Site-to-Site IPSEC tunnel between PIX 7.2 and PIX 6.3

From
Roman Sindarovskiy (2:5020/400)
To
All (2:5054/37.63)
Date
2007-10-28T10:13:54Z
Area
RU.CISCO
From: Roman Sindarovskiy <rakis@electromir.ru>

Hi All

There is a central PIX 515 (PIX OS 6.3) and 10+ branch offices with PIX 501 (6.3).
IPSEC tunnels to each branch are configured and working. A PIX 515
(PIX OS 7.2) has been brought up, and the settings from the old 515 were moved onto it.
But apparently I missed something during the migration. The tunnels do not come up.
I move the settings over from the old 515 and change the address on the branch 501.
Then on both PIXes:

debug crypto isakmp
debug crypto ipsec
debug crypto engine
conf t
clear isakmp sa
clear ipsec sa
exit

And nothing, i.e. it looks as if there are not even any attempts to bring the tunnel up.

As a basis I took the cisco.com document "PIX/ASA 7.x PIX-to-PIX
Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example"

Question: Where can I read about the differences in IPSEC configuration between PIX OS
6.x and PIX OS 7.x? I want to understand where I went wrong.

P.S. I have read the "Cisco Security Appliance Command Line Configuration Guide 7.2"
P.P.S. An excerpt from the configs

PIX 7:
name a2.b2.c2.d2 PIX6
sysopt connection permit-vpn
access-list inside_nonat extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list inside_nonat extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_201 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_201 extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nonat
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto map outside_map_pce 201 match address outside_cryptomap_201
crypto map outside_map_pce 201 set peer PIX6
crypto map outside_map_pce 201 set transform-set TRANS
crypto map outside_map_pce interface outside
isakmp enable outside
isakmp identity address
isakmp policy 101 authentication pre-share
isakmp policy 101 encryption 3des
isakmp policy 101 hash md5
isakmp policy 101 group 1
isakmp policy 101 lifetime 86400
tunnel-group PIX6 type ipsec-l2l
tunnel-group PIX6 ipsec-attributes
pre-shared-key secret
peer-id-validate nocheck

PIX 6:
name a1.b1.c1.d1 PIX7
sysopt connection permit-IPSec
access-list outside_cryptomap_202 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_202 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nonat permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nonat permit icmp 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto map outside_map_em 202 ipsec-isakmp
crypto map outside_map_em 202 match address outside_cryptomap_202
crypto map outside_map_em 202 set peer PIX7
crypto map outside_map_em 202 set transform-set TRANS
crypto map outside_map_em interface outside
isakmp key 12131415 address PIX7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp enable outside
isakmp identity address
isakmp policy 102 authentication pre-share
isakmp policy 102 encryption 3des
isakmp policy 102 hash md5
isakmp policy 102 group 1
isakmp policy 102 lifetime 86400
--- ifmail v.2.15dev5.4
 * Origin: Demos online service (2:5020/400)
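
Added example, not part of the original post and not the poster's or Cisco's tooling: a peer-consistency check for a 6.3/7.2 site-to-site pair, comparing the crypto ACLs (each side should mirror the other), the ISAKMP policy parameters and the transform sets. The function names parse and compare are hypothetical; the input is re-typed from the two excerpts above with wrapped lines rejoined and the lifetime lines left out. A finding is a difference to review, not a statement of why the tunnel stays down.

```python
import re

# Constructed input: crypto-relevant lines re-typed from the post's excerpts.
PIX7 = """\
access-list outside_cryptomap_201 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_201 extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto map outside_map_pce 201 match address outside_cryptomap_201
isakmp policy 101 authentication pre-share
isakmp policy 101 encryption 3des
isakmp policy 101 hash md5
isakmp policy 101 group 1
"""
PIX6 = """\
access-list outside_cryptomap_202 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_202 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto map outside_map_em 202 match address outside_cryptomap_202
isakmp policy 102 authentication pre-share
isakmp policy 102 encryption 3des
isakmp policy 102 hash md5
isakmp policy 102 group 1
"""

def parse(cfg):
    """Return (crypto ACL entries, ISAKMP policies, transform sets) of one peer."""
    names = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M))
    acl, pol, ts = set(), {}, set()
    for w in map(str.split, cfg.splitlines()):
        if w[:1] == ["access-list"] and w[1] in names:
            w = [x for x in w[2:] if x != "extended"]  # keyword that 7.x adds
            if w[0] == "permit" and len(w) == 6:  # permit proto src mask dst mask
                acl.add(tuple(w[1:]))
        elif w[:2] == ["isakmp", "policy"]:
            pol.setdefault(w[2], {})[w[3]] = w[4]  # policy number -> parameters
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            ts.add(frozenset(w[4:]))  # the set's name is local, transforms are not
    return acl, pol, ts

def compare(a, b):
    """List the phase 1 / phase 2 differences between peers a and b."""
    (acl_a, pol_a, ts_a), (acl_b, pol_b, ts_b) = parse(a), parse(b)
    mirror_b = {(p, d, dm, s, sm) for p, s, sm, d, dm in acl_b}  # swap src/dst
    out = [("acl-entry-only-on-a", e) for e in sorted(acl_a - mirror_b)]
    out += [("acl-entry-only-on-b", e) for e in sorted(mirror_b - acl_a)]
    if not any(x == y for x in pol_a.values() for y in pol_b.values()):
        out.append(("no-common-isakmp-policy", None))
    if not ts_a & ts_b:
        out.append(("no-common-transform-set", None))
    return out
```

Calling compare(PIX7, PIX6) returns the list of differences; an empty list means the compared parameters agree on both sides.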