Netgate Discussion Forum

Vpn site to site with pix vpn

IPsec
6 Posts 4 Posters 5.5k Views
b4nsh33

Hi, where can I find a good tutorial on setting up a site-to-site VPN between pfSense and a Cisco PIX?
Regards

GruensFroeschli

No how-to, but…
        http://forum.pfsense.org/index.php/topic,3433.0.html

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

dotdash

          The m0nowall howto is a good starting point, as the configuration is pretty much the same.
          http://doc.m0n0.ch/handbook/examplevpn.html#id2606293

b4nsh33

Perfect. How do I enable my OPT1 network to also be "known" by the same tunnel?
I mean, I have LAN: 192.168.10.0/24 and OPT1: 192.168.100.0/24, and I want the remote site to be able to connect to servers in OPT1's network. Is it possible?
Regards

razor2000

You can have your OPT1 network seen over the IPsec tunnel, but you have to include it in your IPsec VPN setup. If your OPT1 network was in the 192.168.11.0/24 range, it would work more cleanly, and here's why:

Say your LAN is 192.168.10.0/24 and OPT1 is 192.168.11.0/24 and the LAN on the other side is 192.168.155.0/24.

When you build your tunnel and set your "Local subnet" you would use a CIDR range of 192.168.10.0/23, which covers the 192.168.10.x and 192.168.11.x ranges.

Back to your scenario of 192.168.100.0/24 (if you cannot change it), you could use a range 192.168.10.0/25, which covers all IPs from 192.168.0.1 up to 192.168.127.254 (that's 128 "/24" subnets). The issues would be that this isn't the cleanest of items, and the other item would be: what if the other side's network already has VPNs set up to a network on the, say for example, 192.168.22.0/24 range? It could conflict. Thus, the easiest, cleanest solution would be if you could change your OPT1 network to one of the following:

192.168.11.0/24 ---> thus, you could use 192.168.10.0/23

192.168.8.0/24 or 192.168.9.0/24 ---> you could use 192.168.10.0/22

One last item that others have used is called parallel tunnels.

Hope this helps.... Enjoy :)

b4nsh33
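The subnet-summarization reasoning in the reply above, as an added example that is not part of the thread: it computes the smallest single prefix that covers LAN and OPT1 (the value to put in "Local subnet" if one tunnel is to carry both), counts how many /24s that summary drags in beyond the two you actually want, and checks the summary for overlap against ranges already in use on the far side. The far-side list is a constructed input; only the standard library is used.

```python
"""Summarize two local networks into one IPsec "Local subnet" and check the
cost of doing so. Added example; the far-side ranges are constructed inputs."""
import ipaddress


def smallest_supernet(cidrs):
    """Return the smallest single prefix that contains every network in cidrs."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    if len({n.version for n in nets}) != 1:
        raise ValueError("all networks must be the same IP version")
    candidate = nets[0]
    # Widen by one bit at a time until every network fits inside the candidate.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def check_plan(local_cidrs, far_side_cidrs):
    """Summarize local_cidrs and report how much extra address space the summary
    pulls into the tunnel and whether it overlaps anything the far side already
    routes elsewhere (e.g. another VPN)."""
    summary = smallest_supernet(local_cidrs)
    wanted = sum(ipaddress.ip_network(c).num_addresses for c in local_cidrs)
    far = [ipaddress.ip_network(c) for c in far_side_cidrs]
    return {
        "summary": str(summary),
        # How many /24-sized blocks the summary covers (1 = no summarization).
        "slash24_count": 2 ** max(0, 24 - summary.prefixlen),
        # Addresses the tunnel would match that are not in LAN or OPT1 at all.
        "unrequested_addresses": summary.num_addresses - wanted,
        "conflicts": [str(n) for n in far if summary.overlaps(n)],
    }


if __name__ == "__main__":
    # Constructed far-side ranges: the remote LAN plus a network that the
    # remote site already reaches over some other tunnel.
    far_side = ["192.168.155.0/24", "192.168.22.0/24"]
    for opt1 in ("192.168.11.0/24", "192.168.8.0/24", "192.168.100.0/24"):
        print(opt1, check_plan(["192.168.10.0/24", opt1], far_side))
```

Running it shows the three cases from the reply side by side: with OPT1 on 192.168.11.0/24 the summary is exactly 192.168.10.0/23 with nothing extra; with 192.168.8.0/24 it becomes a /22 that also swallows 192.168.9.0/24; with OPT1 left on 192.168.100.0/24 the only single prefix that covers both is a /17, which pulls in 128 /24s and overlaps the constructed 192.168.22.0/24 on the far side. That overlap is the practical risk of over-wide summarization: traffic for an unrelated network gets pulled into this tunnel's policy.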

OK, I will try the LAN VPN first. This is not working: I followed the m0n0wall tutorial almost to the letter; I just changed the lifetime to 1000 and the group options, in Phase 1 the DH key group to 1 and in Phase 2 the PFS key group to 1. This is the error I get:

                ERROR: unknown notify message, no phase2 handle found.

This is the PIX config:

                isakmp policy 10 authentication pre-share
                isakmp policy 10 encryption des
                isakmp policy 10 hash md5
                isakmp policy 10 group 1
                isakmp policy 10 lifetime 1000
                crypto map newmap 10 ipsec-isakmp
                crypto map newmap 10 match address 100
                crypto map newmap 10 set peer aaa.bbb.ccc.ddd.
                crypto map newmap 10 set transform-set myset
                crypto ipsec transform-set myset esp-des esp-md5-hmac

                What could be wrong?

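An added example, not from the thread, for checking the kind of setup posted above: it parses the PIX lines quoted in the post (isakmp policy, transform-set and crypto map entries) into the pfSense Phase 1 and Phase 2 fields they imply, then reports every field where a pfSense-side configuration differs. It is a mechanical comparison, not a diagnosis of the poster's error. The pfSense values in PFSENSE_SIDE are constructed: lifetime 1000, DH group 1 and PFS group 1 are what the poster described, the rest are assumptions; the ESP keyword table covers only the transforms listed in it.

```python
"""Parse PIX-style IKE/IPsec lines and diff them against pfSense Phase 1/2
settings. Added example; PFSENSE_SIDE is constructed, not from the thread."""

# PIX configuration lines as quoted in the post above.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer aaa.bbb.ccc.ddd.
crypto map newmap 10 set transform-set myset
crypto ipsec transform-set myset esp-des esp-md5-hmac
"""

# Constructed pfSense side (assumption), keyed the way compare_sides() reports.
PFSENSE_SIDE = {
    "phase1.authentication": "pre-share",
    "phase1.encryption": "des",
    "phase1.hash": "md5",
    "phase1.group": "1",
    "phase1.lifetime": "1000",
    "phase2.encryption": "des",
    "phase2.hash": "md5",
    "phase2.pfs": "group1",
}

# ESP transform keywords -> (pfSense Phase 2 field, value).
ESP_TRANSFORMS = {
    "esp-des": ("encryption", "des"),
    "esp-3des": ("encryption", "3des"),
    "esp-aes": ("encryption", "aes"),
    "esp-md5-hmac": ("hash", "md5"),
    "esp-sha-hmac": ("hash", "sha1"),
}


def parse_pix(text):
    """Collect isakmp policies, transform-sets and crypto map entries."""
    policies, transform_sets, crypto_maps = {}, {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["isakmp", "policy"] and len(parts) >= 5:
            # isakmp policy <seq> <attribute> <value...>
            policies.setdefault(parts[2], {})[parts[3]] = " ".join(parts[4:])
        elif parts[:3] == ["crypto", "ipsec", "transform-set"] and len(parts) >= 5:
            transform_sets[parts[3]] = parts[4:]
        elif parts[:2] == ["crypto", "map"] and len(parts) >= 5:
            # crypto map <name> <seq> ...; PFS is off unless a 'set pfs' line appears
            entry = crypto_maps.setdefault((parts[2], parts[3]), {"pfs": "off"})
            rest = parts[4:]
            if rest[0] == "ipsec-isakmp":
                entry["mode"] = "ipsec-isakmp"
            elif rest[:2] == ["match", "address"] and len(rest) >= 3:
                entry["acl"] = rest[2]
            elif rest[0] == "set" and len(rest) >= 3:
                entry[rest[1]] = " ".join(rest[2:])  # peer, transform-set, pfs
    return {"policies": policies, "transform_sets": transform_sets,
            "crypto_maps": crypto_maps}


def expected_pfsense_settings(pix, policy_seq="10", map_key=("newmap", "10")):
    """Translate one PIX policy + crypto map entry into pfSense-style fields."""
    p1 = pix["policies"][policy_seq]
    cm = pix["crypto_maps"][map_key]
    expected = {"phase1." + k: v for k, v in p1.items()}
    for keyword in pix["transform_sets"][cm["transform-set"]]:
        if keyword in ESP_TRANSFORMS:
            field, value = ESP_TRANSFORMS[keyword]
            expected["phase2." + field] = value
    expected["phase2.pfs"] = cm["pfs"]  # 'set pfs group1' -> 'group1', else 'off'
    return expected


def compare_sides(pix_text, pfsense):
    """Return {field: (pix_value, pfsense_value)} for every field that differs."""
    expected = expected_pfsense_settings(parse_pix(pix_text))
    return {k: (expected[k], pfsense.get(k))
            for k in expected if expected[k] != pfsense.get(k)}


if __name__ == "__main__":
    for field, (pix_val, pf_val) in compare_sides(PIX_CONFIG, PFSENSE_SIDE).items():
        print(f"{field}: PIX={pix_val!r} pfSense={pf_val!r}")
```

With the constructed pfSense side, the only field reported is phase2.pfs: the quoted crypto map has no "set pfs" line, so the parser records PFS as off on the PIX, while the pfSense side has PFS group 1. The script does not model PIX defaults for omitted lines, so a policy attribute left out on the PIX side is simply not compared.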
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.