Re: [nsp] Cisco VPN 3000 to Redcreek VPN Boxes working config ? (fwd)

From: Kevin Gannon (kevin@gannons.net)
Date: Thu Mar 22 2001 - 15:28:54 EST


>We have repeatedly tested IOS and have worked with 3000 too. In the
>scenario which you describe (2 subnets on one side), the router or 3000
>(both) will create two different security associations (SAs) and hence
>different connection IDs. So for each line (not the complete access-list)
>in the ACL, we would have different IDs. That's the way both these devices
>work. I am not sure why red-creek would accept the same session-id... maybe
>it's some proprietary thing with red-creek. I myself have configured a
>network list on 3000 and an access-list on the router and they work fine
>together. As I said, if there is something proprietary about red-creek
>VPN, then we would have some issues.

I made the comment in relation to Router -> Router VPNs, where you get
only one connection ID. At least this is my understanding, from the
output:

BureauASP-RTR001#sh cry is sa
     dst src state conn-id slot
212.17.36.12 212.17.41.1 QM_IDLE 1 0

where the access-list covers multiple lines:

access-list 115 permit ip 212.17.41.0 0.0.0.31 192.168.220.0 0.0.0.255
access-list 115 permit ip 10.10.10.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 115 deny ip 212.17.41.0 0.0.0.31 any

I am new to all this, so I am not making a statement, just giving my understanding
of things. Also, my customer is being told by redcreek/nortel/intel that
they would use one session id in the situation I described.

Regards,
Kevin

>Haseeb
>
>
>>---------- Forwarded message ----------
>>Date: Thu, 22 Mar 2001 19:25:06 +0000
>>From: Kevin Gannon <kevin@gannons.net>
>>To: cisco-nsp@puck.nether.net
>>Subject: [nsp] Cisco VPN 3000 to Redcreek VPN Boxes working config ?
>>Resent-Date: Thu, 22 Mar 2001 14:33:53 -0500
>>Resent-From: cisco-nsp@puck.nether.net
>>
>>I have a customer who wants to create a VPN tunnel into one of
>>our Altiga (Cisco) VPN Concentrators. The problem seems to be
>>that each private-side IP subnet on the customer's side creates
>>a separate session ID on the 3000, and the redcreeks do not support
>>this.
>>
>>
>>10.x.x.x--------+ = = = = = = = SID 1 = = = =
>>                |
>>          +----[3000]--------------------------[Redcreek]--------
>>                |
>>20.x.x.x--------+= = = = = = = =SID 2 = = = =
>>
>>Do any of you have this type of config working, or have any ideas/pointers?
>>I am fairly certain that on the IOS VPN code you get only one session id for the
>>whole matching access-list.
>>
>>Thanks & Regards,
>>Kevin
>
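
The two views in this thread are about different SAs. The conn-id in `show crypto isakmp sa` belongs to the phase-1 (ISAKMP) SA, of which there is one per peer pair; the per-ACL-line SAs Haseeb describes are phase-2 IPsec SAs, one SA pair per `permit` entry that actually carries traffic (IOS shows those under `show crypto ipsec sa`, not `show crypto isakmp sa`). The script below is an added example, not something posted in the thread: it converts the crypto ACL quoted above into the proxy identities (local/remote subnet pairs) the router will negotiate, and parses the quoted ISAKMP table, so the two counts can be compared side by side. The ACL and the command output are copied from the messages above as constructed sample input; the counting rule (one ISAKMP SA per peer, one IPsec SA pair per permit line, none for deny lines) is standard IKEv1 behaviour on IOS.

```python
import ipaddress

# Constructed sample: the crypto ACL quoted in the thread.
ACL_LINES = """\
access-list 115 permit ip 212.17.41.0 0.0.0.31 192.168.220.0 0.0.0.255
access-list 115 permit ip 10.10.10.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 115 deny ip 212.17.41.0 0.0.0.31 any
"""

# Constructed sample: the 'show crypto isakmp sa' table quoted in the thread.
ISAKMP_SA_OUTPUT = """\
     dst src state conn-id slot
212.17.36.12 212.17.41.1 QM_IDLE 1 0
"""


def _parse_spec(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD')
    from the front of tokens; return (ip_network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is the bitwise inverse of a netmask (0.0.0.31 -> /27).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def proxy_identities(acl_text):
    """Return the (local, remote) subnet pair selected by each 'permit ip'
    line of a crypto ACL. Each pair becomes one phase-2 proxy identity and
    therefore one IPsec SA pair; deny lines only exclude traffic from the
    tunnel and negotiate nothing."""
    identities = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # not an extended 'ip' entry; ignore
        if tokens[2] != "permit":
            continue  # deny entries never create an SA
        src, rest = _parse_spec(tokens[4:])
        dst, _ = _parse_spec(rest)
        identities.append((src, dst))
    return identities


def parse_isakmp_sa(output):
    """Parse the table printed by 'show crypto isakmp sa' into dicts,
    one per phase-1 SA (i.e. one per peer pair)."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] != "dst":  # skip the header row
            rows.append({
                "dst": fields[0],
                "src": fields[1],
                "state": fields[2],
                "conn_id": int(fields[3]),
                "slot": int(fields[4]),
            })
    return rows


def sa_summary(acl_text, isakmp_output):
    """Put the phase-1 count (from the ISAKMP table) next to the phase-2
    count (from the ACL), which is the distinction the thread is about."""
    identities = proxy_identities(acl_text)
    isakmp = parse_isakmp_sa(isakmp_output)
    return {
        "isakmp_sas": len(isakmp),
        "ipsec_sa_pairs": len(identities),
        "proxy_identities": [(str(s), str(d)) for s, d in identities],
    }


if __name__ == "__main__":
    summary = sa_summary(ACL_LINES, ISAKMP_SA_OUTPUT)
    print(f"phase-1 (ISAKMP) SAs : {summary['isakmp_sas']}")
    print(f"phase-2 IPsec SA pairs: {summary['ipsec_sa_pairs']}")
    for local, remote in summary["proxy_identities"]:
        print(f"  {local} <-> {remote}")
```

Run against the quoted configuration this reports one ISAKMP SA (conn-id 1, the single line in the `sh cry is sa` output) and two IPsec SA pairs, one per permit line. Both statements in the thread are consistent with that: a single conn-id per peer, but a separate phase-2 SA per subnet pair, which is what a peer that expects one session for all subnets would have to accept.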
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:33 EDT