Crear VPN Sitio-to-Sitio (site-to-site)

Answered Question
Jun 22nd, 2011

Spanish/Español (translated to English):

Good morning,

I am having problems creating a site-to-site VPN. I am using the following equipment: a PIX 535 and an RV082 router.

My idea is to have the router connect via VPN to the PIX. I have already gone into the router and configured everything, but when I click connect it stays at "Waiting for connection" and never connects; it does not even give me an error.

When I configure the PIX (which I do through the device manager, not the console), it gives me an error on the access-list, although at no point did it ask me to enter an access-list. :S I don't know if I explained myself well.

Thanks in advance for trying to help me!

English:

Good morning,

I'm having trouble creating a site-to-site VPN. I am using the following equipment: a PIX 535 and an RV082 router.

My idea is to make the router connect via VPN to the PIX. I went into the router and set up everything, but when I click connect it remains in "Waiting for connection" and never connects; it does not even throw me an error.

When I configure the PIX (which I do through the device manager, not the console), it throws me an access-list error, though at no time did it ask me to set up an access-list. :S I don't know if I explained myself well.

Of course, I thank you for trying to help me!

Loren Kolnes Wed, 06/22/2011 - 10:15

Hi Juan,

If you are setting up Easy VPN the following configuration example should help:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml

If you are not using Easy VPN, can you provide the VPN configuration from each side? Please remove any sensitive information such as public IP addresses, passwords or pre-shared keys before posting in this forum.

Thanks,

Loren

jmsanz2011 Wed, 06/22/2011 - 10:24

Hi Loren,

Thank you for your prompt response.

I do not quite understand; are you telling me to use the Easy VPN option?

Anyway, I cannot access the appended link.

jmsanz2011 Wed, 06/22/2011 - 11:00

I did it through the VPN wizard in the device manager, and it produced this:

isakmp key xxxxx address 190.x.x.x netmask 255.255.255.xxx.xxx no-xauth no-config-mode
access-list Libre_outbound_nat0_acl line 1 permit ip host 199.42.77.34 host 16x.xxx.x.xxx
nat (Libre) 0 access-list Libre_outbound_nat0_acl
access-list outside_cryptomap_20 permit ip host 19x.xx.xx.xx host 16x.xxx.x.xxx
crypto map outside_map 20 set peer 190.x.x.x
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
sysopt connection permit-ipsec

In the IPsec traffic selector I changed the interface to one that is not used (in this case "Libre"), but in that part I really need to put the servers in use (for example: production and Exchange), and there it gave me the access-list error.

Thank you very much Loren

Juan.
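The fragment above is what the wizard emits, and the two access-lists in it are the usual place a PIX site-to-site tunnel goes wrong: the nat 0 exemption must cover exactly the hosts the crypto ACL selects, and it must be bound to the interface the protected hosts actually sit behind rather than an unused one. The following Python script is an added example, not code from the thread or from Cisco. It parses a constructed PIX 6.x fragment modelled on the one posted (with RFC 5737 documentation addresses standing in for the redacted ones) and reports crypto ACL entries that have no matching nat 0 exemption, ACLs that are referenced but never defined, and crypto map entries missing a peer, match address or transform set.

```python
"""Consistency checks for the crypto-map fragment a PIX VPN wizard emits.

Added example, not from the thread: parses the crypto ACL, crypto map entry
and nat 0 exemption and reports the mismatches that leave a tunnel stuck in
'waiting for connection' with no useful error on either side.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the wizard output posted in the thread.
# Addresses are RFC 5737 documentation ranges, not the poster's real ones;
# the local host in the nat 0 ACL deliberately differs from the crypto ACL.
SAMPLE_MISMATCH = """
access-list Libre_outbound_nat0_acl line 1 permit ip host 198.51.100.34 host 203.0.113.7
nat (Libre) 0 access-list Libre_outbound_nat0_acl
access-list outside_cryptomap_20 permit ip host 192.0.2.10 host 203.0.113.7
crypto map outside_map 20 set peer 192.0.2.1
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
sysopt connection permit-ipsec
"""

# Same fragment with the nat 0 exemption covering the protected host.
SAMPLE_FIXED = SAMPLE_MISMATCH.replace("host 198.51.100.34", "host 192.0.2.10")

ACL_RE = re.compile(r"^access-list (\S+)(?: line \d+)? permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (set peer|match address|set transform-set) (\S+)")


def parse_pix(config):
    """Return (acls, nat0, cmaps) from the relevant PIX 6.x lines."""
    acls = defaultdict(list)   # name -> list of token lists, e.g. ['host', a, 'host', b]
    nat0 = {}                  # interface -> exemption ACL name
    cmaps = defaultdict(dict)  # (map name, seq) -> {'set peer': ..., ...}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(m.group(2).split())
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = CMAP_RE.match(line)
        if m:
            cmaps[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
    return acls, nat0, cmaps


def check_site_to_site(config):
    """Return a list of human-readable findings; an empty list means the fragment is consistent."""
    acls, nat0, cmaps = parse_pix(config)
    findings = []
    for iface, acl in nat0.items():
        if acl not in acls:
            findings.append(f"nat ({iface}) 0 references undefined ACL {acl}")
    # Every flow exempted from NAT, whichever interface the nat 0 statement is bound to.
    exempt = {tuple(e) for acl in nat0.values() for e in acls.get(acl, [])}
    for (name, seq), settings in sorted(cmaps.items()):
        tag = f"crypto map {name} {seq}"
        for key in ("set peer", "match address", "set transform-set"):
            if key not in settings:
                findings.append(f"{tag}: missing '{key}'")
        acl = settings.get("match address")
        if acl is None:
            continue
        if acl not in acls:
            findings.append(f"{tag}: match address references undefined ACL {acl}")
            continue
        for entry in acls[acl]:
            if tuple(entry) not in exempt:
                findings.append(f"{tag}: '{' '.join(entry)}' is selected for IPsec "
                                "but has no matching nat 0 exemption")
    return findings


if __name__ == "__main__":
    for label, cfg in (("mismatch", SAMPLE_MISMATCH), ("fixed", SAMPLE_FIXED)):
        print(label, check_site_to_site(cfg) or "OK")
```

Run as-is, the constructed sample reports the host that is selected for encryption but not exempted from NAT, and `SAMPLE_FIXED` reports nothing. The interface question cannot be settled from these lines alone: the script has no way to know which interface the production and Exchange servers live behind, so that check stays a manual one.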

Correct Answer
Loren Kolnes Wed, 06/22/2011 - 11:20

Hi Juan,

Can you also provide the crypto configuration output from the router, again removing any sensitive information?

Thanks,

Loren

jmsanz2011 Wed, 06/22/2011 - 12:21

Tunnel No. 1
Tunnel Name : fccf
Interface : (options: WAN1 / WAN2)
Enable :

Local Group Setup

Local Security Gateway Type : (options: IP Only / IP + Domain Name (FQDN) Authentication / IP + Email Address (USER FQDN) Authentication / Dynamic IP + Domain Name (FQDN) Authentication / Dynamic IP + Email Address (USER FQDN) Authentication)
IP Address : 19x.xxx.xxx.xxx
Local Security Group Type : (options: IP / Subnet / IP Range)
IP Address : 192.168.x.xx

Remote Group Setup

Remote Security Gateway Type : (options: IP Only / IP + Domain Name (FQDN) Authentication / IP + Email Address (USER FQDN) Authentication / Dynamic IP + Domain Name (FQDN) Authentication / Dynamic IP + Email Address (USER FQDN) Authentication)
IP Address / IP by DNS Resolved :

The IP of the PIX goes here, right?

Remote Security Group Type : (options: IP / Subnet / IP Range)
IP Address :

The IP of the PIX goes here, right?

IPSec Setup

Keying Mode : (options: Manual / IKE with Preshared key)
Phase 1 DH Group : (options: Group 1 - 768 bit / Group 2 - 1024 bit / Group 5 - 1536 bit)
Phase 1 Encryption : (options: DES / 3DES / AES-128 / AES-192 / AES-256)
Phase 1 Authentication : (options: MD5 / SHA1)
Phase 1 SA Life Time : 28800 seconds
Perfect Forward Secrecy :
Phase 2 DH Group : (options: Group 1 - 768 bit / Group 2 - 1024 bit / Group 5 - 1536 bit)
Phase 2 Encryption : (options: NULL / DES / 3DES / AES-128 / AES-192 / AES-256)
Phase 2 Authentication : (options: NULL / MD5 / SHA1)
Phase 2 SA Life Time : 3600 seconds
Preshared Key : xxxxxx
Loren Kolnes Wed, 06/22/2011 - 12:32

Hi Juan,

I am not familiar with this configuration utility, but that does look like the correct area to put the Pix IP address.

Would it be possible to get the isakmp configuration from the Pix, or can you check to make sure there is an isakmp policy that matches the phase 1 and phase 2 settings from the router?

phase 1

authentication pre-shared key
encryption des
hash md5
dh group 1

There does appear to be a phase 2 mismatch between the Pix and the router: the router has DES encryption and the pix has 3DES encryption. Can you change the router phase 2 encryption type to be 3DES?

Thanks,

Loren
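Because the RV082 initiates, the PIX must hold an isakmp policy whose authentication, encryption, hash and DH group all equal the router's phase 1 choices, and the transform set on the crypto map must equal the router's phase 2 encryption and authentication. The SA lifetimes do not have to match (the shorter value is used), but Perfect Forward Secrecy must be enabled at both ends with the same group, or at neither. The following Python script is an added example, not code from the thread or from Cisco. The isakmp policy in it is an assumption built from the phase 1 values Loren lists above, since the thread never shows the PIX policy; the router values are written with the RV082 labels from the form Juan posted, so the same script can be fed whatever the form actually shows.

```python
# Added example: compare the IKE phase 1 / IPsec phase 2 proposals of a PIX with an RV082 tunnel.

# RV082 UI labels (as on the tunnel form in the thread) -> PIX keywords.
UI_TO_KEYWORD = {
    "DES": "des", "3DES": "3des",
    "AES-128": "aes", "AES-192": "aes-192", "AES-256": "aes-256",
    "MD5": "md5", "SHA1": "sha", "NULL": "null",
    "Group 1 - 768 bit": "1", "Group 2 - 1024 bit": "2", "Group 5 - 1536 bit": "5",
}

# Constructed PIX 6.x fragment. The thread never shows the PIX isakmp policy;
# this one encodes the phase 1 values Loren lists (pre-shared, DES, MD5, group 1).
PIX_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
"""

# Constructed router settings mirroring the RV082 form as posted (DES in both phases).
ROUTER_TUNNEL = {
    "phase1": {"authentication": "pre-share", "encryption": "DES", "hash": "MD5",
               "group": "Group 1 - 768 bit", "lifetime": 28800},
    "phase2": {"pfs": False, "group": "Group 1 - 768 bit", "encryption": "DES",
               "hash": "MD5", "lifetime": 3600},
}


def normalize(value):
    """Translate an RV082 label to the PIX keyword; pass anything else through."""
    return UI_TO_KEYWORD.get(value, value)


def parse_isakmp_policies(config):
    """'isakmp policy N attr value' lines -> {N: {attr: value}}."""
    policies = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) >= 5 and parts[:2] == ["isakmp", "policy"]:
            policies.setdefault(int(parts[2]), {})[parts[3]] = " ".join(parts[4:])
    return policies


def parse_transform_sets(config):
    """'crypto ipsec transform-set NAME esp-<enc> esp-<hash>-hmac' -> {NAME: {...}}."""
    sets = {}
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            enc = integ = None
            for tok in parts[4:]:
                t = tok[4:] if tok.startswith("esp-") else tok
                if t.endswith("-hmac"):
                    integ = t[:-5]
                else:
                    enc = t
            sets[parts[3]] = {"encryption": enc, "hash": integ}
    return sets


def compare_tunnel(pix_config, router, transform_set, pix_pfs_group=None):
    """Return a list of mismatches; an empty list means both phases should negotiate."""
    findings = []
    # Phase 1: the router's single proposal must equal one isakmp policy on all four
    # attributes. Lifetime is not compared: the shorter of the two values is used.
    p1 = {k: normalize(v) for k, v in router["phase1"].items()}
    closest = None
    for num, pol in sorted(parse_isakmp_policies(pix_config).items()):
        diffs = [f"{a}: router {p1[a]}, pix policy {num} {pol.get(a)}"
                 for a in ("authentication", "encryption", "hash", "group")
                 if p1[a] != pol.get(a)]
        if closest is None or len(diffs) < len(closest):
            closest = diffs
    if closest is None:
        closest = ["no isakmp policy defined on the pix"]
    if closest:
        findings.append("phase 1: no isakmp policy matches (" + "; ".join(closest) + ")")
    # Phase 2: encryption and integrity must equal the crypto map's transform set,
    # and PFS must be on at both ends with the same DH group, or off at both.
    ts = parse_transform_sets(pix_config).get(transform_set)
    if ts is None:
        findings.append(f"phase 2: transform-set {transform_set} is not defined")
        return findings
    p2 = {k: normalize(v) for k, v in router["phase2"].items()}
    for a in ("encryption", "hash"):
        if p2[a] != ts[a]:
            findings.append(f"phase 2 {a}: router {p2[a]}, pix {ts[a]}")
    if p2["pfs"] and str(pix_pfs_group) != p2["group"]:
        findings.append(f"phase 2 pfs: router group {p2['group']}, pix {pix_pfs_group}")
    elif not p2["pfs"] and pix_pfs_group is not None:
        findings.append(f"phase 2 pfs: pix requires group {pix_pfs_group}, router has PFS off")
    return findings


def router_with_phase2(**overrides):
    """Copy of ROUTER_TUNNEL with phase 2 fields replaced, e.g. encryption='3DES'."""
    return {**ROUTER_TUNNEL, "phase2": {**ROUTER_TUNNEL["phase2"], **overrides}}


if __name__ == "__main__":
    print(compare_tunnel(PIX_CONFIG, ROUTER_TUNNEL, "ESP-3DES-MD5"))
    print(compare_tunnel(PIX_CONFIG, router_with_phase2(encryption="3DES"), "ESP-3DES-MD5"))
```

With the values as posted the script reports only the phase 2 encryption mismatch Loren points out (router DES, pix 3DES); after switching the router's phase 2 encryption to 3DES it reports nothing. `pix_pfs_group` stands for a `set pfs` line on the crypto map, which the posted fragment does not have; pass it if the PIX side is later given one, since a PFS setting on only one end fails phase 2 just as silently as a cipher mismatch does.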

jmsanz2011 Thu, 06/23/2011 - 05:49

Hi Loren,

Excuse the DES encryption in the router configuration. "You have 3DES encryption on the pix, can you change the router phase 2 encryption type to be 3DES?"

This is because, as you say, I did nothing more than try it just like that.

With respect to the pix isakmp configuration, this appears: isakmp key xxxxx address 190.xxx netmask 255.255.255.xxx.xxx no-xauth no-config-mode. The key in the router, where it says Preshared Key: xxxxx, is exactly the same; it is easy and short, I did everything as a test, and it still does not work.

Loren, really, thank you very much for the help you are giving.

Juan
