Velocity Reviews - Computer Hardware Reviews

PIX-to-PIX IPSec VPN Tunnel

 
 
Aaron Gitlin
07-21-2006
Hello All,

We have recently inherited a network that has multiple locations with
multiple tunnels over a few PIX units. The existing tunnels work perfectly.
There are three offices: DI, DL and the owner, Dale's, house. There is a
working tunnel between DI and DL, one between DL and Dale and a few from DL
to other offices. We need to configure a tunnel between DI and Dale, but
have had no luck. I have mimicked the existing configuration and attempted to
follow Cisco document 6211 to set up a new tunnel, but I can't seem to get
the configuration to work. crypto isakmp sa shows nothing on either device,
and show crypto ipsec sa does not list anything under inbound or outbound
SAs. Any insight or direction re: this may be helpful. I have provided
configs of the routers (omitting WAN IPs - I confirmed that each WAN IP is
configured correctly). FYI: Dale has a PPPoE DSL connection and a non-static
IP.

Thanks in advance,

Aaron

-----------------------------------------
DL PIX Config

:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <***>
passwd <***>
hostname DL-<***>
domain-name secure.local
clock timezone PST
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-out permit tcp any host <***> eq smtp
access-list acl-out permit tcp any host <***> eq https
access-list acl-out permit tcp any host <***> eq ssh
access-list acl-out permit icmp any any echo-reply
access-list acl-out permit icmp any any unreachable
access-list acl-out permit icmp any any time-exceeded
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list split permit ip 192.168.7.0 255.255.255.0 19
0
access-list RISCbox permit ip host 192.168.7.243 192.168.201.0 255.255.255.0
access-list DI permit ip 192.168.7.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list DL-<***> permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside <***> 255.255.255.248
ip address inside 192.168.7.248 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.201.1-192.168.201.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.7.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp <***> ssh 192.168.7.243 ssh netmask 255.255.255.255 0 0
static (inside,outside) <***> 192.168.7.246 netmask 255.255.255.255 0 0

access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 <***>
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server IAS protocol radiu
aaa-server IAS max-failed-attempts 3
aaa-server IAS deadtime 10
aaa-server IAS (inside) host 192.168.7.246 sH@r3dSEc019 timeout 10
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ntp server 192.168.7.249 source inside
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatibl
crypto ipsec transform-set ENCRYPT1 esp-3des esp-md5-hmac
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 90 set transform-set AES-256 ENCRYPT1
crypto map 1VPN 10 ipsec-isakmp
crypto map 1VPN 10 match address DI
crypto map 1VPN 10 set peer 216.241.48.186
crypto map 1VPN 10 set transform-set AES-256
crypto map 1VPN 15 ipsec-isakmp
crypto map 1VPN 15 match address DL-<***>
crypto map 1VPN 15 set peer 12.176.203.186
crypto map 1VPN 15 set transform-set AES-256
crypto map 1VPN 90 ipsec-isakmp dynamic dynmap
crypto map 1VPN client configuration address initiate
crypto map 1VPN client configuration address respond
crypto map 1VPN interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address <*** DI's IP ***> netmask 255.255.255.255
isakmp key ******** address <***> netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote address-pool vpnpool
vpngroup Remote dns-server 192.168.7.246
vpngroup Remote default-domain <***>
vpngroup Remote split-tunnel split
vpngroup Remote split-dns <***>
vpngroup Remote idle-time 1800
vpngroup Remote authentication-server IAS
vpngroup Remote user-authentication
vpngroup Remote password ********
vpngroup redrock address-pool vpnpool
vpngroup redrock split-tunnel split
vpngroup redrock split-dns ad.deser
vpngroup redrock idle-time 1800
vpngroup redrock password ********
vpngroup nolanMicro address-pool vpnpool
vpngroup nolanMicro split-tunnel RISCbox
vpngroup nolanMicro idle-time 1800
vpngroup nolanMicro password ********
vpngroup DI-Remote address-pool vpnpool
vpngroup DI-Remote dns-server 192.168.7.246
vpngroup DI-Remote default-domain di.local
vpngroup DI-Remote split-tunnel split
vpngroup DI-Remote idle-time 1800
vpngroup DI-Remote authentication-server IAS
vpngroup DI-Remote user-authentication
vpngroup DI-Remote password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username <***> encrypted privilege 15
username <***> encrypted privilege 15
terminal width 80
Cryptochecksum:855acbe960dc96023eae799eafa2bf22
: end


---------
Dale's PIX Config:


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <***> encrypted
passwd <***> encrypted
hostname DLdale-PIX
domain-name <***>
clock timezone PST -8
clock summer-time PST recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NONAT permit ip 192.168.198.16 255.255.255.240 192.168.7.0 255.255.255.0
access-list NONAT permit ip 192.168.198.16 255.255.255.240 10.20.30.0 255.255.255.0
access-list tunnel permit ip 192.168.198.16 255.255.255.240 192.168.7.0 255.255.255.0
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list 2DI permit ip 192.168.198.16 255.255.255.240 10.20.30.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered errors
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.198.17 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list tunnel
nat (inside) 1 192.168.198.16 255.255.255.240 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 128.9.176.30 source outside
ntp server 209.81.9.7 source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set DE-DI esp-des esp-md5-hmac
crypto map PIXRemote 20 ipsec-isakmp
crypto map PIXRemote 20 match address tunnel
crypto map PIXRemote 20 set peer <*** DL's IP ***>
crypto map PIXRemote 20 set transform-set strong
crypto map PIXRemote 25 ipsec-isakmp
crypto map PIXRemote 25 match address 2DI
crypto map PIXRemote 25 set peer <*** DI's IP ***>
crypto map PIXRemote 25 set transform-set DE-DI
crypto map PIXRemote interface outside
isakmp enable outside
isakmp key ******** address <*** DL's IP ***> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <*** DI's IP ***> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.7.0 255.255.255.0 inside
telnet 192.168.198.0 255.255.255.0 inside
telnet 192.168.199.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group sprintDsl request dialout pppoe
vpdn group sprintDsl localname <***>
vpdn group sprintDsl ppp authentication chap
vpdn username <***> password *********
dhcpd address 192.168.198.19-192.168.198.25 inside
dhcpd dns 192.168.7.246
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain <***>
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:0bec5c75b00322ba0d6178f4375d36d0
: end

--------------------------

DI PIX Config:


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <***> encrypted
passwd <***> encrypted
hostname di-pix
domain-name secure.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list SPLIT permit ip 10.20.30.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list nonat permit ip 10.20.30.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list nonat permit ip 10.20.30.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat permit ip 10.20.30.0 255.255.255.0 192.168.198.16 255.255.255.240
access-list acl-out permit icmp any any echo-reply
access-list acl-out permit icmp any any unreachable
access-list acl-out permit icmp any any time-exceeded
access-list DL permit ip 10.20.30.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list DE-home permit ip 10.20.30.0 255.255.255.0 192.168.198.16 255.255.255.240
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside <***> 255.255.255.248
ip address inside 10.20.30.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.254.254.1-10.254.254.5
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 216.241.48.185 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
ntp server 128.9.176.30 source outside
ntp server 209.81.9.7 source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set DI-DE esp-des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set AES-256
crypto map DI-VPN 10 ipsec-isakmp
crypto map DI-VPN 10 match address DL
crypto map DI-VPN 10 set peer <*** DL's IP ***>
crypto map DI-VPN 10 set transform-set AES-256
crypto map DI-VPN 90 ipsec-isakmp dynamic dynmap
crypto map DI-VPN client configuration address initiate
crypto map DI-VPN client configuration address respond
crypto map DI-VPN interface outside
isakmp enable outside
isakmp key ******** address <*** DL's IP ***> netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup secGroup address-pool vpnpool
vpngroup secGroup dns-server 10.20.30.246
vpngroup secGroup default-domain secure.local
vpngroup secGroup split-tunnel SPLIT
vpngroup secGroup split-dns <***>
vpngroup secGroup idle-time 1800
vpngroup secGroup password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
username <***> encrypted privilege 15
username <***> encrypted privilege 15
terminal width 80
Cryptochecksum:e3d5c96f573c0693ea72f426bf22171a
: end
Walter Roberson
07-24-2006
In article <44c1629c$(E-Mail Removed)>,
Aaron Gitlin <(E-Mail Removed)> wrote:
>We have recently inherited a network that has multiple locations with
>multiple tunnels over a few PIX units. The existing tunnels work perfectly.
>There are three offices: DI, DL and the owner, Dale's, house. There is a
>working tunnel between DI and DL, one between DL and Dale and a few from DL
>to other offices. We need to configure a tunnel between DI and Dale, but
>have had no luck.


>DL PIX Config


>access-list split permit ip 192.168.7.0 255.255.255.0 19
>0


Unfortunately that line (or those lines) were munged and I can't
reasonably interpolate what they are in the configuration. If that
line was overly general, it could cause the problem you are seeing.
 

Walter Roberson
07-24-2006
In article <44c1629c$(E-Mail Removed)>,
Aaron Gitlin <(E-Mail Removed)> wrote:

>DL PIX Config


>PIX Version 6.3(5)


>sysopt ipsec pl-compatibl


You never need that anymore. It's a rare PIX that is still running
the Private Link encryption cards.

>crypto ipsec transform-set ENCRYPT1 esp-3des esp-md5-hmac
>crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
>crypto dynamic-map dynmap 90 set transform-set AES-256 ENCRYPT1


>isakmp policy 10 encryption 3des
>isakmp policy 10 hash md5
>isakmp policy 10 group 1
>isakmp policy 10 lifetime 28800


PIX 6.3 limitation: 3DES MD5 is not supported. For 3DES you
should use 3DES SHA Group 2 (Group 1 if you -really- need to.)
DES MD5 Group 1 -is- supported.

>isakmp policy 20 authentication pre-share
>isakmp policy 20 encryption 3des
>isakmp policy 20


Missing end of line there?

>isakmp policy 20 group 2


The default hash is MD5, so unless the missing end of line was
for an SHA hash, the only difference between this and the previous
is that this one is group 2 instead of group 1. But why put the
stronger encryption as lower priority? And if the missing end of
line is SHA, then you do not have a corresponding phase 2 encryption
setup; differences in encryption between the two phases don't cause
problems in theory, but can in practice.


>Dale's PIX Config:


>PIX Version 6.3(3)


There is a PIX security advisory that you can use to take that
to 6.3(5) rebuild even if you do not have a support contract.

>crypto ipsec transform-set strong esp-3des esp-md5-hmac
>crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
>crypto ipsec transform-set DE-DI esp-des esp-md5-hmac


>crypto map PIXRemote 20 set peer <*** DL's IP ***>
>crypto map PIXRemote 20 set transform-set strong


Why not use AES-128? It's actually faster than 3DES on a PIX 501.
AES-256 might only be the same speed as 3DES, but somehow
I doubt you are maxing out the crypto transform rate on this link...

>crypto map PIXRemote 25 set peer <*** DI's IP ***>
>crypto map PIXRemote 25 set transform-set DE-DI


Again, why not AES, considering you are talking to a PIX 6.3?
Or at least 3DES?

>isakmp policy 10 encryption 3des
>isakmp policy 10 hash md5
>isakmp policy 10 group 1


>isakmp policy 20 encryption 3des
>isakmp policy 20 hash md5
>isakmp policy 20 group 2


As per above: why put the strong encryption as lower priority?


>DI PIX Config:


>PIX Version 6.3(4)


You can get that up to 6.3(5) rebuild via the security advisory.

>crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac


You wouldn't even be able to enter that command if you didn't
have a 3DES/AES license, so you might as well take advantage of the
security when communicating with Dale's PIX.

>crypto map DI-VPN client configuration address initiate
>crypto map DI-VPN client configuration address respond


I'd recommend turning those off if Dale is the only client.
Alternately, in the isakmp key that matches Dale's potential range
of IPs, add no-xauth no-config-mode to the line. You don't appear
to have a shared key specific to Dale, but I would suggest that you
should: although he has a dynamic IP, his ISP is only going to give
him an IP from a limited pool, and things get easier for you if you
can allow him to use his internal IP range instead of having him
allocated a link IP by the PIXen.
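A way to check two PIX 6.3 configs against each other for the Phase 1 and Phase 2 mismatches discussed above, as an added example (not from the thread or from Cisco): it parses each side's isakmp policies, crypto maps, dynamic maps, transform-sets and crypto ACLs and reports where a proposal can never be accepted by the peer. The peer addresses are placeholders, Dale's side is taken to have no fixed address so DI can only answer from its dynamic map, and ACL lines using the `host` keyword are not handled.

```python
# Added example, not code from the thread or from Cisco: it parses the IPsec
# lines of two PIX 6.3 configs and reports where the two sides' Phase 1 policies,
# crypto ACLs and transform-sets cannot match. Peer addresses are placeholders.

def parse_pix(text):
    """Collect ip-permit ACLs, transform-sets, crypto maps and isakmp policies."""
    cfg = {"acl": {}, "ts": {}, "map": {}, "dyn": {}, "pol": {}}
    for line in text.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(w[1], []).append(tuple(w[4:8]))  # src mask dst mask
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            ent = cfg["map"].setdefault((w[2], int(w[3])), {})
            if w[4:6] == ["match", "address"]:
                ent["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                ent["peer"] = w[6]
            elif w[4:6] == ["set", "transform-set"]:
                ent["ts"] = w[6:]
            elif w[4:6] == ["ipsec-isakmp", "dynamic"]:
                ent["dynamic"] = w[6]
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
            cfg["dyn"].setdefault(w[2], []).extend(w[6:])
        elif w[:2] == ["isakmp", "policy"] and len(w) == 5:
            cfg["pol"].setdefault(int(w[2]), {})[w[3]] = w[4]  # PIX defaults not filled in
    return cfg

def proposals(cfg, peer_ip):
    """Transform-sets and crypto ACL entries offered to peer_ip. Without a static
    entry for that peer only a dynamic map can answer, so the ACL is None."""
    static = [e for e in cfg["map"].values() if e.get("peer") == peer_ip]
    if static:
        return ({cfg["ts"][n] for e in static for n in e.get("ts", [])},
                [t for e in static for t in cfg["acl"].get(e.get("acl"), [])])
    return ({cfg["ts"][n] for e in cfg["map"].values() if "dynamic" in e
             for n in cfg["dyn"].get(e["dynamic"], [])}, None)

def check_pair(a, b, a_ip, b_ip):
    """Findings for the tunnel between a (at a_ip) and b (at b_ip); [] means consistent."""
    out, key = [], lambda p: (p.get("encryption"), p.get("hash"), p.get("group"))
    if not {key(p) for p in a["pol"].values()} & {key(p) for p in b["pol"].values()}:
        out.append("phase1: no isakmp policy with matching encryption/hash/group")
    (ts_a, acl_a), (ts_b, acl_b) = proposals(a, b_ip), proposals(b, a_ip)
    if not ts_a & ts_b:
        out.append(f"phase2: no common transform-set ({sorted(ts_a)} vs {sorted(ts_b)})")
    for acl, peer, who in ((acl_a, b, "b"), (acl_b, a, "a")):  # mirror ACL defined but unbound
        mirror = [(d, dm, s, sm) for s, sm, d, dm in acl or []]
        bound = {e.get("acl") for e in peer["map"].values()}
        out += [f"phase2: {who} defines ACL {n} for this traffic but binds it to no crypto map"
                for n, ents in peer["acl"].items() if ents == mirror and n not in bound]
    return out

# Constructed excerpts of the Dale and DI configs from the thread; DI's address is a
# placeholder and Dale's is dynamic, so DI has no static entry for it.
DALE = """\
access-list 2DI permit ip 192.168.198.16 255.255.255.240 10.20.30.0 255.255.255.0
crypto ipsec transform-set DE-DI esp-des esp-md5-hmac
crypto map PIXRemote 25 ipsec-isakmp
crypto map PIXRemote 25 match address 2DI
crypto map PIXRemote 25 set peer 203.0.113.10
crypto map PIXRemote 25 set transform-set DE-DI
isakmp policy 5 encryption aes-256
"""
DI = """\
access-list DE-home permit ip 10.20.30.0 255.255.255.0 192.168.198.16 255.255.255.240
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 90 set transform-set AES-256
crypto map DI-VPN 90 ipsec-isakmp dynamic dynmap
isakmp policy 5 encryption aes-256
"""
FINDINGS = check_pair(parse_pix(DALE), parse_pix(DI), "198.51.100.7", "203.0.113.10")
print("\n".join(FINDINGS))
```

Run on these excerpts it reports that DI's dynamic map offers only AES-256/SHA against Dale's DES/MD5 proposal, and that DI's DE-home ACL, which mirrors Dale's 2DI, is bound to no crypto map entry.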

 

Aaron Gitlin
07-24-2006
Wow...Thank you Walter! I will take a look at your suggestions and work
from there - these pointers are exactly what I needed.

Thanks again, I'll post and let you know how this turns out,