VPN site to site with PIX VPN



  • Hi, where can I find a good tutorial on setting up a site-to-site VPN between pfSense and a Cisco PIX?
    Regards





  • The m0nowall howto is a good starting point, as the configuration is pretty much the same.
    http://doc.m0n0.ch/handbook/examplevpn.html#id2606293



  • Perfect. How do I make it so that my OPT1 network is also "known" by the same tunnel?
    I mean, I have LAN: 192.168.10.0/24 and OPT1: 192.168.100.0/24, and I want the remote site to be able to connect to servers in OPT1's network. Is it possible?
    Regards



  • You can have your OPT1 network seen over the IPsec tunnel, but you have to include it in your IPsec VPN setup.  If your OPT1 network was in the 192.168.11.0/24 range, it would work more cleanly, and here's why:

    Say your LAN is 192.168.10.0/24 and OPT1 is 192.168.11.0/24 and the LAN on the other side is 192.168.155.0/24.

    When you build your tunnel and set your "Local subnet" you would use a CIDR range of 192.168.10.0/23 which covers the 192.168.10.x and 192.168.11.x ranges.

    Back to your scenario of 192.168.100.0/24 (if you cannot change it): you could use a range of 192.168.10.0/25, which covers all IPs from 192.168.0.1 up to 192.168.127.254 (that's 128 "/24" subnets).  The issues would be that this isn't the cleanest of items, and the other item would be: what if the other side's network already has VPNs set up to a network on, say for example, the 192.168.22.0/24 range?  It could conflict.  Thus, the easiest, cleanest solution would be if you could change your OPT1 network to one of the following:

    192.168.11.0/24 --> thus, you could use 192.168.10.0/23

    192.168.8.0/24 or 192.168.9.0/24 --> you could use 192.168.10.0/22

    One last item that others have used is called parallel tunnels.

    Hope this helps.... Enjoy :)
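The summarization the reply above describes, checked with Python's standard ipaddress module. This is an added example and not part of the original thread: it computes the single prefix that would have to cover a set of local networks in one phase 2 "Local subnet" entry, how many addresses that prefix drags in beyond the networks actually wanted, and whether the prefix overlaps any network on the remote side (the conflict the reply warns about). The subnet values are the ones from the thread; 192.168.22.0/24 stands in for the reply's hypothetical "other VPN" on the far side, and the function names are mine. It also lists the per-pair phase 2 selectors a parallel-tunnel setup would use instead of a summary prefix.

```python
import ipaddress

# Subnets taken from the thread (poster's LAN/OPT1 and the remote LAN).
LOCAL_LAN = "192.168.10.0/24"
LOCAL_OPT1 = "192.168.100.0/24"
REMOTE_LAN = "192.168.155.0/24"
# Constructed: a network the far side already tunnels to (the reply's 192.168.22.0/24 example).
REMOTE_OTHER_VPN = "192.168.22.0/24"


def covering_supernet(networks):
    """Smallest single prefix that contains every network in the list.

    This is the 'Local subnet' you would have to enter in one phase 2 entry
    to carry all of the listed networks over a single tunnel.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    candidate = nets[0]
    # Widen the prefix one bit at a time until every network fits inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def excess_addresses(networks):
    """Addresses the covering prefix includes beyond the networks you asked for."""
    wanted = sum(ipaddress.ip_network(n, strict=False).num_addresses for n in networks)
    return covering_supernet(networks).num_addresses - wanted


def conflicting_remotes(local, remotes):
    """Remote networks that overlap the proposed local summary prefix.

    Any overlap means traffic for that remote network is ambiguous: it matches
    both the far side's own routes and our summarized traffic selector.
    """
    local_net = ipaddress.ip_network(local, strict=False)
    return [
        r for r in (ipaddress.ip_network(x, strict=False) for x in remotes)
        if local_net.overlaps(r)
    ]


def phase2_pairs(locals_, remotes):
    """Selectors for the 'parallel tunnels' alternative: one phase 2 entry per
    (local, remote) pair instead of a single summary prefix."""
    return [
        (str(ipaddress.ip_network(l, strict=False)), str(ipaddress.ip_network(r, strict=False)))
        for l in locals_ for r in remotes
    ]


if __name__ == "__main__":
    remotes = [REMOTE_LAN, REMOTE_OTHER_VPN]
    for locals_ in (["192.168.10.0/24", "192.168.11.0/24"],
                    ["192.168.8.0/24", "192.168.10.0/24"],
                    [LOCAL_LAN, LOCAL_OPT1]):
        summary = covering_supernet(locals_)
        clash = [str(c) for c in conflicting_remotes(summary, remotes)]
        print(f"{locals_} -> {summary}, {excess_addresses(locals_)} unwanted addresses, conflicts: {clash}")
    print("parallel phase 2 entries:", phase2_pairs([LOCAL_LAN, LOCAL_OPT1], [REMOTE_LAN]))
```

Running it shows why the reply prefers renumbering OPT1: two adjacent /24s summarize into a /23 with nothing extra, while 192.168.10.0/24 plus 192.168.100.0/24 can only be covered by 192.168.0.0/17, which pulls in tens of thousands of unrelated addresses and overlaps any far-side network in the lower half of 192.168.0.0/16.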



  • OK, I will try the LAN VPN first. This is not working; I followed the m0n0wall tutorial almost to the letter, I just changed the lifetime to 1000 and the group options (in phase 1 the DH key group to 1, and in phase 2 the PFS key group to 1). This is the error I get:

    ERROR: unknown notify message, no phase2 handle found.

    This is the PIX config:

    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 100
    crypto map newmap 10 set peer aaa.bbb.ccc.ddd
    crypto map newmap 10 set transform-set myset
    crypto ipsec transform-set myset esp-des esp-md5-hmac

    What could be wrong?
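One way to cross-check the posted PIX lines against the settings described for the pfSense side, as an added example that is not from the thread: it parses the `isakmp policy`, `crypto ipsec transform-set` and `crypto map` lines into dictionaries and lists every phase 1 and phase 2 attribute on which the two ends disagree. The pfSense values are the ones the post describes (DES, MD5, DH group 1, lifetime 1000, PFS group 1); the dictionary layout and function names are mine. PFS on a PIX crypto map is a `set pfs` attribute of the map entry, and the posted config contains none, so that is the one difference this check reports for the lines as quoted.

```python
import re

# Constructed sample: the PIX crypto configuration quoted in the post above.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer aaa.bbb.ccc.ddd
crypto map newmap 10 set transform-set myset
crypto ipsec transform-set myset esp-des esp-md5-hmac
"""

# The pfSense side as the post describes it (m0n0wall howto settings with
# lifetime 1000, phase 1 DH group 1 and phase 2 PFS group 1). Constructed dicts.
PFSENSE_PHASE1 = {"authentication": "pre-share", "encryption": "des",
                  "hash": "md5", "group": "1", "lifetime": "1000"}
PFSENSE_PHASE2 = {"transforms": ["esp-des", "esp-md5-hmac"], "pfs_group": "1"}


def parse_pix_crypto(text):
    """Turn PIX 'isakmp policy', 'crypto map' and 'transform-set' lines into dicts."""
    policies = {}        # priority -> {attribute: value}
    transform_sets = {}  # name -> [transforms]
    crypto_maps = {}     # (map name, seq) -> {attribute: value}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"crypto map (\S+) (\d+) (.+)$", line)
        if m:
            entry = crypto_maps.setdefault((m.group(1), int(m.group(2))), {})
            words = m.group(3).split()
            if words[0] == "set":          # set peer / set transform-set / set pfs
                entry[words[1]] = " ".join(words[2:])
            elif words[0] == "match":      # match address <acl>
                entry["match"] = " ".join(words[1:])
            else:                          # ipsec-isakmp / ipsec-manual
                entry["type"] = words[0]
    return {"policies": policies, "transform_sets": transform_sets,
            "crypto_maps": crypto_maps}


def find_mismatches(pix, phase1, phase2, policy_priority=10, map_key=("newmap", 10)):
    """List every attribute on which the PIX config and the pfSense settings disagree."""
    problems = []
    policy = pix["policies"].get(policy_priority, {})
    for attr, want in phase1.items():
        have = policy.get(attr)
        if have != want:
            problems.append(f"phase1 {attr}: pfsense={want} pix={have}")
    entry = pix["crypto_maps"].get(map_key, {})
    have_transforms = pix["transform_sets"].get(entry.get("transform-set"), [])
    if sorted(have_transforms) != sorted(phase2["transforms"]):
        problems.append(f"phase2 transforms: pfsense={phase2['transforms']} pix={have_transforms}")
    # PIX expresses PFS as 'set pfs groupN' on the crypto map entry; absent means PFS off.
    have_pfs = entry.get("pfs")
    have_pfs_group = have_pfs.replace("group", "") if have_pfs else None
    if have_pfs_group != phase2["pfs_group"]:
        pix_side = "group " + have_pfs_group if have_pfs_group else "not configured"
        problems.append(f"phase2 pfs: pfsense=group {phase2['pfs_group']} pix={pix_side}")
    if entry.get("type") != "ipsec-isakmp":
        problems.append(f"crypto map type: {entry.get('type')}")
    return problems


if __name__ == "__main__":
    parsed = parse_pix_crypto(PIX_CONFIG)
    for p in find_mismatches(parsed, PFSENSE_PHASE1, PFSENSE_PHASE2):
        print("MISMATCH:", p)
```

The parser only looks at the crypto lines that were posted; a full diagnosis would also need the pre-shared key, the `isakmp enable` and crypto map interface bindings and access-list 100, none of which appear in the post, so the check is limited to proposal agreement between the two ends.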

