
New Member

Tunnel IPSec on PIX 525

Hi guys, I have a strange problem. This is my topology:

vpn client 1.1 ----- RAS 3Com ----- PIX 525 ------ CA win2k

Usually the client uses RSA signature authentication, and the VPN comes up when the client requests the home page via HTTP.

Sometimes this system fails because the client sends the IKE messages but doesn't receive any messages back.

Phase 1 uses esp-des with SHA-1 as the hash, but the system blocks in this phase.

When the VPN failed I tried changing the phase 1 profile, for example changing the hash from SHA-1 to MD5 and the DH group from 2 to 1; then there are no errors and the IPsec tunnel is up.

But this workaround is not stable, because afterwards the system failed again; I checked CPU, memory, etc. and they are very low, so I rebooted the PIX (a pair of PIXes works in failover, without stateful failover).

Now the system works well and I didn't see errors, but I don't know if there is a problem with the network architecture or a hardware problem with the encryption; as soon as I can I will use the VAC adapter.

Can someone help me?

Thanks

Roberto Paoletti

2 REPLIES
Silver

Re: Tunnel IPSec on PIX 525

From the information available it does seem that the problem is one of design. I haven't come across designs where a PIX is deployed behind a RAS. That might or might not work, but it certainly isn't a popular design. A VPN client to PIX tunnel is a simple setup, and an example of the same is available in the document http://www.cisco.com/warp/public/110/pptpcrypto3.html. Hope that helps.

New Member

Re: Tunnel IPSec on PIX 525

Thanks for your collaboration.

My clients arrive from the PSTN, and I do the AAA via RAS/ACS and match the certificate with the CA server.

Afterwards, when the client opens the website, the PIX creates the IPsec tunnel with a different pool of IP addresses.

Do you know another network topology where I have to use the RAS for the clients?

I'd like to use RSA signatures and not pre-shared keys. For now I have scheduled a restart of the CA server (because of the mscep.dll vulnerability) and it seems to work. Does anyone know about it?

Thanks

regards

Roberto Paoletti
