VPN site to site with PIX VPN
-
Hi, where can I find a good tutorial on setting up a site-to-site VPN between pfSense and a Cisco PIX?
Regards -
No how-to, but…
http://forum.pfsense.org/index.php/topic,3433.0.html -
The m0nowall howto is a good starting point, as the configuration is pretty much the same.
http://doc.m0n0.ch/handbook/examplevpn.html#id2606293 -
Perfect. How do I make my OPT1 network also "known" over the same tunnel?
I mean, I have LAN: 192.168.10.0/24 and OPT1: 192.168.100.0/24. I want the remote site to be able to connect to servers on OPT1's network; is that possible?
regards -
You can have your OPT1 network seen over the IPsec tunnel, but you have to include it in your IPsec VPN setup. If your OPT1 network were in the 192.168.11.0/24 range, it would work more cleanly, and here's why:
Say your LAN is 192.168.10.0/24 and OPT1 is 192.168.11.0/24 and the LAN on the other side is 192.168.155.0/24.
When you build your tunnel and set your "Local subnet" you would use a CIDR range of 192.168.10.0/23 which covers the 192.168.10.x and 192.168.11.x ranges.
Back to your scenario of 192.168.100.0/24 (if you cannot change it): you could use a range 192.168.10.0/25, which covers all IPs from 192.168.0.1 up to 192.168.127.254 (that's 128 "/24" subnets). The issues would be that this isn't the cleanest of items, and the other item would be: what if the other side's network already has VPNs set up to a network in, say for example, the 192.168.22.0/24 range? It could conflict. Thus, the easiest, cleanest solution would be if you could change your OPT1 network to one of the following:
192.168.11.0/24 ---> thus, you could use 192.168.10.0/23
192.168.8.0/24 or 192.168.9.0/24 ---> you could use 192.168.10.0/22
One last item that others have used is called parallel tunnels.
Hope this helps.... Enjoy :)
-
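The answer above boils down to one question: what is the smallest single prefix that contains both the LAN and OPT1 networks, and does that prefix collide with anything the peer already routes? The script below is an added worked example, not code from the thread or from pfSense; it uses only the Python standard library's ipaddress module and the subnets named in the thread. The remote LAN (192.168.155.0/24) and a hypothetical second VPN network on the peer (192.168.22.0/24) are the answer's own illustrative values, and the "peer_other_nets" argument is an assumption of this example. Run it and compare the result with the prefix you intend to enter in the tunnel's "Local subnet" field; it also reports how much unused address space the supernet drags into the tunnel, which is the "not the cleanest" cost the answer refers to.

```python
import ipaddress


def covering_prefix(nets):
    """Return the smallest single IPv4 prefix that contains every network in nets."""
    nets = [ipaddress.ip_network(n) for n in nets]
    first = nets[0]
    # Widen the first network one bit at a time until it swallows the others.
    for plen in range(first.prefixlen, -1, -1):
        cand = ipaddress.ip_network((int(first.network_address), plen), strict=False)
        if all(n.subnet_of(cand) for n in nets):
            return cand
    raise ValueError("no covering prefix")  # unreachable for valid input


def plan_local_subnet(local_nets, remote_nets, peer_other_nets=()):
    """Summarise local networks into one tunnel 'Local subnet' and flag overlaps.

    local_nets      : networks behind this pfSense that must be reachable (LAN, OPT1, ...)
    remote_nets     : networks behind the PIX that the tunnel carries
    peer_other_nets : (assumed) networks the PIX already reaches over other tunnels
    """
    cover = covering_prefix(local_nets)
    used = sum(ipaddress.ip_network(n).num_addresses for n in local_nets)
    others = [ipaddress.ip_network(n) for n in list(remote_nets) + list(peer_other_nets)]
    # Any overlap means the peer cannot route unambiguously: a different tunnel
    # or a directly attached network would claim part of our summary prefix.
    conflicts = [str(n) for n in others if n.overlaps(cover)]
    return {
        "local_subnet": str(cover),
        "unused_addresses": cover.num_addresses - used,
        "conflicts": conflicts,
    }


if __name__ == "__main__":
    remote = ["192.168.155.0/24"]          # peer LAN from the answer above
    peer_extra = ["192.168.22.0/24"]       # hypothetical other VPN on the peer
    # Case from the answer: OPT1 renumbered to 192.168.11.0/24
    print(plan_local_subnet(["192.168.10.0/24", "192.168.11.0/24"], remote, peer_extra))
    # Case from the question: OPT1 stays on 192.168.100.0/24
    print(plan_local_subnet(["192.168.10.0/24", "192.168.100.0/24"], remote, peer_extra))
```

With OPT1 on 192.168.11.0/24 the summary is exactly 192.168.10.0/23 with no spare addresses and no conflicts. With OPT1 left on 192.168.100.0/24 the single prefix that covers both is much wider, pulls in tens of thousands of unused addresses, and overlaps the hypothetical 192.168.22.0/24 on the peer, which is the conflict scenario the answer warns about; in that situation, two phase 2 entries (one per local network), the "parallel tunnels" the answer mentions, avoid the summary altogether.
-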
OK, I will try the LAN VPN first. This is not working; I followed the m0n0wall tutorial almost to the letter, I just changed the lifetime to 1000 and the group options: in phase 1 the DH key group to 1, and in phase 2 the PFS key group to 1. This is the error I get:
ERROR: unknown notify message, no phase2 handle found.
This is the PIX config:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer aaa.bbb.ccc.ddd.
crypto map newmap 10 set transform-set myset
crypto ipsec transform-set myset esp-des esp-md5-hmac
What could be wrong?
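When a pfSense/racoon side and a PIX side negotiate, every phase 1 and phase 2 parameter has to agree, and the PIX expresses them in different words than the pfSense GUI. The script below is an added example, not part of the thread: it parses the PIX fragment posted above (with the question text that had run onto the last line removed) into the equivalent pfSense settings and diffs them against what the poster says was entered. The pfSense values for the algorithms are an assumption of this example (DES/MD5 in both phases, to match the PIX); the lifetime, DH group 1 and PFS group 1 are the poster's stated values. One thing the comparison surfaces on the posted config is that the crypto map has no "set pfs" line, so the PIX side has PFS off while the pfSense side was set to PFS group 1. Whether that is the cause of the error in this thread is not something the thread establishes, but a parameter diff like this is the first check to run before reading racoon logs.

```python
# Constructed input: the PIX lines quoted in the post above.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer aaa.bbb.ccc.ddd.
crypto map newmap 10 set transform-set myset
crypto ipsec transform-set myset esp-des esp-md5-hmac
"""

# Assumed pfSense entries: the poster's stated lifetime/DH/PFS values,
# plus DES/MD5 in both phases (an assumption of this example).
PFSENSE_CONFIGURED = {
    "p1_encryption": "DES", "p1_hash": "MD5", "p1_dh_group": "1", "p1_lifetime": "1000",
    "p2_encryption": "DES", "p2_hash": "MD5", "p2_pfs_group": "1",
}

# PIX keywords mapped onto the names the pfSense GUI uses for the same algorithm.
ENC = {"des": "DES", "3des": "3DES", "aes": "AES",
       "esp-des": "DES", "esp-3des": "3DES", "esp-aes": "AES"}
HASH = {"md5": "MD5", "sha": "SHA1",
        "esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1"}


def pix_to_pfsense(text):
    """Derive the pfSense phase 1 / phase 2 settings implied by a PIX config."""
    policy, cmap, tsets = {}, {}, {}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 5 and p[:2] == ["isakmp", "policy"]:
            policy[p[3]] = p[4]                 # phase 1: attribute -> value
        elif len(p) >= 5 and p[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[p[3]] = p[4:]                 # phase 2 algorithms by set name
        elif len(p) >= 6 and p[:2] == ["crypto", "map"] and p[4] == "set":
            cmap[p[5]] = " ".join(p[6:])        # peer, transform-set, pfs, ...
    transforms = tsets.get(cmap.get("transform-set"), [])
    return {
        "p1_encryption": ENC.get(policy.get("encryption"), policy.get("encryption")),
        "p1_hash": HASH.get(policy.get("hash"), policy.get("hash")),
        "p1_dh_group": policy.get("group"),
        "p1_lifetime": policy.get("lifetime"),
        "p2_encryption": next((ENC[t] for t in transforms if t in ENC), None),
        "p2_hash": next((HASH[t] for t in transforms if t in HASH), None),
        # PIX only enables PFS with "set pfs groupN"; with no such line it is off.
        "p2_pfs_group": cmap["pfs"].replace("group", "") if "pfs" in cmap else "off",
    }


def mismatches(expected, configured):
    """List (setting, PIX side, pfSense side) for every parameter that differs."""
    return [(k, expected[k], configured.get(k))
            for k in expected if expected[k] != configured.get(k)]


if __name__ == "__main__":
    derived = pix_to_pfsense(PIX_CONFIG)
    for k, v in derived.items():
        print(f"{k:15} PIX={v!s:6} pfSense={PFSENSE_CONFIGURED.get(k)}")
    print("mismatches:", mismatches(derived, PFSENSE_CONFIGURED))
```

The parser is deliberately narrow: it handles only the isakmp policy, crypto map "set" and transform-set lines that appear in the post. If your PIX config carries several isakmp policies or crypto map entries, extend the dictionaries to be keyed by policy number and map sequence before trusting the diff.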