Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[neolith13]

Hi guys,

I've got some troubles to fix a ipsec tunnel between DFL 210 and Cisco Pix 501. In fact, tunnel can be up from dfl or pix 501, but i can have traffic only if the cisco is the first one to send request...

If pix 501 is the first device to send traffic, traffic will be ok from and to the 2 networks. But if i try to join pix 501 network from the DFL, without doing anything else from pix, it doesn't work

Help me please, i'll be crazy about that....

Here's my network conf :

192.168.0.0/24 rsx 1
172.16.10.0/24 rsx 2

rsx1 -- 192.168.0.254 (DFL 210 inside) - (DFL 210 outside) 192.168.1.154 -- 192.168.1.254 (Box provider) x.x.x.x ----- Internet ------ y.Y.Y.Y (Box provider) 172.16.12.254 -- 172.16.12.154 (Pix Outside) -(Pix inside) 172.16.10.254 -- rsx2

When i connect from rsx2 to rsx1, everything is working fine (ipsec tunnel up, and traffic ok)
When i connect from rsx1 to rsx2, ipsec tunnel is up, but no traffic at all. Just a ping from rsx2 and traffic become ok

[Fatman]

The NAT in front of your VPN firewalls is not making me feel better about this situation.  You may have a mismatch on NAT-T, DPD, or KA.  Other than that my every word out of my mouth is going to be that you need to do this without all that NAT.

[neolith13]

Thks Fatman for you answer... but VPN is up... box nat what i want, and tunnel is up and traffic is ok from network "rsx 2" to network "rsx 1"... But not from rsx1 to rsx2 if i don't send any packet from rsx2.....

If nat was a pb, no one of rsx2 or rsx1 can be able to send any traffic right

 

[Fatman]

Not necessarily, which is why I listed a set of things that may go wrong that may even be aggravated by that NAT.  For example NAT-T on one side can cause something that looks a whole lot like this.