
VPN Trouble 1

Status
Not open for further replies.

adamf53

IS-IT--Management
Oct 28, 2006
20
US
Hello;
I'm having trouble with my VPN. I can connect successfully to the PIX; however, I don't receive any traffic. The sent counters increase, but received does not. The same goes for Decrypted packets. Encrypting is fine, but it's not decrypting.

Here is the config:


access-list 108 permit ip 10.1.1.0 255.255.255.0 192.168.4.1 255.255.255.255
ip address outside pppoe setroute
ip address inside 10.1.1.202 255.255.255.0
ip local pool vpntest 192.168.4.1
global (outside) 1 interface
nat (inside) 0 access-list 108
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside 10.1.1.0 255.255.0.0 10.1.1.200 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set trmset1 esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map map2 10 set transform-set trmset1
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap2 10 ipsec-isakmp dynamic map2
crypto map mymap2 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400




Any pointers would be greatly appreciated.
 
Here is the guide for 6x code

You have the crypto map entries all jumbled.

Remove all this and start over -
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set trmset1 esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map map2 10 set transform-set trmset1
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap2 10 ipsec-isakmp dynamic map2
crypto map mymap2 interface outside

and put in
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside

Now, you didn't put in your client VPN config, but it is in the guide and should look similar.

Now to add to this you will need a
route outside
I am not sure what this is for-
route inside 10.1.1.0 255.255.0.0 10.1.1.200 1
but double check the mask you are using.

Posting your whole config next time will be a lot more helpful. Just be sure to remove all the passwords and mask the middle 2 octets of the public IP.

Hope this helps.


Brent
Systems Engineer / Consultant
CCNP, CCSP
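
An offline check for the two problems the reply points out: the crypto map holding the client configuration address lines is not the one applied to the outside interface, and the route's network does not match its mask. This is an added example, not part of the original posts; the `lint` function and its messages are hypothetical, and it only understands the PIX 6.x line forms shown in the thread.

```python
import ipaddress

# Constructed sample: the route and crypto map lines from the config posted above.
POSTED = """\
route inside 10.1.1.0 255.255.0.0 10.1.1.200 1
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap2 10 ipsec-isakmp dynamic map2
crypto map mymap2 interface outside
"""


def lint(config):
    """Return findings for unbound crypto maps and network/mask mismatches."""
    findings = []
    defined, bound, client_cfg = set(), set(), set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["crypto", "map"] and len(tok) >= 4:
            name = tok[2]
            defined.add(name)
            if tok[3] == "interface":
                bound.add(name)
            elif tok[3:6] == ["client", "configuration", "address"]:
                client_cfg.add(name)
        elif tok[:1] == ["route"] and len(tok) >= 5:
            net, mask = tok[2], tok[3]
            try:
                # strict=True rejects a network address with host bits set
                ipaddress.ip_network(f"{net}/{mask}", strict=True)
            except ValueError:
                findings.append(f"route {tok[1]}: {net} does not match mask {mask}")
    for name in sorted(defined - bound):
        note = " (carries the client configuration address lines)" if name in client_cfg else ""
        findings.append(f"crypto map {name} is not applied to an interface{note}")
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
```

Run against the replacement crypto map lines from the reply, the crypto map finding disappears because `mymap` is then the map applied to `outside`.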
 