Check the following:
- The crypto ACLs at either end are mirror images of each other: each entry's source and destination on one peer must appear swapped on the other. Use host-to-host /32 addresses, don't use subnets.
- Check that routing at the remote end is in place and points at the correct exit interface (the one the crypto map is applied to).
- If traffic passes through a firewall between the two VPN peers, check that the IPsec flows are allowed through it. NAT traversal itself (UDP 4500) is negotiated by the peers (on an ASA peer it is configured with 'crypto isakmp nat-traversal'); what the intermediate ASA needs is IPsec pass-through inspection, which opens pinholes for the ESP (IP protocol 50) and, if enabled, AH (IP protocol 51) flows tied to an IKE (UDP 500) session - apply:
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
- Check that UDP 500 (IKE), UDP 4500 (NAT-T), ESP (IP protocol 50) and AH (IP protocol 51) are permitted by the outbound ACLs towards the remote peer. Look at the ACLs on every device in the path.
- Check that 'sysopt connection permit-vpn' is applied. It lets traffic that arrives through the tunnel (after decryption) bypass the ACL applied to the interface terminating the tunnel; it does not open the IKE/ESP/AH ports themselves. Without it, the decrypted traffic has to be explicitly permitted in that interface's ACL.
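As an added example (this is not code from the original post), the following Python script checks two of the items above offline: that the crypto ACLs of both peers mirror each other with /32 entries, and that a transit firewall's ACL permits IKE, NAT-T, ESP and AH between the two peer addresses. It assumes the ACLs are pasted as text in the ASA extended-ACL form using 'host A host B' or 'NET MASK NET MASK' addresses (object-groups are not handled); the ACL names, addresses and peer IPs in it are constructed sample data.

```python
"""Offline sanity checks for ASA site-to-site IPsec ACLs.

Added example, not the post's own code. Assumes ASA "extended" ACL lines with
host / any / NET MASK address forms; object-groups are not parsed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: crypto ACLs of both peers. Peer B is deliberately
# missing one mirror entry and uses a subnet on another line.
PEER_A_CRYPTO = """
access-list VPN-TO-B extended permit ip host 10.1.1.10 host 10.2.2.20
access-list VPN-TO-B extended permit ip host 10.1.1.11 host 10.2.2.20
access-list VPN-TO-B extended permit ip 10.1.3.0 255.255.255.0 host 10.2.2.30
"""
PEER_B_CRYPTO = """
access-list VPN-TO-A extended permit ip host 10.2.2.20 host 10.1.1.10
access-list VPN-TO-A extended permit ip host 10.2.2.30 10.1.3.0 255.255.255.0
"""

# Constructed sample data: outbound ACL on a firewall sitting between the two
# VPN peers (203.0.113.1 and 198.51.100.1). AH is deliberately not permitted.
TRANSIT_ACL = """
access-list OUTSIDE-OUT extended permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
access-list OUTSIDE-OUT extended permit udp host 203.0.113.1 host 198.51.100.1 eq 4500
access-list OUTSIDE-OUT extended permit esp host 203.0.113.1 host 198.51.100.1
"""

PORT_NAMES = {"isakmp": "500"}  # ASA prints UDP 500 by name; 4500 is numeric


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[str]  # "500", "4500", ... or None when no port given


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # "NET MASK" form; ip_network accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse ASA extended ACL lines into Ace objects; unknown lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list\s+\S+\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)",
                     line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _addr(tokens, 0)
        dst, i = _addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1], tokens[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def mirror_problems(local, remote):
    """Local permit entries with no swapped (dst -> src) twin on the remote side,
    plus any entry that is not host-to-host /32."""
    remote_pairs = {(a.proto, a.src, a.dst) for a in remote if a.action == "permit"}
    problems = []
    for a in local:
        if a.action != "permit":
            continue
        if (a.proto, a.dst, a.src) not in remote_pairs:
            problems.append(f"no mirror on remote for {a.src} -> {a.dst}")
        if a.src.prefixlen != 32 or a.dst.prefixlen != 32:
            problems.append(f"non-/32 entry {a.src} -> {a.dst}")
    return problems


def missing_ipsec_permits(acl, local_peer, remote_peer):
    """Which of IKE (udp/500), NAT-T (udp/4500), ESP and AH the ACL does not
    permit from local_peer to remote_peer. 'permit ip' or a port-less udp
    entry covering both addresses counts as permitting the flow."""
    src = ipaddress.ip_network(local_peer + "/32")
    dst = ipaddress.ip_network(remote_peer + "/32")
    needed = {"udp/500": ("udp", "500"), "udp/4500": ("udp", "4500"),
              "esp": ("esp", None), "ah": ("ah", None)}
    found = set()
    for a in acl:
        if a.action != "permit" or not (src.subnet_of(a.src) and dst.subnet_of(a.dst)):
            continue
        for name, (proto, port) in needed.items():
            if a.proto in (proto, "ip") and (port is None or a.dport in (port, None)):
                found.add(name)
    return sorted(set(needed) - found)


if __name__ == "__main__":
    a, b = parse_acl(PEER_A_CRYPTO), parse_acl(PEER_B_CRYPTO)
    for p in mirror_problems(a, b) + mirror_problems(b, a):
        print("crypto ACL:", p)
    for p in missing_ipsec_permits(parse_acl(TRANSIT_ACL), "203.0.113.1", "198.51.100.1"):
        print("transit ACL does not permit:", p)
```

Paste the output of 'show running-config access-list' from each device into the three strings (or read them from files) and run the script; every line it prints corresponds to one of the checklist items above. The mirror check is run in both directions because an entry missing on peer A is not visible when checking from peer B's entries alone.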