From: Szabo, Vilmos (VS183600@exchange.UnitedKingdom.NCR.COM)
Date: Tue Jun 10 2003 - 12:54:49 GMT-3
Stefan,
You defined the interesting traffic that should be encrypted to the same IP
address (host 192.168.0.1) as the IPSec tunnel termination point (a.k.a. peer);
that is not correct.
acl defines interesting traffic
peer defines tunnel termination point
These should be different unless you want to use transport mode, but as I
guess you want to use tunnel mode.
Regards,
Vilmos
-----Original Message-----
From: stefan vogt [mailto:stefan-uwe_vogt@web.de]
Sent: 10 June 2003 16:15
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: PIX VPN question
Hello all,
Can somebody help me out with a sample configuration for the following
scenario.
I have 2 PIX FW at different sites which should be connected using a vpn
tunnel with preshared keys. On my local PIX, only specific traffic should be
sent via the tunnel. The remaining traffic should be sent without encryption
to the internet.
I tried the following config (addresses changed ;)), but it seems I'm missing
something, since the 'normal' internet connectivity is broken.
---snip---
access-list myacl permit ip host 172.30.0.1 host 192.168.0.1
access-list myacl permit ip host 172.30.0.2 host 192.168.0.1
crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address myacl
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 192.168.100.1
crypto map mymap 10 set transform-set mytransformset
crypto map mymap interface outside
isakmp enable outside
isakmp key yyy address 192.168.100.1 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
---snip---
Any input/link/sample config is very welcome.
TIA,
Stefan
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:56 GMT-3