
Cisco Pix VPN tunnel needed between Sonicwall and Pix

Hi experts,

I have a Pix 505e in London and a Sonicwall TZ180 in LA, normally we have an MPLS working between the two which facilitates server syncs, email and the like. This has been severed by some brutal builders.

I have already been given a link for Sonicwall to Pix here which looks very close to what I need: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

The problem I have is with this line (and others??): "crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac" as I do not have the relevant installed key on my Pix. Can I use DES instead and change the Sonicwall to match? Will there be any other problems that will arise from this or other changes in commands as a result of using a different encryption type? I am new to VPN tunnels but have an understanding of what is going on in principle.

Many thanks in advance!

lrmoore commented:
Good news is that you can apply for a free 3DES/AES key for the PIX if you have a CCO login.
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=119

Yes, you can use DES on both ends. Just replace any mention of "aes-256" with "des"

TargetTV (author) commented:
Ok thanks, good news on the DES - I'll go down that route I think.

As I have been looking into this a bit further I am worried that if I put in details of the IPs I need for NAT exemption it will knock out anyone coming in on the vpn client? Can you have both running? And if so I guess this means setting up separate "crypto map" and isakmp commands?

I think the reason I am finding the above difficult is because there are already commands entered for the client vpn and I didn't know if I could reuse them without messing up vpn clients.

thanks again.


lrmoore commented:
Yes, you can do both client and lan-lan vpns at the same time.
Here's a good example.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml
TargetTV (author) commented:
Hiya,

I have been adding commands as suggested to make this work, but still no joy.
The Sonicwall has crypto suite: ESP DES HMAC MD5 (IKE) with the same password, DH group 1, same lifetime.

sysopt connection permit-ipsec  <-- already there

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map maptosw 67 ipsec-isakmp
crypto map maptosw 67 match address inside_outbound_nat0_acl
crypto map maptosw 67 set peer xx.xx.xx.xx
crypto map maptosw 67 set transform-set myset
crypto map maptosw interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 67 authentication pre-share
isakmp policy 67 encryption des
isakmp policy 67 hash md5
isakmp policy 67 group 1
isakmp policy 67 lifetime 28800

Is there something I am missing here? I can post other areas if needed...

Thanks for your help.
TargetTV (author) commented:
In the Sonicwall log after trying phase 1 negotiation:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
lrmoore commented:
Try enabling nat-traversal, but I don't see why it reports that...
 isakmp nat-traversal 20
Also make sure that PFS is disabled on the SonicWall
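The PIX commands posted above and the SonicWall log line that followed them describe a classic two-ended mismatch hunt: phase 1 (ISAKMP policy), phase 2 (transform set), the pre-shared key, PFS and NAT traversal all have to agree before the tunnel comes up. The script below is an added example, not code from this thread or from Cisco or SonicWall. It parses PIX 6.x-style `crypto`/`isakmp` lines, reduces them to the parameters that matter, and compares them with a description of the SonicWall side as given in the thread (ESP DES/MD5, DH group 1, lifetime 28800, NAT-T expected, PFS off). The config text is constructed from the posted commands with the real peer address replaced by the placeholder 192.0.2.1; the `SONICWALL` dict and all function names are this example's own assumptions.

```python
"""Check PIX IKE/IPsec parameters against the SonicWall side (added example)."""
from collections import defaultdict

# Constructed sample: the PIX commands as posted in the thread, peer replaced
# by the documentation address 192.0.2.1 (placeholder, not the real peer).
PIX_CONFIG = """\
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map maptosw 67 ipsec-isakmp
crypto map maptosw 67 match address inside_outbound_nat0_acl
crypto map maptosw 67 set peer 192.0.2.1
crypto map maptosw 67 set transform-set myset
crypto map maptosw interface outside
isakmp enable outside
isakmp key ******** address 192.0.2.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 67 authentication pre-share
isakmp policy 67 encryption des
isakmp policy 67 hash md5
isakmp policy 67 group 1
isakmp policy 67 lifetime 28800
"""

# The SonicWall TZ180 side as described in the thread (constructed dict).
SONICWALL = {
    "peer": "192.0.2.1",
    "ike_encryption": "des", "ike_hash": "md5", "dh_group": "1", "ike_lifetime": "28800",
    "esp_encryption": "des", "esp_auth": "md5",
    "nat_traversal": True,   # the SonicWall log complained the peer lacks NAT-T
    "pfs": False,            # lrmoore: make sure PFS is disabled on the SonicWall
}


def parse_pix(config):
    """Extract transform sets, crypto map entries and ISAKMP settings from PIX lines."""
    transform_sets = {}                 # name -> list of transforms
    crypto_maps = defaultdict(dict)     # (map name, seq) -> {peer, transform_set, pfs, acl}
    policies = defaultdict(dict)        # policy number -> {encryption, hash, group, lifetime, ...}
    isakmp = {"nat_traversal": False, "keys": set(), "enabled_if": None}
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[parts[3]] = parts[4:]
        elif parts[:2] == ["crypto", "map"] and len(parts) > 3 and parts[3].isdigit():
            entry = crypto_maps[(parts[2], int(parts[3]))]
            rest = parts[4:]
            if rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_set"] = rest[2]
            elif rest[:2] == ["set", "pfs"]:
                entry["pfs"] = rest[2] if len(rest) > 2 else "group1"
            elif rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
        elif parts[:2] == ["isakmp", "policy"]:
            policies[int(parts[2])][parts[3]] = parts[4]
        elif parts[:2] == ["isakmp", "key"]:
            isakmp["keys"].add(parts[4])          # isakmp key <secret> address <peer> ...
        elif parts[:2] == ["isakmp", "nat-traversal"]:
            isakmp["nat_traversal"] = True
        elif parts[:2] == ["isakmp", "enable"]:
            isakmp["enabled_if"] = parts[2]
    return transform_sets, dict(crypto_maps), dict(policies), isakmp


def esp_algos(transforms):
    """Map esp-des / esp-md5-hmac style names to (encryption, auth)."""
    enc = auth = None
    for t in transforms:
        if t.endswith("-hmac"):
            auth = t[len("esp-"):-len("-hmac")]   # esp-md5-hmac -> md5
        elif t.startswith("esp-"):
            enc = t[len("esp-"):]                  # esp-des -> des
    return enc, auth


def check_against_sonicwall(config, sw):
    """Return a list of mismatches; an empty list means both ends agree."""
    transform_sets, crypto_maps, policies, isakmp = parse_pix(config)
    problems = []
    entries = [e for e in crypto_maps.values() if e.get("peer") == sw["peer"]]
    if not entries:
        problems.append(f"no crypto map entry with peer {sw['peer']}")
    for e in entries:
        enc, auth = esp_algos(transform_sets.get(e.get("transform_set"), []))
        if (enc, auth) != (sw["esp_encryption"], sw["esp_auth"]):
            problems.append(f"phase 2 mismatch: PIX {enc}/{auth} vs SonicWall "
                            f"{sw['esp_encryption']}/{sw['esp_auth']}")
        if bool(e.get("pfs")) != sw["pfs"]:
            problems.append("PFS setting differs between the two ends")
    wanted = {"encryption": sw["ike_encryption"], "hash": sw["ike_hash"],
              "group": sw["dh_group"], "lifetime": sw["ike_lifetime"]}
    if not any(all(p.get(k) == v for k, v in wanted.items()) for p in policies.values()):
        problems.append(f"no ISAKMP policy matches {wanted}")
    if sw["peer"] not in isakmp["keys"]:
        problems.append(f"no pre-shared key configured for {sw['peer']}")
    if isakmp["enabled_if"] is None:
        problems.append("isakmp not enabled on any interface")
    if sw["nat_traversal"] and not isakmp["nat_traversal"]:
        problems.append("SonicWall expects NAT traversal but PIX has no 'isakmp nat-traversal'")
    return problems


if __name__ == "__main__":
    for p in check_against_sonicwall(PIX_CONFIG, SONICWALL):
        print("-", p)
```

Run against the posted configuration the only finding is the missing `isakmp nat-traversal`, which is exactly what the SonicWall log reported; appending the `isakmp nat-traversal 20` line lrmoore suggested clears it. The check tests only that the two ends agree, not that the chosen suite is strong: DES, MD5 and DH group 1 are legacy choices, and the free 3DES/AES licence mentioned in the first answer is the better long-term route.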
TargetTV (author) commented:
In the end everything came back online and this remained unsolved. Thanks for all help anyhow.