Cisco Pix VPN tunnel needed between Sonicwall and Pix

Hi experts,

I have a Pix 505e in London and a Sonicwall TZ180 in LA. Normally we have an MPLS working between the two which facilitates server syncs, email and the like. This has been severed by some brutal builders.

I have already been given a link for Sonicwall to Pix here which looks very close to what I need:

The problem I have is with this line (and others??): "crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac" as I do not have the relevant installed key on my Pix. Can I use DES instead and change the Sonicwall to match? Will there be any other problems that will arise from this or other changes in commands as a result of using a different encryption type? I am new to VPN tunnels but have an understanding of what is going on in principle.

Many thanks in advance!

TargetTVAuthor Commented:
In the end everything came back online and this remained unsolved. Thanks for all help anyhow.
Good news is that you can apply for a free 3DES/AES key for the PIX if you have a CCO login.

Yes, you can use DES on both ends. Just replace any mention of "aes-256" with "des"

TargetTVAuthor Commented:
OK thanks, good news on the DES - I'll go down that route I think.

As I have been looking into this a bit further I am worried that if I put in details of the IPs I need for NAT exemption it will knock out anyone coming in on the VPN client? Can you have both running? And if so I guess this means setting up separate "crypto map" and isakmp commands?

I think the reason I am finding the above difficult is because there are already the commands entered for the client VPN and I didn't know if I could reuse them without messing up VPN clients.

Thanks again.

Yes, you can do both client and lan-lan vpns at the same time.
Here's a good example.
TargetTVAuthor Commented:

I have been adding commands as suggested to make this work, but still no joy.
The Sonicwall has crypto suite: ESP DES HMAC MD5 (IKE) with the same password, DH group 1, same lifetime.

sysopt connection permit-ipsec  <-- already there

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map maptosw 67 ipsec-isakmp
crypto map maptosw 67 match address inside_outbound_nat0_acl
crypto map maptosw 67 set peer xx.xx.xx.xx
crypto map maptosw 67 set transform-set myset
crypto map maptosw interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask
isakmp identity address
isakmp policy 67 authentication pre-share
isakmp policy 67 encryption des
isakmp policy 67 hash md5
isakmp policy 67 group 1
isakmp policy 67 lifetime 28800

Is there something I am missing here? I can post other areas if needed...

Thanks for your help.
TargetTVAuthor Commented:
In the Sonicwall log after trying phase1 negotiation:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
Try enabling nat-traversal, but I don't see why it reports that...
 isakmp nat-traversal 20
Also make sure that PFS is disabled on the SonicWall
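
The thread's advice is that both ends must carry the same proposal (DES on the PIX and the Sonicwall changed to match). The following is an added example, not code from the thread or from Cisco or SonicWall, that parses the posted PIX lines and compares them with the Sonicwall settings the author described. The function names, the `SONICWALL` dictionary layout and the `PIX_DEFAULTS` values are assumptions made for the illustration.

```python
import re

# Constructed from the PIX commands posted in the thread.
PIX_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 67 authentication pre-share
isakmp policy 67 encryption des
isakmp policy 67 hash md5
isakmp policy 67 group 1
isakmp policy 67 lifetime 28800
"""
# Sonicwall side as described in the thread (ESP DES HMAC MD5, DH group 1,
# same lifetime, pre-shared key), written in PIX keywords for comparison.
SONICWALL = {"authentication": "pre-share", "encryption": "des", "hash": "md5",
             "group": "1", "lifetime": "28800", "esp": {"esp-des", "esp-md5-hmac"}}
# Assumed PIX 6.x values for policy lines that are left out; check your release.
PIX_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha",
                "group": "1", "lifetime": "86400"}
# Legacy algorithms (DH group 1 is legacy too, but is not matched by this set).
WEAK = {"des", "md5", "esp-des", "esp-md5-hmac"}

def parse_pix(config):
    """Return ({policy: {attr: value}}, {transform_set: {transforms}})."""
    policies, tsets = {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            policies.setdefault(m.group(1), dict(PIX_DEFAULTS))[m.group(2)] = m.group(3)
        m = re.match(r"\s*crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            tsets[m.group(1)] = set(m.group(2).split())
    return policies, tsets

def compare(config, peer, policy="67", tset="myset"):
    """List phase 1 / phase 2 differences between the PIX config and the peer."""
    policies, tsets = parse_pix(config)
    local = policies.get(policy, dict(PIX_DEFAULTS))
    issues = [f"phase1 {a}: pix={local[a]} peer={peer[a]}"
              for a in PIX_DEFAULTS if local[a] != peer[a]]
    esp = tsets.get(tset, set())
    if esp != peer["esp"]:
        issues.append(f"phase2: pix={sorted(esp)} peer={sorted(peer['esp'])}")
    return issues

def weak_settings(config, policy="67", tset="myset"):
    """Return the legacy algorithms in use, so they can be replaced on both ends."""
    policies, tsets = parse_pix(config)
    used = set(policies.get(policy, PIX_DEFAULTS).values()) | tsets.get(tset, set())
    return sorted(used & WEAK)

if __name__ == "__main__":
    print(compare(PIX_CONFIG, SONICWALL) or "proposals match")
    print("legacy algorithms:", weak_settings(PIX_CONFIG))
```

A policy line that is missing falls back to the assumed default, so dropping `isakmp policy 67 hash md5` is reported as a hash mismatch instead of passing silently.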