09-10-2012 03:26 PM
Hi,
I'm trying to set up a site-to-site VPN between a Cisco 3925 and a pfSense firewall. Phase 1 is up, but when it tries to initiate phase 2 I get an error on the pfSense firewall that says the networks in the SA are not configured correctly.
As far as I know, on the Cisco router, which is configured with a VTI, I'm not supposed to set up a local network and a remote network; it simply encrypts everything that goes into the tunnel.
How am I supposed to configure the second FW? I tried all the options, including establishing the tunnel from the far side. Without encryption everything works fine with a generic tunnel.
This is my configuration on the Cisco:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key XXXXXXXXX address PEER-IP-ADDRESS
crypto ipsec transform-set YYYYY esp-aes 256 esp-sha-hmac
crypto ipsec profile ABCD
 set transform-set YYYYY
interface tunnel201
 description *******************
 ip address 1.1.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source MY-IP-ADDRESS
 tunnel destination PEER-IP-ADDRESS
 tunnel protection ipsec profile ABCD
ip route REMOTE-LAN REMOTE-SUBNET tunnel 201
09-14-2012 04:39 AM
OK,
I configured the first choice, and it seems that the IPsec tunnel is up on the Cisco (show crypto session shows UP-ACTIVE),
but now I lost connectivity to the remote FW, even to the public IP.
In this mode the Cisco encrypts according to routing, right?
I have one route on the Cisco:
ip route REMOTE-LAN REMOTE-SUBNET tunnel201
and a route to the REMOTE-WAN-IP:
ip route REMOTE-WAN 255.255.255.252 gig0/1
As far as I understand, when I try to get to the WAN IP, it should not encrypt the packets, right?
Anyway, when I ping the remote LAN I get "reply from MY-TUNNEL-IP: TTL expired in transit",
and when I trace to that IP I get:
1. IP
2. IP
3. IP
4. Request timed out
5. MY TUNNEL IP
6. Request timed out
7. MY TUNNEL IP
8. Request timed out
So, is there any problem with my routing?
09-14-2012 04:44 AM
It depends on the implementation of this 3rd-party device. I had the impression we were protecting a tunnel interface.
It seems your box places the crypto map on the public interface.
Possibly you can reach the management interface via the tunnel interface. If not, you should revert the config.
It seems the crypto map config is the only way.
09-14-2012 10:25 AM
But why can't I reach the REMOTE-LAN?
What route should I add to the Cisco?
My route now is:
ip route REMOTE-LAN 255.255.255.0 tunnel201
Is it OK?
And what route should I add in the 3rd-party device?
The route that is configured is: to get to CISCO_LAN, go to the GRE tunnel. Is it OK?
If I configure the crypto map and apply it on the egress interface like you said, is it going to interfere with the other IPsec tunnel that uses the same interface?
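For reference, a crypto-map (policy-based) configuration for the Cisco side of the kind the reply above points toward. This is an added example, not configuration from the thread, from Cisco, or from pfSense documentation. Background that the thread itself does not spell out: an IOS VTI proposes any/any (0.0.0.0/0 to 0.0.0.0/0) traffic selectors in phase 2, while pfSense's phase 2 entry carries a specific local network and remote network, so the selectors never match; a crypto map with an ACL proposes the specific LAN pair instead. Assumed placeholders: 192.168.10.0/24 for the Cisco LAN, 192.168.20.0/24 for the pfSense LAN, GigabitEthernet0/1 as the egress interface, OUTSIDE-MAP as the name of a crypto map already applied there with sequence 10 for the other peer, and NEXT-HOP-IP as the upstream gateway. The ISAKMP policy, pre-shared key and transform set YYYYY from the first post are reused as-is. The example also shows how a second peer is added to an interface that already carries a crypto map: IOS allows one crypto map per interface, so the new peer gets a new sequence number in the existing map rather than a second map.

```cisco
! Added example, not from the thread. Assumptions: Cisco LAN 192.168.10.0/24,
! pfSense LAN 192.168.20.0/24, egress interface GigabitEthernet0/1, an existing
! crypto map OUTSIDE-MAP (seq 10) serving another peer, upstream gateway NEXT-HOP-IP.
! ISAKMP policy 10, the pre-shared key and transform-set YYYYY from the first post
! are assumed to be present unchanged.

! Traffic selectors for phase 2. The pfSense phase 2 entry must be the exact mirror:
! local network 192.168.20.0/24, remote network 192.168.10.0/24, ESP AES-256 / SHA1.
ip access-list extended VPN-TO-PFSENSE
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

! One crypto map per interface: a new sequence number in the existing map.
! Sequence 10 keeps serving the other IPsec peer untouched.
crypto map OUTSIDE-MAP 20 ipsec-isakmp
 set peer PEER-IP-ADDRESS
 set transform-set YYYYY
 match address VPN-TO-PFSENSE
 ! set pfs group5   <- add only if PFS is enabled in the pfSense phase 2 entry

! Apply the map to the public interface (no-op if OUTSIDE-MAP is already applied).
interface GigabitEthernet0/1
 crypto map OUTSIDE-MAP

! Retire the VTI, which proposed any/any selectors, and route the remote LAN out the
! physical interface. The crypto map encrypts only packets matching VPN-TO-PFSENSE,
! so traffic to the peer's public IP stays in clear and is not affected.
no interface Tunnel201
no ip route REMOTE-LAN REMOTE-SUBNET Tunnel201
ip route 192.168.20.0 255.255.255.0 GigabitEthernet0/1 NEXT-HOP-IP

! Verification (placeholders as above):
!   show crypto map interface GigabitEthernet0/1
!   show crypto ipsec sa peer PEER-IP-ADDRESS
! The second command must show local ident 192.168.10.0/255.255.255.0 and
! remote ident 192.168.20.0/255.255.255.0; any/any there means the VTI is still active.
```

If the router also performs NAT on GigabitEthernet0/1, the LAN-to-LAN traffic must be excluded from the NAT ACL before it reaches the crypto map, otherwise the source address is translated and no longer matches VPN-TO-PFSENSE. On the pfSense side the only route needed is the phase 2 entry itself; a static route toward a GRE tunnel is not used with a crypto-map peer.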