PIX 515 to Linksys BEFSX41 VPN Site to Site

[rlyj]

Hi everyone,

I am trying to create a VPN tunnel between a PIX 515 and Linksys BEFSX41 router. The connection can be established successfully and I can access the machines in BEFSX41 network from machines in PIX network, but not the other way around. The only way I can make a machine(A) in BEFSX41 network to access a machine(B) in PIX network is to ping the A from B first. Then B can access A no problem.

Any ideas?

Thank in advance,
Randy

 

[yizhar]

HI.

It could be related to mismatching ISAKMP/IPSec timeout values.
Try to compare all ISAKMP+IPSec configuration at both peers.
Try to search this forum, I think this issue was discussed in the past.
Try some IPSec debugging at the pix (and the linksys):

http://www.cisco.com/warp/public/707/ipsec_debug.html

Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[rlyj]

Thanks for the reply.

Both devices have the same timeout value (isakmp policy 9 lifetime 3600). The debugging is enabled on PIX but I can't see anything wrong. Any other suggestions?

TIA,
Randy

 

[yizhar]

HI.

> Both devices have the same timeout value (isakmp policy 9 lifetime 3600).
This is NOT the only timeout value.
There are other timeout values, you should check them all.

Try the following command at the pix to see the default IPSec timeout values:
show crypto map

Look for:
Security association lifetime: ...........

But also look at the PFS configuration for both peers.

Bye


Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar