06-22-2011 08:00 AM
Good morning,
I am having trouble creating a site-to-site VPN. I am using the following equipment: a PIX 535 and an RV082 router.
My idea is to have the router connect to the PIX over VPN. I have already logged in to the router and configured everything, but when I click Connect it stays at "Waiting for connection" and never connects; it doesn't even give me an error.
When I configured the PIX (which I do through the device manager, not the console), it gives me an access-list error, although at no point did it ask me to enter an access-list. I'm not sure if I've explained myself well.
Thank you in advance for trying to help me!
06-22-2011 10:15 AM
Hi Juan,
If you are setting up Easy VPN the following configuration example should help:
If you are not using EasyVPN, can you provide the VPN configuration from each side? Please remove any sensitive information such as public IP addresses, passwords or pre-shared keys before posting in this forum.
Thanks,
Loren
06-22-2011 10:24 AM
Hi Loren,
Thank you for your prompt response.
I don't quite understand, but are you telling me to use the Easy VPN option?
Anyway, I cannot access the link you attached.
06-22-2011 10:30 AM
Hi Juan,
I pasted the wrong link, can you try this one:
Will you be able to provide the VPN configuration, again with no passwords, keys or addressing?
Thanks,
Loren
06-22-2011 11:00 AM
I did it through the VPN wizard in the device manager, and it produces this:
isakmp key xxxxx address 190.x.x.x netmask 255.255.255.xxx.xxx no-xauth no-config-mode
access-list Libre_outbound_nat0_acl line 1 permit ip host 199.42.77.34 host 16x.xxx.x.xxx
nat (Libre) 0 access-list Libre_outbound_nat0_acl
access-list outside_cryptomap_20 permit ip host 19x.xx.xx.xx host 16x.xxx.x.xxx
crypto map outside_map 20 set peer 190.x.x.x
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
sysopt connection permit-ipsec
In the IPsec traffic selector, I changed the interface to one that is not used (in this case "Libre"), but really that is the part where I need to place the servers in use (for example: production and exchange), and there it gave me the access-list error.
Thank you very much Loren
Juan.
06-22-2011 11:20 AM
Hi Juan,
Can you also provide the crypto configuration output from the router, again removing any sensitive information?
Thanks,
Loren
06-22-2011 12:21 PM
Tunnel No. : 1
Tunnel Name : fccf
Interface :
Enable :
Local Group Setup
Local Security Gateway Type :
IP Address : 19x.xxx.xxx.xxx
Local Security Group Type :
IP Address : 192.168.x.xx
Remote Group Setup
IPSec Setup
Keying Mode :
Phase 1 DH Group :
Phase 1 Encryption :
Phase 1 Authentication :
Phase 1 SA Life Time : 28800 seconds
Perfect Forward Secrecy :
Phase 2 DH Group :
Phase 2 Encryption :
Phase 2 Authentication :
Phase 2 SA Life Time : 3600 seconds
Preshared Key : xxxxxx
06-22-2011 12:32 PM
Hi Juan,
I am not familiar with this configuration utility, but that does look like the correct area to put the Pix IP address.
Would it be possible to get the isakmp configuration from the Pix, or can you check to make sure there is an isakmp policy that matches the phase 1 and phase 2 settings from the router?
phase 1
authentication pre-shared key
encryption des
hash md5
dh group 1
There does appear to be a phase 2 mismatch between the Pix and the router.
The router has DES encryption and the Pix has 3DES encryption. Can you change the router phase 2 encryption type to be 3DES?
Thanks,
Loren
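Added example, not part of Loren's post or any Cisco tooling: a small Python check that performs the comparison described above, reading the phase 2 parameters from the PIX crypto map lines posted in the thread and comparing them with the router's settings. The router values, the `ESP-<cipher>-<hash>` naming assumption and the function names are assumptions made for illustration; the check also flags DES and MD5, which are long deprecated for new tunnels.

```python
import re

# Constructed sample: the PIX lines are the ones posted in the thread; the
# router values are the DES setting Loren describes and the phase 2 lifetime
# from the RV082 screen. Fields the thread does not show are left out.
PIX_CONFIG = """\
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
"""
ROUTER_PHASE2 = {"encryption": "des", "lifetime": 3600}

WEAK = {"des", "md5"}  # deprecated algorithms worth flagging on either peer


def pix_phase2(config):
    """Extract phase 2 parameters from PIX crypto map lines.

    Assumption: the transform-set keeps the wizard-style name
    ESP-<cipher>-<hash>; a custom name would require reading the
    'crypto ipsec transform-set' definition instead.
    """
    params = {}
    m = re.search(r"set transform-set ESP-([0-9A-Z]+)-([0-9A-Z]+)", config)
    if m:
        params["encryption"] = m.group(1).lower()
        params["hash"] = m.group(2).lower()
    m = re.search(r"lifetime seconds (\d+)", config)
    if m:
        params["lifetime"] = int(m.group(1))
    return params


def compare(local, remote):
    """Return (mismatches, weak) over the fields both peers define.

    An algorithm mismatch prevents the peers from agreeing on a proposal;
    a lifetime difference is reported for review.
    """
    mismatches = [(k, local[k], remote[k])
                  for k in sorted(set(local) & set(remote))
                  if local[k] != remote[k]]
    weak = sorted({v for side in (local, remote)
                   for v in side.values() if v in WEAK})
    return mismatches, weak


if __name__ == "__main__":
    mismatches, weak = compare(pix_phase2(PIX_CONFIG), ROUTER_PHASE2)
    for key, pix_val, rtr_val in mismatches:
        print(f"phase 2 {key}: PIX={pix_val} router={rtr_val}")
    print("weak algorithms in use:", ", ".join(weak) or "none")
```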
06-23-2011 05:49 AM
Hi Loren
DES encryption excuse the router configuration You have the 3DES encryption and pix, can you change the router encryption type to be 3DES phase 2?
This because as you say, did nothing more than to prove it just like that one.
With respect to the pix isakmp configuration appears this: isakmp key xxxxx netmask 190.xxx address no-xauth 255.255.255.xxx.xxx no-config-mode, key in the router where it says add it Preshared Key: xxxxx is exactly the same as it is easy and short, did everything as evidence, still not working.
Loren really thank you very much for the help you are giving.
Juan