11-02-2007 10:00 AM - edited 03-09-2019 07:12 PM
I have a PIX firewall with various VPNs.
One of these VPNs is configured without an ISAKMP policy, as such I assume it is using the Global Default Policy.
DES
Secure Hash Standard
Rivest-Shamir-Adleman Signature
Diffie-Hellman group:#1 (768 bit)
86400 seconds
But the VPN also has a transform set of esp-aes-256 esp-sha-hmac and I'm not sure how this affects the overall configuration?
In trying to configure a site to site VPN what settings would I need to give to the other end?
Also how does the transform set relate to the ISAKMP policy, what is the distinction between the two?
Basically this VPN drops regularly and I am trying to rule out config error and confirm what settings I have and/or should have.
Help.
Mike
11-02-2007 02:00 PM
The ISAKMP policy you have listed is Phase 1. The transform set is used for Phase 2 negotiations, so they are completely unrelated. Phase 1 builds a tunnel to encrypt the Phase 2 negotiation. To configure a site-to-site VPN, you will need to give them all of your Phase 1 (encryption, hash, DH group, timeout, key, etc.) values and all of the Phase 2 values. If any of the values does not match, then you will not build a connection, so you must be sure that both ends are negotiating the same.
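As an added example (not part of the original thread or any poster's configuration), this is how the two phases the reply distinguishes look when written out explicitly in PIX 6.x syntax, using the default Phase 1 values and the transform set quoted in the question; the policy number 10, the transform-set and crypto map names, the ACL, and the peer address 192.0.2.1 are assumed placeholders.

```cisco
! ---- Phase 1 (ISAKMP / IKE). This is the "Global Default Policy" from the
! ---- question spelled out as an explicit policy. Every value must match the peer.
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
! (DES and DH group 1 are the PIX defaults but are weak by current standards;
!  if you strengthen them, both ends must be changed together or Phase 1 fails.)

! ---- Phase 2 (IPsec). The transform set protects the actual traffic and is
! ---- negotiated inside the Phase 1 tunnel. It must also match the peer exactly.
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! ---- The crypto map binds the Phase 2 transform set to a peer and to the
! ---- interesting-traffic ACL. Note that the ISAKMP policy is never referenced
! ---- here: the two phases are configured independently.
! (Subnets below are constructed sample values.)
access-list VPN_TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer 192.0.2.1
crypto map VPNMAP 10 set transform-set AES256-SHA
crypto map VPNMAP interface outside
```

When sending settings to the other side, the Phase 1 block (authentication, encryption, hash, DH group, lifetime) and the Phase 2 transform set are the two lists that have to agree; the names, policy numbers and map sequence numbers are local and do not.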
11-05-2007 07:36 AM
Thanks for the reply.
The setup is a lot clearer now.
The connection actually works 90% of the time, but drops out quite often.
Show isakmp sa will list the VPN as MM_NO_STATE?
Could you offer an insight as to what the cause may be of this? A configuration error is unlikely I presume?
Thanks.