User Guide
Last updated by ah – October 30, 2000
COMMANDS FOR CISCO PIX

Each command is followed by its description.

Set ACCESS LIST

access-list 120 permit ip 10.0.0.0 255.255.255.0 192.0.0.0 255.0.0.0
    Specifies the inside (source) network and the destination network whose
    traffic is to be protected by the tunnel.

access-list nonat permit ip 10.0.0.0 255.255.255.0 192.0.0.0 255.0.0.0
    Turns NAT off for packets coming from the VPN tunnel.

sysopt connection permit-ipsec
    Allows packets arriving through the IPSec tunnel to bypass the interface
    access lists.

sysopt ipsec pl-compatible
    Required for PIX versions before 5.0.

Define IKE parameters

isakmp enable outside
    Enables ISAKMP (IKE) on the outside interface.

isakmp key SonicWALL address 128.6.3.12 netmask 255.255.255.255
    Configures a pre-shared authentication key with the isakmp key global
    configuration command. In this case the pre-shared secret is "SonicWALL"
    and the peer is 128.6.3.12.

isakmp identity address
    Uses the interface IP address as the ISAKMP identity presented to the peer.

isakmp policy 20 encryption des
    Specifies the encryption algorithm within the IKE policy.

isakmp policy 20 hash md5
    Specifies the hash algorithm within the IKE policy.

isakmp policy 20 group 1
    Specifies Diffie-Hellman group 1.

isakmp policy 20 authentication pre-share
    Specifies the authentication method within the IKE policy, using the
    authentication (IKE policy) ISAKMP policy configuration command.

isakmp policy 20 lifetime 3600
    Sets the lifetime, in seconds, after which the IKE security association is
    renegotiated. The value 3600 can be changed.

Define IPSEC parameters

crypto ipsec transform-set sonic esp-des esp-md5-hmac
    Defines a transform set (an acceptable combination of security protocols
    and algorithms) with the crypto ipsec transform-set global configuration
    command. Here you can specify whether to use ESP with authentication and
    DES or 3DES.

crypto map sonic-map 20 ipsec-isakmp
    Indicates that IKE will be used to establish the IPSec security
    associations for protecting the traffic specified by this crypto map
    entry. The sequence number (20 in this entry) identifies the crypto map
    entry.

crypto map sonic-map 20 match address 120
    Specifies the extended access list (120, defined above) for the crypto map
    entry.

crypto map sonic-map 20 set peer 128.6.3.12
    Specifies the IPSec peer for the crypto map entry.

crypto map sonic-map 20 set transform-set sonic
    Specifies which transform sets can be used with the crypto map entry.

crypto map sonic-map interface outside
    Applies the crypto map to the outside interface.
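An added example, not part of this guide: a small Python checker that parses a PIX fragment built from the commands above and flags the choices a reviewer would question today (DES, MD5, DH group 1) as well as a crypto map entry whose match address refers to an access list that is never defined. The configuration text and the "weak" sets are constructed here; the parse_pix and audit helpers are hypothetical names.

```python
# Constructed sample from this guide's commands; deliberate defect: access list 130 is never defined.
SAMPLE_CONFIG = """
access-list 120 permit ip 10.0.0.0 255.255.255.0 192.0.0.0 255.0.0.0
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
crypto ipsec transform-set sonic esp-des esp-md5-hmac
crypto map sonic-map 20 ipsec-isakmp
crypto map sonic-map 20 match address 130
crypto map sonic-map 20 set peer 128.6.3.12
crypto map sonic-map 20 set transform-set sonic
"""
# Values treated as weak (assumption reflecting current guidance, not the guide's).
WEAK_POLICY = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}

def parse_pix(text: str) -> dict:
    """Index ISAKMP policies, transform sets, access-list ids and crypto map entries."""
    cfg = {"policies": {}, "transforms": {}, "acls": set(), "maps": {}}
    for line in text.splitlines():
        w = line.split()
        if len(w) >= 5 and w[:2] == ["isakmp", "policy"]:
            cfg["policies"].setdefault(w[2], {})[w[3]] = w[4]   # seq -> {attr: value}
        elif len(w) >= 5 and w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"][w[3]] = w[4:]                      # name -> [esp-des, ...]
        elif len(w) >= 2 and w[0] == "access-list":
            cfg["acls"].add(w[1])
        elif len(w) >= 7 and w[:2] == ["crypto", "map"] and w[3].isdigit():
            entry = cfg["maps"].setdefault(f"{w[2]} {w[3]}", {})
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif w[4] == "set":                                  # set peer / set transform-set
                entry[w[5]] = w[6]
    return cfg

def audit(cfg: dict) -> list:
    """Return findings; an empty list means no weak or dangling settings were seen."""
    out = []
    for num, attrs in cfg["policies"].items():
        for attr, weak in WEAK_POLICY.items():
            if attrs.get(attr) in weak:
                out.append(f"isakmp policy {num}: weak {attr} {attrs[attr]}")
    for name, algs in cfg["transforms"].items():
        out += [f"transform-set {name}: weak {a}" for a in algs if a in WEAK_TRANSFORMS]
    for key, entry in cfg["maps"].items():
        if "acl" in entry and entry["acl"] not in cfg["acls"]:
            out.append(f"crypto map {key}: match address {entry['acl']} is undefined")
        out += [f"crypto map {key}: missing {r}" for r in ("acl", "peer", "transform-set") if r not in entry]
    return out
```

Running audit(parse_pix(SAMPLE_CONFIG)) yields six findings for the sample; once the access list reference is corrected to 120, only the five algorithm findings remain.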