mine has 3 firewalls: a Fortigate, a 515 and a 501. The 515
and FG already have an IPSec lan-to-lan VPN between them that works fine.

We'd like to set up a mesh of L2L VPNs, but first steps first: we need
to connect the 515 to the new 501.

I've gone through the configurations, followed the directions from
cisco's website, cleared everything out and done everything *but*
restarted the 515 (which is in production and might cause some
consternation if it were rebooted willy-nilly).

I've watched the logging output, and it doesn't seem that the 501/515
pair even attempt to do the phase 1 IPSec negotiations. It's just that
NOTHING happens at all.

Has anyone seen this? Any received wisdom on this? My search-engine-fu
must be weak, I've not managed to tease out a solution to this from the
all-seeing GoogleEye.

Thanks!

//jbaltz
--
jerry b. altzman        jbaltz () altzman com     www.jbaltz.com
thank you for contributing to the heat death of the universe.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
