Vpn site to site with pix vpn

  • Hi, where can i find a good tutorial on setting a site to site vpn between pfsense and a ciso pix?

  • The m0nowall howto is a good starting point, as the configuration is pretty much the same.

  • perfect, how do i enable that my opt1's network is also "known" by the same tunnel?
    i mean, i have lan:, opt1:, i want the remote site can connect to servers in opt1's network, is it posible?

  • You can have your OPT1 network seen over the IPSEC tunnel, but you have to include it in your IPSEC vpn setup.  If your OPT1 network was in the range, it would work more cleanly and here's why:

    Say your LAN is and OPT1 is and the LAN on the other side is

    When you build your tunnel and set your "Local subnet" you would use a CIDR range of which covers the 192.168.10.x and 192.168.11.x ranges.

    Back to your scenario of (if you cannot change it), you could use a range, which covers all ip's from up to (that's 128 "/24" subnets).  The issues would be that this isn't the cleanest of items and the other item would be what if the other side network already has vpn's setup to a network on the, say for example, range.  It could conflict.  Thus, the easiest, cleanest solution would be if you could change your OPT1 network to one of the following:  –-> thus, you could use or ---> you could use

    One last item that other have used is called parallel tunnels.

    Hope this helps.... Enjoy :)

  • ok, i will try the lan-vpn first, this is not working, i followed the monowall tutorial almost to the letter, i just changed the lifetime to 1000 and group options in fase 1 DH key group to 1 and in fase 2 PFS key group to 1,  this the error i get:

    ERROR: unknown notify message, no phase2 handle found.

    this is the pix config:

    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 100
    crypto map newmap 10 set peer aaa.bbb.ccc.ddd.
    crypto map newmap 10 set transform-set myset
    crypto ipsec transform-set myset esp-des esp-md5-hmac

    What could be wrong?

Log in to reply