PIX 501 IPSec Site to Site Connection with Shiva Lanrover VPN Gateway 7.0

uwe.schmidt
Level 1

Has anyone configured an IPSec tunnel from a PIX 501 into a Shiva Lanrover Gateway (now called HP SA 3110 etc., as the products are continued by HP)?

All my attempts seem to fail.

Thanks


gfullage
Cisco Employee

Haven't done it personally, but have set up just about everything else. As long as the Shiva conforms to the IPSec RFC then there should be no problem. Can you post "debug cry isa" and "debug cry sa" output to this so we can see what's going on.

When running the debug, try and set up the tunnel from behind the Shiva rather than behind the PIX, we get more info in the debug that way.

Meanwhile (since yesterday evening) the IPsec tunnel is working both ways.

The trouble seemed to be with the sa on the Shiva site. I renamed profile, sa, etc. on the PIX then on the Shiva. Bingo.

Later I increased security by moving on to 3DES, which also took place with no significant delay.

One problem remains. I am able to access the remote office now from a workstation behind the Shiva, but when I log in from home via a Shiva SST I can control all machines except the remote office. Somehow I must overlook something within the routing rules.

Have you got an idea where I should start to look?

Thanks in advance.

Uwe

Do you mean you VPN into the Shiva box from your home PC, and you want to be able to then go over the L2L tunnel to devices behind the PIX?

If so, then I presume the Shiva hands out IP addresses from a pool to the VPN clients that come in. If so, all you need to do is include traffic from the pool going to the PIX subnet in your crypto configuration. Then on the PIX you have to add another crypto ACL for traffic from the subnet behind the PIX going TO the Shiva pool of addresses.

Keep in mind that you can't VPN into the PIX from a client and then re-route back over the L2L tunnel. The PIX won't route a packet back out the same interface it came in on. I'm assuming that the Shiva does not have this restriction though, but if it does you won't be able to accomplish what you want.
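The check behind this advice is that every crypto ACL entry on one peer needs its mirror image (source and destination swapped) on the other, including the client pool. The following is an added example, not code from the thread; the ACL names and addresses are constructed placeholders, and the Shiva side is written in PIX `access-list` notation only so the two sides can be compared mechanically.

```python
import ipaddress
import re

# Constructed sample: PIX side covers LAN-to-LAN plus LAN-to-client-pool traffic.
PIX_CRYPTO_ACL = """
access-list vpn_to_shiva permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn_to_shiva permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

# Constructed sample: Shiva side (same notation) still lacks the pool entry.
SHIVA_CRYPTO_ACL = """
access-list to_pix permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

# Only the "permit ip <net> <mask> <net> <mask>" form is parsed here; "host" and
# "any" keywords would need extra handling.
ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_acl(text):
    """Return a set of (src_network, dst_network) tuples from access-list lines."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        # ipaddress accepts a dotted netmask after the slash.
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.add((src, dst))
    return pairs


def find_mirror_gaps(local_acl, remote_acl):
    """Return (entries missing on remote, entries missing on local).

    An entry (src, dst) on one side is matched only by (dst, src) on the other;
    anything left over is a flow one peer will try to protect and the other
    will not accept, which is the classic cause of a one-way or dead tunnel.
    """
    local = parse_acl(local_acl)
    remote = parse_acl(remote_acl)
    missing_on_remote = {(s, d) for (s, d) in local if (d, s) not in remote}
    missing_on_local = {(s, d) for (s, d) in remote if (d, s) not in local}
    return missing_on_remote, missing_on_local


if __name__ == "__main__":
    for side, gaps in zip(("Shiva", "PIX"), find_mirror_gaps(PIX_CRYPTO_ACL, SHIVA_CRYPTO_ACL)):
        for src, dst in sorted(gaps, key=str):
            print(f"{side} is missing the mirror of {src} -> {dst}")
```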

This is in fact a very good idea, I haven't thought about it. Indeed the Shiva box hasn't got this restriction, therefore I did not consider it. I will work on it and post the result.

Thanks again

Uwe

It finally worked thanks to your kind assistance.

Now I have another issue. One of our senior staff has got a home office with an ADSL line but no public IP address, hence he was issued 192.168.0.20, but I have got the IP of the final gateway.

This fact makes it impossible to trigger an IPsec tunnel from the head office, so I thought to initiate the tunnel from the PIX to find its counterpart.

Unfortunately nothing happens. I have used almost the same settings as last time, with the exception that the tunnel was renamed and also a new SA was set up.

Any idea?

Kind regards

Uwe