05-02-2013 09:12 AM - edited 02-21-2020 06:52 PM
Hi, I have a virtual IPsec tunnel set up to a SonicWall that appears to have a working, active phase 1/2, but the tunnel interface's line protocol is down and thus I can route traffic. I know this virtual IPsec tunnel works 100% to another Cisco router, but it's not working to a SonicWall.
Thanks, Paul
! Phase 1 (IKEv1/ISAKMP) policy: 3DES, pre-shared key, DH group 2, 8-hour lifetime
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXX address 70.xx.xx.xx
!
! Phase 2 transform set (ESP with 3DES and SHA-1 HMAC)
crypto ipsec transform-set POSTRANS esp-3des esp-sha-hmac
!
! IPsec profile: applied to a tunnel interface, it takes the place of a crypto map
crypto ipsec profile POS_ipsec_profile1
 description to Centrix POS VENDOR
 set security-association lifetime seconds 28800
 set transform-set POSTRANS
!
! Static VTI: whatever is routed into the tunnel is encrypted with the profile above
interface Tunnel1
 description to Main location
 ip unnumbered Serial0/0/0
 tunnel source Serial0/0/0
 tunnel destination 209.213.xx.xx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile1
show interfaces Tunnel2:

Tunnel2 is up, line protocol is down
  Hardware is Tunnel
  Description: to POS KeyCentrix VPN
  Interface is unnumbered. Using address of Serial0/0/0 (209.xx.xx.xx)
  MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (30 sec), retries 3
  Tunnel source 209.213.91.42 (Serial0/0/0), destination 70.xx.xx.xx
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Path MTU Discovery, ager 10 mins, min MTU 92
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "POS_ipsec_profile1")

show crypto session:

Interface: Tunnel2
Session status: UP-ACTIVE
Peer: 70.168.141.54 port 500
  IKE SA: local 209.xx.xx.xx/500 remote 70.xx.xx.xx/500 Active
  IPSEC FLOW: permit ip 10.20.55.0/255.255.255.0 172.16.245.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
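Editor's note on the output above, with an added example that is not part of the original post. The only SA pair that is up carries the SonicWall's proxy IDs (10.20.55.0/24 to 172.16.245.0/24), while the VTI's own any-to-any flow (`permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0`) has zero active SAs. A static VTI reports line protocol up only once that any/any SA exists, which is why the interface stays down even though IKE is active. The interface output also shows `Keepalive set (30 sec), retries 3`: tunnel keepalives are a GRE mechanism that Cisco does not support on IPsec VTIs, and a peer that never answers them drives the line protocol down on its own. The configuration below keeps the static-VTI design; it is written for this edit, not taken from the thread, and assumes the interface number, masked peer address and prefixes seen in the output. It only works if the SonicWall is configured for a route-based (tunnel-interface) policy that proposes 0.0.0.0/0 on both sides, which is a SonicOS setting outside this thread. 3DES, SHA-1 and DH group 2 are kept to match the post; anything deployed today should use AES, SHA-2 and group 14 or higher.

```cisco
! Added example (not from the thread): static IPsec VTI toward the SonicWall.
! Interface number, peer address and prefixes come from the masked output in
! the post and are assumptions used only for illustration.
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXX address 70.xx.xx.xx
!
crypto ipsec transform-set POSTRANS esp-3des esp-sha-hmac
!
crypto ipsec profile POS_ipsec_profile1
 description to Centrix POS VENDOR
 set security-association lifetime seconds 28800
 set transform-set POSTRANS
!
interface Tunnel2
 description to POS KeyCentrix VPN
 ip unnumbered Serial0/0/0
! No "keepalive" here: it is not supported on an IPsec VTI and an unanswered
! keepalive takes the line protocol down even when the SA is fine.
! Clamp MTU/MSS so ESP overhead does not cause fragmentation across the tunnel.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0/0
 tunnel destination 70.xx.xx.xx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile POS_ipsec_profile1
!
! The VTI's SA is any/any; what gets encrypted is decided by routing.
ip route 172.16.245.0 255.255.255.0 Tunnel2
!
! Checks: the 0.0.0.0/0 flow on Tunnel2 should show "Active SAs: 2" and the
! interface should report "line protocol is up".
! show crypto session detail
! show crypto ipsec sa peer 70.xx.xx.xx
! show interfaces Tunnel2
```

If the SonicWall can only be configured with subnet-to-subnet proxy IDs, the static VTI will keep negotiating the peer's narrower SA and its own any/any flow will stay empty; in that case the Cisco side has to use a crypto map whose ACL mirrors the peer's networks, or a dynamic VTI that accepts the initiator's proxy IDs.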
05-02-2013 12:16 PM
I finally got this to work. It turns out IPsec VTI only works with Cisco, as it expects another tunnel interface on the other end for the protocol, and the 3rd-party VPN boxes don't have that. I ended up using a crypto map with no actual tunnel interface, and it's working.
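The crypto-map approach described in this reply, as an added example that is not the poster's own configuration. It reuses the phase 1/2 parameters from the first post; the ACL, crypto map and NAT ACL names are invented for this edit, and the subnets are assumed to be the SonicWall's local/remote networks seen in the `show crypto session` output. With a crypto map the phase 2 proxy IDs are derived from the ACL, so the ACL must be the exact mirror of what the SonicWall proposes; the NAT exemption is the check practitioners most often miss, because translated packets no longer match the crypto ACL and leave the WAN interface in the clear.

```cisco
! Added example (not from the thread): policy-based IPsec to the SonicWall
! with a crypto map and no tunnel interface.
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXX address 70.xx.xx.xx
!
crypto ipsec transform-set POSTRANS esp-3des esp-sha-hmac
!
! Interesting traffic: these become the phase 2 proxy IDs, so they must match
! the SonicWall's local/remote networks exactly (assumed from the show output).
ip access-list extended POS_VPN_TRAFFIC
 permit ip 10.20.55.0 0.0.0.255 172.16.245.0 0.0.0.255
!
crypto map POS_MAP 10 ipsec-isakmp
 description to POS KeyCentrix VPN
 set peer 70.xx.xx.xx
 set transform-set POSTRANS
 set security-association lifetime seconds 28800
 match address POS_VPN_TRAFFIC
!
! The map is bound to the physical WAN interface. A static VTI to another
! peer (tunnel protection on its Tunnel interface) can coexist on it.
interface Serial0/0/0
 crypto map POS_MAP
!
! The vendor prefix must leave via Serial0/0/0 so the map sees it; a default
! route through Serial0/0/0 already does this, otherwise add:
ip route 172.16.245.0 255.255.255.0 Serial0/0/0
!
! If PAT is applied on Serial0/0/0, exempt the VPN pair before translation,
! otherwise the packets stop matching the crypto ACL. (ACL name assumed.)
ip access-list extended NAT_INSIDE
 deny   ip 10.20.55.0 0.0.0.255 172.16.245.0 0.0.0.255
 permit ip 10.20.55.0 0.0.0.255 any
!
! Checks
! show crypto map
! show crypto ipsec sa peer 70.xx.xx.xx
```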
05-02-2013 02:25 PM
Hello Paul,
Just to add:
DVTIs are standards-based, so interoperability in a multi-vendor environment is supported.
Regards,
Note: I have seen scenarios working for this.
As an example, this between a Cisco router and a Netscreen router.
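What makes a dynamic VTI interoperable in practice is that the Cisco router acts as responder and accepts whatever proxy IDs the third-party initiator proposes, so the peer can keep its subnet-to-subnet policy (the 10.20.55.0/24 to 172.16.245.0/24 flow in the first post's output). The configuration below is an added example for this edit, not the commenter's or the thread's own; the keyring, ISAKMP profile and Virtual-Template names are invented, and the peer and prefixes are the masked values from the first post. DVTI is responder-only, so the SonicWall has to initiate.

```cisco
! Added example (not from the thread): DVTI on the Cisco side for a
! third-party peer that negotiates subnet-to-subnet proxy IDs.
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto keyring POS_KEYRING
 pre-shared-key address 70.xx.xx.xx key XXXX
!
! The ISAKMP profile binds the peer's identity to a Virtual-Template; the
! router clones a Virtual-Access interface for each negotiated session.
crypto isakmp profile POS_ISAKMP_PROF
 keyring POS_KEYRING
 match identity address 70.xx.xx.xx 255.255.255.255
 virtual-template 1
!
crypto ipsec transform-set POSTRANS esp-3des esp-sha-hmac
!
crypto ipsec profile POS_ipsec_profile1
 set transform-set POSTRANS
 set isakmp-profile POS_ISAKMP_PROF
! Reverse route injection installs a route for the peer's remote proxy ID
! (172.16.245.0/24) toward the Virtual-Access interface once the SA is up.
 set reverse-route
!
interface Virtual-Template1 type tunnel
 ip unnumbered Serial0/0/0
 tunnel source Serial0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile POS_ipsec_profile1
!
! Safety net: when the SA is down the injected route disappears, and without
! this the vendor prefix would follow the default route out in the clear.
ip route 172.16.245.0 255.255.255.0 Null0 250
!
! Checks (after the SonicWall initiates)
! show crypto session detail
! show ip route | include Virtual-Access
```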