Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
257
Views
0
Helpful
2
Replies

Tunnel IPSec on PIX 525

rpaolet
Level 1
Level 1

‎04-24-2003 06:32 AM - edited ‎02-21-2020 12:29 PM

Hi guys, i've strange problem.This is my topology :

vpn client 1.1 ----- RAS 3Com ----- PIX 525 ------ CA win2k

Usually the client uses authentication RSA signature and come up the vpn when the client asks the home page via http.

So sometimes this system failed because the client send the messages IKE but doesn't receive nothing messages.

The phase 1 uses esp-des and hash like sha-1, but the system block in this phase.

When the vpn failed i tried change the profile of phase 1 , so for example i change the hash from sha-1 to md5 + DF group from 2 to 1 ; and then there aren't errors, the tunnel ipsec is up.

But this is a workaround no stable, because after the system failed again and i check the cpu,mem,etc... are very low and so i reboot the pix (a pair pix works in failover without statefull).

Then now the system work well and i didn't see erros,but i don't know if there is a problem of architeture network or problem hardware for the encryption, as sonn as i can i use the VAC adapter.

Can someone help me?

Tnx

Roberto Paoletti

Labels:
0 Helpful
2 Replies 2

drolemc
Level 6
Level 6

‎05-02-2003 06:49 AM

From the information available it does seem that problem is one of design. I haven't come across designs where a PIX is deployed behind a RAS. That might or might not work but it certainly isn't a popular design. A VPN client to PIX tunnel is a simple setup and an example of the same is available in the document http://www.cisco.com/warp/public/110/pptpcrypto3.html. Hope that helps.

0 Helpful

rpaolet
Level 1
Level 1
In response to drolemc

‎05-06-2003 08:10 AM

Thanks for your collaboration.

My clients arrives from PSTN and i make the AAA by RAS/ACS and match the certificate with CA server.

After when the client open the website, then the pix creates the tunnel ipsec with a different pool of ip address.

Do u know another network topology where i have to use the RAS for client?

i'd like to use the RSA signature and not the pre-shared......for completly now i scheduled a restart of CA server (because the vulnerability of mscep.dll)and it seems work,who do u know it???

Thanks

regards

Roberto Paoletti

0 Helpful
Customers Also Viewed These Support Documents