IPsec tunnel within an IPsec tunnel
I have a tunnel established between two of my sites using Concentrator 3030s. Due to my customer's requirements we need to place PIX firewalls behind these two existing VPN boxes and create a tunnel between the two PIX firewalls using 3DES.
The parameters configured on both PIX firewalls are identical, but the SA is timing out in the first phase.
If the command show isakmp sa is executed, the status shows "MM_NO_SETUP".
Please suggest a remedy to this problem.
You have an interesting setup. You are trying to do an IPsec tunnel within an IPsec tunnel. Theoretically this should work, although I don't understand why you would want to do that. If, however, you are doing this you need to be careful with your security association definitions on the original 3030 concentrator. Make sure you have the appropriate filter rules to allow the PIX IPsec tunnels to be established "through" the existing 3030 IPsec tunnel.
BTW, the status MM_NO_SETUP means that the peers (the PIXes) have agreed on parameters for the ISAKMP SA. Now it seems you need to ensure that the IPsec SA can be set up successfully.
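As an added illustration (not part of the original question or answer), here is a PIX 6.x configuration for the inner 3DES tunnel, with comments on what the outer 3030 tunnel must carry for it to come up. All addresses, names and subnets are assumed: 192.0.2.1 and 192.0.2.2 are the PIX outside interfaces, 10.1.0.0/16 and 10.2.0.0/16 the protected networks, and the pre-shared key is a placeholder. For this to work through the outer tunnel, the 3030 security associations must treat the PIX-to-PIX outside addresses as interesting traffic, so that IKE (UDP/500) and ESP (IP protocol 50) between 192.0.2.1 and 192.0.2.2 are carried, and any concentrator filter must permit them. One check worth knowing: on PIX 6.x, show isakmp sa reports MM_NO_STATE when phase 1 has started but no proposal has been agreed, and MM_SA_SETUP once the peers have agreed parameters; debug crypto isakmp on one PIX shows which attribute (encryption, hash, DH group, lifetime, authentication) is rejected when the state never advances.

```cisco
! Added example, not the page's own configuration. PIX-A side; PIX-B mirrors it
! with the peer address, key and subnets swapped. Addresses are assumed.

! Phase 1 (ISAKMP): must match the peer attribute for attribute.
isakmp enable outside
isakmp identity address
isakmp key PRESHARED-KEY-PLACEHOLDER address 192.0.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec): 3DES with SHA-1 integrity in tunnel mode.
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

! Interesting traffic for the inner tunnel: the two protected LANs.
access-list VPN-TRAFFIC permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 192.0.2.2
crypto map OUTSIDE-MAP 10 set transform-set 3DES-SHA
crypto map OUTSIDE-MAP interface outside

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Verification (run on one PIX while the other initiates):
!   debug crypto isakmp      - shows which phase 1 attribute the peer rejects
!   show isakmp sa           - MM_NO_STATE = nothing agreed, MM_SA_SETUP = proposal agreed,
!                              QM_IDLE = phase 1 complete
!   show crypto ipsec sa     - #pkts encaps/decaps counters for the phase 2 SA
```

The outer 3030 tunnel must select 192.0.2.1 <-> 192.0.2.2 (host to host, or at least UDP/500 and IP protocol 50 between them) as protected traffic on both concentrators; if the 3030 crypto policy only lists the LAN subnets behind the PIXes, the inner IKE exchange is either dropped at the concentrator or sent in the clear and never reaches the peer PIX, which is the usual reason phase 1 times out in this topology.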
This was first published in December 2003