Ask the Expert

IPsec tunnel within an IPsec tunnel

I have a tunnel established between two of my sites using Concentrator 3030. Due to my customer's requirements, we need to place PIX firewalls behind these two existing VPN boxes and create a tunnel between the two PIX firewalls using 3DES.

The parameters configured on both PIX firewalls are identical, but the SA is timing out in the first phase.

If the command Sh isakmp sa is executed, the status shows "MM_NO_SETUP".

Please suggest a remedy to this problem.


You have an interesting setup. You are trying to do an IPsec tunnel within an IPsec tunnel. Theoretically this should work, although I don't understand why you would want to do that. If, however, you are doing this, you need to be careful with your security association definitions on the original 3030 concentrator. Make sure you have the appropriate filter rules to allow the PIX IPsec tunnels to be established "through" the existing 3030 IPsec tunnel.

BTW, the status MM_NO_SETUP means that the peers (PIX) have agreed on parameters for the ISAKMP SA. Now it seems you need to ensure that the IPsec SA can successfully be set up.

This was first published in December 2003
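
For the inner tunnel to come up, the filters on the outer path have to pass IKE (UDP 500) and ESP (IP protocol 50) between the two PIX peers in both directions. The following check is an added example, not part of the original answer and not the concentrator's configuration format: the rule dictionaries, the first-match model, the function names and the peer addresses are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample peers (documentation address ranges), not from the page.
PIX_A, PIX_B = "192.0.2.10", "198.51.100.10"
ANY = "0.0.0.0/0"

# Flows the inner PIX-to-PIX tunnel needs: IKE (UDP/500) and ESP (IP protocol 50).
REQUIRED = [("udp", 500), ("esp", None)]


def first_match(rules, src, dst, proto, port):
    """Return the action of the first rule matching the packet; default deny."""
    for r in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"])
                and r["proto"] in (proto, "any")
                and r["port"] in (port, None)):  # rule port None = any port
            return r["action"]
    return "deny"


def blocked_flows(rules, pix_a, pix_b):
    """List the required inner-tunnel flows that the filter would drop."""
    missing = []
    for src, dst in ((pix_a, pix_b), (pix_b, pix_a)):
        for proto, port in REQUIRED:
            if first_match(rules, src, dst, proto, port) != "permit":
                missing.append((src, dst, proto, port))
    return missing


def both_ways(action, proto, port=None):
    """Build one rule per direction between the two PIX peers."""
    pairs = ((PIX_A + "/32", PIX_B + "/32"), (PIX_B + "/32", PIX_A + "/32"))
    return [{"action": action, "src": s, "dst": d, "proto": proto, "port": port}
            for s, d in pairs]


DENY_ALL = [{"action": "deny", "src": ANY, "dst": ANY, "proto": "any", "port": None}]

# Weak ordering: the catch-all deny sits ahead of the ESP permits, so IKE
# passes but ESP never does.
WEAK = both_ways("permit", "udp", 500) + DENY_ALL + both_ways("permit", "esp")
# Corrected ordering: both required protocols are permitted before the deny.
FIXED = both_ways("permit", "udp", 500) + both_ways("permit", "esp") + DENY_ALL

if __name__ == "__main__":
    print("weak :", blocked_flows(WEAK, PIX_A, PIX_B))
    print("fixed:", blocked_flows(FIXED, PIX_A, PIX_B))
```

If NAT sits between the PIX peers, NAT traversal (UDP 4500) would need the same treatment; the example leaves it out.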
