Posted on 2007-07-23
Medium Priority
Last Modified: 2008-01-09
Current implementation rtr->pix->isa where the vpn site to tsite is established through the isa and the protocols are forwarded to the pix. want to remove isa due it being a single point of failure and taking advantage of the failover i have implemented on the pix 515E 6.3.3

i started to try config from the isa config

Remote Site X.Y.Z.46
ESP - Triple DES with SHA1 Integrity
IKE Encryption and Diffie-Hellman Group Triple DES with Group 2 (1024-bit prime)
Perfect Forward Secrecy (Disabled)
Compression (Disabled)
Rekey Timeout (08:00:00)  "in hours"
Rekey Data Count (None)
ISAKMP Retransmission Interval (1440)  "in minutes"
ISAKMP Retransmission Max Attempts (4)
Pre-Shared Key ( to be negotiated )

Network routing on our side (hosts):

My Site

Our Endpoint X.X.X.173
ESP  Triple DES with SHA1 Integrity
IKE Encryption and Diffie-Hellman Group Triple DES with Group 2 (1024-bit prime)
Perfect Forward Secrecy (Disabled)
Rekey Timeout 28800 seconds = 8 hours
Rekey Data Count (None)
Pre-Shared Key (to be negotiated)

This is what i started to create, some guidance please

isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
crypto isakmp key 12345678 address X.Y.Z.46
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip host X.Y.Z.46

networks on my side /24 /22

hosts on remote site

Question by:adrianjfx

Accepted Solution

charan_jeetsingh earned 1500 total points
ID: 19547788
here is a standard configuration for VPN on pix :

 isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
 isakmp policy 10 group 2
 isakmp policy 10 hash md5
 isakmp policy 10 lifetime 86400
 isakmp enable outside
 isakmp identity address
 isakmp key abc123 address netmask
 nat (inside) 0 access list 90
access-list 90 permit ip
 crypto ipsec transform-set strong esp-3des esp-md5-hmac
 crypto ipsec security-association lifetime seconds 900
crypto map gonder 10 ipsec-isakmp
crypto map gonder 10 match address 90
crypto map gonder 10 set transform-set strong
crypto map gonder 10 set peer
crypto map gonder interface outside
sysopt connection permit-ipsec

these are just some basic set of commands which necessarily be there for creating a site to site VPN

you can get futrher information from this link :

Author Comment

ID: 19549522
thanks charan
will try it out

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question