
PIX to Nortel 4600 VPN

Status
Not open for further replies.

foobad (MIS), Jul 18, 2003, US
A client of ours wants to use a site-to-site VPN from their Nortel 4600 to our PIX 520 (6.3/3.0). They want to connect to a server in our DMZ but they have no route to the internet. Ergo, they have to establish a tunnel and we have to set up a translation so that the server they need access to appears to be on their network.

Now, I figured this would be really easy. He ran his site-to-site wizard and I ran mine, we standardized on esp-3des-md5 and traded our shared secret. However, he could not connect (and I have no idea how to tell the Cisco to establish the tunnel). The Nortel uses PFS by default, so I turned that on. Still no dice. We switched to SHA from MD5, still no dice. His box was telling him that it couldn't even establish the tunnel between the peers.

Obviously we have to be able to establish the tunnel before we try testing the translation. Any tips?
 
Hi.

First of all - can each peer ping the other?

> I have no idea how to tell the cisco to establish the tunnel
You can try to ping from an internal host to the other side over the tunnel to initiate it.

You should use some debug commands on the PIX.
Try "debug crypto ?"
(If you connect via telnet/ssh, then you might also need the "terminal monitor" command.)
And look at the links:

You should check all the ISAKMP/IPSec timeout values.
The defaults are not the same with different devices.

Try also the command:
isakmp identity ?

Yizhar Hurwitz
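A PIX 6.3 configuration sketch for the setup described in this thread, added here as an illustration and not the configuration of either poster. The interface name dmz, all addresses and the key are constructed placeholders, and the translated subnet is assumed to be one the client already routes toward its Nortel rather than its local LAN. It ties together the points above: matching Phase 1 proposal, explicit lifetimes, isakmp identity, the static translation, and the debug commands.

```cisco
! Constructed addresses: PIX outside 203.0.113.1, Nortel 4600 peer 198.51.100.2
! Client LAN behind the Nortel: 192.168.10.0/24
! Real DMZ server: 172.16.1.10, presented to the client as 192.168.99.10
! (192.168.99.0/24 is assumed to be a subnet the client routes toward its Nortel)

! Phase 1 (ISAKMP): proposal, lifetime and identity type must match the Nortel side
isakmp enable outside
isakmp identity address
isakmp key SHARED-SECRET-PLACEHOLDER address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Translation: the DMZ host appears to the client as 192.168.99.10
static (dmz,outside) 192.168.99.10 172.16.1.10 netmask 255.255.255.255

! Phase 2 (IPSec): the crypto ACL is evaluated against translated addresses,
! so it names 192.168.99.10, not the real 172.16.1.10
access-list to-nortel permit ip host 192.168.99.10 192.168.10.0 255.255.255.0
crypto ipsec transform-set nortel-ts esp-3des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address to-nortel
crypto map vpnmap 10 set peer 198.51.100.2
crypto map vpnmap 10 set transform-set nortel-ts
crypto map vpnmap 10 set pfs group2
crypto map vpnmap 10 set security-association lifetime seconds 28800
crypto map vpnmap interface outside

! Let decrypted tunnel traffic bypass the interface ACLs
sysopt connection permit-ipsec

! Troubleshooting from a telnet/ssh session: watch Phase 1 first, then Phase 2
terminal monitor
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa
```

If "show crypto isakmp sa" never shows the peer in QM_IDLE, the problem is in Phase 1 (key, identity type, or proposal mismatch) and the Phase 2 settings are not yet being tested.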
 