Mixed vendor site-to-site VPNs ... lot of fun

Discussion in 'Cisco' started by babzek, Aug 20, 2007.

  1. babzek


    Hello everyone,

    I posted this in the hardware section, but then I realized that all the posts I was reading were from this part of the forum, so I reposted it here.

    I have been pulling the remainder of my hair out for the past couple of weeks, and this site has been a godsend for a lot of explanations.

    I'm trying to set up a VPN connection between 1 central office and 2 branches.
    The central office has a PIX 501, one branch a SonicWall TZ170, the other a Zywall 5.

    I have managed to set up the VPN between the SonicWall and the PIX, but between the PIX and the Zywall, it's proving more ... challenging.

    For a while I had it set up, but it would disconnect every 10-15 minutes and I had to clear the IPsec associations on the PIX, do a ping, and it would come back up.

    Now that I have upgraded the firmware of the Zywall, the tunnel is up, but nothing goes through apart from the keepalive packets, shown in the logs on both sides.

    I read that when there was no traffic, it was, most of the time, because the authentication was similar between phase 1 and phase 2 of the process.
    They're not in this case.

    Here is the setup:

    Site A (central office): LAN A 192.168.4.xxx -- PIX 501 inside / PIX 501 outside -- SpeedTouch 530 ADSL -- Internet
    Site B (branch): Internet -- 88.xx.xx.xx ADSL modem -- Zywall 5 outside / Zywall 5 inside -- LAN B 192.168.2.xxx
    Site C (branch): Internet -- ADSL modem -- SonicWall TZ170 outside / SonicWall TZ170 inside -- LAN C 192.168.1.xx

    The Zywall conf:

    firmware: V4.02(XD.1) | 06/12/2007
    IKE: DES-MD5-28800-DH1
    IPSEC: Tunnel-ESP-3DES-SHA1-28800-DH1

    The Pix conf:
    : Saved
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *************** encrypted
    passwd **************** encrypted
    hostname pixfirewall
    domain-name arcanoarando.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name Almagro
    access-list 110 permit ip Almagro
    access-list 130 permit ip
    access-list acl_out permit icmp any any
    access-list 100 permit ip Almagro
    access-list 100 permit ip
    pager lines 24
    logging on
    logging timestamp
    logging host inside 6/1470
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location inside
    pdm location Almagro outside
    pdm location outside
    pdm location outside
    pdm location inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0 0
    access-group acl_out in interface outside
    route outside 1
    route outside 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set myset esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map almagro 10 ipsec-isakmp
    crypto map almagro 10 match address 110
    crypto map almagro 10 set pfs
    crypto map almagro 10 set peer xx.xx.xx.xx
    crypto map almagro 10 set transform-set ESP-3DES-SHA
    crypto map almagro 30 ipsec-isakmp
    crypto map almagro 30 match address 130
    crypto map almagro 30 set pfs group2
    crypto map almagro 30 set peer yy.yy.yy.yy
    crypto map almagro 30 set transform-set myset
    crypto map almagro interface outside
    isakmp enable outside
    isakmp key ******** address yy.yy.yy.yy netmask no-xauth no-config-mode
    isakmp key ******** address xx.xx.xx.xx netmask no-xauth no-config-mode
    isakmp keepalive 60 60
    isakmp nat-traversal 20
    isakmp log 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 280
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username admin password *************** encrypted privilege 15
    terminal width 80
    : end

    So I'm new to this VPN stuff, and all the more to Cisco, so I'm sure it's something stupid, but I can't figure it out.

    Anyway, thanks to those who read it all, thanks in advance for your help.
    babzek, Aug 20, 2007
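The hint in the post (compare what each side offers for IKE phase 1 and IPsec phase 2 before touching anything else) is the kind of check that is easy to get wrong by eye when the two vendors present their proposals differently. The script below is an added example, not code from the thread or from either vendor: it parses the crypto-relevant lines of a PIX 6.3 config (transform sets, crypto map entries, ISAKMP policies) and the Zywall's one-line IKE/IPSEC summaries as quoted above, then reports where the proposals for a given peer disagree. It assumes documentation-range placeholder peer addresses (192.0.2.10 and 198.51.100.30) in place of the masked xx.xx.xx.xx / yy.yy.yy.yy, and relies on the PIX 6.3 behaviour that `set pfs` with no group argument means group 1. Lifetime differences are reported as informational only, since IKEv1 peers normally settle on the shorter value rather than failing.

```python
"""Compare IKE phase 1 / IPsec phase 2 proposals between a PIX 6.3 config
excerpt and a peer summarised the way the Zywall GUI shows it.
Added example for the thread above; not vendor code."""

# Constructed excerpt of the crypto lines from the posted PIX config.
# Peer addresses are placeholders (the post masks them as xx.xx.xx.xx / yy.yy.yy.yy).
PIX_CONFIG = """
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map almagro 10 ipsec-isakmp
crypto map almagro 10 match address 110
crypto map almagro 10 set pfs
crypto map almagro 10 set peer 192.0.2.10
crypto map almagro 10 set transform-set ESP-3DES-SHA
crypto map almagro 30 ipsec-isakmp
crypto map almagro 30 match address 130
crypto map almagro 30 set pfs group2
crypto map almagro 30 set peer 198.51.100.30
crypto map almagro 30 set transform-set myset
crypto map almagro interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 280
"""

# Zywall summary strings exactly as quoted in the post.
ZYWALL_IKE = "DES-MD5-28800-DH1"
ZYWALL_IPSEC = "Tunnel-ESP-3DES-SHA1-28800-DH1"

# PIX transform-set keywords mapped to the vendor-neutral names the Zywall uses.
ESP_NAMES = {"esp-des": "DES", "esp-3des": "3DES", "esp-aes": "AES",
             "esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1"}


def parse_pix(config):
    """Return (isakmp_policies, phase-2 settings keyed by peer address)."""
    tsets, policies, maps = {}, {}, {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[parts[3]] = {"enc": ESP_NAMES[parts[4]], "hash": ESP_NAMES[parts[5]]}
        elif parts[:2] == ["crypto", "map"]:
            entry = maps.setdefault((parts[2], parts[3]), {"pfs": None})
            if parts[4:6] == ["set", "pfs"]:
                # PIX 6.3: "set pfs" without a group keyword selects group 1
                entry["pfs"] = parts[6].replace("group", "DH") if len(parts) > 6 else "DH1"
            elif parts[4:6] == ["set", "peer"]:
                entry["peer"] = parts[6]
            elif parts[4:6] == ["set", "transform-set"]:
                entry["transform"] = parts[6]
        elif parts[:2] == ["isakmp", "policy"]:
            policies.setdefault(parts[2], {})[parts[3]] = " ".join(parts[4:])
    by_peer = {}
    for entry in maps.values():
        if "peer" in entry:  # skip the "crypto map ... interface outside" binding
            ts = tsets[entry["transform"]]
            by_peer[entry["peer"]] = {"enc": ts["enc"], "hash": ts["hash"], "pfs": entry["pfs"]}
    return policies, by_peer


def parse_zywall(ike, ipsec):
    """Split 'ENC-HASH-LIFETIME-DHx' and 'Tunnel-ESP-ENC-HASH-LIFETIME-DHx'."""
    enc, hsh, life, dh = ike.split("-")
    _, _, enc2, hsh2, life2, dh2 = ipsec.split("-")
    return ({"enc": enc, "hash": hsh, "lifetime": int(life), "dh": dh},
            {"enc": enc2, "hash": hsh2, "lifetime": int(life2), "pfs": dh2})


def compare(policies, by_peer, peer, zy_p1, zy_p2):
    """Return a list of (severity, message) findings for one peer."""
    findings, p1_match = [], False
    for num, pol in policies.items():
        if (pol.get("encryption", "").upper() == zy_p1["enc"]
                and pol.get("hash", "").upper() == zy_p1["hash"]
                and "DH" + pol.get("group", "") == zy_p1["dh"]):
            p1_match = True
            life = int(pol.get("lifetime", 86400))  # PIX default when unset
            if life != zy_p1["lifetime"]:
                findings.append(("info", f"phase 1 lifetime differs: PIX policy {num} {life}s vs peer {zy_p1['lifetime']}s"))
    if not p1_match:
        findings.append(("mismatch", "no ISAKMP policy matches the peer's phase 1 proposal"))
    p2 = by_peer[peer]
    for field in ("enc", "hash", "pfs"):
        if p2[field] != zy_p2[field]:
            findings.append(("mismatch", f"phase 2 {field}: PIX {p2[field]} vs peer {zy_p2[field]}"))
    return findings


if __name__ == "__main__":
    pols, peers = parse_pix(PIX_CONFIG)
    p1, p2 = parse_zywall(ZYWALL_IKE, ZYWALL_IPSEC)
    for addr in peers:
        print(addr, compare(pols, peers, addr, p1, p2) or "proposals agree")
```

Run against the excerpt, the Zywall's proposals line up with crypto map entry 10 (3DES/SHA1 with PFS group 1) apart from the phase 1 lifetime, while entry 30 (DES/SHA1 with PFS group 2) would fail phase 2 on both encryption and PFS group; which entry actually points at the Zywall is not visible in the post because the peer addresses are masked.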

  2. babzek


    I kinda knew it.

    It was something dumb.
    I deleted all the access-lists and the isakmp/ipsec config of the incriminated tunnel on the PIX, did a FW upgrade on the Zywall, recreated everything on the PIX and pof ... it works like a charm.

    Problem solved.

    babzek, Aug 24, 2007