List: sidewinder
Subject: Re: [Sidewinder] IPSec tunnel to a PIX firewall
From: Franz Herrmann <herrmann () symbiose ! com>
Date: 2002-01-09 17:58:12
Hello Jim,
E.g. if you want to do a VPN between net 172.16.1.0/24 behind the PIX and
172.16.10.0/24 behind the Sidewinder, the placeholders would be:
<NET-Address behind PIX> 172.16.1.0
<Netmask behind PIX> 255.255.255.0
<NET-Address behind Sidewinder> 172.16.10.0
<Netmask behind Sidewinder> 255.255.255.0
<ext. IP-Address of sidewinder> is the external IP address of the Sidewinder
through which the VPN should be established.
Extract of the configuration on the PIX (the corresponding parameters in
the definition of the SA on Sidewinder should be obvious):
access-list acl_vpn permit ip <NET-Address behind PIX> <Netmask behind PIX> <NET-Address behind Sidewinder> <Netmask behind Sidewinder>
...
access-list acl_in permit ip <NET-Address behind PIX> <Netmask behind PIX> <NET-Address behind Sidewinder> <Netmask behind Sidewinder>
access-list acl_in permit ... other Rules to allow access to Internet,
e.g. http, ftp, https
access-list 80 permit ip <NET-Address behind PIX> <Netmask behind PIX> <NET-Address behind Sidewinder> <Netmask behind Sidewinder>
...
access-group acl_in in interface inside
...
nat (inside) 0 access-list 80
...
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map map_2Sidewinder 20 ipsec-isakmp
crypto map map_2Sidewinder 20 match address acl_vpn
crypto map map_2Sidewinder 20 set peer <ext. IPAddress Sidewinder>
crypto map map_2Sidewinder 20 set transform-set strong
crypto map map_2Sidewinder interface outside
isakmp enable outside
isakmp key <PRE-SHARED KEY> address <ext. IPAddress Sidewinder> netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
For the access-list to filter traffic going through the internal
interface you must allow traffic between the two nets connected via VPN.
This is done with elements in acl_in in the example above.
The access-list 80 is used to decide what kind of traffic should not run
through NAT. This should be the traffic between the two nets you want to
connect via VPN.
The acl_vpn defines which nets are to be negotiated during setup of the SA.
One of the common points one can easily forget is to set "isakmp
identity address" and not the name of the PIX, as the standard would be.
We have several PIXes (PIX OS 6.0.1 and higher) running very stably with
Sidewinders.
Hope this helps,
Best regards
Franz Herrmann
software symbiose gmbh
hundingstrasse 12
95445 bayreuth
germany
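As an added sanity check that is not part of the post and not Cisco or Secure Computing code: a small Python script that parses a PIX extract like the one above and verifies the consistency rules described in the reply, namely that the crypto map's match ACL, the NAT-exempt ACL and the inside filter ACL all cover the same VPN net pair, that the crypto-map peer matches the isakmp key address, and that "isakmp identity address" is set. The sample config, the peer address 192.0.2.10 and the key placeholder are constructed.

```python
import re
# Constructed example (not from the post): the extract above with placeholders
# filled in (nets from the post, RFC 5737 peer address, key still a placeholder).
SAMPLE_CONFIG = """\
access-list acl_vpn permit ip 172.16.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list acl_in permit ip 172.16.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list acl_in permit tcp any any eq 80
access-list 80 permit ip 172.16.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-group acl_in in interface inside
nat (inside) 0 access-list 80
crypto map map_2Sidewinder 20 match address acl_vpn
crypto map map_2Sidewinder 20 set peer 192.0.2.10
isakmp key <PRE-SHARED KEY> address 192.0.2.10 netmask 255.255.255.255
isakmp identity address
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+ \S+ \S+ \S+)$")  # src mask dst mask
PATTERNS = {
    "inside": re.compile(r"^access-group (\S+) in interface inside$"),
    "nat0": re.compile(r"^nat \(inside\) 0 access-list (\S+)$"),
    "match": re.compile(r"^crypto map \S+ \d+ match address (\S+)$"),
    "peer": re.compile(r"^crypto map \S+ \d+ set peer (\S+)$"),
    "key": re.compile(r"^isakmp key .+ address (\S+) netmask 255\.255\.255\.255$"),
    "identity": re.compile(r"^isakmp identity (\S+)$"),
}
def check_pix_vpn_config(config):
    """Return a list of findings; an empty list means the extract is consistent."""
    acls, found = {}, {}  # acl name -> set of net pairs; pattern name -> captured value
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), set()).add(m.group(2))
            continue
        for name, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                found[name] = m.group(1)
    findings = []
    vpn_nets = acls.get(found.get("match"), set())  # net pairs the crypto map negotiates
    if not vpn_nets:
        findings.append("crypto map references no access-list with a net pair")
    for role, acl in (("NAT exemption", found.get("nat0")), ("inside filter", found.get("inside"))):
        missing = vpn_nets - acls.get(acl, set())  # NAT-exempt and inside ACLs must cover the VPN pair
        if missing:
            findings.append(f"{role} access-list {acl} lacks VPN net pair(s): {sorted(missing)}")
    if found.get("peer") != found.get("key"):
        findings.append("crypto map peer and isakmp key address differ")
    if found.get("identity") != "address":
        findings.append("'isakmp identity address' is not set")
    return findings
```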
James C. McDonald wrote:
> Does anyone have experience establishing
> an IPSec tunnel between a sidewinder (v5.2.0.01)
> and a Cisco PIX firewall?
>
> I'm trying to set up a 3des pre-shared secret
> ISAKMP tunnel.
>
> I've tried
> - the default settings
> - SHA1 and MD5 crypto hash
> - tried enabling and disabling PFS
> - called Secure Computing
>
> but so far no luck.
>
> A showaudit -v on my end shows:
> Received transaction exchange with unsupported attribute payload type:
> SET(3), packet dropped|
>
> Any ideas or help are appreciated.
>
> thanks,
> Jim C. McDonald
> _______________________________________________
> Sidewinder mailing list
> Sidewinder@adeptech.com
> http://mail.adeptech.com/mailman/listinfo/sidewinder