PIX515E to PIX515E VPN connection....

mark-wa asked:

Hello,

I am working with another office trying to set up a VPN connection between our PIX firewalls.  Could someone give me an example of the entries that would be needed?  I know there's a lot, but I am not too familiar with doing this.  Any help would be greatly appreciated.  Thanks.

Mark
ASKER CERTIFIED SOLUTION by Les Moore (solution text available to Experts Exchange members only)
mark-wa (ASKER):
Hi lrmoore,

Thanks for the link!  It's very helpful!  Could you please explain this section to me?

Crypto maps set up IPSec SAs for the encrypted traffic. To create a crypto map, you must assign a map name and a sequence number, and define the crypto map parameters. The crypto map "transam" shown below uses IKE to establish IPSec SAs, encrypts anything that matches access-list 101, has a set peer, and uses the chevelle transform-set to enact its security policy for traffic.

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set transform-set chevelle

The part that is kind of "hanging me up" is   <crypto map transam 1 set peer 172.22.112.12>

What is that ip address?  It's specific, so is that supposed to be the actual Outside address for the PIX you're trying to connect to?

Thanks.

Mark
mark-wa (ASKER):

Actually, there's this part that was given before that section I just gave you:

Finally, configure the preshared key and assign a peer address by using the isakmp key command. The same preshared key must match on the IPSec peers when using preshared keys. The address will differ depending on the IP address of the remote peer.

isakmp key ********** address 172.22.112.12 netmask 255.255.255.255

Thanks.

Mark
><crypto map transam 1 set peer 172.22.112.12>
>isakmp key ********** address 172.22.112.12 netmask 255.255.255.255

Each PIX will consider the outside public IP address of the other PIX as its peer, and the same IP is used in both the crypto map peer statement and the isakmp shared key definition. The "key" is a password; use whatever you like.

i.e. PIX#1 outside IP = 12.34.56.7, PIX#2 = 56.78.9.9
PIX#1
   crypto map transam 1 set peer 56.78.9.9
   isakmp key <your secret key> address 56.78.9.9 netmask 255.255.255.255

PIX#2
   crypto map transam 1 set peer 12.34.56.7
   isakmp key <your secret key> address 12.34.56.7 netmask 255.255.255.255
mark-wa (ASKER):

Perfect!  Thank you!  I'll let you know how it goes.

Thanks again!

Mark
mark-wa (ASKER):

Hi lrmoore,

I have posted another question in the TA while I'm waiting to hear back from the other office about this issue.  You have been very helpful!  Thanks again!

Mark
Mark, download and load PIX Device Manager (PDM) on both 515s. Free download.
PDM connects to the PIX using https on a browser.
There is a wizard in PDM that lets you configure VPN with ease, and error free :)
mark-wa (ASKER):

Ok, we're also in the middle of implementing a new RS6000.  Our application vendor now wants a "site to site" VPN connection, also.  Is it possible to set up 2 "site to site" VPN connections at the same time?  Is it advisable?  Thanks.

Mark
Not a problem at all....
You can setup 100 site-site connections if you want...
However, I would question how the application vendor proposes to secure this site-site VPN connection, and be sure to lock down your acls that define the traffic to be as specific as possible.
mark-wa (ASKER):

Ok, I'm almost done with this.  I apologize because I know I've way over-used the point value on this (wish I could give more).

Can someone look at these lines and tell me what the "20" and "30" values mean (after outside_map)?  Are they just a way of differentiating between the 2 different site connections or is there a significant meaning to those?

crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set standard esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address inland_match
crypto map outside_map 20 set peer 63.149.220.10
crypto map outside_map 20 set transform-set standard
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address PAML_match
crypto map outside_map 30 set peer 205.158.190.162
crypto map outside_map 30 set transform-set esp-3des-md5
crypto map outside_map interface outside
isakmp enable outside

Thanks.

Mark
20 and 30 are the priorities of the crypto maps. Higher priorities are tried first. If successful, the connection is established. If the parameters don't match, it moves on to the next priority and tries to connect.
mark-wa (ASKER):

Is a priority setting required?

Thanks.

Mark
Not really. It's useful for large corporations to set up priorities in which users will log in and access information.
I'm guessing you don't really need it; 20 and 30 is fine the way it is.

Also, I'd recommend you download and install PIX Device Manager. It's a free download from Cisco and will help you manage your box using a browser on your machine. It will help you configure everything on the PIX with relative ease compared to the CLI.
mark-wa (ASKER):

When having multiple site-to-site VPNs set up, do any of the following lines need to be duplicated or matched with anything in the crypto commands?

isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

Is the "1" after "policy" also just a priority number?

Mark
You only need as many policies as you have unique requirements.
You can create multiple policies to match remote ends, i.e.
  des/sha/group 1
  3des/sha/group 1
  3des/md5/group 2
  aes/sha/group 5
 <etc>

Each policy gets a different priority number. Hopefully, one of the policies will match the remote end (and the transform-set on your own end)

For the individual maps, you do have to have a priority number
mark-wa (ASKER):

Ok, here's one of the other office's isakmp stuff:

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

Here's my isakmp stuff for a vpn setup I did a while back that's for connecting via a vpn client:

isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

So their encryption is 3des and mine is des.  Would I create another group for this site-to-site connection or would I just change the encryption to 3des?  Would that then affect the vpn clients and they too would need to be changed?

Mark
mark-wa (ASKER):

Oops, actually, my isakmp lines are as follows for the vpn config for a client:

isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

The ones above are the ones I was going to enter based on that link lrmoore gave me on the site-to-site VPN stuff.

Mark
You can just create another group

isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 1
isakmp policy 2 lifetime 1000

and make sure your transform set matches in the crypto map statements.
i.e.
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set standard esp-des esp-md5-hmac
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address inland_match
crypto map outside_map 20 set peer 63.149.220.10  <== peer #1
crypto map outside_map 20 set transform-set standard  <== DES

crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address <acl>
crypto map outside_map 30 set peer 163.19.22.65  <== peer #2
crypto map outside_map 30 set transform-set esp-3des-md5   <== 3DES

crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address <acl>
crypto map outside_map 40 set peer 13.191.2.5  <== peer #3
crypto map outside_map 40 set transform-set AES-SHA   <== AES
 
You just have to make sure that you have a policy on your end that will match the transform-set that you have identified for that peer....
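An added Python check, not from this thread or from Cisco, that parses a config excerpt in the form shown above and reports crypto map entries missing one of the four lines, transform-sets referenced but never defined, and peers without a matching isakmp key. The sample config is constructed from the entries quoted in this thread; the ACL name site3_match and the masked key are placeholders, and map 40 is left deliberately incomplete so the checker has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample (modelled on the thread's entries); key is a placeholder.
# Map 40's transform-set is undefined and its peer has no isakmp key on purpose.
SAMPLE_CONFIG = """
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set standard esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address inland_match
crypto map outside_map 20 set peer 63.149.220.10
crypto map outside_map 20 set transform-set standard
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address site3_match
crypto map outside_map 40 set peer 13.191.2.5
crypto map outside_map 40 set transform-set AES-SHA
crypto map outside_map interface outside
isakmp key ********** address 63.149.220.10 netmask 255.255.255.255
isakmp enable outside
"""

# Per-entry lines a complete ipsec-isakmp crypto map entry must carry.
FIELDS = {"mode": r"ipsec-isakmp", "acl": r"match address (\S+)",
          "peer": r"set peer (\S+)", "tset": r"set transform-set (\S+)"}

def check_crypto_maps(config):
    """Return human-readable problems with crypto map entries and their isakmp keys."""
    transform_sets, keyed_peers, entries = set(), set(), defaultdict(dict)
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            keyed_peers.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) (.*)", line):
            name, seq, rest = m.groups()
            for field, pat in FIELDS.items():
                if fm := re.fullmatch(pat, rest):
                    entries[(name, int(seq))][field] = fm.group(1) if fm.groups() else rest
    problems = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        problems += [f"{tag}: missing {f}" for f in FIELDS if f not in e]
        if "tset" in e and e["tset"] not in transform_sets:
            problems.append(f"{tag}: transform-set {e['tset']} is not defined")
        if "peer" in e and e["peer"] not in keyed_peers:
            problems.append(f"{tag}: no isakmp key for peer {e['peer']}")
    return problems
```

Run it against a `write terminal` capture before bringing up a new peer; an empty list means every map entry is complete and keyed.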


mark-wa (ASKER):

Thank you so much for all of the info!  Looks like my client at the other office has left for the day, but we should be able to finish this up tomorrow.  Thanks again.

Mark
mark-wa (ASKER):

I was starting to enter the configuration into my PIX and got this:

pixfirewall(config)# isakmp policy 1 encryption 3des
VPN-3DES-AES is not enabled with current activation key.
Usage:  isakmp policy <priority> authen <pre-share|rsa-sig>
        isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
        isakmp policy <priority> hash <md5|sha>
        isakmp policy <priority> group <1|2|5>
        isakmp policy <priority> lifetime <seconds>
        isakmp key <key-string> address <ip> [netmask <mask>] [no-xauth] [no-con
fig-mode]
        isakmp enable <if_name>
        isakmp identity <address|hostname|key-id> [<key-id-string>]
        isakmp keepalive <seconds> [<retry seconds>]
        isakmp nat-traversal [<natkeepalive>]
        isakmp client configuration address-pool local <poolname> [<pif_name>]
        isakmp peer fqdn|ip <fqdn|ip> [no-xauth] [no-config-mode]
pixfirewall(config)#

What does that mean?  Can I use 3des?  Thanks.

Mark
SOLUTION (solution text available to Experts Exchange members only)
mark-wa (ASKER):

Thanks periferral!  I appreciate it.

Mark
mark-wa (ASKER):

Ok, I received a 3des activation key.  It says that I'll need to reboot the PIX after I've entered the key.  By 'reboot', do they mean just shut it off and turn it back on?  Or is there a 'reboot' type command that reboots the OS?  Thanks.

Mark
Both work. Type 'wr mem' and 'reload' on the box and it will reboot.
mark-wa (ASKER):

Thank you both so much for all of your help!

One last question if I may...

I have now entered everything into my PIX and into the PIX at the other site.  Now I need to test the connection.  Once the config is entered on both sides, does the PIX just automatically connect to the other PIX or is there something you have to do to initiate it?

Thanks.

Mark
There must be actual traffic between the sites to "trigger" the VPN.
Just try pinging a remote host and that's all it should take.
On the PIX, you can see if it is established with "sho cry is sa" and you should see the remote IP and QM_IDLE if it's good.
"sho cry ip sa" will show you packets encrypted/decrypted and the access-list applied. Good troubleshooting tool...
Traffic through the VPN tunnel will initiate the tunnel. A simple ping from inside to remote inside should do the trick.
show isakmp sa will show you if isakmp was successful. You should see QM_IDLE state.
show ipsec sa will show ipsec tunnel information.
mark-wa (ASKER):

Ok, here's what I'm getting.  Something must not be configured right:

pixfirewall(config)# show cry is sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
pixfirewall(config)# show cry ip sa


interface: outside
    Crypto map tag: mustang, local addr. 64.106.169.161

   local  ident (addr/mask/prot/port): (172.28.228.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer: 207.162.188.202:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 64.106.169.161, remote crypto endpt.: 207.162.188.202
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


pixfirewall(config)# ping 207.162.188.202
        207.162.188.202 response received -- 80ms
        207.162.188.202 response received -- 80ms
        207.162.188.202 response received -- 220ms
pixfirewall(config)# ping 192.168.0.4
        192.168.0.4 NO response received -- 1000ms
        192.168.0.4 NO response received -- 1000ms
        192.168.0.4 NO response received -- 1000ms
pixfirewall(config)# show isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
pixfirewall(config)# show ipsec sa


interface: outside
    Crypto map tag: mustang, local addr. 64.106.169.161

   local  ident (addr/mask/prot/port): (172.27.227.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer: 207.162.188.202:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 64.106.169.161, remote crypto endpt.: 207.162.188.202
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

Mark
Your isakmp connection isn't going through. If successful you will see state QM_IDLE.
You can do debug crypto isakmp and send the logs.
Confirm that the isakmp preshared key is the same on both sides.
The host >192.168.0.4
What is its default gateway?

>pixfirewall(config)# ping 192.168.0.4
Can't do it from the firewall console; you must do it from a 172.27.227.x host. That host must have the local PIX as its default gateway, or at least routing to the 192.168.0.x subnet that ends up at the PIX.
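An added Python helper, not from this thread, that reads the two show outputs pasted above and classifies where the tunnel is stuck, using the QM_IDLE state and the encaps/decaps counters the replies point to. The "down" samples are excerpted from Mark's output; the established-SA sample is constructed and its column layout is approximated.

```python
import re

# Excerpted from the thread: Phase 1 table with no SAs, Phase 2 counters at zero.
ISAKMP_DOWN = """Total     : 0
Embryonic : 0
        dst               src        state     pending     created
"""
# Constructed (layout approximated) output for an established Phase 1 SA.
ISAKMP_UP = """Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   207.162.188.202   64.106.169.161    QM_IDLE         0           1
"""
IPSEC_DOWN = """    Crypto map tag: mustang, local addr. 64.106.169.161
   local  ident (addr/mask/prot/port): (172.27.227.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer: 207.162.188.202:0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     current outbound spi: 0
"""

def diagnose(isakmp_out, ipsec_out):
    """Classify tunnel health from 'show crypto isakmp sa' / 'show crypto ipsec sa' text."""
    total = int(re.search(r"Total\s*:\s*(\d+)", isakmp_out).group(1))
    qm_rows = re.findall(r"^\s*([\d.]+)\s+([\d.]+)\s+QM_IDLE", isakmp_out, re.M)
    qm_peers = {ip for row in qm_rows for ip in row}   # dst/src order depends on who initiated
    peer = re.search(r"current_peer:\s*([\d.]+)", ipsec_out).group(1)
    encaps = int(re.search(r"#pkts encaps:\s*(\d+)", ipsec_out).group(1))
    decaps = int(re.search(r"#pkts decaps:\s*(\d+)", ipsec_out).group(1))
    spi = int(re.search(r"current outbound spi:\s*([0-9a-fA-Fx]+)", ipsec_out).group(1), 16)
    if total == 0:
        verdict = "phase1-never-started"  # no ISAKMP SA: no interesting traffic yet, peer unreachable, or key mismatch
    elif peer not in qm_peers:
        verdict = "phase1-incomplete"     # SA exists but never reached QM_IDLE: policy/key negotiation failing
    elif spi == 0 or (encaps == 0 and decaps == 0):
        verdict = "phase2-no-traffic"     # IKE is up but no IPSec SA or no packets have matched the ACL
    elif encaps > 0 and decaps == 0:
        verdict = "one-way"               # we encrypt but nothing returns: remote ACL or routing problem
    else:
        verdict = "up"
    return {"isakmp_total": total, "qm_idle_peers": qm_peers, "peer": peer,
            "encaps": encaps, "decaps": decaps, "verdict": verdict}
```

For Mark's capture the verdict is "phase1-never-started", which matches the replies: nothing has triggered Phase 1 yet, so the key and policy cannot even have been compared.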
mark-wa (ASKER):

Hi,

I've accepted your answers because this is dragging out way too far for one question.

I've created another question at:

https://www.experts-exchange.com/questions/21310124/PIX-to-PIX-site-vpn-connection-continued.html

Please continue to help!  I really appreciate it.  You've been outstanding!

Mark