
PIX to Edgewater Site-to-Site VPN

I was hoping someone might have experience configuring an Edgewater device (EdgeMarc 4300T) to establish an IPsec VPN tunnel to a Cisco PIX (515E).

Let me give a little background on our setup. We have 5 remote sites. Three sites have Cisco 1700 routers, one has a 515 PIX, and one has an EdgeMarc 4300 (installed by that site's provider). I work at the corporate site, which has a Cisco 1700 to which all 5 remote sites have site-to-site VPN connections.

These last few days, I have been learning and have successfully re-configured 3 of our Cisco 1700 routers and one PIX located at remote sites to connect to a PIX at our corporate site using IPsec VPN (we are removing the 1700 at our corporate site). However, I'm having trouble with this non-Cisco device.

The Edgewater device in question worked seamlessly when it was connected to a Cisco router, but I can't get it to work when connecting to a Cisco PIX. Does anybody have any idea? I appreciate the help in advance.
CCIE Wr: In Progress...
Hours CCIE Wr Prep: 309:03:52
Follow my study progress at Route My World!
My CCIE Thread

Comments

  • dtlokee (Member, Posts: 2,378)
    What IPsec transforms and ISAKMP proposals are you using? Could it be an order of operations issue?
    The only easy day was yesterday!
  • aragoen_celtdra (Member, Posts: 246)
    dtlokee wrote:
    What IPsec transforms and ISAKMP proposals are you using? Could it be an order of operations issue?

    Here's the configuration on the EdgeMarc (the only configurable section pertaining to VPNs):
    Local VPN Gateway: 8.x.x.x
    Protected Local network: 10.100.226.0/24
    Remote VPN Gateway: 72.x.x.x
    Protected Remote Network: 10.100.194.0/24
    Tunnel Cipher: 3DES-MD5
    Key Management: IKE Main Mode
    Authentication: Preshared Secret
    Shared Secret: Share
    IKE SA Lifetime: 28800
    IPsec SA Lifetime: 28800


    Here's what I configured on the PIX:
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800

    crypto map TUNNEL 1 match address ACL
    crypto map TUNNEL 1 set peer 8.x.x.x
    crypto map TUNNEL 1 set transform-set DES-MD5

    tunnel-group 8.x.x.x type ipsec-l2l
    tunnel-group 8.x.x.x ipsec-attributes
    pre-shared-key Share


    Here's what was configured on the old router that the EdgeMarc used to connect to (I used this to base my configuration on the PIX):
    crypto isakmp policy 20
    encr 3des
    auth pre-share
    group 2
    lifetime 28800

    crypto isakmp key Share address 8.x.x.x no-xauth

    crypto map TUNNEL 1 ipsec-isakmp
    set peer 8.x.x.x
    set transform-set 3DES-MD5
    match address ACL


    The PIX works with the other Cisco routers that I configured using the same type of configuration as above. It's just that with the EdgeMarc firewall, it's a little hard to see where each IKE phase corresponds on the Cisco device. For example, the "Tunnel Cipher" box in the EdgeMarc settings is the transform set on the Cisco. But I'm not sure how the ISAKMP policies on the EdgeMarc are configured to match the ISAKMP policy on the Cisco device. But I know it is used.

    Lastly, what do you mean by "order of operations"? Are you referring to the sequence numbers that you configure for each crypto map and isakmp statements?

    Thanks DT for taking the time to look at it.
  • dtlokee (Member, Posts: 2,378)
    You don't have the IPsec transforms listed; on the PIX it is called "DES-MD5" and on the router it is called "3DES-MD5". Are they both the same? And what does the proxy ACL look like?
  • aragoen_celtdra (Member, Posts: 246)
    dtlokee wrote:
    You don't have the IPsec transforms listed; on the PIX it is called "DES-MD5" and on the router it is called "3DES-MD5". Are they both the same? And what does the proxy ACL look like?
    Oops! Good catch on the DES-MD5. I did mean to write 3DES-MD5. The transform set is crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac for anyone trying to follow along. And yes, they were the same on the PIX and the router.

    Anyway, it finally worked. Thanks for your interest in helping me. Been working on it non-stop since yesterday. Here's a summary of what I discovered:
    • The "Tunnel Cipher" setting on the Edgewater device is the Transform Set on the PIX and routers (IKE Phase II, as I've seen it described in some documentations).
    • The ISAKMP policies (IKE Phase I, as I've seen it called) don't seem to be configurable on the Edgewater. Maybe there is a way to configure them, but it's certainly not on the configuration page I was on.
    • I did find an "Advanced" button that showed me the default "IKE Proposal" settings, which read "3DES-SHA1-MODP1024". I took it to mean encr=3DES; hash=SHA1; DH=group2 (I'm guessing on this last one). I didn't find a way to modify it on the Edgewater device, so I changed the config on the PIX instead to match those settings.
    • Lastly, creating a new tunnel with all these parameters didn't seem to work correctly. So I "re-used" the old tunnel simply by changing the peer router from the old one to the new one, and that started the negotiations.
    Hope this will be of some help to anyone else who comes across this problem in the future. Thanks again dtlokee for helping.
  • dtlokee (Member, Posts: 2,378)
    Perhaps there was a way on the Edgewater device to bounce the tunnel, and that would have caused it to renegotiate the tunnel.

    Glad to hear it's working.
  • aragoen_celtdra (Member, Posts: 246)
    I wanted to find a way to bounce the tunnel, but I didn't know the EdgeMarc well enough to mess around with it too much. Since we don't own the device, I was only given limited access by the site's admin to configure the tunnel. So I couldn't even reboot the device until Monday when their admin returns.

    I appreciate all your help.

    For others who might come across the same problems, below are the configs that got it to work:

    Again, here's the configuration on the EdgeMarc:
    Local VPN Gateway: 8.x.x.x
    Protected Local network: 10.100.226.0/24
    Remote VPN Gateway: 72.x.x.x
    Protected Remote Network: 10.100.194.0/24
    Tunnel Cipher: 3DES-MD5
    Key Management: IKE Main Mode
    Authentication: Preshared Secret
    Shared Secret: Share
    IKE SA Lifetime: 28800
    IPsec SA Lifetime: 28800


    Here's the configuration on the PIX that got them to talk:
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    (this was the default on the EdgeMarc, but I originally had it as MD5 here)
    group 2
    lifetime 86400
    (although the timer here didn't match the timer of 28800 on the Edgewater, it seems to still work.)

    crypto map TUNNEL 1 match address ACL
    crypto map TUNNEL 1 set peer 8.x.x.x
    crypto map TUNNEL 1 set transform-set 3DES-MD5

    tunnel-group 8.x.x.x type ipsec-l2l
    tunnel-group 8.x.x.x ipsec-attributes
    pre-shared-key Share
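The following is an added worked example; it is not code from the thread, from Cisco or from Edgewater. It encodes the matching rules the posts above describe so the Phase 1 mismatch can be found offline: it parses crypto isakmp policy blocks as posted (the original PIX policy, the final PIX policy and the old 1700 router), translates an EdgeMarc-style IKE proposal string such as 3DES-SHA1-MODP1024 into Cisco terms (MODP1024 is IKE Diffie-Hellman group 2, so the guess above is right), and applies the Cisco responder rule that encryption, hash, authentication and DH group must be identical while the shorter of the two lifetimes is negotiated, which is why 86400 against 28800 still came up. It also shows why the old router matched without an explicit hash line: the IOS default hash is SHA. The sample configs are constructed from the posts with addresses x-ed out as in the thread; the proposal-string format is taken from the post, not from Edgewater documentation.

```python
"""Offline check that a Cisco PIX/IOS IKEv1 configuration can negotiate with a
fixed-proposal appliance such as the EdgeMarc above.  Added example for this thread,
not Cisco or Edgewater code: the "3DES-SHA1-MODP1024" proposal string and the
"Tunnel Cipher" field come from the posts; the sample configs are assumed from them."""
import re

MODP_TO_GROUP = {"MODP768": 1, "MODP1024": 2, "MODP1536": 5}  # IKEv1 DH group numbers
HASH_NAMES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}    # Cisco prints "sha"
# IOS defaults for omitted sub-commands: the 1700 in the thread never sets "hash",
# so it runs SHA, which is why it matched the EdgeMarc while the MD5 PIX policy did not.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha1", "authentication": "rsa-sig",
                "group": 1, "lifetime": 86400}
_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def _keyword(token):
    """Expand Cisco abbreviations such as 'encr' and 'auth' to the full keyword."""
    return next((k for k in _KEYS if k.startswith(token.lower())), None)

def parse_cisco_isakmp_policies(config, defaults=IOS_DEFAULTS):
    """Parse 'crypto isakmp policy N' blocks (nested running-config or flat form)
    into {priority: attributes}, filling omitted attributes from `defaults`."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)\s*(.*)$", line)
        if m:
            current = int(m.group(1))
            policies.setdefault(current, dict(defaults))
            line = m.group(2)           # flat form carries the attribute on this line
        elif current is None:
            continue
        tokens = line.split()
        if not tokens:
            continue
        key = _keyword(tokens[0])
        if key is None or len(tokens) < 2:
            current = None              # any other top-level command ends the block
            continue
        value = tokens[1].lower()
        if key == "hash":
            value = HASH_NAMES.get(value, value)
        elif key in ("group", "lifetime"):
            value = int(value)
        policies[current][key] = value
    return policies

def parse_appliance_proposal(proposal):
    """'3DES-SHA1-MODP1024' -> the Cisco Phase 1 attributes it denotes (PSK assumed)."""
    enc, hsh, modp = proposal.upper().split("-")
    return {"encryption": enc.lower(), "hash": HASH_NAMES[hsh.lower()],
            "group": MODP_TO_GROUP[modp], "authentication": "pre-share"}

def match_phase1(policies, proposal, peer_lifetime):
    """Emulate the Cisco responder: the lowest-numbered policy whose encryption, hash,
    DH group and authentication equal the peer's wins.  Lifetime is soft: Cisco
    documents that the peer's must be <= the policy's and that the shorter is used."""
    mismatches = {}
    for prio, pol in sorted(policies.items()):
        diffs = [k for k in proposal if pol[k] != proposal[k]]
        if diffs:
            mismatches[prio] = diffs
            continue
        notes = [] if peer_lifetime <= pol["lifetime"] else [
            f"peer lifetime {peer_lifetime} > policy {pol['lifetime']}; "
            "Cisco documents this as a non-match when the peer initiates"]
        return {"matched": prio, "lifetime": min(pol["lifetime"], peer_lifetime), "notes": notes}
    return {"matched": None, "lifetime": None, "mismatches": mismatches}

def appliance_cipher_to_transforms(cipher):
    """EdgeMarc 'Tunnel Cipher' such as '3DES-MD5' -> Cisco ESP transform names."""
    enc, hsh = cipher.lower().split("-")
    hmac = "esp-sha-hmac" if HASH_NAMES[hsh] == "sha1" else f"esp-{hsh}-hmac"
    return frozenset({f"esp-{enc}", hmac})

def parse_cisco_transform_set(line):
    """'crypto ipsec transform-set NAME esp-3des esp-md5-hmac' -> set of transforms."""
    return frozenset(t.lower() for t in line.split()[4:])

# Sample inputs constructed from the posts above (addresses x-ed out as in the thread).
EDGEMARC = {"proposal": "3DES-SHA1-MODP1024", "ike_lifetime": 28800, "cipher": "3DES-MD5"}
PIX_ORIGINAL = """crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800"""
PIX_FINAL = PIX_ORIGINAL.replace("hash md5", "hash sha").replace("lifetime 28800", "lifetime 86400")
ROUTER_OLD = """crypto isakmp policy 20
 encr 3des
 auth pre-share
 group 2
 lifetime 28800
crypto isakmp key Share address 8.x.x.x no-xauth"""
TRANSFORM_SET = "crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac"

def check(config):
    """Phase 1 and Phase 2 compatibility of one Cisco config against EDGEMARC."""
    result = match_phase1(parse_cisco_isakmp_policies(config),
                          parse_appliance_proposal(EDGEMARC["proposal"]), EDGEMARC["ike_lifetime"])
    result["phase2_ok"] = (parse_cisco_transform_set(TRANSFORM_SET)
                           == appliance_cipher_to_transforms(EDGEMARC["cipher"]))
    return result

if __name__ == "__main__":
    for name, cfg in (("PIX original", PIX_ORIGINAL), ("PIX final", PIX_FINAL),
                      ("old 1700 router", ROUTER_OLD)):
        print(f"{name}: {check(cfg)}")
```

Running it reports the original PIX policy as unmatched on "hash" only, and both the final PIX policy and the old router as matching with a negotiated IKE lifetime of 28800. The checker only covers what the posts show (single-proposal peer, pre-shared keys, 3DES/DES with MD5 or SHA); a peer that offers several proposals or AES would need the parsing extended.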