05-24-2005 12:08 PM - edited 02-21-2020 01:47 PM
Hi There,
I was testing the new PIX OS 7.0 before moving it to my live environment and I faced this:
When configuring Tunnel-Groups for the LAN-to-LAN IPSec tunnel type, I saw that the Pre-Shared key is specified under the IPSec-Parameters of this Tunnel-Group. What is confusing me is ... if I had multiple sites using PIXs connecting to a Hub PIX, and I have configured more than 1 tunnel-group, each with a different Name and Pre-Shared key, how will the OS be able to use this specific key for this specific peer? I tried to find a command to link the peer to the tunnel-group, but I didn't find one. In Cisco config examples, they use the IP address of the peer as the "Name" of the Tunnel-Group and I thought it was irrelevant.
In Remote Access mode, it is more obvious since we will use this Tunnel-group name in the VPN client config, and in the old OS 6.x we used a single command to specify both the peer IP and the Pre-Shared key ...
Am I missing something here ... how will the OS link multiple pre-shared keys in multiple Tunnel-groups to their appropriate peer specified with the "Crypto Map" command?
Cheers,
Salem.
05-27-2005 12:53 PM
I had the same question, and I found out the answer the hard way. It appears the tunnel-group name is absolutely relevant to the crypto maps. Let me explain:
I had a PIX 6.3(3) firewall with the following commands (IP substituted for obvious reasons):
name 192.168.1.5 peer-pix
isakmp key thisisakey address peer-pix netmask 255.255.255.255
The name command came into play when I upgraded this firewall to ver. 7.01. The Cisco migration changed the isakmp statement to:
tunnel-group peer-pix type ipsec-l2l
tunnel-group peer-pix ipsec-attributes
pre-shared-key thisisakey
Guess what? After the upgrade, the tunnel stopped working. I did some research and discovered that the name defined in the tunnel-group is NOT linked to the names command. So, even if I did a "no names" command, the tunnel-group command would still show "peer-pix" as the tunnel-group name.
Only after I changed the tunnel-group commands to the following did the tunnel start working again:
tunnel-group 192.168.1.5 type ipsec-l2l
tunnel-group 192.168.1.5 ipsec-attributes
pre-shared-key thisisakey
So, I think it is safe to say that the tunnel-group name must match the IP of the VPN peer endpoint.
...And don't use the names command when upgrading to 7.0 :-)
05-27-2005 02:35 PM
Brilliant, thanks a lot ...
Actually I did a simulation by making 2 PIXs (Spokes) connect to a 3rd PIX (Hub) and I configured 2 Tunnel-Groups on the Hub PIX and used the IP address of the peer as the name of the tunnel and it worked.
So, as you said, the NAME of the Tunnel-group should match the IP Peer, although it is not mentioned clearly in the config guides.
Anyway, have you faced any other problems with names on PIX 7.0.1, or just the one that you mentioned with ISAKMP? I use names a lot along with ACLs due to the enormous number of ACEs in each ACL on my PIXs. If you have any other problems I would be thankful if you update me.
Thanks a lot for your reply,
Salem.
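As an added example that is not part of this thread: a small Python checker that applies the rule worked out in the two replies above to a saved PIX 7.x running-config. It assumes exactly what the posts report, namely that an IKE peer is matched to a tunnel-group by the tunnel-group's literal name being the peer's IP address, and that tunnel-group names are not resolved through the "name" alias command. The two config samples (the migrated single-peer config with the alias, and the hub with two spokes named by IP), the alias "peer-pix", the crypto map name "outside_map", the peer addresses and the keys are all constructed for illustration.

```python
"""Flag crypto-map L2L peers on a PIX 7.x config that have no usable tunnel-group.

Rule checked (as described in the thread, not from Cisco documentation):
  for every 'crypto map <map> <seq> set peer <peer>' there must be a
  'tunnel-group <peer-ip> type ipsec-l2l' with a pre-shared-key, where
  <peer-ip> is the literal IPv4 address, never a 'name' alias.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" only in this checker; kept as a field for extension
    peer: str      # the peer token exactly as it appears in the crypto map
    message: str


def is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_pix_config(text: str) -> dict:
    """Extract 'name' aliases, crypto-map peers and tunnel-groups from a config."""
    aliases = {}        # alias -> IPv4 literal, from 'name <ip> <alias>'
    peers = []          # (map and sequence, peer token as written)
    tunnel_groups = {}  # tunnel-group name -> {"type": str|None, "psk": bool}
    current_tg = None   # tunnel-group whose indented ipsec-attributes we are in
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw[0].isspace()
        line = raw.strip()
        if not indented:
            current_tg = None  # any top-level command ends the attributes block
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            a, b = m.groups()
            ip, alias = (a, b) if is_ipv4(a) else (b, a)  # tolerate either order
            aliases[alias] = ip
            continue
        m = re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line)
        if m:
            peers.append((f"{m.group(1)} {m.group(2)}", m.group(3)))
            continue
        m = re.match(r"tunnel-group (\S+) type (\S+)", line)
        if m:
            tunnel_groups.setdefault(m.group(1), {"type": None, "psk": False})
            tunnel_groups[m.group(1)]["type"] = m.group(2)
            continue
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current_tg = m.group(1)
            tunnel_groups.setdefault(current_tg, {"type": None, "psk": False})
            continue
        if indented and current_tg and line.startswith("pre-shared-key "):
            tunnel_groups[current_tg]["psk"] = True
    return {"aliases": aliases, "peers": peers, "tunnel_groups": tunnel_groups}


def check_l2l_tunnel_groups(text: str) -> list:
    """Return one Finding per problem; an empty list means every peer is covered."""
    cfg = parse_pix_config(text)
    findings = []
    for where, peer in cfg["peers"]:
        peer_ip = cfg["aliases"].get(peer, peer)  # crypto map may use an alias
        tg = cfg["tunnel_groups"].get(peer_ip)    # tunnel-group lookup is literal
        if tg is None:
            findings.append(Finding("error", peer,
                f"{where}: no tunnel-group named {peer_ip}; IKE has no "
                f"pre-shared key to offer this peer"))
            if peer_ip != peer and peer in cfg["tunnel_groups"]:
                findings.append(Finding("error", peer,
                    f"tunnel-group {peer} is named after a 'name' alias, which "
                    f"tunnel-group does not resolve; rename it to {peer_ip}"))
            continue
        if tg["type"] != "ipsec-l2l":
            findings.append(Finding("error", peer,
                f"tunnel-group {peer_ip} has type {tg['type']}, expected ipsec-l2l"))
        if not tg["psk"]:
            findings.append(Finding("error", peer,
                f"tunnel-group {peer_ip} has no pre-shared-key under ipsec-attributes"))
    return findings


# Constructed sample: what the 6.3 -> 7.0 migration produced in the second post.
MIGRATED_CONFIG = """\
! constructed example, not a real device
name 192.168.1.5 peer-pix
crypto map outside_map 10 match address l2l_10
crypto map outside_map 10 set peer peer-pix
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group peer-pix type ipsec-l2l
tunnel-group peer-pix ipsec-attributes
 pre-shared-key thisisakey
"""

# Constructed sample: the hub-and-two-spokes layout from the third post.
CORRECTED_HUB_CONFIG = """\
! constructed example, not a real device
crypto map outside_map 10 match address l2l_10
crypto map outside_map 10 set peer 192.168.1.5
crypto map outside_map 20 match address l2l_20
crypto map outside_map 20 set peer 192.168.2.5
crypto map outside_map interface outside
tunnel-group 192.168.1.5 type ipsec-l2l
tunnel-group 192.168.1.5 ipsec-attributes
 pre-shared-key spoke1key
tunnel-group 192.168.2.5 type ipsec-l2l
tunnel-group 192.168.2.5 ipsec-attributes
 pre-shared-key spoke2key
"""

if __name__ == "__main__":
    for label, cfg in (("migrated", MIGRATED_CONFIG), ("corrected", CORRECTED_HUB_CONFIG)):
        print(f"{label}: {len(check_l2l_tunnel_groups(cfg))} finding(s)")
        for f in check_l2l_tunnel_groups(cfg):
            print(f"  [{f.severity}] {f.message}")
```

Run it against a `show running-config` capture before cutting over; a peer that shows up here will also show up as an IKE negotiation that never reaches a pre-shared-key match in `debug crypto isakmp` output on the upgraded box.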