I need to setup a VPN tunnel with a Cisco device which we don't control or have any access to.
The intention is that I can allow a group of IP addresses on our LAN to have access to resources on the other side of the tunnel.
These are the settings that I've been given by the people who own/control the other side of the tunnel:
ISAKMP Identification: IP Address
ISAKMP Pre-Shared Key: <TBC via Phone or Secure Email do not include on this form>
ISAKMP Lifetime: 86400 seconds
ISAKMP Encryption: AES256
ISAKMP Authentication: Pre-shared key
ISAKMP Hash: SHA
DH Group: 2
IKE Negotiation Mode: Main
IPSEC ESP Authentication: SHA
IPSEC ESP Encryption: AES256
IPSEC SA Lifetime Kbytes: 4608000
IPSEC SA Lifetime Hrs: 8
Perfect Forward Secrecy: Yes
Connection Type: Bidirectional
I'm pretty new to VPN tunnels. Is there anything I need to know when trying to set this up on the PAN?
My understanding is that ideally I would create a new zone called "CustomerX" and put the tunnel.x interface that I create into that zone so that I have to have a rule to allow any traffic to flow between our "trust" zone and the far side?
Any info would be really appreciated and any questions or things I haven't mentioned, just ask.
The trick to getting this to work with Cisco is that an access list on Cisco equates to the proxy-ID settings on the PAN device. Basically, for each pair of local and remote subnets configured on the Cisco, you need an associated proxy-ID on the PAN in order to complete the phase 2 negotiation. The article below is an example.
Otherwise, remember that PAN uses route-based VPNs. So you also need to set up a route to the Cisco-side subnets with the next hop being your associated tunnel interface.
The route is basically the same as a regular static route, but you only need to specify the interface. No next hop is needed, since the tunnel interface is essentially a point-to-point link.
set network virtual-router default routing-table ip static-route vpn1 destination 10.1.1.0/24 interface tunnel.1
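To make the mapping concrete, here is an added helper (not from the original thread or from Palo Alto) that turns a PIX/ASA-style crypto ACL into the matching PAN proxy-IDs and the interface-only static routes described above. The ACL contents, the IPsec tunnel name "CustomerX-VPN" and the exact form of the proxy-id set command are assumptions; the static-route command follows the form shown in the reply.

```python
import ipaddress
import re

# Constructed sample: the crypto ACL the Cisco side applies to this tunnel (PIX/ASA
# style, so subnet masks). Source = Cisco's local subnet, destination = ours.
CISCO_CRYPTO_ACL = """
access-list VPN-ACL permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPN-ACL permit ip 192.168.254.0 255.255.255.0 172.16.5.0 255.255.255.0
"""
ACL_RE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(?P<src>\S+)\s+(?P<smask>\S+)"
                    r"\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$")

def to_cidr(addr, mask):
    """Cisco address/mask pair -> CIDR. ipaddress also accepts IOS wildcard
    (host) masks, so '10.0.0.0', '0.255.255.255' gives 10.0.0.0/8 too."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=True))

def proxy_ids_from_acl(acl_text):
    """Mirror each ACL entry into a PAN proxy-ID (local, remote) pair.
    The ACL is written from the Cisco side: its destination is our local
    subnet and its source is our remote subnet. The swap must be exact or
    phase 2 fails with a proxy-ID mismatch."""
    pairs = []
    for line in acl_text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        pair = (to_cidr(m["dst"], m["dmask"]), to_cidr(m["src"], m["smask"]))
        if pair not in pairs:
            pairs.append(pair)
    return pairs

def pan_commands(pairs, ipsec_tunnel="CustomerX-VPN", iface="tunnel.1", vr="default"):
    """PAN-OS set commands: one proxy-ID per pair, then one static route per
    distinct remote subnet pointing at the tunnel interface with no next hop."""
    cmds = [f"set network tunnel ipsec {ipsec_tunnel} auto-key proxy-id pid{i} "
            f"local {local} remote {remote} protocol any"
            for i, (local, remote) in enumerate(pairs, start=1)]
    remotes = sorted({remote for _, remote in pairs}, key=ipaddress.ip_network)
    cmds += [f"set network virtual-router {vr} routing-table ip static-route vpn{i} "
             f"destination {remote} interface {iface}"
             for i, remote in enumerate(remotes, start=1)]
    return cmds

if __name__ == "__main__":
    print("\n".join(pan_commands(proxy_ids_from_acl(CISCO_CRYPTO_ACL))))
```

The generated lines are meant to be reviewed against the peer's ACL before commit; a proxy-ID that is wider or narrower than the Cisco entry is the usual cause of a phase 2 failure.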
Here is what is listed as the route. If I drop this, the pings break from the remote > local network. The remote network is 192.168.254.0/24 and the local is 10.0.0.0/8. I still can't ping from local > remote network. Below are the proxy-IDs that I think are correct. Any ideas? I added several routes to the PIX and none helped.
That part's good, and equates to Cisco's "interesting traffic" crypto-map brain-deadness.
Now you need to do the same in your Virtual Router config. Set up a static route to 192.168 land via interface tunnel.1 (or whatever). Don't put a next hop IP in, just the interface. Then you should be all set.
I have that route in and that is where we are getting the route. I think the problem is the PIX 501 version of code. I was testing our other 501 on our Cisco concentrator and it has the same ping issue. The ASA on the concentrator does not, so I am going to bring up a PIX with a later version of code like the ASA and see how it behaves.