
NS 5GT Site-to-Site VPN Question


ETBOY

Technical User
Dec 2, 2002
Hi,

I'm new to configuring NS devices and VPNs.

My network layout is:

(t)NS5gt(u)<--->WLAN bridge<--->WLAN bridge<--->(u)NS5gt(t)

I want to set up a VPN between my two sites, which are interconnected with WLAN bridges. I have 3 different subnets.
For tests I use a cross-over cable instead of the WLAN bridge.

My questions are:

1- What is the most secure method to implement, policy- or route-based VPN?

2- I have configured with success the example of a policy-based site-to-site VPN with Manual Key in C&E, but the AutoIKE case didn't work.

I have configured the following:

VPNs > AutoKey Advanced > Gateway > New: Enter the following, and then click OK:
Gateway Name: To_Paris
Security Level: Custom
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: 2.2.2.2

Preshared Key: h1p8A24nG5
Outgoing Interface: ethernet3
> Advanced: Enter the following advanced settings, and then click OK to
return to the basic Gateway configuration page:
Security Level: Custom
Phase 1 Proposal (For Custom Security Level):
pre-g2-3des-sha
Mode (Initiator): Main (ID Protection)

VPNs > AutoKey IKE > New: Enter the following, and then click OK:
VPN Name: Tokyo_Paris
Security Level: Compatible
Remote Gateway: Predefined: (select), To_Paris


I use debug ike all, but I don't see any info in the console. How can I see it?

From inside the trust zone of site A I can ping the untrust zone of site B, but I can't ping the trust zone of site B.

3- I have 3 subnets in the two sites. What do I have to config to forward traffic from the 3 subnets in the VPN?

Could someone give me some help?
Thanks
Best Regards
 
Hello,

I would go with a Policy Based VPN like you did. Are the subnets defined in your Policies? Once you run "debug ike all" you would need to clear the DB "clear db" then test, and then "get db str". This will display the output in the buffer.
Let me know.

Rgds,

John
 
Hello,

With reference to whether policy-based or route-based VPN tunnels are more secure, basically they are both as secure as each other. Route-based VPNs are definitely more flexible, especially as the size of your network grows; if it is just a single site-to-site VPN then it doesn't really matter too much. Although personally I would recommend that you start to use route-based VPNs now before your infrastructure starts to grow.

With reference to debugging, you have selected the correct command to debug IKE, but to list the output to the terminal enter the following command:

get dbuf stream

If you want to clean down the dbuf buffer before commencing a new test, enter the following command:

clear dbuf

I would also recommend that you use AutoKey IKE rather than Manual Key and explicitly set the 'security level' the same at each end of the VPN, i.e. dh2-esp-3des-sha; it just reduces the potential for any errors.
 
Hi,

I'm sorry for my late reply... too many things to do!
I didn't understand how to configure the NS 5GT for traffic with different subnets.

I have 3 subnets in the two sites. What do I have to config to forward traffic from the 3 subnets in the VPN?
Shouldn't I config NS 5GT in transparent mode?

Could someone give an example of configuration please?
Thank you

BR,
 
Hello Etboy,

You would use Transport mode when your Firewall is acting as a Layer 2 switch. If your Firewall is also routing between these three subnets, you would need to create bi-directional VPN's. Let me know what parts you don't understand and I will try and help.

Rgds,

John
 
Hi,

My LAB scenario is:

Layer2 Switch<--->NS5gt(u)<--->crossover cable<--->(u)NS5gt(t)<-->Layer3 Switch

I have 3 subnets in each site, and I'm only doing routing in the L3 switch. I don't have a firewall.

I'm a newbie in configuring the NS5GT, so what do I have to configure to forward traffic for more than one subnet? I have configured with success a policy-based VPN for one subnet following the example in the guide, but I don't know how to configure more subnets in the NS5GT.
If you could please give me some config details.
Thank you

BR,

MC



 
Hey,

If you're simply adding subnets, you would add them to the policy like you did for your existing Policy Based VPN.

I'm guessing you have default routes set up, so each LAN should be able to reach the other via the VPN.

Rgds,

John
 
Hi,

Following the C&E example of policy-based routing, I have created the following (the IP addresses are different):

Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: Trust_LAN
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.0/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: Paris_Office
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.0/24
Zone: Untrust


VPNs > Manual Key > New: Enter the following, and then click OK:
VPN Tunnel Name: Tokyo_Paris
Gateway IP: 2.2.2.2
Security Index: 3020 (Local), 3030 (Remote)
Outgoing Interface: ethernet3
ESP-CBC: (select)
Encryption Algorithm: 3DES-CBC
Generate Key by Password: asdlk24234
Authentication Algorithm: SHA-1
Generate Key by Password: PNas134a
> Advanced: Enter the following advanced settings, and then click Return to
return to the basic Manual Key tunnel configuration page:
Bind to: Tunnel Zone, Untrust-Tun

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250


Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Name: To/From Paris
Source Address:
Address Book Entry: (select), Trust_LAN
Destination Address:
Address Book Entry: (select), Paris_Office
Service: ANY
Action: Tunnel
Tunnel VPN: Tokyo_Paris
Modify matching bidirectional VPN policy: (select)
Position at Top: (select)


- So, I have to create more entries in the addresses menu for the other subnets and then create more policies, right?

- Is the VPN Tunnel in the policy the same in the new policies?

- Regarding routing entries, I don't have a router, so I put the IP address of the untrust interface of the other site in one site and vice versa. When I have more than one subnet, how do I solve this?


Thanks,

BR,
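The questions in the last post (several subnets, one tunnel in every policy, routes without a router) and the earlier debug question can be answered in one site's CLI configuration. This is an added example, not a posting from the thread or a ScreenOS document; the CLI forms are the ones the C&E guide prints beside its WebUI steps, the object and gateway names are the thread's, the subnets 10.1.x.0/24 and 10.2.x.0/24, the L3 switch address 10.1.1.254 and the pre-shared key placeholder are constructed, and lines beginning with # are annotations rather than CLI input.

```screenos
# Site A (Tokyo side). Peer untrust address 2.2.2.2 as in the thread.

# 1. One address object per subnet, then a group per side so a single
#    policy pair covers every local/remote combination.
set address "Trust" "Trust_LAN"  10.1.1.0 255.255.255.0
set address "Trust" "Trust_LAN2" 10.1.2.0 255.255.255.0
set address "Trust" "Trust_LAN3" 10.1.3.0 255.255.255.0
set group address "Trust" "Local_Nets" add "Trust_LAN"
set group address "Trust" "Local_Nets" add "Trust_LAN2"
set group address "Trust" "Local_Nets" add "Trust_LAN3"

set address "Untrust" "Paris_Office"  10.2.1.0 255.255.255.0
set address "Untrust" "Paris_Office2" 10.2.2.0 255.255.255.0
set address "Untrust" "Paris_Office3" 10.2.3.0 255.255.255.0
set group address "Untrust" "Remote_Nets" add "Paris_Office"
set group address "Untrust" "Remote_Nets" add "Paris_Office2"
set group address "Untrust" "Remote_Nets" add "Paris_Office3"

# 2. AutoKey IKE gateway with an explicit Phase 1 proposal. The peer must
#    be configured with the identical proposal and pre-shared key.
set ike gateway "To_Paris" address 2.2.2.2 Main outgoing-interface "ethernet3" preshare "PRESHARED_KEY_PLACEHOLDER" proposal "pre-g2-3des-sha"

# 3. The VPN itself, with an explicit Phase 2 proposal (PFS group 2,
#    ESP 3DES/SHA-1) instead of the "Compatible" predefined level, so both
#    ends negotiate exactly one known proposal.
set vpn "Tokyo_Paris" gateway "To_Paris" proposal "g2-esp-3des-sha"

# 4. Routes. With no router on the untrust side the default route points
#    at the peer's untrust address; the two subnets not directly on the
#    trust interface are reached through the L3 switch (constructed).
set route 0.0.0.0/0 interface ethernet3 gateway 2.2.2.2
set route 10.1.2.0/24 interface trust gateway 10.1.1.254
set route 10.1.3.0/24 interface trust gateway 10.1.1.254

# 5. One tunnel policy in each direction referencing the same VPN name;
#    the WebUI's "Modify matching bidirectional VPN policy" creates the
#    second one for you.
set policy top from "Trust" to "Untrust" "Local_Nets" "Remote_Nets" "ANY" tunnel vpn "Tokyo_Paris"
set policy top from "Untrust" to "Trust" "Remote_Nets" "Local_Nets" "ANY" tunnel vpn "Tokyo_Paris"

# 6. IKE debugging goes to the debug buffer, not the console: empty it,
#    enable the debug, generate traffic from a trust host, then read it.
clear dbuf
debug ike all
#   (ping a host in 10.2.1.0/24 from the trust side here)
get dbuf stream
undebug all
```

Mirror the same objects, proposals and key on the Paris 5GT with the address groups swapped, then confirm Phase 1 and Phase 2 with `get ike cookies` and `get sa`.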
 