On Wed, May 02, 2012 at 08:28:52AM -0400, Chris Buechler wrote:
> On Wed, May 2, 2012 at 8:25 AM, Eugen Leitl <[email protected]> wrote:
> >
> > I need to terminate a VPN tunnel (users behind NAT)
> > with above Cisco box.
> >
> > Parameters are
> >
> > ISAKMP Phase I
> > preshared key
> > AES128
> > SHA
> > Group 2
> > Lifetime 28800 sec
> >
> > IPSEC Phase II
> > AES 128
> > SHA
> > Group 2
> > Perfect forwarding secrecy: No
> > Lifetime 3600 sec
> >
> > Anyone terminating such IPsec tunnels to Cisco? Any problems?
>
> Lots of people. One thing to keep in mind with Cisco is it's
> relatively easy initially and/or after the fact to set a policy the
> Cisco will use as an initiator that's different from what it will
> accept as responder. To minimize any such issues, set the P1 on
> pfSense to proposal checking "obey". Otherwise you may find you can
> initiate fine from your side, but the Cisco side can't initiate from
> their end. If not initially, it may happen when they add another VPN
> in the future.

Thank you very much for the hint.
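
An added illustration, not part of the thread and not pfSense or racoon code: a simplified Python model of how a responder treats an initiator lifetime that differs from its own under each proposal-check level described in racoon.conf(5). The function names and the 86400-second initiator lifetime are constructed for the example, and mapping the pfSense "proposal checking" setting onto these levels is an assumption.

```python
# Added illustration: simplified model of the responder-side lifetime check
# selected by a racoon-style proposal_check level (per racoon.conf(5)).
# Assumption: the pfSense "proposal checking" setting maps onto these levels.

def responder_lifetime(level, mine, proposed):
    """Return the lifetime (s) the responder accepts, or None if it rejects.

    mine     -- lifetime configured on the responder
    proposed -- lifetime offered by the initiator
    """
    if level == "obey":
        return proposed                      # always take the initiator's value
    if level == "exact":
        return mine if proposed == mine else None
    if level == "strict":
        # A shorter (or equal) proposal is accepted; a longer one is rejected.
        return proposed if proposed <= mine else None
    if level == "claim":
        # Never run longer than local policy: a longer proposal is cut to the
        # local value (the responder then notifies the initiator in phase 2).
        return min(mine, proposed)
    raise ValueError(f"unknown proposal_check level: {level}")


def tunnel_matrix(local_life, peer_initiator_life):
    """Outcome per level when the peer initiates with its own lifetime."""
    levels = ("obey", "strict", "claim", "exact")
    return {lvl: responder_lifetime(lvl, local_life, peer_initiator_life)
            for lvl in levels}


if __name__ == "__main__":
    P1_LIFETIME = 28800          # Phase 1 lifetime from the thread
    # Constructed scenario: the peer's initiator policy carries a different
    # lifetime than the one it accepts as responder (86400 is constructed).
    for level, result in tunnel_matrix(P1_LIFETIME, 86400).items():
        verdict = "rejected" if result is None else f"accepted, {result}s"
        print(f"{level:6} -> {verdict}")
```

In this model only "obey" and "claim" let the peer-initiated negotiation proceed when the peer's initiator lifetime is longer than the local one, which is the one-directional failure the reply describes.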
