Route My World!

A CCNA/CCNP Blog

« Add That to the Win Column
100th Post - Anniversary Edition »

Frustrated!

Posted by Aragoen Celtdra on September 5th, 2008

I’m about to smack a helpless dog from all this frustration. I’ve been trying to create an ipsec tunnel between a PIX and an Edgewater device on a remote location since yesterday and I’m not getting anywhere. Checked all my configs and checked them twice five times. Hmmmm………

Just kidding about smacking a helpless dog - for you dog-lovers out there. I meant to say a helpless cat. :D

This entry was posted on Friday, September 5th, 2008 at 2:56 pm and is filed under PIX/ASA, VPN. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

4 Responses to “Frustrated!”

  1. Joey BNo Gravatar Says:
    September 5th, 2008 at 3:02 pm

    Care to post some sample configs?  Extras eyes can be pretty helpful, understood if you’d rather not and all.

    G/l figuring it out!

  2. BarryNo Gravatar Says:
    September 6th, 2008 at 8:22 am

    At it again, are ya?  Have you tried setting the IKE & IPsec SA lifetime timers to 28800?  I find that non-Cisco devices like to use that timer. 

    Otherwise, what do the EdgeMarc Advanced->IKE-Proposal settings look like (i.e. 3DES-SHA1-MODP1024)?  Not sure how late/long you were working on this, but are you certain both sides match?

    HTH,
    B-

  3. Aragoen CeltdraNo Gravatar Says:
    September 6th, 2008 at 8:30 am

    Barry: You really are the man! I did, however, get it to work last night. And guess what? You hit it right on the head. When I finally discovered the “Advanced” setting, the default IKE proposal settings did read just as you said it did (3DES-SHA1-MODP1024). And because I couldn’t find a way to modify that, I just re-wrote a new IKE policy to match the policy on the EdgeMarc. And that was about 80% of the problem. You were also right about the timers defaulting to 28800. However, It didn’t seem to make a difference when I had the PIX set on 86400.

    Joey: Thanks for trying to help. For a while there I started doubting if I was reading my configs right because I’ve been working on it nonstop. I thought maybe I wasn’t seeing I was supposed to. It turns out that the config was a big part of the problem, as I mentioned above ;)

    If you’re interested, I posted my problem on techexams.net forum. You can see my partial configs there.

  4. Steve Says:
    September 6th, 2008 at 8:45 am

    what phase of the tunnel is not getting established? Commom issue is the SA times. Cisco is 86400 ( Phase 1) and 3600 (Phase 2) by default. Have you ran some debugs yet? 

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

« Add That to the Win Column
100th Post - Anniversary Edition »
 

Route My World! is Digg proof thanks to caching by WP Super Cache!