
RV082 & Cisco PIX

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Fulien, Jun 19, 2006.

  1. Fulien

    Fulien LI Guru Member

    Hi All,

    I see a few posts here where the RV082 and the Cisco PIX router were compared. However, what I wanted to know is: can the RV082 and the Cisco PIX pull a VPN tunnel between the two?

    I was told that the RV082 can make a VPN tunnel to any other IPsec VPN device. So I was wondering, if I purchase a Cisco PIX VPN firewall/router, whether I can pull a VPN tunnel between both devices.

    Please advise.


    Thank you
     
  2. Cornloaf

    Cornloaf LI Guru Member

    Yes, you can create a tunnel to the Cisco PIX. I was successful in creating a tunnel between a D-Link VPN router and the Cisco PIX and the RV082, and a connection from my RV082 to another RV082 and the same Cisco PIX. There are a couple of little tricky things that come up that really frustrated me at the beginning, and the VPN wizard on the PIX kind of slows down the progress.

    The Linksys wants to do Perfect Forward Secrecy by default and the PIX does not. You also have to uncheck a setting on the PIX to keep it from sending its host name back to the Linksys, instead of just using the IP address to create the tunnel.

    Message me if you need any assistance. I can pull some screen shots.
     
  3. Fulien

    Fulien LI Guru Member

    OK, great.

    Well, my project is a little bit simpler. The only thing is that I don't have access to the PIX.

    What I am trying to do is to pull a VPN tunnel between one of our clients' offices and ours. Our client has a Cisco PIX and we have an RV082. So the only way to do this is to instruct/request some assistance from the I.T. side of our client. Before going ahead and requesting this to be done, I wanted to make sure that it's possible.

    You also mention the fact that you have to do some minor settings changes on the PIX side. How minor is this? I mean, is it something the I.T. admins at one site would want to perform?


    Let me know what you think.

    Thanks for the help
     
  4. Cornloaf

    Cornloaf LI Guru Member

    Hi,

    When I said minor changes, I just meant that you can't go with the default settings that the VPN wizard creates for you on the PIX side. By default, it will not perform PFS, and the Linksys is set up to do that by default. It's just minor tweaking. The first time I set one up, I beat my head in for about 2-3 hours and then figured it out after looking at the error logs on both devices. When I got my RV082 yesterday, I had a tunnel up to my data warehouse PIX in about 5 minutes.

    Let me know if I can help you out.
     
  5. Fulien

    Fulien LI Guru Member

    Hi Again,

    OK, I finally got the Cisco PIX firewall set up at the other end and now I am ready to connect the RV082 to it through a VPN tunnel. Can you please tell me what I need to do in order to do this? Do you want the actual Cisco PIX model?

    What I want to do is to have the RV082 initiate the VPN tunnel through the Cisco PIX (the RV082 dialing into the PIX, so to speak).

    Let me know what sort of info you need from me to give me the instructions on how to do it.

    Thank you
     
  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    Cornloaf,

    In the interest of some of our PIX users, could you paste a config of the PIX side of things for a VPN tunnel for the folks to see?

    Jay
     
  7. nwagenaar

    nwagenaar LI Guru Member

    Sorry to bump this thread. Currently I'm trying to connect to a Cisco PIX (model: unknown) from an RV082, and I can't get the connection up. I searched this forum but I haven't seen (enough) information concerning the PIX configuration.

    We use 3DES/MD5 encryption/authentication (group 2) and IKE with a preshared key. PFS is disabled, as are all the other options in the Advanced section of the tunnel setup.

    When I make a connection, I get the following output from the VPN Log:

    Code:
    Dec 14 20:35:32 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet  
    Dec 14 20:35:32 2006     VPN Log    initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #121  
    Dec 14 20:34:22 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet  
    Dec 14 20:34:22 2006     VPN Log    initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #120  
    Dec 14 20:33:12 2006     VPN Log    Received informational payload, type IPSEC_INITIAL_CONTACT  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet  
    Dec 14 20:33:12 2006     VPN Log    initiating Quick Mode PSK+TUNNEL  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] Responder Cookies = 6c2 5d66 b616 c33f  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] Initiator Cookies = d1f5 9289 f5c 4875  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] Main Mode Phase 1 SA Established  
    Dec 14 20:33:12 2006     VPN Log    Main mode peer ID is ID_FQDN: '@xxx.xxx.xxx'  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet  
    Dec 14 20:33:12 2006     VPN Log    Ignoring Vendor ID payload [99c5fa7bb617c33f...]  
    Dec 14 20:33:12 2006     VPN Log    Ignoring Vendor ID payload Type = [Cisco-Unity]  
    Dec 14 20:33:12 2006     VPN Log    Received Vendor ID payload Type = [Dead Peer Detection]  
    Dec 14 20:33:12 2006     VPN Log    Ignoring Vendor ID payload Type = [XAUTH]  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet  
    Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
    Dec 14 20:33:12 2006     VPN Log    Initiating Main Mode  
    
    It just 'hangs' on the IPSEC_INITIAL_CONTACT. I've upgraded my RV082 to the latest public firmware (v1.3.3.5). The problem is, the PIX isn't configured by us; it is done by a third party. I've been 2.5 hours on the phone with an employee from the other side and I/we can't get it working.

    Could anybody shed some light and perhaps come up with a PIX config, something I can show to the other party?

    Any help is greatly appreciated!
     
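The log above shows Phase 1 completing and then Quick Mode being re-sent with no answer, which is the signature of a Phase 2 proposal the peer rejects silently. As an added example (not from the thread or from Linksys/Cisco), the Python below reads an RV082 VPN log of that shape, puts it back in chronological order and reports how far the negotiation got and what to compare next. The log excerpt inside it is constructed from the lines quoted above with a made-up peer FQDN; the wording of the Phase 2 success line (`PHASE2_OK`) is an assumption flagged in the code.

```python
import re

# Constructed sample, modelled on the RV082 VPN log quoted in this thread
# (the router lists the newest entry first). The peer's FQDN is made up.
SAMPLE_LOG = """\
Dec 14 20:35:32 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Dec 14 20:35:32 2006     VPN Log    initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #121
Dec 14 20:34:22 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Dec 14 20:34:22 2006     VPN Log    initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #120
Dec 14 20:33:12 2006     VPN Log    Received informational payload, type IPSEC_INITIAL_CONTACT
Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Dec 14 20:33:12 2006     VPN Log    initiating Quick Mode PSK+TUNNEL
Dec 14 20:33:12 2006     VPN Log    [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Dec 14 20:33:12 2006     VPN Log    Main mode peer ID is ID_FQDN: '@pix.example.invalid'
Dec 14 20:33:12 2006     VPN Log    Ignoring Vendor ID payload Type = [Cisco-Unity]
Dec 14 20:33:12 2006     VPN Log    Received Vendor ID payload Type = [Dead Peer Detection]
Dec 14 20:33:12 2006     VPN Log    Ignoring Vendor ID payload Type = [XAUTH]
Dec 14 20:33:12 2006     VPN Log    Initiating Main Mode
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+VPN Log\s+(?P<msg>.+?)\s*$"
)
PEER_ID_RE = re.compile(r"Main mode peer ID is (?P<type>ID_[A-Z0-9_]+): '(?P<id>[^']*)'")
VENDOR_RE = re.compile(r"Vendor ID payload Type = \[(?P<vid>[^\]]+)\]")

# Assumed wording of the Phase 2 success line (the RV082 messages follow the
# pluto IKE daemon, which logs "IPsec SA established"); adjust for your firmware.
PHASE2_OK = "IPsec SA established"


def parse_log(text):
    """Parse RV082 'VPN Log' lines into (timestamp, message) tuples, oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group("ts"), m.group("msg")))
    events.reverse()  # the router prints newest first
    return events


def diagnose(events):
    """Work out how far the IKE negotiation got and what to check next."""
    msgs = [msg for _, msg in events]
    peer = None
    for m in msgs:
        pm = PEER_ID_RE.search(m)
        if pm:
            peer = pm
    report = {
        "phase1_up": any("Phase 1 SA Established" in m for m in msgs),
        "phase2_up": any(PHASE2_OK in m for m in msgs),
        "peer_id_type": peer.group("type") if peer else None,
        "peer_id": peer.group("id") if peer else None,
        "quick_mode_attempts": sum(m.lower().startswith("initiating quick mode") for m in msgs),
        "quick_mode_answered": any("Quick Mode 2nd packet" in m for m in msgs),
        "peer_vendor_ids": sorted({v.group("vid") for v in map(VENDOR_RE.search, msgs) if v}),
        "findings": [],
    }
    f = report["findings"]
    n = report["quick_mode_attempts"]
    if not report["phase1_up"]:
        f.append("Phase 1 never completed: check the preshared key, the IKE proposal "
                 "(3DES, MD5 or SHA, DH group 2) and the identity each side expects.")
    elif not report["phase2_up"]:
        if n and not report["quick_mode_answered"]:
            f.append(f"Phase 1 is up but {n} Quick Mode attempt(s) got no reply: the peer is "
                     "silently rejecting the IPsec proposal. Compare PFS on/off, the ESP "
                     "transform (3DES with MD5 or SHA) and the traffic selectors (RV082 "
                     "local/remote groups vs. the PIX crypto map 'match address' ACL).")
        else:
            f.append("Phase 2 did not complete; look on the PIX side for the rejected proposal.")
    if report["peer_id_type"] == "ID_FQDN":
        f.append(f"Peer identified itself by FQDN ({report['peer_id']}); if the RV082 tunnel "
                 "expects the peer's IP address, the PIX needs 'isakmp identity address'.")
    if {"XAUTH", "Cisco-Unity"} & set(report["peer_vendor_ids"]):
        f.append("Peer advertised XAUTH/Cisco-Unity: for a site-to-site PSK tunnel the PIX key "
                 "entry should carry 'no-xauth no-config-mode'.")
    return report


if __name__ == "__main__":
    result = diagnose(parse_log(SAMPLE_LOG))
    for key, value in result.items():
        if key != "findings":
            print(f"{key}: {value}")
    for finding in result["findings"]:
        print("-", finding)
```

Paste the real log into `SAMPLE_LOG` (or read it from a file) and run the script; the three findings it produces for the sample correspond to the three things the replies in this thread end up changing on the PIX.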
  8. ifican

    ifican Network Guru Member

    Without seeing the entire log and the log from the PIX I can only speculate, but it appears that the PIX is set to use FQDN for identity instead of the IP address of the interface (the configuration I am sure you used on your side). The relevant PIX config is below:

    sysopt connection permit-ipsec
    crypto ipsec transform-set TUNNEL_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group2
    crypto map outside_map 20 set peer 123.123.123.456
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 123.123.123.456 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    I highlighted what I think needs to be changed; as long as everything else is configured identically on both sides it should work. Also, I have PFS enabled, so if the PIX does not, you need to remove the line `crypto map outside_map 20 set pfs group2`. Let us know and we can go from there.
     
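The template above uses SHA and PFS, while the RV082 in the question is set to 3DES/MD5 with PFS off, so it still needs two or three edits before the proposals line up. As an added example (not from the thread or from Cisco), the Python below parses a PIX 6.x config fragment of that shape and lists every setting that disagrees with the RV082 tunnel: IKE policy, identity type, the preshared-key entry and its `no-xauth no-config-mode` flags, the transform set, PFS, the `match address` ACL, the interface binding and `sysopt connection permit-ipsec`. The config text and the RV082 settings are constructed from what the posts say; the peer address 203.0.113.10 is an assumed documentation-range value standing in for the placeholder used above.

```python
# RV082 tunnel settings as described in the thread: IKE with preshared key,
# 3DES/MD5, DH group 2, PFS disabled. The WAN address is an assumed value.
RV082 = {
    "wan_ip": "203.0.113.10",
    "phase1": {"encryption": "3des", "hash": "md5", "group": "2", "authentication": "pre-share"},
    "phase2": {"encryption": "3des", "hash": "md5", "pfs": None},
}

# Constructed PIX 6.x fragment following the template posted above (SHA, PFS on).
PIX_CONFIG = """\
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# The same fragment with the edits needed to match the RV082 settings.
PIX_CONFIG_FIXED = (PIX_CONFIG
    .replace("esp-3des esp-sha-hmac", "esp-3des esp-md5-hmac")
    .replace("ESP-3DES-SHA", "ESP-3DES-MD5")
    .replace("crypto map outside_map 20 set pfs group2\n", "")
    .replace("hash sha", "hash md5"))


def parse_pix(text):
    """Pull the IKE/IPsec pieces out of a PIX running-config fragment."""
    cfg = {"transform_sets": {}, "crypto_maps": {}, "isakmp_policies": {},
           "isakmp_keys": {}, "identity": None, "flags": set()}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            cfg["flags"].add(f"map {t[2]} on {t[4]}")
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            entry = cfg["crypto_maps"].setdefault((t[2], int(t[3])), {})
            if t[4] == "set":
                entry[t[5]] = t[6:]          # peer, pfs, transform-set, ...
            elif t[4] == "match":
                entry["match"] = t[6]        # ACL naming the traffic selectors
            else:
                entry["type"] = t[4]         # ipsec-isakmp
        elif t[:2] == ["isakmp", "policy"]:
            cfg["isakmp_policies"].setdefault(int(t[2]), {})[t[3]] = " ".join(t[4:])
        elif t[:2] == ["isakmp", "key"]:
            cfg["isakmp_keys"][t[4]] = t[5:]  # peer address -> netmask and flags
        elif t[:2] == ["isakmp", "identity"]:
            cfg["identity"] = t[2]
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            cfg["flags"].add("permit-ipsec")
    return cfg


def check(rv, cfg):
    """Return a list of mismatches between the RV082 settings and the PIX side."""
    problems = []
    p1 = rv["phase1"]
    if not any(all(pol.get(k) == v for k, v in p1.items()) for pol in cfg["isakmp_policies"].values()):
        offered = "; ".join(f"policy {n}: {p}" for n, p in sorted(cfg["isakmp_policies"].items()))
        problems.append(f"no isakmp policy matches RV082 phase 1 {p1}; PIX offers {offered}")
    if cfg["identity"] != "address":
        problems.append(f"isakmp identity is {cfg['identity']!r}; the RV082 expects the peer's IP address")
    key = cfg["isakmp_keys"].get(rv["wan_ip"])
    if key is None:
        problems.append(f"no isakmp key entry for the RV082 address {rv['wan_ip']}")
    else:
        for flag in ("no-xauth", "no-config-mode"):
            if flag not in key:
                problems.append(f"isakmp key for {rv['wan_ip']} lacks {flag}")
    entries = [(k, e) for k, e in cfg["crypto_maps"].items() if e.get("peer") == [rv["wan_ip"]]]
    if not entries:
        problems.append(f"no crypto map entry peers with {rv['wan_ip']}")
    want = {f"esp-{rv['phase2']['encryption']}", f"esp-{rv['phase2']['hash']}-hmac"}
    for (name, seq), e in entries:
        ts_name = e.get("transform-set", [None])[0]
        ts = cfg["transform_sets"].get(ts_name, [])
        if not want <= set(ts):
            problems.append(f"crypto map {name} {seq}: transform-set {ts_name} = {' '.join(ts)}, "
                            f"RV082 proposes {' '.join(sorted(want))}")
        pfs = (e.get("pfs") or [None])[0]
        if pfs != rv["phase2"]["pfs"]:
            problems.append(f"crypto map {name} {seq}: PFS is {pfs or 'off'} on the PIX, "
                            f"{rv['phase2']['pfs'] or 'off'} on the RV082")
        if "match" not in e:
            problems.append(f"crypto map {name} {seq}: no 'match address' ACL (traffic selectors)")
        if not any(f.startswith(f"map {name} on ") for f in cfg["flags"]):
            problems.append(f"crypto map {name} is not applied to an interface")
    if "permit-ipsec" not in cfg["flags"]:
        problems.append("missing 'sysopt connection permit-ipsec' (decrypted traffic hits the interface ACL)")
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", PIX_CONFIG), ("adjusted for 3DES/MD5, no PFS", PIX_CONFIG_FIXED)):
        print(f"{label}:")
        for p in check(RV082, parse_pix(text)) or ["no mismatches"]:
            print(" -", p)
```

Run against the template as posted it reports three mismatches (IKE hash, ESP transform hash, PFS); the adjusted fragment reports none. Anything the script cannot see, the `match address` ACL contents in particular, still has to be compared by hand against the local/remote security groups on the RV082 side.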
  9. nwagenaar

    nwagenaar LI Guru Member

    Dear Ifican,

    I'm happy to announce that your config was helpful. The other employee used the template and we now have a working configuration. The tunnel is now up and running.

    I'll post the config for 3DES/MD5 on the PIX when I get it, so that other people can enjoy it as well :)
     