RE: Problems with VPN connection between WatchGuard Firebox II and Cisco Router 2621.

From: Mihai Vintiloiu (Mihai.Vintiloiu@audicon.net)
Date: Wed May 29 2002 - 06:36:35 EDT


Dear Mr. Graham,

thank you very much for your help and the time dedicated to my problem.
I have changed the acl as you suggested. Also, the WatchGuard supports only IPSec (I should have told you this from the beginning, my mistake), so I have used ipip on the Cisco from the beginning.

I would like you to help me clarify this:

* When doing IPSec on a tunnel interface, the crypto-map needs to be
applied to both the tunnel and the tunnel source interfaces.

What does it mean to apply the crypto-maps to the tunnel and the tunnel source? Because in my case the source of the Cisco tunnel is on the FastEthernet interface.

My best regards,

Mihai Vintiloiu

-----Original Message-----
From: kevin graham [mailto:kgraham@dotnetdotcom.org]
Sent: Tuesday, May 28, 2002 8:56 PM
To: Mihai Vintiloiu
Cc: 'cisco-nsp@puck.nether.net'
Subject: Re: Problems with VPN connection between WatchGuard Firebox II and Cisco Router 2621.

On Tue, 28 May 2002, Mihai Vintiloiu wrote:

> We have recently encountered a new problem: one of our customer
> companies has two offices and they are using a Cisco router 2621 in one
> location and one WatchGuard Firebox II in another location to connect to
> the internet. They have asked us to create a good VPN connection
> between these 2 offices.

Take the time to read the IPSec config guides for your release. A couple
notes..

* You're using a Tunnel interface, and though useful for IPSec
connections, I doubt the WatchGuard supports GRE. Even if it does, try
avoiding features like 'tunnel checksum' until you get it working. Note
that when doing GRE-in-IPSec, you'll need to alter the crypto-maps to just
match gre traffic between the tunnel source and dest, and route your
private networks into them.. (AFAIAC, this is the cleanest way of doing
it under IOS).

* When doing IPSec on a tunnel interface, the crypto-map needs to be
applied to both the tunnel and the tunnel source interfaces.

* acl 190 looks waaay off. use:
    access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255

I can't vouch that you won't have interoperability problems (never tried
this combo), but it seems as if the main problem at this step is just some
fundamental flaws in the config.. Since it looks like you have several
routers to test with, practice getting things working between them first
so you can see what a working config looks like before having to toy with
multi-vendor issues..

..kg..
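To illustrate Kevin's two points about GRE-in-IPSec on IOS (crypto-map on both the Tunnel and its source interface, and a crypto ACL that matches only GRE between the endpoints while the private networks are routed into the tunnel), here is an added IOS config fragment that is not from either poster; the peer addresses 203.0.113.1/.2, the pre-shared key, and the map/ACL names are placeholders, and it assumes an IOS release of that era that still required the crypto map on the Tunnel interface.

```cisco
! Phase 1: IKE policy and the pre-shared key for the remote endpoint
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2: transform set and the crypto map referencing it
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
!
! Crypto ACL: protect only the GRE traffic between the tunnel source
! and destination. The private LANs are NOT listed here; they are
! routed into Tunnel0 below and so end up inside the GRE packets.
access-list 101 permit gre host 203.0.113.1 host 203.0.113.2
!
! The GRE tunnel; crypto map is applied here ...
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 crypto map VPN
!
! ... and also on the tunnel source (physical) interface
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
!
! Private traffic for the far LAN is sent through the tunnel,
! which is what gets it matched by the GRE entry in ACL 101
ip route 192.168.3.0 255.255.255.0 Tunnel0
```

Verifying with `show crypto isakmp sa` and `show crypto ipsec sa` should then show a single SA pair for the host-to-host GRE flow rather than one per private subnet pair.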



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:45 EDT