I am trying to establish IPSEC VPN tunnels between Cisco PIX and an Astaro Security Gateway 220. The following shows the details of the 3 sites involved with sample IP addresses.
Site A:
WAN IP: 100.100.100.100
LAN IP 1: 10.10.10.0 /24
LAN IP 2: 20.20.20.0 /24
Device: Cisco PIX
Managed by: Me
Site B:
WAN IP: 110.110.110.110
LAN IP: 30.30.30.0 /24
Device: Cisco PIX
Managed by: Me
Site C:
WAN IP: 120.120.120.120
LAN IP: 40.40.40.0 /24
Device: Astaro Security Gateway 220
Managed by: Third party at remote site
On Site C, I need to create VPN tunnels to both Site A and Site B. On both Cisco PIX devices, I have configured things in a similar way to when I need to connect to another site with a Cisco PIX. On Site C, the Astaro has been configured by the third party, and the following shows the current Site-to-Site IPSec tunnel status.
Site C to Site B [0 of 1 SAs established]
SA: 40.40.40.0 /24=120.120.120.120 -- 110.110.110.110=30.30.30.0 /24
VPN ID: 120.120.120.120
Error: No connection
Site C to Site A [1 of 2 SAs established]
SA: 40.40.40.0 /24=120.120.120.120 -- 100.100.100.100=10.10.10.0 /24
VPN ID: 120.120.120.120
IKE: Auth PSK / Enc 3DES_CBC_192 / Hash SHA / Lifetime 28800s / DPD
IPSec: Enc 3DEC_0 / Hash HMAC_MD5 / Lifetime 28800s
SA: 40.40.40.0 /24=120.120.120.120 -- 100.100.100.100=20.20.20.0 /24
VPN ID: 120.120.120.120
Error: No connection
1) From the status sent to me by the third party, it seems like 2 separate VPN tunnels from Site C to Site A (one to 10.10.10.0 and the other to 20.20.20.0) were configured. Normally, on a Cisco PIX, we only create one VPN tunnel and configure the access-list based on the number of LAN segments within that single VPN tunnel. I presume it should work the same way on other brands of firewall as well. Please advise me, as I have not touched an Astaro before.
2) The VPN ID for all 3 sites is the same. Could this be preventing the tunnel for Site C to Site B from coming up? Again, normally we create a unique VPN ID in Cisco.