This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Astaro ASG to Cisco Pix

Has anyone had success in integrating these two with the following parameters?

IKE encryption: 3DES
IKE authentication: MD5
IKE Lifetime SA: 86400
IKE DH Group: Group 1

IPSEC encryption: 3DES
IPSEC authentication: MD5
IPSEC SA Lifetime: 3600
IPSEC DH Group: None

Please share your experience and Cisco config files. Or if you think there is something wrong with this parameter please let me know. I keep getting NO_PROPOSAL_CHOSEN errors from the Cisco unit.
The pre-shared key is correct so I am not sure if there is anything else I need to do.

Thanks.

This thread was automatically locked due to age.

Parents

0 BarryG over 17 years ago

The MD5 settings were inconsistent before, so I used SHA1.
Also, I used AES as it should be faster than 3des.

More info
https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/52735

https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/52525

The real problem I originally had was getting the timeouts set equally on both ends... Cisco names some things differently, so it was confusing.

Running this on ASL 6.3x now, with a Cisco VPN concentrator, but I believe we were originally doing it with a PIX 525.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 Flancer over 17 years ago in reply to BarryG

Hi Barry, thanks for the tips. Have you tried this from 7.1?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Flancer over 17 years ago in reply to BarryG

Hi Barry, thanks for the tips. Have you tried this from 7.1?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BarryG over 17 years ago in reply to Flancer

Not yet.

My understanding is the site-to-site VPNs in 7.x are similar to 6.x, with minor tweaks (such as fixing the automatic reconnects if a key is used for multiple tunnels).

7.x does radically change the remote access VPNs, though, using OpenSSL VPN tunnels, I believe.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 17 years ago in reply to BarryG

My experience with converting V6 customers over to V7 with site to site VPNs (between ASGs and other miscellaneous VPN hardware) has been relatively troublefree.

While Astaro has added the option to use a SSL VPN for remote "road warrior" users, the ability to configure "road warrior" IPSEC VPN users as well... they didn't eliminate that option.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel