Solved

multiple VPNs on the same CISCO-NETSCREEN nodes

Posted on 2010-09-14
Last Modified: 2012-05-10
Hi all,

I have a problem with the VPNs configured on one customer site. I'll try to explain it the best I can...

This is the equipment involved:
Customer site: CISCO 3620
Local site: Netscreen 208

Currently we have configured one IPsec VPN between both sites to connect the customer network 10.95.0.0/16 with our local network 10.1.27.0/24.

The problem started when we wanted to include a new network in our site (10.1.29.0/24)... we started talking some time ago to deal with this matter but we couldn't find a common point of view. I proposed to open our range to 10.1.0.0/16 in the encryption domain parameter and then route the new network through the VPN... but they said that they can't do that because they have internal networks in conflict with that range... ok... we decided to use NAT... they gave us a range to configure on our site (172.19.1.0/28).

The problem with the encryption domain remains the same... I have to change the parameter to allow the Phase II negotiations... I don't know the CISCO equipment and so I don't know why they can't configure this parameter with 0.0.0.0/0 and then route only the networks affected (this is what we have done on our Netscreen with other customers...).

Now, a hundred mails later... we are trying to configure another IPsec VPN to separate the networks affected... (I think there should be another solution but I don't know how to convince them because I don't know the CISCO world)... the problem is that they said that we have to use another public IP on our site to configure the new VPN??... they say that they can't configure another VPN with the same parameters in the negotiations (the only parameter that is different is our local network...). Please help me with this matter.

Thanks in advance
Question by: ecemibm
4 Comments
Accepted Solution

by: deimark
ID: 33670720
Seems a bit mad of them to say that they cannot have 2 VPNs going to the same remote GW.

As you say, the Netscreen side is quite straightforward if you wanted to go down the route-based VPN path and set the encryption domain to 0.0.0.0. If we could set this to the same on the Cisco side, then all will be well.

For the 2-VPN approach, the Netscreen again is quite easy: you create a new AutoKey IKE using the same IKE GW from the other VPN, just with a different proxy-id (encryption domain) set.

I am not a Cisco expert but I would be very surprised if the Cisco side DOES NOT cater for multiple VPNs to the same remote GW, just using different local and remote networks.

As for trying to configure the Netscreen to have a 2nd VPN coming from a new external IP, I am fairly sure that this cannot be done.

I would consider asking the Cisco side to confirm the reasoning as to why they cannot have multiple VPNs to the same remote GW, which will give us a bit more info to work on for a workaround.
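
Added example (not part of the thread, and not a configuration from Juniper or from the poster): the ScreenOS configuration for the two-VPN approach described in the answer above, on a Netscreen 208. Two AutoKey IKE VPNs are bound to the same IKE gateway and differ only in their proxy-id; the second one carries the new network source-NATed into the 172.19.1.0/28 range the customer assigned. The networks are the ones from the question. Everything else is an assumption: the customer's public IP 203.0.113.10, ethernet3 as the Untrust interface, the object and VPN names, the pre-shared key placeholder, the 3DES/SHA proposals (which must match whatever the Cisco side actually runs), and the extended-interface DIP pool used for the NAT.

```text
set address "Trust" "net-10.1.27.0/24" 10.1.27.0 255.255.255.0
set address "Trust" "net-10.1.29.0/24" 10.1.29.0 255.255.255.0
set address "Untrust" "customer-10.95.0.0/16" 10.95.0.0 255.255.0.0
set interface ethernet3 ext ip 172.19.1.1 255.255.255.240 dip 5 172.19.1.2 172.19.1.14
set ike gateway "gw-customer" address 203.0.113.10 Main outgoing-interface ethernet3 preshare "REPLACE-ME" proposal "pre-g2-3des-sha"
set vpn "vpn-customer-net27" gateway "gw-customer" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "vpn-customer-net27" proxy-id local-ip 10.1.27.0/24 remote-ip 10.95.0.0/16 "ANY"
set vpn "vpn-customer-net29" gateway "gw-customer" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "vpn-customer-net29" proxy-id local-ip 172.19.1.0/28 remote-ip 10.95.0.0/16 "ANY"
set policy id 10 from "Trust" to "Untrust" "net-10.1.27.0/24" "customer-10.95.0.0/16" "ANY" tunnel vpn "vpn-customer-net27"
set policy id 11 from "Untrust" to "Trust" "customer-10.95.0.0/16" "net-10.1.27.0/24" "ANY" tunnel vpn "vpn-customer-net27"
set policy id 20 from "Trust" to "Untrust" "net-10.1.29.0/24" "customer-10.95.0.0/16" "ANY" nat src dip-id 5 tunnel vpn "vpn-customer-net29"
```

The single `set ike gateway` line is the Phase 1 definition; both `set vpn` lines reference it, so there is one IKE SA and two IPsec SAs. The explicit `proxy-id` lines are what the Cisco side has to mirror bit for bit (local 172.19.1.0/28 here must appear as destination 172.19.1.0 0.0.0.15 in the Cisco crypto ACL); a mismatch shows up as a Phase 2 failure while Phase 1 is up. The DIP pool translates 10.1.29.x sources before encryption, so the customer only ever sees 172.19.1.x inside the tunnel; because a DIP pool is dynamic source NAT it only serves connections initiated from your side, and if the customer must initiate connections towards the new network a static MIP would be needed instead. To check, `get ike cookies` should show one Phase 1 entry for 203.0.113.10 and `get sa` should list two SAs, one per proxy-id.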
Assisted Solution

by: Qlemo
ID: 33671128
I agree with deimark. It should be possible to have two Phase 2 SAs (for networks, encryption domains, or however you want to call them) using the same Phase 1 SA (VPN gateway). That is one of the reasons why the Phase 1 and Phase 2 definitions are separated, and a major feature of IPsec VPNs.
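
Added example (not part of the thread, and not taken from Cisco documentation or from the customer's configuration): the Cisco IOS side of the arrangement described above, two Phase 2 SAs under one Phase 1 SA, written for a classic crypto-map router such as the customer's 3620. The networks are the ones from the question. Assumptions: the Netscreen's public IP 198.51.100.2, the outside interface Serial0/0, the key placeholder, the object names, and 3DES/SHA with no PFS, which must match the Netscreen proposals.

```text
! Phase 1: a single ISAKMP policy and key for the Netscreen peer.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME address 198.51.100.2
!
! Phase 2 transform set; no "set pfs", so the Netscreen side must use a nopfs proposal.
crypto ipsec transform-set TS-NETSCREEN esp-3des esp-sha-hmac
!
! Crypto ACL: one permit line per encryption domain. IOS negotiates a
! separate IPsec SA pair for each matching line, so these two entries are
! two Phase 2 SAs under the one Phase 1 above. Each line mirrors the
! Netscreen proxy-id exactly: source = customer side, destination = the
! Netscreen's local proxy-id network, masks included.
ip access-list extended ACL-VPN-NETSCREEN
 permit ip 10.95.0.0 0.0.255.255 10.1.27.0 0.0.0.255
 permit ip 10.95.0.0 0.0.255.255 172.19.1.0 0.0.0.15
!
! One crypto map entry, one peer, both encryption domains.
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-NETSCREEN
 match address ACL-VPN-NETSCREEN
!
interface Serial0/0
 crypto map CM-OUTSIDE
```

Nothing here needs a second public IP on either side: the peer address, the pre-shared key and the ISAKMP policy are Phase 1 and stay single; only the crypto ACL grows. An equally valid form is a second entry `crypto map CM-OUTSIDE 20 ipsec-isakmp` with the same `set peer` and its own one-line ACL for 172.19.1.0/28, which is useful if the two domains need different transform sets. After traffic flows, `show crypto isakmp sa` should show one entry for 198.51.100.2 in QM_IDLE and `show crypto ipsec sa` two `local ident` / `remote ident` pairs, one per ACL line. The usual failure mode is a Phase 2 proxy-id mismatch caused by a mask on one side that does not mirror the other (for example 0.0.0.15 on the Cisco against anything other than /28 on the Netscreen).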
Author Comment

by: ecemibm
ID: 33673259
Hi again...

The customer has answered my statements saying that the CISCO avoids doing that because it allows including more than one encryption domain. Is it true?... I'm starting to wonder if the technicians at the customer site have real knowledge about what they are talking about... the problem is that I don't know how the CISCO firewall works...

The question now is... Do you know if I can find a configuration example for this deployment with CISCO equipment?... I'm sure this proof is what I need to convince the customer...
Expert Comment

by: deimark
ID: 33673724
I think that the Cisco guy is not too clued up on his router and is only passing on the info he knows.

As I said before, I would be very surprised if Cisco does not allow multiple VPN domains to be bound to a single GW; it seems to be the fundamental area that is covered by all other major (and most minor) players in the VPN market.

With regards to an example config, this does need to go to a Cisco bod. Perhaps an admin can put out a call for more Cisco experts to comment.