
multiple VPNs on the same CISCO-NETSCREEN nodes

Hi all,

I have a problem with the VPNs configured on one customer site. I'll try to explain it the best I can...

This is the equipment involved:
Customer site: Cisco 3620
Local site: Netscreen 208

Currently we have one IPsec VPN configured between both sites to connect the customer network 10.95.0.0/16 with our local network 10.1.27.0/24.

The problem started when we wanted to include a new network on our site (10.1.29.0/24)... we started talking some time ago to deal with this matter but we haven't found a common point of view. I proposed opening our range to 10.1.0.0/16 in the encryption domain parameter and then routing the new network through the VPN... but they said that they can't do that because they have internal networks that conflict with that range... ok... we decided to use NAT... they gave us a range to configure on our site (172.19.1.0/28).

The problem with the encryption domain remains the same... I have to change the parameter to allow the phase II negotiations... I don't know the Cisco equipment, so I don't know why they can't configure this parameter with 0.0.0.0/0 and then route only the networks affected (this is what we have done on our Netscreen with other customers...).

Now, a hundred mails later... we are trying to configure another IPsec VPN to separate the networks affected... (I think we should have another solution but I don't know how to convince them because I don't know the Cisco world)... the problem is that they said we have to use another public IP on our site to configure the new VPN ??... they say that they can't configure another VPN with the same parameters in the negotiations (the only parameter that is different is our local network...).... please help me with this matter.

Thanks in advance
2 Solutions
 
deimark commented:
It seems a bit mad of them to say that they cannot have 2 VPNs going to the same remote GW.

As you say, the Netscreen side is quite straightforward if you wanted to go down the route-based VPN path and set the encryption domain as 0.0.0.0. If we could set this to the same on the Cisco side, then all will be well.

For the 2 VPN approach, the Netscreen again is quite easy: you create a new AutoKey IKE VPN using the same IKE GW from the other VPN, just with a different proxy-id (encryption domain) set.

I am not a Cisco expert but I would be very surprised if the Cisco side DOES NOT cater for multiple VPNs to the same remote GW, just using different local and remote networks.

As for trying to configure the Netscreen to have a 2nd VPN coming from a new external IP, I am fairly sure that this cannot be done.

I would consider asking the Cisco side to confirm the reasoning as to why they cannot have multiple VPNs to the same remote GW, which will give us a bit more info to work on for a workaround.
 
Qlemo (C++ Developer) commented:
I agree with deimark. It should be possible to have two Phase 2 SAs (for networks, encryption domains, or however you want to call them) using the same Phase 1 SA (VPN gateway). That is one of the reasons why the Phase 1 and Phase 2 definitions are separated, and a major feature of IPsec VPNs.
 
ecemibm (Author) commented:
Hi again...

The customer has answered my statements saying that the Cisco prevents doing that because it would allow more than one encryption domain to be included. Is it true?... I'm starting to wonder whether the technicians at the customer site have real knowledge about what they are talking about... the problem is that I don't know how the Cisco firewall works...

The question now is... Do you know if I can find a configuration example for this deployment with Cisco equipment?... I'm sure this proof is what I need to convince the customer...
 
deimark commented:
I think that the Cisco guy is not too clued up on his router and is only passing on the info he knows.

As I said before, I would be very surprised if Cisco does not allow multiple VPN domains to be bound to a single GW; it seems to be the fundamental area that is covered by all other major (and most minor) players in the VPN market.

With regards to an example config, this does need to go to a Cisco bod. Perhaps an admin can put out a call for more Cisco experts to comment.
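Added example for the question above (not posted by any participant in this thread): a Cisco IOS crypto-map configuration in which two Phase 2 entries share one ISAKMP peer, matching what Qlemo and deimark describe. Peer address, interface name, ACL names and the pre-shared key are placeholders; the networks are the ones from the question (10.95.0.0/16 on the Cisco side, 10.1.27.0/24 plus the NAT range 172.19.1.0/28 on the Netscreen side), and the Netscreen side and its source NAT are not shown. Whether the 3620's IOS image supports AES is an assumption; substitute the cipher the image offers.

```cisco
! ---- Phase 1 (ISAKMP): ONE policy and ONE key for the single remote gateway ----
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Placeholder peer = Netscreen public address; placeholder key
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2

! ---- Phase 2 proposal shared by both tunnels ----
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
 mode tunnel

! ---- One ACL (encryption domain / proxy-id) per remote network ----
! Keep each ACL to the exact subnets so no more traffic than needed is
! pulled into a tunnel; this is the tight alternative to 0.0.0.0/0.
ip access-list extended VPN-TO-NET27
 permit ip 10.95.0.0 0.0.255.255 10.1.27.0 0.0.0.255
ip access-list extended VPN-TO-NET29-NAT
 permit ip 10.95.0.0 0.0.255.255 172.19.1.0 0.0.0.15

! ---- Two entries in the SAME crypto map, same peer, different match address ----
! Each entry negotiates its own Phase 2 SA under the single Phase 1 SA.
crypto map VPN-MAP 10 ipsec-isakmp
 description Customer net <-> local 10.1.27.0/24
 set peer 198.51.100.2
 set transform-set TS-AES-SHA
 match address VPN-TO-NET27
crypto map VPN-MAP 20 ipsec-isakmp
 description Customer net <-> local 10.1.29.0/24 seen as 172.19.1.0/28
 set peer 198.51.100.2
 set transform-set TS-AES-SHA
 match address VPN-TO-NET29-NAT

! ---- Bind the crypto map to the Internet-facing interface (placeholder name) ----
interface Serial0/0
 crypto map VPN-MAP
```

On the Netscreen, the second AutoKey IKE VPN must reuse the existing IKE gateway and carry the proxy-id 172.19.1.0/28 <-> 10.95.0.0/16 so that it matches the second ACL exactly; `show crypto ipsec sa` on the Cisco then lists two SA pairs toward the same peer, one per ACL.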