On Tue, 28 May 2002, Mihai Vintiloiu wrote:
> We have recently encountered a new problem: one of our customer
> companies has two offices and they are using a Cisco router 2621 in one
> location and one WatchGuard Firebox II in another location to connect to
> the internet.  They have asked us to create a good VPN connection
> between these 2 offices.
Take the time to read the IPSec config guides for your release. A couple 
notes..
* You're using a Tunnel interface, and though useful for IPSec
connections, I doubt the WatchGuard supports GRE. Even if it does, try 
avoiding features like 'tunnel checksum' until you get it working. Note 
that when doing GRE-in-IPSec, you'll need to alter the crypto-maps to just 
match gre traffic between the tunnel source and dest, and route your 
private networks into them.. (AFAIAC, this is the cleanest way of doing 
it under IOS).
* When doing IPSec on a tunnel interface, the crypto-map needs to be 
applied to both the tunnel and the tunnel source interfaces.
* acl 190 looks waaay off. use:
    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
I can't vouch that you won't have interoperability problems (never tried 
this combo), but it seems as if the main problem at this step is just some 
fundamental flaws in the config.. Since it looks like you have several 
routers to test with, practice getting things working between them first 
so you can see what a working config looks like before having to toy with 
multi-vendor issues..
..kg..
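
An added example, not part of the original message: the GRE-in-IPSec layout described in the reply, as it might look on one router of a Cisco-to-Cisco practice pair. The outside addresses (192.0.2.1, 198.51.100.1), the tunnel subnet, the names VPN-TS and VPN-MAP, ACL number 191 and the choice of FastEthernet0/0 as outside interface are all assumptions; only the 192.168.3.0/24 remote network comes from the thread.

```cisco
! Added example: GRE-in-IPSec, local side of a two-router practice setup.
! Constructed placeholders: 192.0.2.1 = this router's outside address,
! 198.51.100.1 = peer's outside address, 10.255.0.0/30 = tunnel subnet.
! Hypothetical names: VPN-TS, VPN-MAP, ACL 191.
! Assumes an ISAKMP policy and a pre-shared key for the peer already exist.
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPN-TS
 match address 191
!
! Crypto ACL matches only the GRE packets between tunnel source and
! destination, not the private networks themselves.
access-list 191 permit gre host 192.0.2.1 host 198.51.100.1
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
 ! Crypto map on the tunnel interface ...
 crypto map VPN-MAP
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ! ... and on the tunnel source interface, as the reply notes.
 crypto map VPN-MAP
!
! The remote private network is routed into the tunnel; GRE then carries
! it and the crypto ACL above encrypts the GRE.
ip route 192.168.3.0 255.255.255.0 Tunnel0
```

The peer router mirrors this with the addresses swapped and a route for 192.168.7.0/24; once traffic flows, `show crypto ipsec sa` shows the encaps and decaps counters increasing.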