Hello!
I have a technically problem and I will appreciate any help from your side..
We have encountered in last time a new problem: one of our customer companies has two offices and they are using a Cisco router 2621 in one location and one WatchGuard Firebox II in another location to connect to the internet.
They have asked us to create a good VPN connection between this 2 offices.
Because the WatchGuard company has some "tips" to create VPN tunnels between WatchGuard Firebox II product and another products, like Nortel or Cisco Pix 520, but they don't have any documentation about how to connect to a Cisco 2621 router, I have started first to read this documentation first.
I have created the Gateway, tunnel and routing policy on the WatchGuard exactly how they have described in documentation.
But the Cisco router doesn't answer to the request from the watchGuard
05/28/02 20:10 firewalld[98]: deny out eth1 347 udp 20 128 192.168.3.10 192.168.29.1 137 137 (default)
05/28/02 20:54 kernel: ipsec: Acquiring keys for channel 1
05/28/02 20:54 iked[120]: Acquiring key for channel/policy 1/0
05/28/02 20:54 iked[120]: TO 193.225.71.14 AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
05/28/02 20:54 iked[120]: RE-TO 193.225.71.14 AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
My conclusion was: OK, the Phase 1 of negotiation it is working, but the phase 2 it is not working. Let's check the problem in the Phase 2.
I have tried aproximately the same configuration like in the pix (of course, with cisco 2621 comands...they are some differences), was not working in cisco 2621. I was testing also with Cisco 7513, the same problem.
Network configuration used was:
- Ip address of router: 193.225.71.14/29
- Ip address of WatchGuard: 223.140.90.15/29
-Internal network behind the router: 192.168.7.0/24, gateway 192.68.7.1 (on the router)
- Internal network behind the WatchGuard: 192.168.3.0/24, gateway 192.168.3.1 (on the watchguard)
I give you some configuration details about WatchGuard:
- negotiation type: ISAKMP
- shared key: test
- Phase 1 settings:
- Autentification: SHA1-HMAC
- Encryption: 3DES-CBC
- Negociation Timeouts: 0 kilobytes
24 hours
- enable aggesive mode
Phase 2 Settings:
- SAP (Security Association Proposal): ESP (encapsulated security payload)
- Autentification: SHA1-HMAC
- Encryption: 3DES-CBC
- Negociation Timeouts: 0 kilobytes
24 hours
- Force key expiration: every 32.000 kilobytes /every 24 hours
Here I show you my cisco configuration for VPN connection:
crypto isakmp policy 20
encr 3des
authentication pre-share
crypto isakmp key test address 223.140.90.15 255.255.255.248
!
!
crypto ipsec transform-set flope esp-3des esp-sha-hmac
!
!
crypto map testmap 10 ipsec-isakmp
set peer 223.140.90.15
set security-association lifetime seconds 360
set transform-set flope
match address 190
interface Tunnel5
description Tunnel test
bandwidth 3000
ip address 192.168.7.1 255.255.255.0
ip route-cache distributed
no ip mroute-cache
tunnel source 193.225.71.14
tunnel destination 223.140.90.15
tunnel key 24
tunnel sequence-datagrams
tunnel checksum
crypto map testmap
interface FastEthernet0/1/0.3
description Line to ISP
encapsulation isl 53
ip address 193.225.71.14 255.255.255.252
no ip redirects
access-list 190 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 190 permit ip 0.0.0.1 255.255.255.0 0.0.0.1 255.255.255.0
I have tried a lot of posibilities, but nothing was working.
Can someone help me to find the solution to this problem?? i know it is possible to create the tunnel, but maybe something it is missing on my configuration...
My best regards,
Mihai Vintiloiu
Senior Network Administrator.
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:45 EDT