TargetTV
asked on
Cisco Pix VPN tunnel needed between Sonicwall and Pix
Hi experts,
I have a Pix 505e in London and a Sonicwall TZ180 in LA, normally we have an MPLS working between the two which facilitates server sync's, email and the like. This has been severed by some brutal builders.
I have already been given a link for Sonicwall to Pix here which looks very close to what i need: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml
The problem I have is with this line (and others??): "crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac" as I do not have the relevant installed key on my Pix. Can I use DES instead and change the Sonicwall to match? Will there be any other problems that will arise from this or other changes in commands as a result of using a different encryption type? I am new to VPN tunnels but have an understanding of what is going on in principal.
Many thanks in advance!
I have a Pix 505e in London and a Sonicwall TZ180 in LA, normally we have an MPLS working between the two which facilitates server sync's, email and the like. This has been severed by some brutal builders.
I have already been given a link for Sonicwall to Pix here which looks very close to what i need: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml
The problem I have is with this line (and others??): "crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac" as I do not have the relevant installed key on my Pix. Can I use DES instead and change the Sonicwall to match? Will there be any other problems that will arise from this or other changes in commands as a result of using a different encryption type? I am new to VPN tunnels but have an understanding of what is going on in principal.
Many thanks in advance!
ASKER
Ok thanks, good news on the DES - ill go down that route i think.
As i have been looking into this a bit further i am worried that if i put in details of the IP's i need for NAT exemption it will knock out anyone coming in on the vpn client? can you have both running? and if so i guess this means setting up separate "crypto map" and isakp commands?
I think the reason i am finding the above difficult is because there is already the commands entered for the client vpn and i didnt know if i could reuse them without messing up vpn clients.
thanks again.
As i have been looking into this a bit further i am worried that if i put in details of the IP's i need for NAT exemption it will knock out anyone coming in on the vpn client? can you have both running? and if so i guess this means setting up separate "crypto map" and isakp commands?
I think the reason i am finding the above difficult is because there is already the commands entered for the client vpn and i didnt know if i could reuse them without messing up vpn clients.
thanks again.
Yes, you can do both client and lan-lan vpns at the same time.
Here's a good example.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml
Here's a good example.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml
ASKER
Hiya,
I have been adding commands as suggested to make this work, but still no joy.
The Sonicwall has crypto suite: ESP DES HMAC MD5 (IKE) with the same password, DH group 1 same life time.
sysopt connection permit-ipsec <-- already there
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map maptosw 67 ipsec-isakmp
crypto map maptosw 67 match address inside_outbound_nat0_acl
crypto map maptosw 67 set peer xx.xx.xx.xx
crypto map maptosw 67 set transform-set myset
crypto map maptosw interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 67 authentication pre-share
isakmp policy 67 encryption des
isakmp policy 67 hash md5
isakmp policy 67 group 1
isakmp policy 67 lifetime 28800
Is there something i am missing here? I can post other areas if needed...
Thanks for your help.
I have been adding commands as suggested to make this work, but still no joy.
The Sonicwall has crypto suite: ESP DES HMAC MD5 (IKE) with the same password, DH group 1 same life time.
sysopt connection permit-ipsec <-- already there
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map maptosw 67 ipsec-isakmp
crypto map maptosw 67 match address inside_outbound_nat0_acl
crypto map maptosw 67 set peer xx.xx.xx.xx
crypto map maptosw 67 set transform-set myset
crypto map maptosw interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 67 authentication pre-share
isakmp policy 67 encryption des
isakmp policy 67 hash md5
isakmp policy 67 group 1
isakmp policy 67 lifetime 28800
Is there something i am missing here? I can post other areas if needed...
Thanks for your help.
ASKER
in the Sonicwall log after trying phase1 negotiation:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
Try enabling nat-traversal, but I don't see why it reports that...
isakmp nat-traversal 20
Also make sure that PFS is disabled on the SonicWall
isakmp nat-traversal 20
Also make sure that PFS is disabled on the SonicWall
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=119
Yes, you can use DES on both ends. Just replace any mention of "aes-256" with "des"