IPSEC VPN

I am setting up a newly acquired PIX 506E.

I am trying to create a VPN link to a Netscreen 50 box. The problem I am having is that Phase 2 keeps being retransmitted. I don't have any control over the Netscreen, so I just want to make sure that everything is OK on the PIX.

Does anyone know if there are some incompatibility issues between a PIX 506E and a Netscreen 50?

The config:

access-list inside_outbound_nat0_acl permit ip 10.20.12.0 255.255.255.0 10.120.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.20.12.0 255.255.255.0 10.120.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer *.*.*.*
crypto map outside_map 20 set transform-set mytrans
crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 28800
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address *.*.*.* netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Regards,

Dean

Re: IPSEC VPN

try applying the command "isakmp identity address".

the ACL looks fine, assuming 10.20.12.0 is the PIX inside net and 10.120.1.0 is the Netscreen trusted net.

also, both devices' policies must match each other, including the pre-shared key, encryption level, DH group, etc.

there shouldn't be any drama creating a LAN-to-LAN VPN between the two. have a look at this doc from Cisco:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml
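The reply's point that both sides' policies must match can only be verified against the Netscreen by hand, but the PIX side of the posted config can be sanity-checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the relevant PIX lines (constructed from the post, with peer and key omitted) and flags a crypto map ACL not covered by the nat 0 ACL, an undefined ACL or transform-set, an incomplete ISAKMP policy, and the single-DES transform.

```python
from collections import defaultdict
# Constructed sample: the relevant lines of the PIX 506E config from the post (peer and key omitted).
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 10.20.12.0 255.255.255.0 10.120.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.20.12.0 255.255.255.0 10.120.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set mytrans
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

def parse_pix(text):
    # ACL entries, transform-sets, crypto map entries, the nat 0 ACL name and ISAKMP policies
    acls, tsets, cmaps, pol, nat0 = defaultdict(list), {}, defaultdict(dict), defaultdict(dict), None
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["access-list"]:
            acls[w[1]].append(" ".join(w[2:]))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = w[4:]
        elif w[:2] == ["crypto", "map"] and len(w) > 5 and w[3].isdigit() and w[4] in ("match", "set"):
            key = "acl" if w[4] == "match" else w[5]  # 'match address <acl>' or 'set <attr> <value...>'
            cmaps[(w[2], int(w[3]))][key] = " ".join(w[6:])
        elif w[:1] == ["nat"] and "access-list" in w:
            nat0 = w[w.index("access-list") + 1]
        elif w[:2] == ["isakmp", "policy"]:
            pol[w[2]][w[3]] = " ".join(w[4:])
    return acls, tsets, cmaps, nat0, pol

def lint(text):
    # Local sanity checks for the PIX side only; the peer's Phase 1/2 proposals must still be compared by hand
    acls, tsets, cmaps, nat0, pol = parse_pix(text)
    out = []
    for (name, seq), e in cmaps.items():
        acl, ts = e.get("acl"), e.get("transform-set")
        if acl not in acls:
            out.append(f"{name} {seq}: match address ACL {acl} is not defined")
        elif nat0 and set(acls[acl]) - set(acls[nat0]):  # VPN traffic would be NATed before encryption
            out.append(f"{name} {seq}: traffic in {acl} is not exempted by nat 0 ACL {nat0}")
        if ts not in tsets:
            out.append(f"{name} {seq}: transform-set {ts} is not defined")
        elif "esp-des" in tsets[ts]:
            out.append(f"{name} {seq}: transform-set {ts} uses single DES (weak)")
    for num, p in pol.items():
        missing = {"authentication", "encryption", "hash", "group"} - set(p)
        out.extend(f"isakmp policy {num}: missing {m}" for m in sorted(missing))
    return out
```

On the posted config the only finding is the single-DES transform; a nat 0 ACL that does not cover the crypto ACL, or a policy missing its DH group, each produce their own finding.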
