I have a PIX 515E. I used the CA GEN RSA KEY 1024 command to generate a key. After entering this command, a message asked me to delete all the keys. In this case, does it affect my VPN link, because after using this command my VPN was disconnected.
providing the vpn is authenticated by using a digital certificate, then regenerating the rsa key will kill the vpn. the reason being the digital certificate is no longer valid, so the authentication at the vpn peer will fail.
Do you really use a Certificate Authority, or do you just use a Pre-Shared Key (PSK) for the VPN?
If you have pre-shared keys and you just want to assign an SSH key, because you have changed the hostname or domain name, then this will not affect your VPN!
I am using a Pre-Shared Key for my VPN, and I just assigned an SSH key for remote access. Now I can access my firewall through SSH, but the VPN doesn't link. Anyway, as Jackko above mentioned, I need to restore or copy the keys back. Besides this, do you think I should upload a new flash image to the PIX to solve this problem? If so, please help me with the way to upload it.
Thanks in advance.
as patrick suggested, providing the vpn authentication doesn't rely on a ca digital certificate, then re-generating the rsa key for ssh will not crash the existing vpn. it's got to do with something else.
just wondering whether you are referring to lan-lan vpn or remote vpn access. either case, would you please post the config?
Your access-lists seem to be wrong! The remote network and local network in the access-list do not correspond with the interface IP and subnet mask.
PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet
PIX(config)# nat (inside) 0 access-list NONAT
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# crypto map REMOTE 10 match address VPN
You can just add another line to the access-list that matches the right subnet masks and IP networks on both sides and it should rock.
Reset the Security Associations:
clear ipsec sa
clear isakmp sa
See VPN guide:
Site-to-Site VPN Configuration Examples
192.168.0.0/24 <--> rt <--> 192.168.250.4/30 <--> headoffice pix <--> www/vpn <--> ...
... <--> www/vpn <--> branchoffice pix <--> 192.168.110.0/30 <--> rt <--> 192.168.9.0/24
assuming the above topology is accurate, then a static route is missing on the head office pix for destination 192.168.0.0/24
on branch office pix existing config:
route outside 0.0.0.0 0.0.0.0 10.105.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.110.2 1
on head office pix existing config:
route outside 0.0.0.0 0.0.0.0 10.200.5.33 1
so you need to add back the route on the head office pix, e.g.
route inside 192.168.0.0 255.255.255.0 192.168.250.5
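To see why that one missing route matters, here is an added example (not from the thread or from any Cisco tool) that parses the PIX "route" lines quoted above and does a longest-prefix lookup; the route strings are constructed from this thread, and the lookup returns the interface and next hop the PIX would pick for a given destination.

```python
import ipaddress

# Constructed sample: the route statements quoted in the thread, one string per PIX.
BRANCH_ROUTES = """
route outside 0.0.0.0 0.0.0.0 10.105.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.110.2 1
"""
HO_ROUTES_BEFORE = """
route outside 0.0.0.0 0.0.0.0 10.200.5.33 1
"""
# Head office table after the suggested static route is added back.
HO_ROUTES_AFTER = HO_ROUTES_BEFORE + "route inside 192.168.0.0 255.255.255.0 192.168.250.5\n"


def parse_routes(config):
    """Parse 'route IFACE NET MASK NEXTHOP [METRIC]' lines into
    (network, iface, nexthop, metric) tuples; other lines are ignored."""
    table = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        iface, net, mask, nexthop = parts[1:5]
        metric = int(parts[5]) if len(parts) > 5 else 1  # PIX default metric is 1
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        table.append((network, iface, nexthop, metric))
    return table


def lookup(table, dest):
    """Longest-prefix match, ties broken by lowest metric.
    Returns (iface, nexthop), or None when no route covers dest."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]


if __name__ == "__main__":
    # Without the static route, decrypted traffic for LAN 192.168.0.0/24
    # falls through to the default route and is sent back out "outside".
    print("before:", lookup(parse_routes(HO_ROUTES_BEFORE), "192.168.0.10"))
    print("after: ", lookup(parse_routes(HO_ROUTES_AFTER), "192.168.0.10"))
```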
Sorry for the late reply. I have applied the access-list and routing as you suggested above. But the main issue is why the VPN still cannot link: even though the access-list was incorrect, the two peers still could not establish the link. I mean that when I used the debug command and clear ipsec/isakmp sa to reset the security associations, nothing happened.
I have done the config, and now it works. The problem was caused by the access-list.
It seems I am not good at access-lists, and now I have a few networks in my network system. Through this VPN, can you please advise me on the access-lists: how to allow LAN1 and LAN2 to access LAN3, and LAN3 to access LAN1 and LAN2, as shown in the attached file?
Thank you in advance
on h.o. pix
access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto_traffic permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto_traffic permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
on branch pix
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list crypto_traffic permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list crypto_traffic permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
another point that needs to be noticed is the routing.
on h.o. pix
route inside 192.168.0.0 255.255.255.0 192.168.3.1; and
route inside 172.16.1.0 255.255.255.0 192.168.3.1
on branch pix
route inside 192.168.1.0 255.255.255.0 192.168.2.1
on the lan1 router
ip route 0.0.0.0 0.0.0.0 192.168.3.2; or
ip route 192.168.1.0 255.255.255.0 192.168.3.2; and
ip route 172.16.1.0 255.255.255.0 192.168.4.2
on the lan2 router
ip route 0.0.0.0 0.0.0.0 192.168.4.1; or
ip route 192.168.1.0 255.255.255.0 192.168.4.1;
on the lan3 router
ip route 0.0.0.0 0.0.0.0 192.168.2.2; or
ip route 192.168.0.0 255.255.255.0 192.168.2.2; and
ip route 172.16.1.0 255.255.255.0 192.168.2.2
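The earlier failure in this thread came from crypto access-lists that did not match on both sides. As an added example (not from the thread or any Cisco tool), the script below parses "access-list NAME permit ip" lines from both PIXes, checks that every crypto_traffic entry is mirrored (source and destination swapped) on the peer, and checks that every crypto_traffic entry also has a no_nat entry so the traffic is not NATed before encryption. The sample configs are constructed from the lines above; the ACL names crypto_traffic and no_nat are the thread's.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: head office and branch ACLs as written above, in full PIX syntax.
HO_CONFIG = """
access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto_traffic permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto_traffic permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
BRANCH_CONFIG = """
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list crypto_traffic permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list crypto_traffic permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_acls(config):
    """Return {acl_name: {(src_network, dst_network), ...}}; non-matching lines are ignored."""
    acls = defaultdict(set)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls[name].add((src_net, dst_net))
    return acls


def mirror(entries):
    """Swap source and destination, which is what the peer's crypto ACL must contain."""
    return {(dst, src) for src, dst in entries}


def check_peers(local_cfg, remote_cfg, crypto="crypto_traffic", nonat="no_nat"):
    """List crypto entries with no mirrored peer entry, and crypto entries lacking NAT exemption."""
    local, remote = parse_acls(local_cfg), parse_acls(remote_cfg)
    problems = []
    for src, dst in sorted(local[crypto] - mirror(remote[crypto]), key=str):
        problems.append(f"{src} -> {dst}: no mirrored entry in peer's {crypto}")
    for src, dst in sorted(local[crypto] - local[nonat], key=str):
        problems.append(f"{src} -> {dst}: in {crypto} but missing from {nonat}, will be NATed")
    return problems
```

Run check_peers in both directions, since a mismatch is only visible from the side whose entry is not mirrored.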
Thank you Jackko, now I have got my VPN working. But my branch office can't access the Internet. What command do you think I should add in the PIX?
just wondering if the branch office accesses the internet directly or via the head office.
assuming the branch office has direct internet access, then i suspect that the nat/global statement may be inaccurate.
The branch office accesses the Internet via the head office. The VPN link is for backup purposes. In fact, we have an existing connection from the branch office router to the head office router by leased line, and normally the branch office accesses the data center and the Internet at the head office by leased line, but if the leased line is disconnected, we fall back to the VPN backup link. And now the problem is that when the branch office goes through the VPN link, they can't access the Internet.
Note: The head office router connects to another ISP (ISP2), and the branch office also goes to the Internet via ISP2.
it may not be feasible to allow internet browsing for the branch office via the vpn backup link, assuming that the head office pix has the internet as its default gateway.
e.g. providing we "tunnel everything" from the branch office via the vpn: the head office pix receives the internet traffic, decrypts the packets and tries to determine the next hop. since the packets are destined for the internet, the head office pix will try to forward the packets back out the outside interface. unfortunately, that operation is not allowed on pix v6.x.
alternatively, if the pix default gateway is not the internet link, then "tunnel everything" originated from the branch office should work.
i guess you've got 2 options.
when the leased line fails and the vpn backup kicks in, the branch office browses the internet directly via isp1; or
when the leased line fails and the vpn backup kicks in, the branch office browses the internet via the head office.
regardless of which option you choose, you'll need to configure 2 routes on the branch office router. one is the primary (i.e. the leased line); the other is a backup (i.e. the vpn link). to configure these 2 routes, you can manipulate the metrics.
now, if you prefer to let the branch office have direct internet access while the leased line fails, you can just configure nat/global.
alternatively, if you prefer to let the branch office browse via the head office over the vpn, then you'll need to:
1. point the head office pix to the internal router as its default gateway; configure a static route pointing to the branch office via the isp1 link.
2. create an acl "tunnel everything" for traffic originated from and destined for the branch office.