PIX-to-PIX IPSec VPN Tunnel

Discussion in 'Cisco' started by Aaron Gitlin, Jul 22, 2006.

  1. Aaron Gitlin


    Hello All,

    We have recently inherited a network that has multiple locations with
    multiple tunnels over a few PIX units. The existing tunnels work perfectly.
    There are three offices: DI, DL and the owner, Dale's, house. There is a
    working tunnel between DI and DL, one between DL and Dale and a few from DL
    to other offices. We need to configure a tunnel between DI and Dale, but
    have had no luck. I have mimicked the existing configuration, attempted to
    follow Cisco document 6211 to set up a new tunnel, but I can't seem to get
    the configuration to work. crypto isakmp sa shows nothing on either device,
    and show crypto ipsec sa does not list anything under inbound or outbound
    SAs. Any insight or direction re: this may be helpful. I have provided
    configs of the routers (omitting WAN IPs - I confirmed that each WAN IP is
    configured correctly). FYI: Dale has a PPPoE DSL connection and a non-static
    IP.

    Thanks in advance,

    Aaron

    -----------------------------------------
    DL PIX Config

    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password <***>
    passwd <***>
    hostname DL-<***>
    domain-name secure.local
    clock timezone PST
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl-out permit tcp any host <***> eq smtp
    access-list acl-out permit tcp any host <***> eq https
    access-list acl-out permit tcp any host <***> eq ssh
    access-list acl-out permit icmp any any echo-reply
    access-list acl-out permit icmp any any unreachable
    access-list acl-out permit icmp any any time-exceeded
    access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.201.0 255.255.255.0
    access-list nonat permit ip 192.168.7.0 255.255.255.0 10.20.30.0 255.255.255.0
    access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0

    access-list split permit ip 192.168.7.0 255.255.255.0 19
    0
    access-list RISCbox permit ip host 192.168.7.243 192.168.201.0 255.255.255.0
    access-list DI permit ip 192.168.7.0 255.255.255.0 10.20.30.0 255.255.255.0
    access-list DL-<***> permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside <***> 255.255.255.248
    ip address inside 192.168.7.248 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.201.1-192.168.201.50
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.7.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp <***> ssh 192.168.7.243 ssh netmask 255.255.255.255 0 0
    static (inside,outside) <***> 192.168.7.246 netmask 255.255.255.255 0 0

    access-group acl-out in interface outside
    route outside 0.0.0.0 0.0.0.0 <***>
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server IAS protocol radiu
    aaa-server IAS max-failed-attempts 3
    aaa-server IAS deadtime 10
    aaa-server IAS (inside) host 192.168.7.246 sH@r3dSEc019 timeout 10
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    ntp server 192.168.7.249 source inside
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt ipsec pl-compatibl
    crypto ipsec transform-set ENCRYPT1 esp-3des esp-md5-hmac
    crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
    crypto dynamic-map dynmap 90 set transform-set AES-256 ENCRYPT1
    crypto map 1VPN 10 ipsec-isakmp
    crypto map 1VPN 10 match address DI
    crypto map 1VPN 10 set peer 216.241.48.186
    crypto map 1VPN 10 set transform-set AES-256
    crypto map 1VPN 15 ipsec-isakmp
    crypto map 1VPN 15 match address DL-<***>
    crypto map 1VPN 15 set peer 12.176.203.186
    crypto map 1VPN 15 set transform-set AES-256
    crypto map 1VPN 90 ipsec-isakmp dynamic dynmap
    crypto map 1VPN client configuration address initiate
    crypto map 1VPN client configuration address respond
    crypto map 1VPN interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp key ******** address <*** DI's IP ***> netmask 255.255.255.255
    isakmp key ******** address <***> netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10 3
    isakmp nat-traversal 20
    isakmp policy 5 authentication pre-share
    isakmp policy 5 encryption aes-256
    isakmp policy 5 hash sha
    isakmp policy 5 group 5
    isakmp policy 5 lifetime 28800
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption aes-256
    isakmp policy 7 hash sha
    isakmp policy 7 group 2
    isakmp policy 7 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 28800
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Remote address-pool vpnpool
    vpngroup Remote dns-server 192.168.7.246
    vpngroup Remote default-domain <***>
    vpngroup Remote split-tunnel split
    vpngroup Remote split-dns <***>
    vpngroup Remote idle-time 1800
    vpngroup Remote authentication-server IAS
    vpngroup Remote user-authentication
    vpngroup Remote password ********
    vpngroup redrock address-pool vpnpool
    vpngroup redrock split-tunnel split
    vpngroup redrock split-dns ad.deser
    vpngroup redrock idle-time 1800
    vpngroup redrock password ********
    vpngroup nolanMicro address-pool vpnpool
    vpngroup nolanMicro split-tunnel RISCbox
    vpngroup nolanMicro idle-time 1800
    vpngroup nolanMicro password ********
    vpngroup DI-Remote address-pool vpnpool
    vpngroup DI-Remote dns-server 192.168.7.246
    vpngroup DI-Remote default-domain di.local
    vpngroup DI-Remote split-tunnel split
    vpngroup DI-Remote idle-time 1800
    vpngroup DI-Remote authentication-server IAS
    vpngroup DI-Remote user-authentication
    vpngroup DI-Remote password ********
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    username <***> encrypted privilege 15
    username <***> encrypted privilege 15
    terminal width 80
    Cryptochecksum:855acbe960dc96023eae799eafa2bf22
    : end


    ---------
    Dale's PIX Config:


    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password <***> encrypted
    passwd <***> encrypted
    hostname DLdale-PIX
    domain-name <***>
    clock timezone PST -8
    clock summer-time PST recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list NONAT permit ip 192.168.198.16 255.255.255.240 192.168.7.0 255.255.255.0
    access-list NONAT permit ip 192.168.198.16 255.255.255.240 10.20.30.0 255.255.255.0
    access-list tunnel permit ip 192.168.198.16 255.255.255.240 192.168.7.0 255.255.255.0
    access-list acl_out permit icmp any any echo-reply
    access-list acl_out permit icmp any any time-exceeded
    access-list 2DI permit ip 192.168.198.16 255.255.255.240 10.20.30.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging buffered errors
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.198.17 255.255.255.240
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list tunnel
    nat (inside) 1 192.168.198.16 255.255.255.240 0 0
    access-group acl_out in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 128.9.176.30 source outside
    ntp server 209.81.9.7 source outside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set DE-DI esp-des esp-md5-hmac
    crypto map PIXRemote 20 ipsec-isakmp
    crypto map PIXRemote 20 match address tunnel
    crypto map PIXRemote 20 set peer <*** DL's IP ***>
    crypto map PIXRemote 20 set transform-set strong
    crypto map PIXRemote 25 ipsec-isakmp
    crypto map PIXRemote 25 match address 2DI
    crypto map PIXRemote 25 set peer <*** DI's IP ***>
    crypto map PIXRemote 25 set transform-set DE-DI
    crypto map PIXRemote interface outside
    isakmp enable outside
    isakmp key ******** address <*** DL's IP ***> netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address <*** DI's IP ***> netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp keepalive 10 3
    isakmp nat-traversal 20
    isakmp policy 5 authentication pre-share
    isakmp policy 5 encryption aes-256
    isakmp policy 5 hash sha
    isakmp policy 5 group 5
    isakmp policy 5 lifetime 28800
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption aes-256
    isakmp policy 7 hash sha
    isakmp policy 7 group 2
    isakmp policy 7 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.7.0 255.255.255.0 inside
    telnet 192.168.198.0 255.255.255.0 inside
    telnet 192.168.199.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group sprintDsl request dialout pppoe
    vpdn group sprintDsl localname <***>
    vpdn group sprintDsl ppp authentication chap
    vpdn username <***> password *********
    dhcpd address 192.168.198.19-192.168.198.25 inside
    dhcpd dns 192.168.7.246
    dhcpd lease 86400
    dhcpd ping_timeout 750
    dhcpd domain <***>
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:0bec5c75b00322ba0d6178f4375d36d0
    : end

    --------------------------

    DI PIX Config:


    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password <***> encrypted
    passwd <***> encrypted
    hostname di-pix
    domain-name secure.local
    clock timezone PST -8
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list SPLIT permit ip 10.20.30.0 255.255.255.0 10.254.254.0 255.255.255.0
    access-list nonat permit ip 10.20.30.0 255.255.255.0 10.254.254.0 255.255.255.0
    access-list nonat permit ip 10.20.30.0 255.255.255.0 192.168.7.0 255.255.255.0
    access-list nonat permit ip 10.20.30.0 255.255.255.0 192.168.198.16 255.255.255.240
    access-list acl-out permit icmp any any echo-reply
    access-list acl-out permit icmp any any unreachable
    access-list acl-out permit icmp any any time-exceeded
    access-list DL permit ip 10.20.30.0 255.255.255.0 192.168.7.0 255.255.255.0
    access-list DE-home permit ip 10.20.30.0 255.255.255.0 192.168.198.16 255.255.255.240
    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside <***> 255.255.255.248
    ip address inside 10.20.30.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 10.254.254.1-10.254.254.5
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl-out in interface outside
    route outside 0.0.0.0 0.0.0.0 216.241.48.185 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    ntp server 128.9.176.30 source outside
    ntp server 209.81.9.7 source outside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set DI-DE esp-des esp-md5-hmac
    crypto dynamic-map dynmap 90 set transform-set AES-256
    crypto map DI-VPN 10 ipsec-isakmp
    crypto map DI-VPN 10 match address DL
    crypto map DI-VPN 10 set peer <*** DL's IP ***>
    crypto map DI-VPN 10 set transform-set AES-256
    crypto map DI-VPN 90 ipsec-isakmp dynamic dynmap
    crypto map DI-VPN client configuration address initiate
    crypto map DI-VPN client configuration address respond
    crypto map DI-VPN interface outside
    isakmp enable outside
    isakmp key ******** address <*** DL's IP ***> netmask 255.255.255.255
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp keepalive 10 3
    isakmp nat-traversal 20
    isakmp policy 5 authentication pre-share
    isakmp policy 5 encryption aes-256
    isakmp policy 5 hash sha
    isakmp policy 5 group 5
    isakmp policy 5 lifetime 28800
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption aes-256
    isakmp policy 7 hash sha
    isakmp policy 7 group 2
    isakmp policy 7 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup secGroup address-pool vpnpool
    vpngroup secGroup dns-server 10.20.30.246
    vpngroup secGroup default-domain secure.local
    vpngroup secGroup split-tunnel SPLIT
    vpngroup secGroup split-dns <***>
    vpngroup secGroup idle-time 1800
    vpngroup secGroup password ********
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    username <***> encrypted privilege 15
    username <***> encrypted privilege 15
    terminal width 80
    Cryptochecksum:e3d5c96f573c0693ea72f426bf22171a
    : end
    Aaron Gitlin, Jul 22, 2006
    #1

  2. In article <44c1629c$>,
    Aaron Gitlin <> wrote:
    >We have recently inherited a network that has multiple locations with
    >multiple tunnels over a few PIX units. The existing tunnels work perfectly.
    >There are three offices: DI, DL and the owner, Dale's, house. There is a
    >working tunnel between DI and DL, one between DL and Dale and a few from DL
    >to other offices. We need to configure a tunnel between DI and Dale, but
    >have had no luck.


    >DL PIX Config


    >access-list split permit ip 192.168.7.0 255.255.255.0 19
    >0


    Unfortunately that line (or those lines) were munged and I can't
    reasonably interpolate what they are in the configuration. If that
    line was overly general, it could cause the problem you are seeing.
    Walter Roberson, Jul 24, 2006
    #2

  3. In article <44c1629c$>,
    Aaron Gitlin <> wrote:

    >DL PIX Config


    >PIX Version 6.3(5)


    >sysopt ipsec pl-compatibl


    You never need that anymore. It's a rare PIX that is still running
    the Private Link encryption cards.

    >crypto ipsec transform-set ENCRYPT1 esp-3des esp-md5-hmac
    >crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
    >crypto dynamic-map dynmap 90 set transform-set AES-256 ENCRYPT1


    >isakmp policy 10 encryption 3des
    >isakmp policy 10 hash md5
    >isakmp policy 10 group 1
    >isakmp policy 10 lifetime 28800


    PIX 6.3 limitation: 3DES MD5 is not supported. For 3DES you
    should use 3DES SHA Group 2 (Group 1 if you -really- need to.)
    DES MD5 Group 1 -is- supported.

    >isakmp policy 20 authentication pre-share
    >isakmp policy 20 encryption 3des
    >isakmp policy 20


    Missing end of line there?

    >isakmp policy 20 group 2


    The default hash is MD5, so unless the missing end of line was
    for an SHA hash, the only difference between this and the previous
    is that this one is group 2 instead of group 1. But why put the
    stronger encryption as lower priority? And if the missing end of
    line is SHA, then you do not have a corresponding phase 2 encryption
    setup; differences in encryption between the two phases don't cause
    problems in theory, but can in practice.


    >Dale's PIX Config:


    >PIX Version 6.3(3)


    There is a PIX security advisory that you can use to take that
    to 6.3(5) rebuild even if you do not have a support contract.

    >crypto ipsec transform-set strong esp-3des esp-md5-hmac
    >crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
    >crypto ipsec transform-set DE-DI esp-des esp-md5-hmac


    >crypto map PIXRemote 20 set peer <*** DL's IP ***>
    >crypto map PIXRemote 20 set transform-set strong


    Why not use AES-128? It's actually faster than 3DES on a PIX 501.
    AES-256 might only be able to do the same speed as 3DES, but somehow
    I doubt you are maxing out the crypto transform rate on this link...

    >crypto map PIXRemote 25 set peer <*** DI's IP ***>
    >crypto map PIXRemote 25 set transform-set DE-DI


    Again, why not AES, considering you are talking to a PIX 6.3?
    Or at least 3DES?

    >isakmp policy 10 encryption 3des
    >isakmp policy 10 hash md5
    >isakmp policy 10 group 1


    >isakmp policy 20 encryption 3des
    >isakmp policy 20 hash md5
    >isakmp policy 20 group 2


    As per above: why put the strong encryption as lower priority?


    >DI PIX Config:


    >PIX Version 6.3(4)


    You can get that up to 6.3(5) rebuild via the security advisory.

    >crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac


    You wouldn't even be able to enter that command if you didn't
    have a 3DES/AES license, so you might as well take advantage of the
    security when communicating with Dale's PIX.

    >crypto map DI-VPN client configuration address initiate
    >crypto map DI-VPN client configuration address respond


    I'd recommend turning those off if Dale is the only client.
    Alternately, in the isakmp key that matches Dale's potential range
    of IPs, add no-xauth no-config-mode to the line. You don't appear
    to have a shared key specific to Dale, but I would suggest that you
    should: although he has a dynamic IP, his ISP is only going to give
    him an IP from a limited pool, and things get easier for you if you
    can allow him to use his internal IP range instead of having him
    allocated a link IP by the PIXen.
    Walter Roberson, Jul 24, 2006
    #3
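The phase 2 mismatch Walter is circling can be checked mechanically. The Python script below is an added example, not anything from the thread or from Cisco: it parses the crypto sections excerpted from the three posted configs (peer placeholders kept as posted), and for one crypto-map entry on a peer reports which entries on the other peer share an ESP transform set, plus whether the two crypto ACLs are mirror images. The function names (`parse_pix`, `proposals`, `negotiable`, `mirrored`) are mine.

```python
"""Cross-check the IPsec (phase 2) side of two PIX 6.3 peers: a site-to-site
tunnel needs one identical ESP transform set on the crypto-map entries that
face each other, and crypto ACLs that mirror. Config excerpts are lifted from
the thread (placeholders kept); the checker itself is an added example."""

DL_CFG = """
access-list DI permit ip 192.168.7.0 255.255.255.0 10.20.30.0 255.255.255.0
crypto ipsec transform-set ENCRYPT1 esp-3des esp-md5-hmac
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto map 1VPN 10 ipsec-isakmp
crypto map 1VPN 10 match address DI
crypto map 1VPN 10 set transform-set AES-256
"""
DALE_CFG = """
access-list 2DI permit ip 192.168.198.16 255.255.255.240 10.20.30.0 255.255.255.0
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set DE-DI esp-des esp-md5-hmac
crypto map PIXRemote 25 ipsec-isakmp
crypto map PIXRemote 25 match address 2DI
crypto map PIXRemote 25 set peer <*** DI's IP ***>
crypto map PIXRemote 25 set transform-set DE-DI
"""
DI_CFG = """
access-list DL permit ip 10.20.30.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list DE-home permit ip 10.20.30.0 255.255.255.0 192.168.198.16 255.255.255.240
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set DI-DE esp-des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set AES-256
crypto map DI-VPN 10 ipsec-isakmp
crypto map DI-VPN 10 match address DL
crypto map DI-VPN 10 set transform-set AES-256
crypto map DI-VPN 90 ipsec-isakmp dynamic dynmap
"""


def parse_pix(text):
    """Collect transform-sets, crypto ACLs, and crypto-map / dynamic-map entries."""
    cfg = {"ts": {}, "acl": {}, "entries": {}}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][w[3]] = tuple(sorted(w[4:]))  # ESP alg order is irrelevant
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(w[1], []).append(tuple(w[4:8]))  # src smask dst dmask
        elif w[0] == "crypto" and w[1] in ("map", "dynamic-map") and w[3].isdigit():
            key = (w[1], w[2], w[3])  # (kind, map name, sequence number)
            e = cfg["entries"].setdefault(key, {"ts": set(), "acl": None, "dyn": None})
            rest = w[4:]
            if rest[:2] == ["set", "transform-set"]:
                e["ts"] |= {cfg["ts"][n] for n in rest[2:]}  # an entry may list several
            elif rest[:2] == ["match", "address"]:
                e["acl"] = rest[2]
            elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
                e["dyn"] = rest[2]  # static entry that defers to a dynamic map
    return cfg


def proposals(cfg, map_name):
    """(label, transform sets, crypto ACL or None) per entry; dynamic maps expanded."""
    out = []
    for (kind, name, seq), e in sorted(cfg["entries"].items()):
        if kind != "map" or name != map_name:
            continue
        if e["dyn"] is None:
            out.append((f"{name} {seq}", e["ts"], e["acl"]))
            continue
        for (k2, n2, s2), d in sorted(cfg["entries"].items()):
            if k2 == "dynamic-map" and n2 == e["dyn"]:
                out.append((f"{name} {seq} -> dynamic {n2} {s2}", d["ts"], None))
    return out


def negotiable(cfg_a, map_a, seq_a, cfg_b, map_b):
    """Entries of map_b on peer B that share a transform set with seq_a on peer A."""
    ours = cfg_a["entries"][("map", map_a, seq_a)]["ts"]
    return [(lbl, ours & ts) for lbl, ts, _ in proposals(cfg_b, map_b) if ours & ts]


def mirrored(acl_a, acl_b):
    """True when every src/dst pair of acl_a appears reversed in acl_b."""
    flipped = {(d, dm, s, sm) for s, sm, d, dm in acl_b}
    return bool(acl_a) and set(acl_a) <= flipped


if __name__ == "__main__":
    dl, dale, di = parse_pix(DL_CFG), parse_pix(DALE_CFG), parse_pix(DI_CFG)
    print("DL 1VPN 10 vs DI:", negotiable(dl, "1VPN", "10", di, "DI-VPN"))
    print("Dale PIXRemote 25 vs DI:", negotiable(dale, "PIXRemote", "25", di, "DI-VPN"))
    print("2DI mirrors DE-home:", mirrored(dale["acl"]["2DI"], di["acl"]["DE-home"]))
```

Run as posted, the DL/DI pair agrees on AES-256 (the working tunnel), while Dale's PIXRemote 25 offers only DE-DI (esp-des esp-md5-hmac) and the only DI entry that can answer an unlisted peer is dynmap, which offers AES-256 alone, so no transform set is ever shared even though 2DI and DE-home do mirror.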
  4. Aaron Gitlin


    Wow...Thank you Walter! I will take a look at your suggestions and work
    from there - these pointers are exactly what I needed.

    Thanks again, I'll post and let you know how this turns out,


    Aaron Gitlin, Jul 24, 2006
    #4
