ipsec site-to-site between cisco 881w & tmg 2010

tarasvadim
Level 1

Good afternoon! IPsec site-to-site between Cisco 881W & TMG 2010 does not work.
Cisco 881W config:

ip name-server 8.8.8.8
ip cef
no ipv6 cef
crypto isakmp policy 1
encr 3des
hash sha256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key cisco address 2.2.2.2(dest ip)
crypto ipsec transform-set Myset esp-3des esp-sha256-hmac
mode tunnel
crypto map Mymap 1 ipsec-isakmp
set peer 2.2.2.2(dest ip)
set transform-set Myset
match address 100
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
description end_user connect
no ip address
!
interface FastEthernet4
ip address 1.1.1.1 255.255.255.248
ip virtual-reassembly in
duplex auto
speed auto
crypto map Mymap
!
interface Wlan-GigabitEthernet0
no ip address
!
interface wlan-ap0
no ip address
!
interface Vlan1
ip address x.x.x.x (local lan ip) 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static x.x.x.x interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 3.3.3.3(default gateway ip)
ip ssh version 2
!
!
access-list 100 permit ip x.x.x.x 0.0.0.255 y.0.0.0(remote(tmg) lan ip) 0.255.255.255
end

TMG 2010 Config

Local Tunnel Endpoint: 2.2.2.2
Remote Tunnel Endpoint: 1.1.1.1


IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA256
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (cisco)
Security Association Lifetime: 28800 seconds


IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA256
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 3600 seconds

Kbyte Rekeying: ON
Rekey After Sending: 4608000 Kbytes

Remote Network target IP Subnets:
Subnet: 1.1.1.1/255.255.255.255
Subnet: x.x.x.x/255.255.255.0

Local Network 'Internal' IP Subnets:
Subnet: y.0.0.0/255.255.252.0


Mark Malone
VIP Alumni

Hi

I don't use TMG, but looking at your ACL, it doesn't look like it matches what the local side is on the TMG side?

access-list 100 permit ip x.x.x.x 0.0.0.255 y.0.0.0(remote(tmg) lan ip) 0.255.255.255       /8

This is /22, but you have /8 as the remote subnet on the Cisco side.

Local Network 'Internal' IP Subnets:
Subnet: y.0.0.0/255.255.252.0

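The mismatch pointed out in the reply is a Phase 2 selector (proxy ID) problem: the Cisco ACL wildcard 0.255.255.255 describes a /8 while TMG defines its internal network as a /22. The following added example (not from the post or from Cisco/Microsoft) converts both notations to prefixes, reports any selector that has no exact counterpart on the other side, and rewrites the ACE to match; the concrete addresses 192.168.1.0 and 10.0.0.0 are constructed stand-ins for the x.x.x.x and y.0.0.0 placeholders.

```python
import ipaddress
import re

# Constructed sample values standing in for the x.x.x.x / y.0.0.0 placeholders in the post.
CISCO_ACL = "access-list 100 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255"
TMG_LOCAL = ["10.0.0.0/255.255.252.0"]                                 # TMG 'Internal' subnets
TMG_REMOTE = ["1.1.1.1/255.255.255.255", "192.168.1.0/255.255.255.0"]  # TMG remote subnets

ACL_RE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard -> network. Wildcard bits are the inverse of the
    netmask; ipaddress raises ValueError for a non-contiguous mask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def network_to_wildcard(net):
    """Network -> Cisco 'address wildcard' text (inverse of wildcard_to_network)."""
    return f"{net.network_address} {net.hostmask}"

def parse_cisco_acl(line):
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'permit ip' ACE: {line!r}")
    num, src, swc, dst, dwc = m.groups()
    return num, wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)

def compare_selectors(acl_line, tmg_local, tmg_remote):
    """Report Phase 2 selector mismatches: the Cisco source/destination pair must
    appear, with the same prefix length, as a TMG remote/local pair."""
    _, src, dst = parse_cisco_acl(acl_line)
    tmg_loc = {ipaddress.ip_network(s, strict=False) for s in tmg_local}
    tmg_rem = {ipaddress.ip_network(s, strict=False) for s in tmg_remote}
    findings = []
    if src not in tmg_rem:
        findings.append(f"Cisco local {src} has no exact match in TMG remote subnets {sorted(map(str, tmg_rem))}")
    if dst not in tmg_loc:
        findings.append(f"Cisco remote {dst} has no exact match in TMG local subnets {sorted(map(str, tmg_loc))}")
    return findings

def suggest_acl(acl_line, tmg_local):
    """Rewrite the ACE so its destination matches the first TMG local subnet exactly."""
    num, src, _ = parse_cisco_acl(acl_line)
    dst = ipaddress.ip_network(tmg_local[0], strict=False)
    return f"access-list {num} permit ip {network_to_wildcard(src)} {network_to_wildcard(dst)}"

if __name__ == "__main__":
    for finding in compare_selectors(CISCO_ACL, TMG_LOCAL, TMG_REMOTE):
        print("MISMATCH:", finding)
    print("suggested:", suggest_acl(CISCO_ACL, TMG_LOCAL))
```

Both peers must propose identical selectors; once the ACE uses the 0.0.3.255 wildcard the check returns no findings.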