?
Solved

Cisco Pix VPN tunnel needed between Sonicwall and Pix

Posted on 2008-10-01
7
Medium Priority
?
905 Views
Last Modified: 2012-08-13
Hi experts,

I have a Pix 505e in London and a Sonicwall TZ180 in LA, normally we have an MPLS working between the two which facilitates server sync's, email and the like. This has been severed by some brutal builders.

I have already been given a link for Sonicwall to Pix here which looks very  close to what i need: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

The problem I have is with this line (and others??): "crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac" as I do not have the relevant installed key on my Pix. Can I use DES instead and change the Sonicwall to match? Will there be any other problems that will arise from this or other changes in commands as a result of using a different encryption type? I am new to VPN tunnels but have an understanding of what is going on in principal.

Many thanks in advance!


0
Comment
Question by:TargetTV
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 22615844
Good news is that you can apply for a free 3DES/AES key for the PIX if you have a CCO login.
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=119

Yes, you can use DES on both ends. Just replace any mention of "aes-256" with "des"

0
 

Author Comment

by:TargetTV
ID: 22615922
Ok thanks, good news on the DES - ill go down that route i think.

As i have been looking into this a bit further i am worried that if i put in details of the IP's i need for NAT exemption it will knock out anyone coming in on the vpn client? can you have both running? and if so i guess this means setting up separate "crypto map" and isakp commands?

I think the reason i am finding the above difficult is because there is already the commands entered for the client vpn and i didnt know if i could reuse them without messing up vpn clients.

thanks again.


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22615989
Yes, you can do both client and lan-lan vpns at the same time.
Here's a good example.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml
0
Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

 

Author Comment

by:TargetTV
ID: 22616792
Hiya,

I have been adding commands as suggested to make this work, but still no joy.
The Sonicwall has crypto suite: ESP DES HMAC MD5 (IKE) with the same password, DH group 1 same life time.

sysopt connection permit-ipsec  <-- already there

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map maptosw 67 ipsec-isakmp
crypto map maptosw 67 match address inside_outbound_nat0_acl
crypto map maptosw 67 set peer xx.xx.xx.xx
crypto map maptosw 67 set transform-set myset
crypto map maptosw interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 67 authentication pre-share
isakmp policy 67 encryption des
isakmp policy 67 hash md5
isakmp policy 67 group 1
isakmp policy 67 lifetime 28800

Is there something i am missing here? I can post other areas if needed...

Thanks for your help.
0
 

Author Comment

by:TargetTV
ID: 22616978
in the Sonicwall log after trying phase1 negotiation:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22617022
Try enabling nat-traversal, but I don't see why it reports that...
 isakmp nat-traversal 20
Also make sure that PFS is disabled on the SonicWall
0
 

Accepted Solution

by:
TargetTV earned 0 total points
ID: 22931239
In the end everything came back online and this remained unsolved. thanks for all help anyhow.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question