Has anyone configured a VPN between a PIX (in my case a PIX501 SW 6.1(1)) and
a Nortel Contivity 4500 Extranet switch?

Unfortunately, I can only fill in (adequately) what is happening (or at
least I think is happening) on the PIX.

I have it configured as follows:
access-list 90 permit ip 192.168.173.96 255.255.255.224 172.21.0.0 255.255.0.0
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong ah-sha-hmac esp-des esp-sha-hmac
crypto map tomyco 20 ipsec-isakmp
crypto map tomyco 20 match address 90
crypto map tomyco 20 set peer 1.1.1.1
crypto map tomyco 20 set transform-set strong
crypto map tomyco interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400

Here is what appears to happen. When the PIX issues an sa_request, it never
gets an sa created response. When I debug the PIX, I get the following
output:

ISAKMP (0): Checking ISAKMP transform 1 against priority 9 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERRORs= 0x4004

My question is about that last line, ID_FQDN. I know that my company cannot
resolve my PIX IP address via FQDN. Could this be the reason that we can't
communicate? Both sides can see each other connected; for example, I can see:

firewall(config)# show crypto isakmp sa
Total     : 1
Embryonic : 1
        dst            src         state     pending    created
  1.1.1.1                  2.2.2.2     MM_KEY_EXCH  0           0

but no data will pass. Is the problem that they can't identify the PIX
correctly? I'm using the "isakmp identity address", which as I understand
means to use the peer address to validate identity.

The access list is being triggered, so I know that the data is at least on
its way out of the PIX.

Any help is greatly appreciated. TIA

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com
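As an added example (not from the post, Cisco or Nortel), here is a small Python cross-check that parses the crypto configuration quoted above, reports crypto map entries whose access-list, transform-set or peer key is missing, and flags the case the post asks about: "isakmp identity address" configured while the debug reports a different ID type. The expected ID type name ID_IPV4_ADDR for an address identity is an assumption.

```python
import re

# Constructed sample input: the PIX 6.1 crypto configuration and the ISAKMP
# debug line quoted in the post (peer address and names as given there).
PIX_CONFIG = """
access-list 90 permit ip 192.168.173.96 255.255.255.224 172.21.0.0 255.255.0.0
crypto ipsec transform-set strong ah-sha-hmac esp-des esp-sha-hmac
crypto map tomyco 20 ipsec-isakmp
crypto map tomyco 20 match address 90
crypto map tomyco 20 set peer 1.1.1.1
crypto map tomyco 20 set transform-set strong
crypto map tomyco interface outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
"""
PIX_DEBUG = "ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN"

def parse_pix_crypto(config):
    # Collect the objects a crypto map entry can reference, plus the local identity.
    cfg = {"acls": set(), "tsets": set(), "keys": set(), "identity": None, "maps": {}}
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list":
            cfg["acls"].add(w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"].add(w[3])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            entry = cfg["maps"].setdefault((w[2], int(w[3])), {})
            if w[4:6] in (["match", "address"], ["set", "peer"], ["set", "transform-set"]):
                entry[w[5]] = w[6]  # keys: address, peer, transform-set
        elif w[:2] == ["isakmp", "key"] and "address" in w:
            cfg["keys"].add(w[w.index("address") + 1])
        elif w[:2] == ["isakmp", "identity"]:
            cfg["identity"] = w[2]
    return cfg

def check_vpn_config(config, debug):
    # Return dangling crypto map references and an identity-type mismatch, if any.
    cfg = parse_pix_crypto(config)
    findings = []
    for (name, seq), e in cfg["maps"].items():
        tag = f"crypto map {name} {seq}"
        if e.get("address") not in cfg["acls"]:
            findings.append(f"{tag}: match address {e.get('address')} is not a defined access-list")
        if e.get("transform-set") not in cfg["tsets"]:
            findings.append(f"{tag}: transform-set {e.get('transform-set')} is not defined")
        if e.get("peer") not in cfg["keys"]:
            findings.append(f"{tag}: no isakmp key for peer {e.get('peer')}")
    # Assumption: with "isakmp identity address" the debug should report ID_IPV4_ADDR.
    m = re.search(r"id type (ID_\w+)", debug)
    if m and cfg["identity"] == "address" and m.group(1) != "ID_IPV4_ADDR":
        findings.append(f"isakmp identity is 'address' but the SA used {m.group(1)}; confirm the identity type the peer expects")
    return findings
```

Run against the quoted configuration it reports only the identity-type mismatch; a mistyped transform-set or peer address in a crypto map entry shows up as an additional finding.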

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls