09-12-2003 06:20 PM - edited 02-21-2020 12:46 PM
I am trying to establish a site-to-site VPN between a Cisco PIX and a Cayman DSL router in our branch office. I am able to successfully establish site-to-site VPNs between the Cisco PIX and SonicWall and Linksys routers, but when I try with the Cayman I could not. When I try to ping a system behind the Cayman from a system behind the Cisco and debug on the Cisco PIX, I am getting an error message:
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x1
IPSEC(sa_initiate): ACL = deny; no sa created.
I spoke to Netopia support and they told me that there are some issues with the Cisco PIX (though I have configured it for Linksys and SonicWall).
Has anyone done a site-to-site VPN with the Cayman series?
Thanks in Advance
09-14-2003 03:30 PM
Haven't done one with a Cayman Series device specifically, but I have built tunnels to just about everything else you can think of. The config on the PIX is no different to any other standard device, there's no magical command like:
> crypto allow-tunnel from-cayman
or anything like that. As you've seen, the PIX can happily build a tunnel to a LinkSys and Sonicwall and if the Netopia conforms to the IPSec standard then there should be no reason why we can't build a tunnel to it either.
This message:
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
means the Netopia sent us a delete message, so it didn't like something. Can you run the debugs on the PIX again please, but this time ping from behind the Cayman to behind the PIX, that way we'll get more debug output? What do the debugs on the Cayman say, anything obvious?
09-14-2003 09:37 PM
Thanks for your mail. I could not get any debug statement from the Netopia. But I spoke to Netopia support and they told me there is no problem on their side. Apart from that, there is a new configuration on this Cayman router under IPsec which is called mbytes, which means the amount of data that can be transformed through the tunnel, but in the Cisco PIX or any other firewall appliance there is no such configuration of mbytes data transfer.
When I checked a sample configuration that is put on the Netopia web site about configuration of a site-to-site VPN between a Netopia router and a Cayman router, the document insists on putting hmac-md5-96 in the ESP transform set in the Netopia router. But the general transform set in Cisco and other firewalls is hmac-esp-md5. Should this be an issue? If so, is there any way of changing the Cisco PIX to the above transform set?
Thanks a lot for your help.
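The authenticator the last post asks about, as an added illustration that is not from this thread or from any vendor's code: RFC 2403 defines HMAC-MD5-96 as HMAC-MD5 with its 128-bit output truncated to the leftmost 96 bits, and that is the authenticator the PIX selects with the `esp-md5-hmac` keyword in `crypto ipsec transform-set`. The code computes that ICV, checks it against the RFC 2202 HMAC-MD5 test vector, and shows the verification failing when one peer expects a different tag length; the key and packet bytes are constructed inline.

```python
import hashlib
import hmac

# RFC 2403: the ESP ICV is HMAC-MD5 truncated to 96 bits (12 bytes).
ICV_LEN = 12


def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    """Full HMAC-MD5 over the authenticated ESP fields, keep the leftmost 96 bits."""
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def append_icv(key: bytes, protected: bytes) -> bytes:
    """Build an ESP-style packet: authenticated bytes followed by the trailing ICV."""
    return protected + hmac_md5_96(key, protected)


def verify_icv(key: bytes, packet: bytes, icv_len: int = ICV_LEN):
    """Split the trailing ICV off an ESP-style packet and check it.

    Returns (ok, authenticated_bytes). icv_len is the tag length this peer
    expects; passing 16 models a peer that wants the untruncated HMAC-MD5 tag,
    which is the kind of mismatch a transform-set disagreement produces.
    """
    if len(packet) < icv_len:
        return False, b""
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(key, body, hashlib.md5).digest()[:icv_len]
    # Constant-time comparison so ICV checking does not leak timing.
    return hmac.compare_digest(icv, expected), body


# Constructed sample: RFC 2202 test case 1 for HMAC-MD5.
RFC2202_KEY = b"\x0b" * 16
RFC2202_DATA = b"Hi There"


def demo():
    """Return the test-vector ICV (hex) and both verification outcomes."""
    icv_hex = hmac_md5_96(RFC2202_KEY, RFC2202_DATA).hex()
    packet = append_icv(RFC2202_KEY, RFC2202_DATA)
    ok_96, _ = verify_icv(RFC2202_KEY, packet)           # both sides use HMAC-MD5-96
    ok_128, _ = verify_icv(RFC2202_KEY, packet, icv_len=16)  # receiver expects full tag
    return icv_hex, ok_96, ok_128


if __name__ == "__main__":
    print(demo())
```

Both `hmac-md5-96` and the PIX's `esp-md5-hmac` name this same 12-byte ICV, so the verification only fails when the two ends genuinely disagree on the authenticator or key.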