[c-nsp] IPSec VPN Scenario
Brian Desmond
brian at briandesmond.com
Fri Dec 1 23:44:12 EST 2006
Well the idea was that this pair of 2811s comprise the existing
connections to the vendor so might as well consolidate all the
connections onto there, but, yeah the pix is an option.
Thanks,
Brian Desmond
brian at briandesmond.com
c - 312.731.3132
-----Original Message-----
From: Sean Mathias [mailto:seanm at prosolve.com]
Sent: Friday, December 01, 2006 10:17 PM
To: Brian Desmond; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] IPSec VPN Scenario
Why not use the PIX as the IPSEC endpoint? Otherwise you will probably
have to do the IPSEC over a GRE tunnel.
Sean
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Desmond
Sent: Friday, December 01, 2006 3:12 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSec VPN Scenario
I'm trying to set up an IPsec tunnel from a 2811
(C2800NM-ADVIPSERVICESK9-M, Version 12.4(9)T) to a remote NetScreen
through a Pix (7.1(2)). The issue I'm having is that the NetScreen is
expecting the remote id of my router to be the NATed IP, so phase 2 isn't
coming up. Phase 1 goes fine. If the remote site changes their NetScreen
to expect 10.1.4.0/24 as the remote id, the VPN comes up. Is there any
way to change what the router claims is its local id? ASCII art and
configlets below:
10.1.4.0/24 ---- 2811 --- 10.1.1.21/29 ---- Pixen -10.1.1.21 NAT to
1.1.1.1-- Internet ---- RemoteSite (2.2.2.2)
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Blah address 2.2.2.2
!
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map ToVendorLab 1 ipsec-isakmp
description Tunnel to 2.2.2.2
set peer 2.2.2.2
set transform-set ESP-AES128-SHA
set pfs group2
match address 101
interface FastEthernet0/0
ip address 10.1.1.21 255.255.255.248
ip virtual-reassembly
ip ospf cost 10
duplex full
speed 100
crypto map ToVendorLab
!
interface FastEthernet0/1
ip address 10.1.4.2 255.255.255.0
ip virtual-reassembly
duplex full
speed 100
2811-00#sh cryp sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 2.2.2.2 port 500
IKE SA: local 10.1.1.21/500 remote 2.2.2.2/500 Active
IKE SA: local 10.1.1.21/500 remote 2.2.2.2/500 Inactive
IPSEC FLOW: permit ip 10.1.4.0/255.255.255.0 2.2.2.2/255.255.255.224
Active SAs: 0, origin: crypto map
DENL3-2811-00#sh cryp ips sa
interface: FastEthernet0/0
Crypto map tag: ToVendorLab, local addr 10.1.1.21
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.224/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 370, #recv errors 0
local crypto endpt.: 10.1.1.21, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
DENL3-2811-00#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
2.2.2.2 10.1.1.21 QM_IDLE 0 0 ACTIVE
IPv6 Crypto ISAKMP SA
Thanks,
Brian Desmond
brian at briandesmond.com
c - 312.731.3132