PIX to Vigor 2600G VPN NAT-T tunnel problem

[seggsy]

I have configured a Vigor 2600G router to create a VPN tunnel to a PIX 506 firewall (OS 6.3(3)). The PIX also has VPN Clients terminating there. The tunnel works whilst I have NAT-T disabled on the PIX. When I enable NAT-T which I need for my VPN Client users the tunnel fails.

Does anyone have experience of the above problem. I would like to be able to make an adjustment on the Vigor to to resolve this problem. I have looked on the Draytek website but information is scant.

Thanks for any help

Seggsy

 

[themut]

Since you have both LAN-to-LAN and VPN client tunnels, make sure your isakmp key for the LAN-to-LAN includes the keywords no-xauth no-config-mode:

isakmp key ******** address VV.XX.YY.ZZ no-xauth no-config-mode

 

[seggsy]

Apologies, I forgot to mention that I already have a tunnel established to another PIX which works fine without having to disable NAT-T. It is only to the Vigor that I experience this problem.

With respect to the no-xauth and no-config-mode on the isakmp key, I do have those entries.

Seggsy

 

[themut]

Well, that being the case I would look into simultaneous debugs at both ends to try to determine what is causing this behaviour. The debugs needed on the PIX are:

debug crypto isakmp
debug crypto ipsec

The link below will help you understand the debugs:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml