Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Contivity IPSec Peer with Cisco PIX 3

Status
Not open for further replies.
netKIZ

netKIZ

Technical User
Jan 24, 2007
8
0
0
US
Hi,

I have a site-to-site VPN (IPSec) tunnel between a Nortel Contivity and a Cisco PIX. Only when the tunnel is initiated from the Nortel Contivity is traffic encrypted and decrypted. If the tunnel is initiated from the Cisco PIX I cannot pass traffic.

Is there a setting on the Contivity that controls this behavior?

More details: I do not have access to the Contivity however I have screenshots of the IPsec and ISAKMP settings on the Contivity. Contivity device is in Spain and my spainish is limited so am unable to fully explain this behavior to the engineer.

Thanks for you help!
 
Sort by date Sort by votes
Hi - Want to ask again if anyone has ran into this issue?
Have any Contivity gurus successfuly built a VPN site-to-site IPSec tunnel with a Cisco PIX?

The problem I have ran into is if the Cisco PIX initiates the tunnel, packets are not encrypted/decrypted.

Would this be an access control issue or does the Contivity have a setting that would control which end can intiate the tunnel?

Any info/feedback is greatly appreciated!
 
Upvote 0 Downvote
The contivity has 3 possible settings for the tunnel setup. "Initiator", "Responder", and "Peer-to-Peer". I would recommend using "Peer-to-Peer. The other thing I would do is "Nail up" the tunnel on the Contivity.

Good Luck
 
Upvote 0 Downvote
Yes, we have been successful doing this. The trick was in the IPSec negotiation - you must ENSURE that all parameters are identical. All parameters must be same between the peer devices...the usual thing to mess up is the available networks. People overlook this as a routing issue, however this is necessary part of the IPSec negotiation. I agree to leave it as peer-to-peer to allow either side to negotiate.

I hope this is helpful.

-HH
 
Upvote 0 Downvote
I have also been sucessful with this configuration. Follow what HungyHouse said. IPSEC encryption set the same and IKE set the same. Also I have found that PIX may require a key to do 3des.

Also verify the Contiviy has the following IPSEC set in the group:

Compression: disabled
Vendor ID : disabled
PFS (perfect forward secrecy): disabled

 
Upvote 0 Downvote
Thank you all for your replies.

This issue has finally been resolved.

The resolution was to set Vendor ID to disabled (thx datacomm5).

We were able to leave PFS enabled on the Contivity and on the PIX we have set PFS to group 2.

Thanks again!!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Tre0307
  • Locked
  • Question
Need help with Upgrade recommendations
Replies
1
Views
133
Westi
Westi
Wayne VanTassell
  • Locked
  • Question
Nortel to Cisco
Replies
0
Views
48
Wayne VanTassell
Wayne VanTassell
Iniesta
  • Locked
  • Question
Connect 61C with Cisco router with Tie
Replies
0
Views
45
Iniesta
Iniesta
Elanaclearcom
  • Locked
  • Question
Can't communicate with switch
Replies
1
Views
99
Westi
Westi
sidisofi
  • Locked
  • Question
2 Avaya CS1000 failed to register one another across Cisco IP network running OSPF
Replies
0
Views
50
sidisofi
sidisofi

Part and Inventory Search

Sponsor

Back
Top