[c-nsp] Pix 501 Terminating Multiple IKE sessions over same tunnel?

dalton daltons at panix.com
Mon Mar 12 21:30:18 EST 2007


Hi,

Are the 66.x.x.x entries two different peers, or the same peer?

Are you perhaps turning off nat on the inside int on only 1 list?


What happens if you run debug icmp trace? Do you see the packets from
list_2 hitting the pix?

If you see the packets hit the pix, then try running
debug crypto isakmp and see if it's trying to establish the tunnel at all
with list_2.

If you can post the rest of your config, (routes and nat, etc), that would
help as well.

-Dalton
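The NAT-exemption point raised above (a nat 0 list that only covers one of the two crypto ACLs) is easy to miss by eye, so here is an added example, not from the thread or from Cisco, that parses a constructed PIX 6.x-style fragment modelled on Mike's config and reports every crypto-map flow the nat 0 ACL does not exempt. The ACL name nonat, the peer placeholder and the nat 0 line are assumptions for the sake of the example.

```python
import ipaddress
import re

# Constructed config fragment (not the poster's actual config): two crypto-map
# entries to the same peer, but the NAT-exemption ACL "nonat" only covers the
# destination subnet of list_1. "66.x.x.x" is kept as the placeholder peer.
PIX_CONFIG = """
access-list list_1 permit ip 192.168.133.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list list_2 permit ip 192.168.133.0 255.255.255.0 192.168.213.0 255.255.255.0
access-list nonat permit ip 192.168.133.0 255.255.255.0 192.168.120.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map TEST 70 ipsec-isakmp
crypto map TEST 70 match address list_1
crypto map TEST 70 set peer 66.x.x.x
crypto map TEST 80 ipsec-isakmp
crypto map TEST 80 match address list_2
crypto map TEST 80 set peer 66.x.x.x
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse_config(text):
    """Collect ACL entries as (src, dst) networks, crypto seq -> ACL name, and the nat 0 ACL name."""
    acls, crypto_acls, nonat = {}, {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MATCH_RE.match(line):
            crypto_acls[int(m.group(1))] = m.group(2)
        elif m := NAT0_RE.match(line):
            nonat = m.group(1)
    return acls, crypto_acls, nonat


def find_unexempted_flows(text):
    """Return (seq, src, dst) for every crypto-ACL flow not covered by the nat 0 ACL."""
    acls, crypto_acls, nonat = parse_config(text)
    exempt = acls.get(nonat, [])
    missing = []
    for seq, acl in sorted(crypto_acls.items()):
        for src, dst in acls.get(acl, []):
            # A flow is exempt only if some nat 0 entry contains both its src and dst.
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((seq, str(src), str(dst)))
    return missing


if __name__ == "__main__":
    for seq, src, dst in find_unexempted_flows(PIX_CONFIG):
        print(f"crypto map seq {seq}: {src} -> {dst} is not NAT-exempted")
```

Run against the fragment it flags only the seq 80 flow (192.168.133.0/24 to 192.168.213.0/24), which is exactly the traffic that would get translated instead of matching the crypto ACL.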


> Hello All:
>
> I am trying to configure two IKE sessions over a single tunnel.  Here is
> the configuration I have:
>
> crypto map TEST 70 ipsec-isakmp
> crypto map TEST 70 match address list_1
> crypto map TEST 70 set peer 66.x.x.x
> crypto map TEST 70 set transform-set TESTSET
> crypto map TEST 80 ipsec-isakmp
> crypto map TEST 80 match address list_2
> crypto map TEST 80 set peer 66.x.x.x
> crypto map TEST 80 set transform-set TESTSET
> crypto map TEST interface outside
>
> access-list list_2 permit ip 192.168.133.0 255.255.255.0 192.168.213.0 255.255.255.0
> access-list list_1 permit ip 192.168.133.0 255.255.255.0 192.168.120.0 255.255.255.0
>
> The remote end is a Netscreen 50.  The Phase 1 session gets established
> with interesting traffic from list_1, but no interesting traffic from
> list_2 gets over the tunnel.  Is the configuration above possible?  And,
> is it possible but I've just messed up the configuration?
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Mike