pix1 was version 8; pix2 was version 6.

I configured pix1 as per the version 7 tutorial, and configured pix2 as per the version 6 tutorial. I then made the following adjustments:

- adjusted the IP addressing on pix2 to match the network diagram in the version 7 tutorial
- adjusted the IPsec transform sets and ISAKMP policies on both PIXes so that they matched. I went with a compromise between what I thought each could support (3DES), but did not research this in depth; you can probably find other encryption standards in common between the two.
- adjusted things like session lifetime parameters to match on both units.

To test this configuration, I connected the outside interfaces on both PIXes to a Cisco 1800 router. I connected them on the switchports, then started a SPAN session to monitor (mirror traffic) from one of these ports onto a third one, where I had a laptop running Wireshark. Wireshark is able to decode many of the ISAKMP negotiation packets, so it was reasonably easy to see when something was mismatched and not connecting properly.

On the inside interfaces of each PIX, I had a computer with a local IP address on the "inside" range for that PIX. I then attempted to ping the machine on the other PIX, which (if everything is configured correctly) initiates the tunnel.
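An added example, not part of the original post: a small Python check that parses the ISAKMP policy lines from both units and lists every parameter that differs, including the lifetime, before any traffic is sent. The two sample configs are constructed, and the syntax is an assumption: flat `isakmp policy N ...` lines on version 6 and a `crypto isakmp policy N` block with indented sub-commands on the later version.

```python
import re

# Constructed sample configs (not from the original post).
PIX2_V6 = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""
PIX1_V8 = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
FIELDS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_isakmp_policies(config):
    """Return {priority: {field: value}} from either config style."""
    policies, current = {}, None
    for line in config.splitlines():
        flat = re.match(r"\s*(?:crypto )?isakmp policy (\d+) (\S+) (\S+)", line)
        head = re.match(r"\s*(?:crypto )?isakmp policy (\d+)\s*$", line)
        sub = re.match(r"\s+(\S+) (\S+)\s*$", line)
        if flat and flat.group(2) in FIELDS:
            policies.setdefault(int(flat.group(1)), {})[flat.group(2)] = flat.group(3)
            current = None
        elif head:
            current = policies.setdefault(int(head.group(1)), {})
        elif sub and current is not None and sub.group(1) in FIELDS:
            current[sub.group(1)] = sub.group(2)
        elif not line.startswith(" "):
            current = None  # left the policy block
    return policies

def compare(a, b):
    """Pair every policy of peer a with every policy of peer b.
    Fields absent from a config compare as None (device defaults are not modelled)."""
    matches, mismatches = [], []
    for pa, fa in a.items():
        for pb, fb in b.items():
            diff = {k: (fa.get(k), fb.get(k)) for k in FIELDS if fa.get(k) != fb.get(k)}
            (mismatches if diff else matches).append((pa, pb, diff))
    return matches, mismatches

if __name__ == "__main__":
    print(compare(parse_isakmp_policies(PIX2_V6), parse_isakmp_policies(PIX1_V8)))
```

With the constructed samples, the only difference reported is the hash algorithm on policy 10.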