In this example, Cisco routers (here Cisco 831 and Cisco 837) sit at remote sites and connect over a VPN to a main site that has a NetScreen 5XT firewall.
Cisco 831/837 router VPN Configuration.
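! Pre-shared key used to authenticate to the NetScreen
crypto keyring merope
 pre-shared-key address <<NetScreen untrust ip address>> key <<key>>
!
! IKE phase 1 policy: 3DES, MD5, pre-shared key, DH group 2
! (matches the NetScreen proposal "pre-g2-3des-md5")
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
! The user-fqdn identity must match the id set on the NetScreen ike gateway;
! aggressive mode matches "Aggr" on the NetScreen side
crypto isakmp profile vpn-connection
 description VPN Connection to Main Site
 keyring merope
 self-identity user-fqdn <<hostname>>@<<domain name>>
 match identity address <<NetScreen untrust ip address>> 255.255.255.255
 initiate mode aggressive
!
!
! IPsec phase 2 transform: ESP with 3DES and HMAC-MD5
! (with "set pfs group2" below, matches the NetScreen proposal "g2-esp-3des-md5")
crypto ipsec transform-set crypto-set esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer <<NetScreen untrust ip address>>
 set transform-set crypto-set
 set pfs group2
 set isakmp-profile vpn-connection
 match address VPN-ACL
!
! Traffic between the two sites' ranges is what gets encrypted
ip access-list extended VPN-ACL
 remark VPN Encryption with Main Site
 permit ip <<local IP Range>> 0.0.0.255 <<Remote IP Range>> 0.0.0.255
!
! Apply the crypto map to the Internet-facing interface
interface <<External Interface>>
 crypto map vpn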
NetScreen 5XT Configuration.
(mind the line breaks)
set address "Untrust" "<<Remote IP Range>>/255.255.255.0" <<Remote IP Range>> 255.255.255.0 "Remote Site VPN"
set ike gateway "<<remote-hostname>>" address 0.0.0.0 id "<<remote-hostname>>@<<domain name>>" \
  Aggr outgoing-interface "ethernet3" preshare "<<key>>" proposal "pre-g2-3des-md5"
unset ike gateway "<<remote-hostname>>" nat-traversal
set vpn "<<remote-hostname>>" gateway "<<remote-hostname>>" replay tunnel idletime 0 proposal \
  "g2-esp-3des-md5"
set policy id 9 name "<<remote-hostname>>" from "Untrust" to "home" "<<Remote IP Range>>/255.255.255.0" \
  "<<Local IP Range>>/255.255.255.0" "ANY" tunnel vpn "<<remote-hostname>>" id 6 pair-policy 8
set policy id 8 name "<<remote-hostname>>" from "home" to "Untrust" "<<Local IP Range>>/255.255.255.0" \
  "<<Remote IP Range>>/255.255.255.0" "ANY" tunnel vpn "<<remote-hostname>>" id 6 pair-policy 9