Site to Site vpn between cisco pix and netopia cayman 3500 series ADSL rout

kjanakiraman
Level 1

I am trying to establish a site-to-site VPN between a Cisco PIX and a Cayman DSL router in our branch office. I am able to successfully establish site-to-site VPNs between the Cisco PIX and SonicWall and Linksys routers, but when I try with the Cayman I could not. When I try to ping a system behind the Cayman from a system behind the Cisco and debug on the Cisco PIX, I am getting an error message:

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x1

IPSEC(sa_initiate): ACL = deny; no sa created.

Then I spoke to Netopia support and they told me that there are some issues with the Cisco PIX (though I have configured it for Linksys and SonicWall).

Has anyone done a site-to-site VPN with the Cayman series?

Thanks in Advance

2 Replies

gfullage
Cisco Employee

Haven't done one with a Cayman Series device specifically, but I have built tunnels to just about everything else you can think of. The config on the PIX is no different to any other standard device, there's no magical command like:

> crypto allow-tunnel from-cayman

or anything like that. As you've seen, the PIX can happily build a tunnel to a Linksys and SonicWall, and if the Netopia conforms to the IPsec standard then there should be no reason why we can't build a tunnel to it either.

This message:

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

means the Netopia sent us a delete message, so it didn't like something. Can you run the debugs on the PIX again please, but this time ping from behind the Cayman to behind the PIX, that way we'll get more debug output? What do the debugs on the Cayman say, anything obvious?

Thanks for your mail. I could not get any debug statement from the Netopia. But I spoke to Netopia support and they told me there is no problem on their side. Apart from that, there is a new configuration on this Cayman router under IPsec which is called mbytes, which means the amount of data that can be transferred through the tunnel, but in the Cisco PIX or any other firewall appliance there is no such configuration of mbytes data transfer.

When I checked a sample configuration that is put on the Netopia web site about configuring a site-to-site VPN between a Netopia router and a Cayman router, the document insists on putting hmac-md5-96 in the ESP transform set on the Netopia router. But the general transform set in Cisco and other firewalls is hmac-esp-md5. Should this be an issue? If so, is there any way of changing to the above transform set on the Cisco PIX?

Thanks a lot for your help.
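On the transform-set naming question raised in the post above, as an added example that is not part of the original thread: RFC 2403 defines the ESP/AH authenticator as HMAC-MD5 truncated to its leftmost 96 bits, which is what both the "hmac-md5-96" label in the Netopia document and the PIX esp-md5-hmac transform refer to. The key, SPI, sequence number and payload bytes below are constructed for the demonstration, and the payload stands in for the already-encrypted data plus ESP trailer.

```python
import hmac
import hashlib

# RFC 2403: the ESP/AH integrity check value (ICV) is the leftmost 96 bits
# (12 bytes) of HMAC-MD5. "hmac-md5-96" and the PIX "esp-md5-hmac" transform
# both name this construction, so two conforming peers agree on it.
ICV_LEN = 12
ESP_HDR_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes)


def hmac_md5_96(key: bytes, authenticated: bytes) -> bytes:
    """Full HMAC-MD5 tag truncated to 96 bits, as an ESP peer computes it."""
    return hmac.new(key, authenticated, hashlib.md5).digest()[:ICV_LEN]


def build_esp_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ESP (RFC 2406) layout: SPI | seq | payload+trailer | ICV.

    The ICV covers everything that precedes it; `payload` is treated as the
    opaque, already-encrypted data plus ESP trailer (constructed here).
    """
    authenticated = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return authenticated + hmac_md5_96(key, authenticated)


def verify_esp_packet(key: bytes, packet: bytes) -> bool:
    """Receiver-side ICV check; a mismatch means the packet is dropped."""
    if len(packet) < ESP_HDR_LEN + ICV_LEN:
        return False
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(hmac_md5_96(key, authenticated), icv)


def icv_is_full_tag_prefix(key: bytes, authenticated: bytes) -> bool:
    """Shows that hmac-md5-96 is plain HMAC-MD5 with the tag cut to 12 bytes."""
    full_tag = hmac.new(key, authenticated, hashlib.md5).digest()
    return len(full_tag) == 16 and full_tag.startswith(hmac_md5_96(key, authenticated))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    key = b"constructed-esp-auth-key"
    pkt = build_esp_packet(key, 0x1000, 1, b"encrypted-payload-and-trailer")
    print("valid:", verify_esp_packet(key, pkt))
    tampered = pkt[:ESP_HDR_LEN] + b"X" + pkt[ESP_HDR_LEN + 1:]
    print("tampered valid:", verify_esp_packet(key, tampered))
```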