Create a Site-to-Site VPN

jmsanz2011
Level 1

Good morning,

I'm having trouble creating a site-to-site VPN. I am using the following equipment: a PIX 535 and an RV082 router.

My idea is to have the router connect to the PIX via VPN. I already logged in to the router and configured everything; when I click Connect it stays at "Waiting for connection" and never connects, and it doesn't even give me an error.

When I configured the PIX (which I do through the device manager, not the console), it gives me an access-list error, although at no point did it ask me to enter an access-list. :S I don't know if I explained myself well.

Thank you in advance for trying to help me!

Loren Kolnes
Cisco Employee

Hi Juan,

If you are setting up Easy VPN the following configuration example should help:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml

If you are not using EasyVPN, can you provide the VPN configuration from each side? Please remove any sensitive information such as public IP addresses, passwords or pre-shared keys before posting in this forum.

Thanks,

Loren

Hi Loren,

Thank you for your prompt response.

I do not quite understand; are you telling me to use the Easy VPN option?

Anyway, I cannot access the link you attached.

Hi Juan,

I pasted the wrong link, can you try this one:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml

Will you be able to provide the VPN configuration, again with no passwords, keys or addressing?

Thanks,

Loren

I did it through the VPN wizard in the device manager, and this is what it generates:

isakmp key xxxxx address 190.x.x.x netmask 255.255.255.xxx.xxx no-xauth no-config-mode

access-list Libre_outbound_nat0_acl line 1 permit ip host 199.42.77.34 host 16x.xxx.x.xxx

nat (Libre) 0 access-list Libre_outbound_nat0_acl

access-list outside_cryptomap_20 permit ip host 19x.xx.xx.xx host 16x.xxx.x.xxx

crypto map outside_map 20 set peer 190.x.x.x

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

sysopt connection permit-ipsec

In the IPsec traffic selector, I changed the interface to one that is not in use (in this case "Libre"), but really that is the part where I need to place the servers in use (for example: production and exchange), and that is where it gave me the access-list error.

Thank you very much Loren

Juan.

Hi Juan,

Can you also provide the crypto configuration output from the router, again removing any sensitive information?

Thanks,

Loren

Tunnel No. 1
Tunnel Name : fccf
Interface :
Enable :

Local Group Setup

Local Security Gateway Type :
IP Address : 19x.xxx.xxx.xxx
Local Security Group Type :
IP Address : 192.168.x.xx

Remote Group Setup

Remote Security Gateway Type :
:

Here goes the IP of the PIX, right?

Remote Security Group Type :
IP Address :

Here goes the IP of the PIX, right?

IPSec Setup

Keying Mode :
Phase 1 DH Group :
Phase 1 Encryption :
Phase 1 Authentication :
Phase 1 SA Life Time : 28800 seconds
Perfect Forward Secrecy :
Phase 2 DH Group :
Phase 2 Encryption :
Phase 2 Authentication :
Phase 2 SA Life Time : 3600 seconds
Preshared Key :xxxxxx

Hi Juan,

I am not familiar with this configuration utility, but that does look like the correct area to put the Pix IP address.

Would it be possible to get the isakmp configuration from the Pix, or can you check to make sure there is an isakmp policy that matches the phase 1 and phase 2 settings from the router?

phase 1

authentication pre-shared key

encryption des

hash md5

dh group 1

There does appear to be a phase 2 mismatch between the Pix and the router.

The router has DES encryption and the Pix has 3DES encryption. Can you change the router phase 2 encryption type to be 3DES?

Thanks,

Loren
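
The phase 1 / phase 2 comparison described in the reply above can be done mechanically. The following is an added example, not part of the original thread and not Cisco tooling: it parses PIX 6.x-style `isakmp policy` and `crypto ipsec transform-set` lines and compares them with the peer's IPSec Setup values. The sample configuration, the `ROUTER` dictionary and the function names are constructed for illustration, and the parser assumes every policy field is written out explicitly in the configuration.

```python
import re
# Constructed sample in PIX 6.x syntax; illustrative values, not the poster's real config.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 set transform-set ESP-3DES-MD5
"""
# Constructed peer settings, as they would be read off the router's IPSec Setup form.
ROUTER = {"phase1": {"authentication": "pre-share", "encryption": "des", "hash": "md5", "group": "1"},
          "phase2": {"encryption": "des", "hash": "md5"}}
ESP_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes"}
ESP_HASH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha"}

def parse_pix(config):
    """Return (isakmp policies, transform sets, transform-set names used by crypto maps)."""
    policies, transforms, used = {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"isakmp policy (\d+) (\w+) (\S+)", line):
            policies.setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            transforms[m[1]] = {
                "encryption": next((ESP_ENC[w] for w in m[2].split() if w in ESP_ENC), None),
                "hash": next((ESP_HASH[w] for w in m[2].split() if w in ESP_HASH), None),
            }
        elif m := re.fullmatch(r"crypto map \S+ \d+ set transform-set (.+)", line):
            used.update(m[1].split())
    return policies, transforms, used

def find_mismatches(config, peer):
    """List the reasons the peer's phase 1 / phase 2 proposal would not be accepted."""
    policies, transforms, used = parse_pix(config)
    problems = []
    # Phase 1: some isakmp policy must agree with the peer on every field.
    if not any(all(p.get(k) == v for k, v in peer["phase1"].items()) for p in policies.values()):
        problems.append("phase1: no isakmp policy matches the peer proposal")
    # Phase 2: some transform set referenced by a crypto map must agree on every field.
    candidates = {n: transforms[n] for n in sorted(used) if n in transforms}
    if not candidates:
        problems.append("phase2: no transform set is bound to a crypto map")
    elif not any(ts == peer["phase2"] for ts in candidates.values()):
        for name, ts in candidates.items():
            diff = [f"{k} {ts.get(k)} vs peer {v}" for k, v in peer["phase2"].items() if ts.get(k) != v]
            problems.append(f"phase2: {name}: " + ", ".join(diff))
    return problems

if __name__ == "__main__":
    print(*find_mismatches(PIX_CONFIG, ROUTER), sep="\n")
```

With the constructed sample, only the phase 2 encryption difference (3DES on the PIX, DES on the router) is reported; setting the router's phase 2 encryption to 3DES yields an empty list.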

Hi Loren

DES encryption excuse the router configuration You have the 3DES encryption and pix, can you change the router encryption type to be 3DES phase 2?

This because as you say, did nothing more than to prove it just like that one.

With respect to the pix isakmp configuration appears this: isakmp key xxxxx netmask 190.xxx address no-xauth 255.255.255.xxx.xxx no-config-mode, key in the router where it says add it Preshared Key: xxxxx is exactly the same as it is easy and short, did everything as evidence, still not working.

Loren really thank you very much for the help you are giving.

Juan
