PIX <-> Borderware VPN

Hello,

I want to configure a VPN connection between a Borderware FW Release 7.0 and a PIX 506E. Does the VPN connection work with 3DES 168-bit encryption? On the PIX I have a dynamic-IP DSL connection, and a static IP on the Borderware side.

Has anyone done such a configuration between these two firewalls?

Is this the correct config for an Aggressive Mode configuration?

access-list pixaccesslist from_inside permit ip internal_vpn_net external_vpn_net
sysopt connection permit-ipsec
crypto ipsec transform-set vpnnetz esp-3des esp-md5-hmac
crypto dynamic-map ciscopix 1 set transform-set vpnnetz
crypto map dynmapto 30 ipsec-isakmp dynamic ciscopix
crypto map dynmapto interface outside
isakmp enable outside
isakmp key xxxx address x.x.x.x isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

Thanks in advance for any help !

Christian

Reply to
Wolle

In article , Wolle wrote:
:I want to configure a VPN connection between a Borderware FW Release 7.0 and
:a PIX 506E. Does the VPN connection work with a 3DES 168Bit encryption?

:Is this the correct config for an Aggressive Mode configuration?

:access-list pixaccesslist from_inside permit ip internal_vpn_net external_vpn_net

Well, you can't have an accesslist name that includes a space, but that's a minor point.

:sysopt connection permit-ipsec
:crypto ipsec transform-set vpnnetz esp-3des esp-md5-hmac

Due to known weaknesses in MD5, it is recommended to use SHA instead of MD5. That's with the exception of DES (instead of 3DES): the PIX wants MD5 for DES.

:crypto dynamic-map ciscopix 1 set transform-set vpnnetz
:crypto map dynmapto 30 ipsec-isakmp dynamic ciscopix
:crypto map dynmapto interface outside
:isakmp enable outside

Those parts look fine.

:isakmp key xxxx address x.x.x.x isakmp identity address

That should be split into two lines, but that's a minor point.

:isakmp policy 10 authentication pre-share
:isakmp policy 10 encryption 3des
:isakmp policy 10 hash md5
:isakmp policy 10 group 2
:isakmp policy 10 lifetime 28800

Again SHA is recommended over MD5 for 3DES.

On the other hand, I don't know what the restrictions are on Borderware so you just might find that you need to stick to MD5.

Reply to
Walter Roberson
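The points raised in the reply above (an access-list name that contains a space, two isakmp commands run together on one line, "group2" written without a space, and MD5 used where SHA is recommended) are exactly the kind of thing that is easy to miss when eyeballing a pasted PIX config. The following is an added example, not code from either poster or from Cisco: a small lint script that walks a PIX 6.x-style IPsec/ISAKMP configuration one command per line and reports syntax problems the PIX would reject separately from settings that parse but are weak. Both configurations embedded in it are constructed for the example: the first is the posted config with the reported defects left in, the second is the same config with the reply's advice applied. The command grammar it checks (`access-list <name> permit|deny ...`, `crypto ipsec transform-set <name> <alg>...`, `isakmp policy <prio> <keyword> <value>`) is assumed from the commands quoted in the thread; it is not a complete PIX parser.

```python
"""Lint a PIX 6.x IPsec/ISAKMP VPN configuration for the problems discussed in the thread.

Added example for this thread (not Cisco's or either poster's code). Checks are limited
to the command forms quoted in the question; anything else is passed through silently.
"""
import re
from dataclasses import dataclass

# Constructed sample: the configuration as posted, with the defects the reply
# points out left in place (ACL name with a space, two commands on one line,
# "group2" without a space, MD5 in both the transform set and the ISAKMP policy).
POSTED_CONFIG = """\
access-list pixaccesslist from_inside permit ip internal_vpn_net external_vpn_net
sysopt connection permit-ipsec
crypto ipsec transform-set vpnnetz esp-3des esp-md5-hmac
crypto dynamic-map ciscopix 1 set transform-set vpnnetz
crypto map dynmapto 30 ipsec-isakmp dynamic ciscopix
crypto map dynmapto interface outside
isakmp enable outside
isakmp key xxxx address x.x.x.x isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group2
isakmp policy 10 lifetime 28800
"""

# Constructed sample: the same configuration with the reply's advice applied
# (single-token ACL name, one command per line, SHA instead of MD5, "group 2").
HARDENED_CONFIG = """\
access-list from_inside permit ip internal_vpn_net external_vpn_net
sysopt connection permit-ipsec
crypto ipsec transform-set vpnnetz esp-3des esp-sha-hmac
crypto dynamic-map ciscopix 1 set transform-set vpnnetz
crypto map dynmapto 30 ipsec-isakmp dynamic ciscopix
crypto map dynmapto interface outside
isakmp enable outside
isakmp key xxxx address x.x.x.x
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
"""


@dataclass(frozen=True)
class Finding:
    line: str
    kind: str      # "syntax": the PIX will reject the line; "weak": accepted but not recommended
    message: str


# ESP transforms the thread recommends against, mapped to the replacement it recommends.
WEAK_ESP = {"esp-des": "esp-3des", "esp-md5-hmac": "esp-sha-hmac"}


def lint_pix_vpn(config: str) -> list[Finding]:
    """Return one Finding per problem line; an empty list means nothing was flagged."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        # access-list <name> permit|deny ...  -> the name is exactly one token
        if t[0] == "access-list" and len(t) > 2 and t[2] not in ("permit", "deny", "remark"):
            findings.append(Finding(line, "syntax", "access-list name must be a single token (no spaces)"))
        # crypto ipsec transform-set <name> <transform>...
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            for alg in t[4:]:
                if alg in WEAK_ESP:
                    findings.append(Finding(line, "weak", f"{alg}: use {WEAK_ESP[alg]} instead"))
        # isakmp key <key> address <peer>  -> must not have a second command appended
        elif t[:2] == ["isakmp", "key"] and "isakmp" in t[2:]:
            findings.append(Finding(line, "syntax", "two isakmp commands on one line; split them"))
        # isakmp policy <prio> <keyword> [<value>]
        elif t[:2] == ["isakmp", "policy"] and len(t) >= 4:
            keyword, value = t[3], (t[4] if len(t) > 4 else "")
            if re.fullmatch(r"group\d+", keyword):
                findings.append(Finding(line, "syntax", f"write '{keyword[:5]} {keyword[5:]}' with a space"))
            elif keyword == "hash" and value == "md5":
                findings.append(Finding(line, "weak", "ISAKMP hash md5: use sha"))
            elif keyword == "encryption" and value == "des":
                findings.append(Finding(line, "weak", "ISAKMP encryption des: use 3des"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in lint_pix_vpn(cfg):
            print(f"[{f.kind}] {f.message}\n    {f.line}")
```

Run against the posted config it reports three syntax problems and two weak settings; the hardened config produces no findings. The "weak" findings are deliberately kept separate from "syntax" ones because, as the reply notes, the far end (here Borderware) may only offer MD5, in which case a weak finding is something to negotiate with the peer's administrator rather than a line the PIX will refuse.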
