Dynamic VPN PIX-501(6.3(4)) -> PIX-515R(7.01)

maik.behley
Level 1

I have many problems with these two PIXes when trying to realize a VPN between the firewalls. The PIX 515 is running with a static IP address and the PIX 501 is connected over PPPoE (DSL).

In a private lab I want to test an L2L VPN connection; this fails likewise. Are there fundamental changes in the VPN configuration of PIX version 7.01? Does anybody have an example configuration for this solution?

Thanks!

4 Replies

mostiguy
Level 6

There are some changes in 7.0, but many commands are supported in backwards configuration mode. If the 501 has a dynamically assigned IP address, you need to configure the 515 to accept dynamic IPSec tunnels. This configuration is similar to supporting software VPN clients, and is different from a normal L2L tunnel where both sides are statically addressed, and thus either side can initiate tunnel negotiation (in a dynamic tunnel, it is the dynamically assigned side that initiates tunnel creation).

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

This config should help you with a dynamic PIX to a static PIX VPN configuration.

Hi, thanks for your message. But I have this configured. On the remote PIX 501 I get the following debug message:

dropping DELETE on unauthenticated SA

return status IKMP_NO_ERR_NO_TRANS

The translation groups seem to be OK! I have many VPN connections configured, all with PIX OS 6.x, and they are running wonderfully. But this connection fails, PIX OS 6.3(4) -> PIX OS 7.0(1).

Any ideas?

I am having the same issues trying to do dynamic tunnels from PIX 501s to my 515E running 7.01. I am trying to get an answer from TAC now. I will post this when I get it figured out.

That's nice. Thanks!!!