User Guide

ManualsBrandsSonicWALL ManualsOtherVPN INTEROPERABILITY WITH CISCO IOS PIX USING IKE

Last updated by ah – October 30, 2000

SonicWALL VPN Interoperability with Cisco IOS/PIX using IKE

Tech note prepared by SonicWALL, Inc.

SonicWALL, Inc.

1160 Bordeaux Drive

Sunnyvale, CA

94089

1-408-745-9600

Summary of content (6 pages)

PAGE 1
SonicWALL VPN Interoperability with Cisco IOS/PIX using IKE Tech note prepared by SonicWALL, Inc. SonicWALL, Inc.
PAGE 2
Introduction: VPN standards are still evolving and interoperability between products is a continued effort. SonicWALL has made progress in this area and is interoperable with Cisco IOS/PIX using IKE as shown below. Advanced setups are possible but are not covered in this document. This tech-note assumes the reader has a working knowledge of Cisco IOS/PIX management tools and SonicWALL appliance configuration.
PAGE 3
SonicWALL Configuration On the SonicWALL, create an SA. 1. Change the IPSec Keying Mode to IKE. 2. Fill in the IPSec gateway (in this example 216.5.31.42) 3. Fill in the appropriate Destination Network (in this example 10.0.0.0) and Subnet Mask (in this example 255.255.255.0) 4. Select ESP DES HMAC MD5 or ESP 3DES HMAC MD5 A Sample Screen shot from SonicWALL firmware version 5.0 is displayed below CISCO IOS/PIX Configuration The Cisco IOS/PIX system has a very rich and complex instruction set.
PAGE 4
COMMANDS FOR CISCO IOS Command Access-list 120 permit ip 10.0.0.0 0.255.255.255 host 192.0.0.0 0.0.0.255 crypto isakmp policy 20 encr 3des hash md5 authentication pre-share exit crypto isakmp key SonicWALL address 128.6.3.12 crypto ipsec transform-set sonic esp-des esp-md5-hmac crypto map sonic-map20 localaddress Ethernet0/1 crypto map sonic-map20 5 ipsec-isakmp set peer 128.6.3.
PAGE 5
COMMANDS FOR CISCO PIX Command Description Set ACCESS LIST To specify the inside and destination networks Access-list 120 permit ip host 10.0.0.0 255.255 255.0 host 192.0.0.0 255.0.0.0 Access-list nonat permit ip host 10.0.0.0 This turns NAT off for packets coming from the VPN 255.255 255.0 host 192.0.0.0 255.0.0.0 tunnel Sysopt connection permit-ipsec Sysopt ipsec pl-compatible Required for PIX version before 5.
PAGE 6
To Test the VPN tunnel: From the PC behind the Cisco IOS/PIX firewall, try to ping 192.0.0.1 From the PC behind the SonicWALL, try to ping 10.0.0.1 Trouble Shooting Tips: Use the Log Viewer on the Cisco IOS/PIX and the SonicWALL to determine if IKE negotiation has started. If IKE negotiation is complete but pings timeout, the Cisco IOS/PIX host computer may need route configuration.