01-06-2017 01:43 AM - edited 03-08-2019 08:49 AM
Good afternoon! IPsec site-to-site between a Cisco 881W and TMG 2010 does not work.
Cisco 881W config:
ip name-server 8.8.8.8
ip cef
no ipv6 cef
crypto isakmp policy 1
encr 3des
hash sha256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key cisco address 2.2.2.2(dest ip)
crypto ipsec transform-set Myset esp-3des esp-sha256-hmac
mode tunnel
crypto map Mymap 1 ipsec-isakmp
set peer 2.2.2.2(dest ip)
set transform-set Myset
match address 100
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
description end_user connect
no ip address
!
interface FastEthernet4
ip address 1.1.1.1 255.255.255.248
ip virtual-reassembly in
duplex auto
speed auto
crypto map Mymap
!
interface Wlan-GigabitEthernet0
no ip address
!
interface wlan-ap0
no ip address
!
interface Vlan1
ip address x.x.x.x (local lan ip) 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static x.x.x.x interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 3.3.3.3(default gateway ip)
ip ssh version 2
!
!
access-list 100 permit ip x.x.x.x 0.0.0.255 y.0.0.0(remote(tmg) lan ip) 0.255.255.255
end
TMG 2010 Config
Local Tunnel Endpoint: 2.2.2.2
Remote Tunnel Endpoint: 1.1.1.1
IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA256
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (cisco)
Security Association Lifetime: 28800 seconds
IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA256
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 3600 seconds
Kbyte Rekeying: ON
Rekey After Sending: 4608000 Kbytes
Remote Network target IP Subnets:
Subnet: 1.1.1.1/255.255.255.255
Subnet: x.x.x.x/255.255.255.0
Local Network 'Internal' IP Subnets:
Subnet: y.0.0.0/255.255.252.0
01-06-2017 04:29 AM
Hi
I don't use TMG, but looking at your ACL, it doesn't look like it matches what the local side is on the TMG side?
access-list 100 permit ip x.x.x.x 0.0.0.255 y.0.0.0(remote(tmg) lan ip) 0.255.255.255 /8
This is /22 but you have /8 as the remote subnet on cisco side
Local Network 'Internal' IP Subnets:
Subnet: y.0.0.0/255.255.252.0
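As an added example (not code from either poster), a small Python checker that converts the Cisco crypto ACL's wildcard masks into prefixes and compares them against the TMG subnet lists, reproducing the /8 vs /22 mismatch above; the x/y octets from the thread are replaced with RFC 5737 documentation addresses. It goes slightly beyond the reply by also reporting any TMG remote subnet with no mirrored ACE on the Cisco side.

```python
import ipaddress
import re

# Constructed from the thread: the Cisco crypto ACL and the TMG subnet lists,
# with the poster's x.x.x.x / y.0.0.0 placeholders replaced by documentation
# addresses so the example runs offline.
CISCO_ACL = "access-list 100 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.255.255.255"
TMG_LOCAL = ["198.51.100.0/255.255.252.0"]
TMG_REMOTE = ["203.0.113.1/255.255.255.255", "192.0.2.0/255.255.255.0"]


def wildcard_to_network(addr, wildcard):
    """A Cisco wildcard mask is the bitwise inverse of a netmask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(line):
    """Parse 'access-list N permit ip SRC WC DST WC' into (local_net, remote_net)."""
    m = re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line)
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    src, swc, dst, dwc = m.groups()
    return wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)


def proxy_id_mismatches(acl_line, tmg_local, tmg_remote):
    """Return findings; an empty list means the Phase 2 selectors mirror each other.

    Not checked here: TMG shows PFS ON (group 2) while the posted crypto map has
    no 'set pfs' line, which is a separate Phase 2 setting to verify.
    """
    src, dst = parse_crypto_acl(acl_line)
    local = [ipaddress.IPv4Network(e, strict=False) for e in tmg_local]
    remote = [ipaddress.IPv4Network(e, strict=False) for e in tmg_remote]
    findings = []
    if dst not in local:
        findings.append(f"Cisco remote selector {dst} is not a TMG local subnet {local}")
    if src not in remote:
        findings.append(f"Cisco local selector {src} is not a TMG remote subnet {remote}")
    for net in remote:
        if net != src:
            findings.append(f"TMG remote subnet {net} has no matching Cisco ACE")
    return findings


if __name__ == "__main__":
    for finding in proxy_id_mismatches(CISCO_ACL, TMG_LOCAL, TMG_REMOTE):
        print(finding)
```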