
Need help. site-to-site VPN

SV Member Posts: 166
Hi,

We are planning to establish a site-to-site VPN connection using our PIX 515 (OS version 6.3) to a remote site that uses a PIX 506e. I am sure that ours supports 3DES encryption and theirs only DES. Most probably they are still using an older version of the OS. Does anyone know what the minimum OS required at the PIX 506 end should be?

Is there any website that talks about it?

I have posted about the same in the CCSP site too.

Thanks
Life is a journey...

Comments

  • wildfire Member Posts: 654
    3DES was included as far back as IOS 5.0, so that won't be your problem. The problem with the PIX IOS is that the license is different: when you buy a PIX new you either buy an unrestricted license ($$$$$) or a restricted license. The restricted license has a limit on what features are available; here's an example:

    Cisco PIX Firewall Version 6.3(1)
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited

    This PIX has a Restricted (R) license.

    Yours obviously has 3DES disabled, so you need to upgrade; if you have a CCO account you can get on and get a new activation key for more features.
    Looking for CCIE lab study partners, in the UK or online.
  • forbesl Member Posts: 454
    By the way, SV... you can see the output of what wildfire showed you above by typing "sh ver" on your firewall. That way you'll know for sure what your firewalls are licensed for.
  • SV Member Posts: 166
    forbesl , wildfire,

    I am extremely sorry for the delay in response. Just caught up in a few things. I am really sorry.

    Yeah... both DES and 3DES are enabled when I use "sh ver".

    Will you be able to tell me what commands I should be using if I had the following?

    My private IP range 192.168.10.0/24
    Public IP of my PIX 20.20.20.20

    Other PIX's outside IP 30.30.30.30
    Their internal IP range 192.168.11.0/24

    We will be using a pre-shared key , esp-md5-hmac
    Life is a journey...
  • SV Member Posts: 166
    I have seen this site before and have configured my PIX accordingly. But when I try to ping 192.168.11.5, I don't think any attempt to establish a tunnel is even happening.

    I tried "show crypto ipsec sa":

    ============
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0
    =============

    We already have a site-to-site VPN connection with another site that was configured and used for a while (I was not the one who configured it). Are two VPN connections possible?

    Thanks,

    Shiju
    Life is a journey...
  • forbesl Member Posts: 454
    SV wrote:
    We already have a site-to-site VPN connection with another site that was configured and used for a while (I was not the one who configured it). Are two VPN connections possible?
    Yes, but you will need two crypto maps (with separate access lists applied to each map). Check this out:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml
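The following is an added worked configuration, written for this page and not taken from the thread or from the Cisco documents linked above. It uses the addresses SV gave earlier (192.168.10.0/24 behind 20.20.20.20 on the PIX 515, 192.168.11.0/24 behind 30.30.30.30 on the PIX 506E), pre-shared key authentication and esp-md5-hmac, in PIX OS 6.3 syntax. The names `outside_map`, `strong`, `vpn_to_siteB`, `vpn_to_siteC` and `nonat`, the placeholder pre-shared keys, the ISAKMP policy values, and the peer 40.40.40.40 / 192.168.12.0/24 standing in for the tunnel SV says already exists are all assumptions. It also shows how the second peer forbesl mentions is actually added on a PIX: only one crypto map can be bound to an interface, so each peer becomes its own sequence number in the same map with its own crypto access list, rather than a second map. Lines beginning with `!` are annotations only; strip them before pasting.

```cisco
! ---- Site A: PIX 515, PIX OS 6.3 (outside 20.20.20.20, inside 192.168.10.0/24) ----

! Interesting traffic: one crypto access list per peer.
access-list vpn_to_siteB permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
! Assumed pre-existing tunnel (placeholder peer and network, not from the thread).
access-list vpn_to_siteC permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0

! Exempt all tunnelled traffic from NAT; otherwise the source address is translated
! before the crypto map sees it and the packets never match the crypto ACLs.
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted traffic bypass the outside interface access list / conduits.
sysopt connection permit-ipsec

! Phase 2 proposal: 3DES with MD5-HMAC, as requested. Both peers need
! "VPN-3DES-AES: Enabled" in "show version". If the 506E turns out to be DES-only,
! use "esp-des" here and "encryption des" in the isakmp policy on BOTH sides until its
! activation key is upgraded; treat that as a compatibility fallback, not a target state.
crypto ipsec transform-set strong esp-3des esp-md5-hmac

! One crypto map per interface. Each peer is a separate sequence number in the SAME map.
! "crypto map <name> interface outside" binds a single map, so creating a second map
! name and binding it would replace the existing tunnel's map instead of adding to it.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_siteB
crypto map outside_map 10 set peer 30.30.30.30
crypto map outside_map 10 set transform-set strong
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn_to_siteC
crypto map outside_map 20 set peer 40.40.40.40
crypto map outside_map 20 set transform-set strong
crypto map outside_map interface outside

! Phase 1: IKE with pre-shared keys, one key per peer, bound to that peer's address.
isakmp enable outside
isakmp identity address
isakmp key SiteB-PSK-CHANGEME address 30.30.30.30 netmask 255.255.255.255
isakmp key SiteC-PSK-CHANGEME address 40.40.40.40 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ---- Site B: PIX 506E (outside 30.30.30.30, inside 192.168.11.0/24) ----
! Mirror image: networks swapped, peer is 20.20.20.20, same key and same proposals.
access-list vpn_to_siteA permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_siteA
crypto map outside_map 10 set peer 20.20.20.20
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp key SiteB-PSK-CHANGEME address 20.20.20.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ---- Verification (either side) ----
! Generate traffic from a host on the inside network (e.g. ping 192.168.11.5 from a
! 192.168.10.x machine); a ping issued at the PIX prompt itself is not a reliable test.
! Phase 1: expect a QM_IDLE entry for the peer.
show isakmp sa
! Phase 2: #pkts encaps / #pkts decaps should now increment instead of staying at 0.
show crypto ipsec sa
! Confirms which map is bound to the outside interface and which entries it holds.
show crypto map
! If encaps stays at 0 while send errors climb, watch phase 1 negotiate (or fail) live.
debug crypto isakmp
```

The counters SV posted (encaps 0, send errors 5) are consistent with packets matching the crypto access list but no SA being available to send them in; the first three show commands above separate "no map entry for this traffic" from "IKE never completed", and the debug shows which proposal or key the peers disagree on.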
  • forbesl Member Posts: 454
    Webmaster, any way you can move this thread to the CCSP forum?
  • SV Member Posts: 166
    Hi forbesl , wildfire,

    Thanks a lot for all your help. Initially I did post it on the CCSP site, but there was no response.
    http://www.techexams.net/forums/viewtopic.php?t=11868

    Finally, I was able to get it working. The doc I used is:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/sit2site.htm#10223

    There were some issues from the other site when they tried to configure it. But it's done now.

    I really thank you both for all your help.

    SV
    Life is a journey...