I am trying to get an IPSEC VPN tunnel established between a PIX and a Microsoft ISA server.
Does anybody have any good references for how to configure the PIX to get this working?
The VPN tunnel worked prior to the client replacing the PIX at the head end with an ISA server. Now I am seeing erroneous Security Associations (SAs) on both ends of the tunnel (PIX and ISA). And the tunnel appears to work, but drops off periodically throughout the day. The tunnel is reestablished if the client issues echoes from the head end to the remote location.
The three SAs that are established are:
- LAN to LAN (192.168.1.0/24 - 192.168.100.0/24)
- Remote firewall private to ISA server public interface
- LAN (subnet) to LAN (192.168.100.64/26 - 192.168.1.0/24)
The second and third SAs appear to be erroneous.
Below is the IPSEC configuration from the remote branch PIX:
sysopt connection tcpmss 1270
sysopt connection permit-ipsec
crypto ipsec transform-set remotetrans esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dynmap 10 set transform-set remotetrans
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address remote2WC
crypto map remote 10 set pfs group2
crypto map remote 10 set peer 151.197.74.146
crypto map remote 10 set transform-set remotetrans
crypto map remote 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map remote 20 ipsec-isakmp dynamic dynmap
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 151.197.74.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
dk
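Added example, not part of the original post: a small Python check that compares the three SA selector pairs listed above against the one LAN-to-LAN pair the tunnel is meant to carry. It assumes the `remote2WC` access list (not shown in the post) covers only 192.168.1.0/24 and 192.168.100.0/24, that the peer address is the ISA public interface, and it uses a constructed placeholder for the firewall's private address.

```python
import ipaddress

# Assumption: the pair the crypto ACL is intended to protect.
EXPECTED = ("192.168.1.0/24", "192.168.100.0/24")

# The three SAs from the post. The /32 for the firewall's private
# address is a constructed placeholder; the post does not give it.
OBSERVED = [
    ("192.168.1.0/24", "192.168.100.0/24"),
    ("192.168.100.1/32", "151.197.74.146/32"),
    ("192.168.100.64/26", "192.168.1.0/24"),
]


def _pair(a, b):
    return ipaddress.ip_network(a), ipaddress.ip_network(b)


def classify_sa(expected, observed):
    """Return 'match', 'narrower' or 'unexpected' for one SA.

    Direction is ignored, because each peer lists the selector pair
    from its own side of the tunnel.
    """
    exp = _pair(*expected)
    obs = _pair(*observed)
    for local, remote in (exp, exp[::-1]):
        if obs == (local, remote):
            return "match"
        # Both ends fall inside the intended networks, but the SA was
        # negotiated for a smaller range than the configured pair.
        if obs[0].subnet_of(local) and obs[1].subnet_of(remote):
            return "narrower"
    return "unexpected"


def audit(expected, observed_list):
    """Classify every observed SA; returns a list of (pair, verdict)."""
    return [(sa, classify_sa(expected, sa)) for sa in observed_list]


if __name__ == "__main__":
    for sa, verdict in audit(EXPECTED, OBSERVED):
        print(f"{sa[0]:>20} <-> {sa[1]:<20} {verdict}")
```

A "narrower" or "unexpected" verdict means the two peers do not define the protected networks identically, which is what to compare between the PIX access list and the network ranges defined on the ISA side.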