Comments on: Frustrated!

By: Steve

Steve — Sat, 06 Sep 2008 15:45:39 +0000

what phase of the tunnel is not getting established? Commom issue is the SA times. Cisco is 86400 ( Phase 1) and 3600 (Phase 2) by default. Have you ran some debugs yet?

By: Aragoen Celtdra

Aragoen Celtdra — Sat, 06 Sep 2008 15:30:27 +0000

Barry: You really are the man! I did, however, get it to work last night. And guess what? You hit it right on the head. When I finally discovered the “Advanced” setting, the default IKE proposal settings did read just as you said it did (3DES-SHA1-MODP1024). And because I couldn’t find a way to modify that, I just re-wrote a new IKE policy to match the policy on the EdgeMarc. And that was about 80% of the problem. You were also right about the timers defaulting to 28800. However, It didn’t seem to make a difference when I had the PIX set on 86400.

Joey: Thanks for trying to help. For a while there I started doubting if I was reading my configs right because I’ve been working on it nonstop. I thought maybe I wasn’t seeing I was supposed to. It turns out that the config was a big part of the problem, as I mentioned above

If you’re interested, I posted my problem on techexams.net forum. You can see my partial configs there.

By: Barry

Barry — Sat, 06 Sep 2008 15:22:55 +0000

At it again, are ya? Have you tried setting the IKE & IPsec SA lifetime timers to 28800? I find that non-Cisco devices like to use that timer.

Otherwise, what do the EdgeMarc Advanced->IKE-Proposal settings look like (i.e. 3DES-SHA1-MODP1024)? Not sure how late/long you were working on this, but are you certain both sides match?

HTH,
B-

By: Joey B

Joey B — Fri, 05 Sep 2008 22:02:37 +0000

Care to post some sample configs? Extras eyes can be pretty helpful, understood if you’d rather not and all.

G/l figuring it out!