Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Contivity IPSec Peer with Cisco PIX 3

Status
Not open for further replies.

netKIZ

Technical User
Jan 24, 2007
8
US
Hi,

I have a site-to-site VPN (IPSec) tunnel between a Nortel Contivity and a Cisco PIX. Only when the tunnel is initiated from the Nortel Contivity is traffic encrypted and decrypted. If the tunnel is initiated from the Cisco PIX I cannot pass traffic.

Is there a setting on the Contivity that controls this behavior?

More details: I do not have access to the Contivity however I have screenshots of the IPsec and ISAKMP settings on the Contivity. Contivity device is in Spain and my spainish is limited so am unable to fully explain this behavior to the engineer.

Thanks for you help!
 
Hi - Want to ask again if anyone has ran into this issue?
Have any Contivity gurus successfuly built a VPN site-to-site IPSec tunnel with a Cisco PIX?

The problem I have ran into is if the Cisco PIX initiates the tunnel, packets are not encrypted/decrypted.

Would this be an access control issue or does the Contivity have a setting that would control which end can intiate the tunnel?

Any info/feedback is greatly appreciated!
 
The contivity has 3 possible settings for the tunnel setup. "Initiator", "Responder", and "Peer-to-Peer". I would recommend using "Peer-to-Peer. The other thing I would do is "Nail up" the tunnel on the Contivity.

Good Luck
 
Yes, we have been successful doing this. The trick was in the IPSec negotiation - you must ENSURE that all parameters are identical. All parameters must be same between the peer devices...the usual thing to mess up is the available networks. People overlook this as a routing issue, however this is necessary part of the IPSec negotiation. I agree to leave it as peer-to-peer to allow either side to negotiate.

I hope this is helpful.

-HH
 
I have also been sucessful with this configuration. Follow what HungyHouse said. IPSEC encryption set the same and IKE set the same. Also I have found that PIX may require a key to do 3des.

Also verify the Contiviy has the following IPSEC set in the group:

Compression: disabled
Vendor ID : disabled
PFS (perfect forward secrecy): disabled

 
Thank you all for your replies.

This issue has finally been resolved.

The resolution was to set Vendor ID to disabled (thx datacomm5).

We were able to leave PFS enabled on the Contivity and on the PIX we have set PFS to group 2.

Thanks again!!
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top