PIX to Edgewater SitetoSite VPN

I was hoping someone might have experienced configuring an Edgewater device (EdgeMarc 4300T) to establish an IPsec VPN tunnel to a Cisco PIX (515E).

Let me give a litte background on our setup. We have 5 remote sites. Three sites have Cisco 1700 routers, one with a 515 PIX, and one has an EdgeMarc 4300 (installed by that site's provider). I work at the corporate site with a Cisco 1700 where all the 5 remote sites have site-to-site VPN connection.

These last few days, I had been learning and successfully re-configured 3 of our Cisco 1700 routers and one PIX located on remote sites to connect to a PIX on our corporate, using IPsec VPN - we are removing the 1700 in our corporate. However, I'm having trouble with this non-Cisco device.

The Edgewater device in question worked seamlessly when it was connected to a Cisco router, but I can't get it to work when connecting to a Cisco PIX. Anybody has any idea? I appreciate the help in advace.

Find more posts tagged with

Comments

dtlokee

What ipsec transforms and ISAKMP proposals are you using? could it be an order of operations issue?

aragoen_celtdra

dtlokee wrote:

What ipsec transforms and ISAKMP proposals are you using? could it be an order of operations issue?

Here's the configuration on the EdgeMarc (the only configurable section pertaining to VPNs):
Local VPN Gateway: 8.x.x.x
Protected Local network: 10.100.226.0/24
Remote VPN Gateway: 72.x.x.x
Protected Remote Network: 10.100.194.0/24
Tunnel Cipher: 3DES-MD5
Key Management: IKE Main Mode
Authentication: Preshared Secret
Shared Secret: Share
IKE SA Lifetime: 28800
IPsec SA Lifetime: 28800

Here's what I configured on the PIX:
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800

crypto map TUNNEL 1 match address ACL
crypto map TUNNEL 1 set peer 8.x.x.x
crypto map TUNNEL 1 set transform-set DES-MD5

tunnel-group 8.x.x.x type ipsec-l2l
tunnel-gruop 8.x.x.x type ipsec-attributes
pre-shared-key Share

Here's what was configured on the old router that the EdgeMarc used to connect to (I used this to base my configuration on the PIX):
crypto isakmp policy 20
encr 3des
auth pre-share
group 2
lifetime 28800

crypto isakmp key Share address 8.x.x.x no-xauth

crypto map TUNNEL 1 ipsec-isakmp
set peer 8.x.x.x
set transform-set 3DES-MD5
match address ACL

The PIX works with the other Cisco routers that I configured using the same type of configuration above. It's just that with the EdgeMarc firewall, it's a little hard to see where each IKE phases corresponds on the Cisco device. For example, the "Tunnel Cipher" box on the EdgeMarc setting is the transform set on the Cisco. But I'm not sure how the Isakmp policies on the EdgeMarc are configured to match the Isakmp policy on the Cisco device. But i know it is used.

Lastly, what do you mean by "order of operations"? Are you referring to the sequence numbers that you configure for each crypto map and isakmp statements?

Thanks DT for taking the time to look at it.

dtlokee

You don't have the IPSec transforms listed, on the pix it is called "DES-MD5" and on the router it is called "3DES-MD5", are they both the same? And what does the proxy ACL look like?

aragoen_celtdra

dtlokee wrote:

You don't have the IPSec transforms listed, on the pix it is called "DES-MD5" and on the router it is called "3DES-MD5", are they both the same? And what does the proxy ACL look like?

Ooops! Good catch on the DES-MD5. I did mean to write 3DES-MD5. The transform set is crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac for anyone trying to follow along. And yes they were the same on the pix and the router.

Anyway, it finally worked. Thanks for your interest in helping me. Been working on it non-stop since yesterday. Here's a summary of what I discovered:

The "Tunnel Cipher" setting on the Edgewater device is the Transform Set on the PIX and routers (IKE Phase II, as I've seen it described in some documentations).
The ISAKMP policies (IKE Phase I, as I've seen it called) doesn't seem to be configurable on the Edgewater. Maybe there is a way to configure it but it's certainly not on the configuration page I was on.
I did find an "Advanced" button that showed me the default "IKE Proposal" settings which read "3DES-SHA1-MODP1024". I took it to mean encr=3DES; hash=SHA1; DH=group2 (I'm guessing on this last one). I didn't find a way to modify it on the Edgewater device so I changed the config on the PIX instead to match those settings.
Lastly recreating a new tunnel with all these parameters won't seem to work correctly. So I "re-used" the old tunnel simply by changing the peer router from the old one to the new one and that started the negotiations.

Hope this would be some help to anyone else that come across this problem in the future. Thanks again DTLOOKEE for helping.

dtlokee

perhaps there was a way on the Edgewater device to bounce the tunnel and that would have caused it to renegoitiate the tunnel.

Glad to hear it's working.

aragoen_celtdra

I wanted to find a way to bounce the tunnel but I didn't know the EdgeMarc well enough to mess around with it too much. Since we don't own the device, I was only given limited access by the sites admin to configure the tunnel. So I couldn't even reboot the device until monday when their admin returns.

I appreciate all your help.

For others who might come across the same problems, below is some configs that got it to work:

Again, here's the configuration on the EdgeMarc:
Local VPN Gateway: 8.x.x.x
Protected Local network: 10.100.226.0/24
Remote VPN Gateway: 72.x.x.x
Protected Remote Network: 10.100.194.0/24
Tunnel Cipher: 3DES-MD5
Key Management: IKE Main Mode
Authentication: Preshared Secret
Shared Secret: Share
IKE SA Lifetime: 28800
IPsec SA Lifetime: 28800

Here's the configuration on the PIX that got them to talk:
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha (this was the default on the EdgeMarc, but I orginally had it as MD5 here)
group 2
lifetime 86400 (although the timer here didn't match the timer of 28800 on the Edgewater, it seems to still work.)

crypto map TUNNEL 1 match address ACL
crypto map TUNNEL 1 set peer 8.x.x.x
crypto map TUNNEL 1 set transform-set 3DES-MD5

tunnel-group 8.x.x.x type ipsec-l2l
tunnel-gruop 8.x.x.x type ipsec-attributes
pre-shared-key Share