The Certified Geek

March 25, 2006

IPSec VPN (Symantec via Cisco)

Filed under: Lines Connected

IPSec VPN is still a mystery to me, but this incident with one of our clients is worth writing up. They had just purchased a Symantec appliance (SGS 5420) and could not connect via IPSec to another corporate network that uses a Cisco PIX device. The problem dragged on for more than 3 weeks, and the Symantec vendor's third-party support could not establish an IPSec tunnel with the Cisco device.

Putting our notes together, we tried connecting the SGS device to a PIX firewall which we luckily have on hand, and finally got the IPSec tunnel established. The technical details for each system are discussed below:

Extensive testing has shown that it basically comes down to the global IKE parameter, the Phase 1 ID, better known in the Cisco configuration as isakmp identity key-id. This parameter has to be the same on both sides.

Extensive testing has proven that:

* The Diffie-Hellman group has no influence, as long as it is the same on both sides (tested with group 1 and group 2).
* The hostname has no influence.
* The length of the PSK has no influence, as long as it is at least 20 characters.

Cisco PIX Configuration
-------
sysopt connection permit-ipsec
# IPSec Policy
crypto ipsec transform-set SITE1-Policy esp-3des esp-md5-hmac
# Map the IPSec policy to the site allowed to connect
# (ACL_Site1 is the access-list that selects the traffic to protect; it must be defined separately)
crypto map SITE1-to-SITE2 20 ipsec-isakmp
crypto map SITE1-to-SITE2 20 match address ACL_Site1
crypto map SITE1-to-SITE2 20 set peer Site1 IP Address
crypto map SITE1-to-SITE2 20 set transform-set SITE1-Policy
crypto map SITE1-to-SITE2 interface outside

# ISAKMP Configuration
isakmp enable outside
isakmp key ******** address Site1 IP Address netmask 255.255.255.255
# This value must be set for 3rd party VPN headend device
isakmp identity key-id test
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

-----
from the Cisco PIX Firewall Command Reference, Version 6.3

isakmp identity key-id value

The isakmp identity key-id key_id_string command sends the specified key_id_string using aggressive mode. This is intended to enable third-party VPN headend devices that do not support the Unity protocol to interoperate with a DHCP-enabled firewall at a remote site.

For debugging on the Cisco PIX, use “debug crypto isakmp” and “show isakmp log”, and wait for the output to reach “ISAKMP (0): Creating IPSec SAs” with a value of 1 for the created tunnel.
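To make the findings above checkable before a tunnel is even attempted, here is a small Phase 1 consistency checker. It is an added example, not something from the original post or from Symantec or Cisco: it parses the isakmp lines of the PIX configuration above (with a made-up peer address and pre-shared key in place of the masked values), represents the SGS side as a constructed parameter set (the field names are this example's own, not SGS configuration keys), and reports every mismatch the post identified as fatal: a differing Phase 1 ID (key-id), a differing DH group, encryption, hash or authentication method, a differing pre-shared key, or a PSK shorter than 20 characters.

```python
import re
from dataclasses import dataclass, replace

# Constructed sample: the ISAKMP lines from the PIX configuration above, with a
# made-up peer address (203.0.113.10) and a made-up pre-shared key standing in
# for the masked values in the post.
PIX_CONFIG = """\
isakmp enable outside
isakmp key SuperSecretPreSharedKey01 address 203.0.113.10 netmask 255.255.255.255
isakmp identity key-id test
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""


@dataclass
class Phase1:
    """IKE Phase 1 parameters as one peer proposes them (field names are this example's own)."""
    identity_type: str = ""   # address, hostname or key-id
    identity_value: str = ""  # the Phase 1 ID that is sent (meaningful for key-id)
    auth: str = ""
    encryption: str = ""
    hash_alg: str = ""
    group: str = ""
    lifetime: str = ""
    psk: str = ""


def parse_pix_isakmp(text, policy="10"):
    """Pull the Phase 1 parameters of one 'isakmp policy' out of PIX 6.x config text."""
    p = Phase1()
    attr_map = {"authentication": "auth", "encryption": "encryption",
                "hash": "hash_alg", "group": "group", "lifetime": "lifetime"}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"isakmp key (\S+) address (\S+)", line)
        if m:
            p.psk = m.group(1)
            continue
        m = re.match(r"isakmp identity (address|hostname|key-id)(?:\s+(\S+))?$", line)
        if m:
            p.identity_type, p.identity_value = m.group(1), m.group(2) or ""
            continue
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)", line)
        if m and m.group(1) == policy and m.group(2) in attr_map:
            setattr(p, attr_map[m.group(2)], m.group(3))
    return p


# Constructed: the settings the Symantec SGS side ended up with once the tunnel came up.
SGS_PHASE1 = Phase1(identity_type="key-id", identity_value="test",
                    auth="pre-share", encryption="3des", hash_alg="md5",
                    group="2", lifetime="86400", psk="SuperSecretPreSharedKey01")


def check_phase1(local, remote, min_psk_len=20):
    """Compare two peers' Phase 1 settings; an empty list means no mismatch was found."""
    findings = []
    if local.identity_type != remote.identity_type:
        findings.append(f"identity type differs: {local.identity_type} vs {remote.identity_type}")
    elif local.identity_type == "key-id" and local.identity_value != remote.identity_value:
        findings.append(f"Phase 1 ID (key-id) differs: {local.identity_value!r} vs {remote.identity_value!r}")
    for attr in ("auth", "encryption", "hash_alg", "group"):
        lv, rv = getattr(local, attr), getattr(remote, attr)
        if lv != rv:
            findings.append(f"{attr} differs: {lv} vs {rv}")
    # Lifetime is deliberately not compared: IKEv1 peers settle on the shorter value.
    if local.psk != remote.psk:
        findings.append("pre-shared keys differ")
    if len(local.psk) < min_psk_len:
        findings.append(f"pre-shared key is shorter than {min_psk_len} characters")
    return findings


if __name__ == "__main__":
    pix = parse_pix_isakmp(PIX_CONFIG)
    print("PIX Phase 1:", pix)
    print("findings:", check_phase1(pix, SGS_PHASE1) or "none")
    # The failure mode from the post: the SGS side sending a different Phase 1 ID.
    print("with mismatched ID:", check_phase1(pix, replace(SGS_PHASE1, identity_value="sgs5420")))
```

Because key-id works by sending the Phase 1 ID in aggressive mode, the ID and the PSK-derived authentication hash travel before any encryption is in place, which is why the 20-character minimum found above should be treated as a floor rather than a target: use a long, random pre-shared key, not a word.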


The URI to TrackBack this entry is: http://certifiedgeek.blogsome.com/2006/03/25/ipsec-vpn-symantec-via-cisco/trackback/
