[c-nsp] IPSec VPN Scenario

Sean Mathias seanm at prosolve.com
Fri Dec 1 23:17:26 EST 2006


Why not use the PIX as the IPSEC endpoint?  Otherwise you will probably
have to do the IPSEC over a GRE tunnel.

Sean 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Desmond
Sent: Friday, December 01, 2006 3:12 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSec VPN Scenario

I'm trying to set up an IPsec tunnel from a 2811
(C2800NM-ADVIPSERVICESK9-M, Version 12.4(9)T) to a remote NetScreen
through a PIX (7.1(2)). The issue I'm having is that the NetScreen is
expecting the remote ID of my router to be the NATed IP, so phase 2 isn't
coming up. Phase 1 goes fine. If the remote site changes their NetScreen
to expect 10.1.4.0/24 as the remote ID, the VPN comes up. Is there any
way to change what the router claims is its local ID? ASCII art and
configlets below:

10.1.4.0/24 ---- 2811 --- 10.1.1.21/29 ---- Pixen -10.1.1.21 NAT to 1.1.1.1-- Internet ---- RemoteSite (2.2.2.2)


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Blah address 2.2.2.2
!
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map ToVendorLab 1 ipsec-isakmp
 description Tunnel to 2.2.2.2
 set peer 2.2.2.2
 set transform-set ESP-AES128-SHA
 set pfs group2
 match address 101

interface FastEthernet0/0
 ip address 10.1.1.21 255.255.255.248
 ip virtual-reassembly
 ip ospf cost 10
 duplex full
 speed 100
 crypto map ToVendorLab
!
interface FastEthernet0/1
 ip address 10.1.4.2 255.255.255.0
 ip virtual-reassembly
 duplex full
 speed 100

 

2811-00#sh cryp sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 2.2.2.2 port 500
  IKE SA: local 10.1.1.21/500 remote 2.2.2.2/500 Active
  IKE SA: local 10.1.1.21/500 remote 2.2.2.2/500 Inactive
  IPSEC FLOW: permit ip 10.1.4.0/255.255.255.0 2.2.2.2/255.255.255.224
        Active SAs: 0, origin: crypto map

 

DENL3-2811-00#sh cryp ips sa

interface: FastEthernet0/0
    Crypto map tag: ToVendorLab, local addr 10.1.1.21

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.224/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 370, #recv errors 0

     local crypto endpt.: 10.1.1.21, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


DENL3-2811-00#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.2         10.1.1.21       QM_IDLE              0    0 ACTIVE

IPv6 Crypto ISAKMP SA


Thanks,

Brian Desmond
brian at briandesmond.com
c - 312.731.3132

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
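The router output quoted in the thread has the classic shape of a phase-2 failure behind NAT: an ISAKMP SA sitting in QM_IDLE/ACTIVE (phase 1 complete) while "show crypto ipsec sa" lists no ESP SAs, an outbound SPI of 0x0, the ipsec_sa_request_sent flag and a climbing send-error counter, with the local crypto endpoint still the pre-NAT address 10.1.1.21 (by default an IOS router also uses that interface address as its IKE identity). The script below is an added example, not code from the thread, from Cisco or from Juniper: it parses constructed samples modelled on that output (not captured from the poster's router) and reports the phase-1-up/phase-2-down condition, plus whether the address the router identifies itself with differs from the public address the peer expects (the nat_public_ip parameter, an assumption of this example).

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed samples modelled on the output quoted in the thread; they are
# not captured from the poster's router.  Phase 1 is up, phase 2 never completed.
SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.2         10.1.1.21       QM_IDLE              0    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

SHOW_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: ToVendorLab, local addr 10.1.1.21

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.224/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 370, #recv errors 0

     local crypto endpt.: 10.1.1.21, remote crypto endpt.: 2.2.2.2
     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:
"""

# The same router after the peer accepted the proposal (constructed): SAs installed.
SHOW_IPSEC_SA_UP = (
    SHOW_IPSEC_SA
    .replace("#pkts encaps: 0, #pkts encrypt: 0", "#pkts encaps: 42, #pkts encrypt: 42")
    .replace(",ipsec_sa_request_sent", "")
    .replace("current outbound spi: 0x0(0)", "current outbound spi: 0xC9F1A2B3(3388056243)")
    .replace("inbound esp sas:\n", "inbound esp sas:\n      spi: 0x1A2B3C4D(439041101)\n")
    .replace("outbound esp sas:\n", "outbound esp sas:\n      spi: 0xC9F1A2B3(3388056243)\n")
)


def parse_isakmp_sa(text):
    """Return one dict per IKE SA row of 'show crypto isakmp sa'."""
    row_re = re.compile(
        rf"^\s*(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+\d+\s+\d+\s+(?P<status>\S+)\s*$"
    )
    return [m.groupdict() for m in (row_re.match(l) for l in text.splitlines()) if m]


def parse_ipsec_sa(text):
    """Pull the fields that matter for a phase-2 diagnosis out of 'show crypto ipsec sa'."""
    def grab(pattern, conv=str, default=None):
        m = re.search(pattern, text, re.M)
        return conv(m.group(1)) if m else default

    return {
        "local_endpoint": grab(rf"local crypto endpt\.:\s*({IPV4})"),
        "remote_endpoint": grab(rf"remote crypto endpt\.:\s*({IPV4})"),
        "outbound_spi": grab(r"current outbound spi:\s*0x([0-9A-Fa-f]+)", lambda s: int(s, 16), 0),
        "pkts_encaps": grab(r"#pkts encaps:\s*(\d+)", int, 0),
        "send_errors": grab(r"#send errors\s*(\d+)", int, 0),
        # Set while the router has sent a quick-mode proposal and has no SA back yet.
        "sa_request_sent": "ipsec_sa_request_sent" in text,
        # Each installed ESP SA prints an indented 'spi: 0x...' line under the
        # 'inbound/outbound esp sas:' headings; 'current outbound spi' does not match.
        "esp_sa_count": len(re.findall(r"^\s+spi: 0x", text, re.M)),
    }


def diagnose(isakmp_output, ipsec_output, nat_public_ip=None):
    """Classify tunnel state.  nat_public_ip (assumed parameter) is the post-NAT
    address the remote peer expects as our IKE identity, if we sit behind static NAT."""
    ike = parse_isakmp_sa(isakmp_output)
    ipsec = parse_ipsec_sa(ipsec_output)
    phase1_up = any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE" for sa in ike)
    phase2_up = ipsec["esp_sa_count"] > 0 and ipsec["outbound_spi"] != 0
    findings = []
    if phase1_up and not phase2_up:
        findings.append("phase1-up-phase2-down")
        if ipsec["sa_request_sent"]:
            findings.append("quick-mode-proposal-unanswered")
        if nat_public_ip and ipsec["local_endpoint"] != nat_public_ip:
            findings.append("local-identity-is-pre-nat-address")
    if ipsec["send_errors"] and not ipsec["pkts_encaps"]:
        findings.append("cleartext-traffic-dropped-no-sa")
    return {
        "phase1_up": phase1_up,
        "phase2_up": phase2_up,
        "local_endpoint": ipsec["local_endpoint"],
        "findings": findings,
    }


if __name__ == "__main__":
    print(diagnose(SHOW_ISAKMP_SA, SHOW_IPSEC_SA, nat_public_ip="1.1.1.1"))
    print(diagnose(SHOW_ISAKMP_SA, SHOW_IPSEC_SA_UP, nat_public_ip="1.1.1.1"))
```

To use it on a live router, paste the real "show crypto isakmp sa" and "show crypto ipsec sa" output into the two strings (or read them from files) and pass the address the far end has configured for you. The "local crypto endpt." the router reports is the address before the PIX translates it, which is exactly the mismatch the thread is about; the script only confirms where the tunnel is stuck, it does not change what the router sends as its identity.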


