IPSec VPN through ZBF

tjd2112pcca
Level 1

Hello All,

I am porting the config from a 1841 that had a L2L IPSec VPN setup with a Sonicwall peer. This 1841 had a CBAC firewall on it as well. We are retiring this router and moving the VPN over to a 1941 router with a Zone-based firewall. How do I set up the ZBF to allow this IPSec VPN tunnel? Can I use VTI when connecting to a non-Cisco host (Sonicwall)? Right now there are only two zones setup (inside/outside).

Thanks!

3 Replies

Jitendriya Athavale
Cisco Employee

Well, since you have only 2 zones it makes life much easier; you don't have to worry about permitting ESP and ISAKMP traffic in ZBF.

Now, since you have 2 zones, have the following configured for the IPsec VPN:

zone-pair out-in
  match acl - remote end network to my end network
  action inspect

zone-pair in-out
  match acl - my end network to remote end network
  action inspect

I would suggest using 15.0 code or later whenever you are implementing ZBF; it has better support for ZBF.

And do not configure a self zone. If you do, you will have to permit ESP and UDP 500, basically. You will need to create 2 zones, one from Out to Self and another one from Self to Out, to PASS ESP.
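The two cases described in the replies above, written out as an IOS 15.x configuration. This is an added example, not the thread's or Cisco's own config: zone names, ACL and class/policy-map names, interface numbers and the addresses (RFC 5737 documentation ranges: router outside 198.51.100.1, SonicWall peer 203.0.113.10, local LAN 10.1.1.0/24, remote LAN 192.168.50.0/24) are all constructed. It assumes a crypto-map-based L2L tunnel terminating on the OUTSIDE interface, as the original 1841 setup implies.

```cisco
! Added example (not from the thread): ZBF for a crypto-map L2L IPsec tunnel.
! Constructed values: outside 198.51.100.1, peer 203.0.113.10,
! local LAN 10.1.1.0/24, remote LAN 192.168.50.0/24.
zone security INSIDE
zone security OUTSIDE
!
! --- Case 1: only INSIDE and OUTSIDE zones (the recommended setup) ---
! Decrypted tunnel traffic enters on the OUTSIDE interface, so it is
! classified on the OUT-IN zone-pair like any other inbound flow.
ip access-list extended ACL-VPN-REMOTE-TO-LOCAL
 permit ip 192.168.50.0 0.0.0.255 10.1.1.0 0.0.0.255
!
class-map type inspect match-all CM-VPN-REMOTE-TO-LOCAL
 match access-group name ACL-VPN-REMOTE-TO-LOCAL
! Generic stateful inspection for LAN users (covers LAN-to-remote too)
class-map type inspect match-any CM-INSIDE-USERS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN-REMOTE-TO-LOCAL
  inspect
 class class-default
  drop log
policy-map type inspect PM-IN-OUT
 class type inspect CM-INSIDE-USERS
  inspect
 class class-default
  drop log
!
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! --- Case 2: only needed if the self zone is given policies ---
! IKE and ESP terminate on the router itself, so the out-self and
! self-out zone-pairs must PASS IKE (UDP 500), NAT-T (UDP 4500) and ESP.
ip access-list extended ACL-IPSEC-TO-SELF
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.1
ip access-list extended ACL-IPSEC-FROM-SELF
 permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.10
!
class-map type inspect match-all CM-IPSEC-TO-SELF
 match access-group name ACL-IPSEC-TO-SELF
class-map type inspect match-all CM-IPSEC-FROM-SELF
 match access-group name ACL-IPSEC-FROM-SELF
!
! class-default drop also blocks every other router-originated or
! router-destined flow on the WAN (DNS, NTP, management); add classes
! for those before applying this in production.
policy-map type inspect PM-OUT-SELF
 class type inspect CM-IPSEC-TO-SELF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-OUT
 class type inspect CM-IPSEC-FROM-SELF
  pass
 class class-default
  drop log
!
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-OUT
!
interface GigabitEthernet0/0
 description LAN (constructed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description ISP uplink, crypto map applied here (constructed)
 zone-member security OUTSIDE
!
! Verify: show zone-pair security
!         show policy-map type inspect zone-pair sessions
```

If the tunnel is moved to a VTI instead of a crypto map, the tunnel interface must itself be placed in a zone (ZBF drops traffic between a zoned interface and an unzoned one), and the decrypted traffic is then classified on the zone-pair between the tunnel's zone and INSIDE rather than on OUT-IN.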

The new router has two interfaces to the internet via two different providers. Can I run CBAC and all the VPN traffic on one public interface and zone-based on the other internal client serving interface? I have read that you can mix CBAC and ZBF together.
