Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN

---

• From: "Christopher J. Wargaski" <wargo1@xxxxxxxxx>
• Date: Wed, 12 Sep 2007 10:56:03 -0500

---

I have seen this when there is a routing problem. Can the 515 ping the
outside interface of the 501?

On 9/12/07, Jerry B. Altzman <jbaltz@xxxxxxxxxxx> wrote:

Hi,

I wonder if any of you have encountered this problem before with
PIX<->PIX VPNs.

A client of mine has 3 firewalls: a Fortigate, a 515 and a 501. The 515
and FG already have an IPSec lan-to-lan VPN between them that works fine.

We'd like to set up a mesh of L2L VPNs, but first steps first: we need
to connect the 515 to the new 501.

I've gone through the configurations, followed the directions from
cisco's website, cleared everything out and done everything *but*
restarted the 515 (which is in production and might cause some
consternation if it were rebooted willy-nilly)

I've watched the logging output, and it doesn't seem that the 501/515
pair even attempt to do the phase 1 IPSec negotiations. It's just that
NOTHING happens at all.

Has anyone seen this? Any received wisdom on this? My search-engine-fu
must be weak, I've not managed to tease out a solution to this from the
all-seeing GoogleEye.

Thanks!

//jbaltz
--
jerry b. altzman jbaltz@xxxxxxxxxxx www.jbaltz.com
thank you for contributing to the heat death of the universe.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

---

• Follow-Ups:
  • Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN
    • From: Jerry B. Altzman

• References:
  • [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN
    • From: Jerry B. Altzman

• Prev by Date: Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN
• Next by Date: Re: [fw-wiz] Isolating internal servers behind firewalls
• Previous by thread: Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN
• Next by thread: Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN
• Index(es):
  • Date
  • Thread

---

Relevant Pages Routing with multiple IPs ... I've got a routing problem that's more or less covered on the URL ... The eth2 interface will be for the ... ip, on the box the ping comes through the eth1 interface, when it ... should come from the eth2 interface, and the reply also goes out ... (comp.os.linux.networking) Re: Cisco 1401/routing ... I have a routing problem. ... The problem is that i can't reach a special web site. ... no ip directed-broadcast ... interface ATM0 ... (comp.dcom.sys.cisco) Re: Routing im 2000 Netz ... > Die Ping vom einen Netz ins andere gehen auch nicht durch, also kein DNS ... > Problem, sondern ein Routing Problem. ... (microsoft.public.de.german.win2000.networking) Re: IP forwarding on NT4 ... The fact that you cannot ping suggests a NIC, ... cable, or routing problem. ... the clients on it's own subnet you can rule out NIC and Cable ... I'll cross that road when I get to it, and your posts along ... (microsoft.public.windows.server.networking) Re: Internet browsing problem in Redhat Linux FC 4 ... That only means that the networking code is alive. ... NORMALLY, that would mean that you have a DNS or routing problem, or that ... PING www.l.google.com 56bytes of data. ... That says DNS and default route is OK. ... (linux.redhat)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)