Vpn site to site with pix vpn
Hi, where can I find a good tutorial on setting up a site-to-site VPN between pfSense and a Cisco PIX?
GruensFroeschli
no how to but…
dotdash
The m0nowall howto is a good starting point, as the configuration is pretty much the same.
Perfect. How do I make my OPT1 network also "known" through the same tunnel?
I mean, I have LAN: 192.168.10.0/24 and OPT1: 192.168.100.0/24. I want the remote site to be able to connect to servers in OPT1's network. Is it possible?
You can have your OPT1 network seen over the IPSEC tunnel, but you have to include it in your IPSEC vpn setup. If your OPT1 network was in the 192.168.11.0/24 range, it would work more cleanly and here's why:
Say your LAN is 192.168.10.0/24 and OPT1 is 192.168.11.0/24 and the LAN on the other side is 192.168.155.0/24.
When you build your tunnel and set your "Local subnet" you would use a CIDR range of 192.168.10.0/23 which covers the 192.168.10.x and 192.168.11.x ranges.
Back to your scenario of 192.168.100.0/24 (if you cannot change it), you could use a range 192.168.10.0/25, which covers all IPs from 192.168.0.1 up to 192.168.127.254 (that's 128 "/24" subnets). The issues would be that this isn't the cleanest of items, and the other item would be what if the other side network already has VPNs set up to a network in, say for example, the 192.168.22.0/24 range. It could conflict. Thus, the easiest, cleanest solution would be if you could change your OPT1 network to one of the following:
192.168.11.0/24 ---> thus, you could use 192.168.10.0/23
192.168.8.0/24 or 192.168.9.0/24 ---> you could use 192.168.10.0/22
One last item that others have used is called parallel tunnels.
Hope this helps.... Enjoy :)
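A way to check the supernetting suggestion in code, as an added example that is not from the thread, from pfSense or from m0n0wall: it uses Python's ipaddress module to compute the single prefix a "Local subnet" field would need to cover LAN and OPT1, and lists any networks that summary would also pull into the tunnel. The addresses are the ones quoted above plus the 192.168.22.0/24 network mentioned as a possible conflict; all of them are constructed sample values.

```python
"""Summarise several local networks into one IPsec phase 2 selector and
flag networks that the summary would wrongly claim across the tunnel."""
import ipaddress


def covering_prefix(networks):
    """Smallest single network that contains every network in `networks`."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    summary = nets[0]
    # Widen the prefix one bit at a time until all networks fit inside it.
    # supernet() of 0.0.0.0/0 returns itself, so the loop always ends.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def overlaps(summary, others):
    """Networks in `others` that overlap the summary (traffic to them would be
    routed into the tunnel, or clash with tunnels the remote side has)."""
    return [o for o in map(ipaddress.ip_network, others) if summary.overlaps(o)]


def plan(local_nets, foreign_nets):
    """Return (summary prefix, list of conflicting foreign networks) as strings."""
    summary = covering_prefix(local_nets)
    return str(summary), [str(o) for o in overlaps(summary, foreign_nets)]


if __name__ == "__main__":
    # Constructed sample: remote LAN plus a network the remote side might
    # already reach over another VPN.
    foreign = ["192.168.155.0/24", "192.168.22.0/24"]
    for opt1 in ("192.168.11.0/24", "192.168.100.0/24"):
        summary, clashes = plan(["192.168.10.0/24", opt1], foreign)
        print(f"LAN + {opt1:<18} -> local subnet {summary:<18} "
              f"conflicts: {clashes or 'none'}")
```

With OPT1 at 192.168.11.0/24 the summary is 192.168.10.0/23 and nothing else is caught; with 192.168.100.0/24 the summary grows to 192.168.0.0/17, which also swallows 192.168.22.0/24.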
OK, I will try the LAN VPN first. This is not working. I followed the m0n0wall tutorial almost to the letter; I just changed the lifetime to 1000 and the group options: in phase 1 the DH key group to 1, and in phase 2 the PFS key group to 1. This is the error I get:
ERROR: unknown notify message, no phase2 handle found.
This is the PIX config:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer aaa.bbb.ccc.ddd.
crypto map newmap 10 set transform-set myset
crypto ipsec transform-set myset esp-des esp-md5-hmac
What could be wrong?