First guess is check your NAT 0 access lists on both sides. If you don't
have an acl entry there matching your interesting traffic acl for the 515 /
501 L2L VPN it won't attempt to come up. The PIX will NAT the traffic (or at
least attempt to) before it hits the crypto engine.

On v6 do 'sh nat', on v7+ do 'sh run nat'. You're looking for the 'nat
(interface) 0 access-list ...' statement(s).

You might have already checked this, but it's a first guess.

On 9/12/07, Jerry B. Altzman wrote:
>
> Hi,
>
> I wonder if any of you have encountered this problem before with
> PIX<->PIX VPNs.
>
> A client of mine has 3 firewalls: a Fortigate, a 515 and a 501. The 515
> and FG already have an IPSec lan-to-lan VPN between them that works fine.
>
> We'd like to set up a mesh of L2L VPNs, but first steps first: we need
> to connect the 515 to the new 501.
>
> I've gone through the configurations, followed the directions from
> cisco's website, cleared everything out and done everything *but*
> restarted the 515 (which is in production and might cause some
> consternation if it were rebooted willy-nilly)
>
> I've watched the logging output, and it doesn't seem that the 501/515
> pair even attempt to do the phase 1 IPSec negotiations. It's just that
> NOTHING happens at all.
>
> Has anyone seen this? Any received wisdom on this? My search-engine-fu
> must be weak, I've not managed to tease out a solution to this from the
> all-seeing GoogleEye.
>
> Thanks!
>
> //jbaltz
> --
> jerry b. altzman jbaltz@altzman.com www.jbaltz.com
> thank you for contributing to the heat death of the universe.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards
>
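
As an added example (not from either poster), here is a small Python checker for the mismatch the reply describes: it parses a constructed PIX 6.x-style config and reports every crypto-map "match address" ACL entry that no `nat (interface) 0 access-list` entry covers. The config lines, ACL names and networks are constructed samples, not the client's configuration.

```python
import ipaddress
import re

# Constructed PIX 6.x-style config (sample, not from the original post).
SAMPLE_CONFIG = """
access-list NONAT permit ip 10.10.0.0 255.255.0.0 172.16.20.0 255.255.255.0
access-list TO_FG permit ip 10.10.0.0 255.255.0.0 172.16.20.0 255.255.255.0
access-list TO_501 permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map OUTSIDE_MAP 10 match address TO_FG
crypto map OUTSIDE_MAP 20 match address TO_501
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(config):
    """Return (acls, nat0_acl_names, crypto_acl_names) from a config text."""
    acls, nat0, crypto = {}, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, sip, smask, dip, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{sip}/{smask}"),
                    ipaddress.ip_network(f"{dip}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := CRYPTO_RE.match(line):
            crypto.add(m.group(1))
    return acls, nat0, crypto

def unexempted_crypto_entries(config):
    """Crypto-map ACL entries not fully covered by any nat 0 exemption entry.
    NAT runs before the crypto engine, so such flows are translated first and
    never match the interesting-traffic ACL, so the tunnel is never triggered."""
    acls, nat0, crypto = parse(config)
    exempt = [p for name in nat0 for p in acls.get(name, [])]
    missing = []
    for name in sorted(crypto):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((name, str(src), str(dst)))
    return missing

if __name__ == "__main__":
    for entry in unexempted_crypto_entries(SAMPLE_CONFIG):
        print("no nat 0 exemption for crypto ACL %s: %s -> %s" % entry)
```

Run it against the output of `sh run` (or `wr t`) from each peer; an empty result on both sides rules out the NAT-before-crypto cause, a non-empty one names the ACL entry to add to the exemption list.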