04-24-2003 06:32 AM - edited 02-21-2020 12:29 PM
Hi guys, I have a strange problem. This is my topology:
vpn client 1.1 ----- RAS 3Com ----- PIX 525 ------ CA win2k
Usually the client uses RSA signature authentication, and the VPN comes up when the client asks for the home page via HTTP.
But sometimes this system fails because the client sends the IKE messages but doesn't receive any messages back.
Phase 1 uses esp-des and SHA-1 as the hash, but the system blocks in this phase.
When the VPN failed I tried changing the phase 1 profile, for example changing the hash from SHA-1 to MD5 and the DH group from 2 to 1; then there are no errors and the IPsec tunnel is up.
But this workaround is not stable, because afterwards the system failed again; I checked the CPU, memory, etc., they are very low, and so I rebooted the PIX (a pair of PIXes works in failover without stateful).
Now the system works well and I didn't see errors, but I don't know if there is a network architecture problem or a hardware problem with the encryption; as soon as I can I'll use the VAC adapter.
Can someone help me?
Thanks
Roberto Paoletti
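The post above describes a working phase 1 profile (DES, SHA-1, DH group 2, RSA signatures) and a workaround that swaps in MD5 and DH group 1. As an added example that is not from the thread or from Cisco, the following Python script parses a constructed configuration written in the PIX 6.x `isakmp policy` style (the poster's real configuration is not shown, so the sample and the policy numbers are assumptions), flags the weak phase 1 settings a reviewer would want to see, and reports which attributes a workaround downgraded relative to the original policy.

```python
import re
from collections import defaultdict

# Constructed sample in PIX 6.x "isakmp policy" syntax (assumption: not the poster's
# configuration). Policy 10 mirrors the thread's normal phase 1 profile; policy 20
# mirrors the workaround (hash MD5, DH group 1) described in the post.
SAMPLE_CONFIG = """
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
"""

POLICY_RE = re.compile(
    r"^\s*isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)"
)

# Settings worth flagging in a phase 1 policy, with the reason reported for each.
WEAK = {
    "encryption": {"des": "single DES (56-bit key)"},
    "hash": {"md5": "MD5 integrity"},
    "group": {"1": "DH group 1 (768-bit MODP)"},
    "authentication": {"pre-share": "pre-shared key instead of RSA signatures"},
}

# Relative strength ranking used to detect downgrades between two policies
# (higher is stronger; values not listed are ignored by the comparison).
RANK = {
    "encryption": {"des": 1, "3des": 2, "aes": 3, "aes-192": 4, "aes-256": 5},
    "hash": {"md5": 1, "sha": 2},
    "group": {"1": 1, "2": 2, "5": 3},
    "authentication": {"pre-share": 1, "rsa-sig": 2},
}


def parse_isakmp_policies(text):
    """Group 'isakmp policy N attr value' lines into {N: {attr: value}}."""
    policies = defaultdict(dict)
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, attr, value = m.groups()
            policies[int(prio)][attr] = value.lower()
    return dict(policies)


def audit_policies(policies):
    """Return {policy_number: [reasons]} for every weak setting found."""
    findings = {}
    for prio, attrs in sorted(policies.items()):
        reasons = [WEAK[a][v] for a, v in attrs.items() if v in WEAK.get(a, {})]
        if reasons:
            findings[prio] = reasons
    return findings


def downgrades(old, new):
    """List the attributes where 'new' is ranked weaker than 'old'."""
    weakened = []
    for attr, ranks in RANK.items():
        o, n = ranks.get(old.get(attr)), ranks.get(new.get(attr))
        if o is not None and n is not None and n < o:
            weakened.append(attr)
    return weakened


if __name__ == "__main__":
    pols = parse_isakmp_policies(SAMPLE_CONFIG)
    for prio, reasons in audit_policies(pols).items():
        print(f"policy {prio}: " + "; ".join(reasons))
    print("workaround downgraded:", downgrades(pols[10], pols[20]))
```

The audit treats the thread's own baseline (single DES) as a finding too, since a troubleshooting swap that lands on MD5 and DH group 1 is only a meaningful step down if the starting point is recorded; keeping both policies side by side makes that visible.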
05-02-2003 06:49 AM
From the information available it does seem that the problem is one of design. I haven't come across designs where a PIX is deployed behind a RAS. That might or might not work, but it certainly isn't a popular design. A VPN client to PIX tunnel is a simple setup, and an example of the same is available in the document http://www.cisco.com/warp/public/110/pptpcrypto3.html. Hope that helps.
05-06-2003 08:10 AM
Thanks for your collaboration.
My clients arrive from the PSTN, and I do the AAA with RAS/ACS and match the certificate with the CA server.
Afterwards, when the client opens the website, the PIX creates the IPsec tunnel with a different pool of IP addresses.
Do you know another network topology where I have to use the RAS for the client?
I'd like to use RSA signatures and not pre-shared keys... For now I scheduled a restart of the CA server (because of the mscep.dll vulnerability) and it seems to work; do you know about it?
Thanks
regards
Roberto Paoletti