Hello,

I have been unable to reach the list site to look for any archives on this question, so I'll throw it out there. I'm trying to set up an IPSec VPN tunnel from a Cisco Router (on which I have several hundred successful site-to-site tunnels) running IOS 12.4(7) to a Symantec Raptor. Unfortunately, I can't really provide much detail about the Symantec because it's a customer/vendor's device. At one point the tunnel did work, but started failing, and now it fails when something behind the Symantec tries to initiate a tunnel, but not when something behind the Router initiates the tunnel.

To lay out some details (which have been obfuscated to protect identity and security):

Cisco side:
Inside IP: 10.1.1.25 (local subnet has routing to encr dom)
Outside IP: 1.2.3.4
Preshared key
P1: 3DES MD5 DH2
P2: 3DES MD5 no-pfs
Local encryption domain: 7.8.9.0/24 (public space)
Sample ACL for crypto map:
permit ip 7.8.9.0 0.0.0.255 host 172.16.10.56
permit ip 7.8.9.0 0.0.0.255 host 172.16.10.113
permit ip 7.8.9.0 0.0.0.255 host 172.16.10.78

Symantec Raptor side:
Inside IP: 172.16.10.254
Outside IP: 21.22.23.24
Preshared key
P1: 3DES MD5 DH2
P2: 3DES MD5 no-pfs
Local encryption domain: group containing 172.16.10.56, 172.16.10.113, 172.16.10.78
Remote encryption domain: 7.8.9.0 255.255.255.0

It used to work fine this way, with a single local group for the hosts on the Raptor side, and a subnet on the Cisco side, and each host had its own IPSec SA (tunnel) to the subnet on the Cisco side. Then the Raptor changed behavior and started to try to use any existing SA for any 1 of the 3 hosts to encrypt traffic for the other 2 when a system behind the Raptor was the initiator of traffic and negotiations. If the Cisco side initiates to all 3 separately, creating the SAs itself, then the tunnel works bi-directionally as it should, until the P2 SAs expire. At the moment, there is no way to identify what firmware change or config change on the Raptor caused this, so rolling things back is not a practical option (unless someone knows exactly what the issue is).

We tried disabling that group and tunnel (perhaps deleting it would be more thorough and a better test?) and creating 3 totally separate tunnels on the Raptor, using the same key, etc. as the 1 defined S-2-S tunnel on the Cisco, but a system behind the Raptor still cannot initiate a tunnel. As I said, perhaps deleting the old one (not just disabling it) is necessary.

I ran into the same issue with another customer/vendor using a Raptor, where they were using a group, and switching them to individual tunnels resolved the bi-directional initiation issues (it introduced some minor problems that I'm ignoring here).

Anyone have any experience with a Cisco to Raptor tunnel with a subnet and hosts (or anything like this) that could shed some light on this?


Nate
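
The following is an added illustration, not part of the original message and not code from either vendor. It models the per-host crypto ACL listed above together with the standard IPsec inbound selector check (RFC 4301) to show why traffic for one host does not fit an SA negotiated for another. The function names, the subset-matching rule and the sample destination 7.8.9.10 are assumptions made for the example, and whether this check is what breaks the Raptor-initiated case is also an assumption.

```python
import ipaddress
from typing import NamedTuple, Optional


class SA(NamedTuple):
    local: ipaddress.IPv4Network   # Cisco-side protected range
    remote: ipaddress.IPv4Network  # Raptor-side protected range


# Values taken from the message (already obfuscated by its author).
LOCAL_DOMAIN = ipaddress.ip_network("7.8.9.0/24")
RAPTOR_HOSTS = ("172.16.10.56", "172.16.10.113", "172.16.10.78")
# One entry per "permit ip 7.8.9.0 0.0.0.255 host <raptor host>" line.
CRYPTO_ACL = [SA(LOCAL_DOMAIN, ipaddress.ip_network(h + "/32")) for h in RAPTOR_HOSTS]


def match_proposal(local: str, remote: str, acl=CRYPTO_ACL) -> Optional[SA]:
    """Phase 2 model (simplified, assumption): the peer's proposed proxy IDs
    must fall inside a single ACL entry, otherwise no SA is built."""
    p_local = ipaddress.ip_network(local)
    p_remote = ipaddress.ip_network(remote)
    for entry in acl:
        if p_local.subnet_of(entry.local) and p_remote.subnet_of(entry.remote):
            return entry
    return None


def inbound_ok(sa: SA, src: str, dst: str) -> bool:
    """Inbound selector check: a decrypted packet must match the selectors
    of the SA it arrived on, or the receiver discards it."""
    return (ipaddress.ip_address(src) in sa.remote
            and ipaddress.ip_address(dst) in sa.local)


def reuse_report(established_host: str, dst: str = "7.8.9.10") -> dict:
    """Send traffic from every Raptor-side host over the one SA negotiated
    for established_host; report which flows pass the inbound check."""
    sa = match_proposal(str(LOCAL_DOMAIN), established_host + "/32")
    if sa is None:
        raise ValueError("proposal does not match any crypto ACL entry")
    return {h: inbound_ok(sa, h, dst) for h in RAPTOR_HOSTS}


if __name__ == "__main__":
    # Constructed scenario: only the SA for 172.16.10.56 exists and is reused.
    for host, ok in reuse_report("172.16.10.56").items():
        print(f"{host:15} over SA for 172.16.10.56 -> {'pass' if ok else 'drop'}")
```
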

_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn