07-25-2006 08:12 AM - edited 02-21-2020 02:32 PM
Hi,
We are going through a network transition and have several VPN software clients that used to connect to a Cisco PIX firewall. We are replacing these with multiple ZyXEL ZyWALLs which will now handle the IPSEC VPN termination for gateway-to-gateway VPNs, however some Cisco software clients are still in operation.
Is it possible to configure the Cisco VPN client to connect with the ZyWALL? I personally am not familiar with the Cisco client although I have dealt with other IPSEC VPN clients. The ZyWALL obviously has as part of its simple stage 1 IKE setup: -
a pre-shared key
Local ID type (email, IP or DNS)
Remote ID type (email, IP or DNS)
Along with remote and local gateway IP address.
The information I have from the people that have set up the Cisco VPN client doesn't seem to tally with this. If anyone can provide screen shots of the Cisco config pages I would appreciate it.
Chris
07-31-2006 08:13 AM
Yes, it's possible to connect. While doing the configuration, kindly make sure that you give isakmp nat-traversal 120
as, generally, Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
08-06-2006 11:09 AM
The only NAT performed locally will be by the ZyWALL from WAN to local LAN that will also be handling IPSEC VPN termination, not sure about the remote end.
We have set the IPSEC dynamic tunnel to use tunnelling and ESP to work around any NAT issues that may arise outside of our network control.
However, the Cisco bods at the other end seem to be having difficulties connecting although we can connect with a standard IPSEC client such as Greenbow or the Safenet client, this is why I wanted some example screen shots of the configuration pages.
08-09-2006 01:36 AM
The guys that are trying to connect using the Cisco client are using version 4.0.2 (A) as can be seen by the attachment. This still means nothing to me and I can't help them configure the client, although they are saying that there are minimal configuration options.
I have provided information similar to the following that I had hoped they would be able to use to program phase 1 and 2 of the IKE transmittal.
Gateway Policy:-
Property
Name - Dynamic Tunnel
NAT Traversal - Yes
Gateway Policy Information
Local Address - 88.xxx.xxx.xxx
Remote Gateway Address - 0.0.0.0
Authentication Key
Pre-Shared Key - somePassword
Local ID Type - E-mail
Content - email@somewhere.com
Peer ID Type - E-mail
Content - email@somewhere.com
Extended Authentication
Extended Authentication - NOT ENABLED
Server Mode (Search Local User first then RADIUS)
Client Mode
User Name
Password
IKE Proposal
Negotiation Mode - Main
Encryption Algorithm - DES
Authentication Algorithm - MD5
SA Life Time (Seconds) - 28000
Key Group - DH1
Enable Multiple Proposals - No
Network Policy:-
Property
Active - Yes
Name - Dynamic Tunnel
Protocol - All
Nailed-Up - No
Allow NetBIOS Traffic Through IPSEC Tunnel - Yes
Local Network
Address Type - Subnet Address
Starting IP Address - 10.10.10.0
Ending IP Address / Subnet Mask - 255.255.255.0
Local Port - All
Remote Network
Address Type - Single Address
Starting IP Address - 0.0.0.0
Ending IP Address / Subnet Mask - 0.0.0.0
Remote Port - All
IPSEC Proposal
Encapsulation Mode - Tunnel
Active Protocol - ESP
Encryption Algorithm - DES
Authentication Algorithm - SHA1
SA Life Time (Seconds) - 28000
Perfect Forward Secrecy (PFS) - NONE
Enable Replay Detection - No
Enable Multiple Proposals - No
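As an added example (not part of this thread and not ZyWALL or Cisco code), the script below parses a "Setting - Value" listing like the one posted above and flags the settings a defender would want changed before the tunnel goes into production: DES, MD5, DH group 1, no PFS and replay detection switched off. The sample text is constructed from the posted IKE and IPSEC proposals; the weak-setting lists are my own assumptions about what counts as weak, not anything the thread states.

```python
# Constructed sample: the IKE and IPSEC proposal lines from the posted policy.
SAMPLE_POLICY = """\
IKE Proposal
Negotiation Mode - Main
Encryption Algorithm - DES
Authentication Algorithm - MD5
Key Group - DH1
IPSEC Proposal
Encapsulation Mode - Tunnel
Encryption Algorithm - DES
Authentication Algorithm - SHA1
Perfect Forward Secrecy (PFS) - NONE
Enable Replay Detection - No
"""

# Assumed weak-setting lists (editor's choice, not from the thread).
WEAK_CIPHERS = {"DES", "3DES", "NULL"}
WEAK_HASHES = {"MD5"}
WEAK_DH_GROUPS = {"DH1", "DH2"}

def parse_policy(text):
    """Group 'Setting - Value' lines under the heading that precedes them."""
    sections, current = {}, "(no heading)"
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if " - " not in line:          # a heading such as "IKE Proposal"
            current = line
            sections.setdefault(current, {})
        else:
            key, value = (part.strip() for part in line.split(" - ", 1))
            sections.setdefault(current, {})[key] = value
    return sections

# (setting name, predicate on its value, reason to report)
CHECKS = [
    ("Encryption Algorithm", lambda v: v.upper() in WEAK_CIPHERS, "weak cipher, prefer AES"),
    ("Authentication Algorithm", lambda v: v.upper() in WEAK_HASHES, "weak hash, prefer SHA-2"),
    ("Key Group", lambda v: v.upper() in WEAK_DH_GROUPS, "small DH group, prefer group 14 or higher"),
    ("Perfect Forward Secrecy (PFS)", lambda v: v.upper() == "NONE", "no PFS, a phase 1 key compromise exposes phase 2 keys"),
    ("Enable Replay Detection", lambda v: v.lower() == "no", "replay protection disabled"),
]

def lint_policy(text):
    """Return (section, setting, value, reason) tuples for every weak setting found."""
    findings = []
    for section, settings in parse_policy(text).items():
        for setting, is_weak, reason in CHECKS:
            value = settings.get(setting)
            if value is not None and is_weak(value):
                findings.append((section, setting, value, reason))
    return findings

if __name__ == "__main__":
    for section, setting, value, reason in lint_policy(SAMPLE_POLICY):
        print("%s: %s = %s (%s)" % (section, setting, value, reason))
```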