Basic Site to Site VPN with pre-shared key

In the following example I configured a basic L2L VPN between 2 PIX firewall with pre-shared key. The Firewalls has different software versions, the sp2 is an old 6.3.4 version firewall (no more support..).

sp1 (Cisco PIX Security Appliance Software Version 7.1(2), PIX-515E)
E0 – ssw fa0/20
E1 – ssw fa0/12

sp2 (Cisco PIX Firewall Version 6.3(4), PIX-501)
E0 – ssw fa0/24
E1 – ssw fa0/16

my pc (Windows XP)
vlan 20

ssw (IOS ™ C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA2, cisco WS-C2950-24)
Fa0/20 – vlan 30
Fa0/12 – vlan 20
Fa0/24 – vlan 30
Fa0/16 – vlan 40

Topology:

SP1 configuration:

hostname sp1 domain-name default.domain.invalid enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface Ethernet0 nameif outside security-level 0 ip address 30.30.30.1 255.255.255.0 ! interface Ethernet1 nameif inside security-level 100 ip address 50.50.50.1 255.255.255.0 ! interface Ethernet2 shutdown no nameif no security-level no ip address ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive dns server-group DefaultDNS domain-name default.domain.invalid ! ! Specify the NAT ACL for traffic that should be encrypted, but not translated. ! access-list inside_nat0_outbound extended permit ip 50.50.50.0 255.255.255.0 40.40.40.0 255.255.255.0 ! ! Specify the Crypto ACL for traffic that should be encrypted. ! access-list outside_cryptomap_20 extended permit ip 50.50.50.0 255.255.255.0 40.40.40.0 255.255.255.0 pager lines 24 logging console debugging mtu inside 1500 mtu outside 1500 no failover asdm image flash:/asdm no asdm history enable arp timeout 14400 ! ! Specify the identity NAT ACL for traffic that should be encrypted. ! nat (inside) 0 access-list inside_nat0_outbound ! ! Specify the route for the other LAN. In this case it is the outside IP of the VPN peer. ! route outside 40.40.40.0 255.255.255.0 30.30.30.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute http server enable http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart ! ! Specify the Crypto ipsec transform set used for your crypto map. ! crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac ! ! Specify your crypto map. ! crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer 30.30.30.2 crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside ! ! Specify your isakmp map. ! isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 ! ! Specify your crypto map. ! tunnel-group 30.30.30.2 type ipsec-l2l tunnel-group 30.30.30.2 ipsec-attributes pre-shared-key mysecretkey telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global

SP2 configuration:

interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname sp2 fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names ! ! Specify the NAT ACL for traffic that should be encrypted, but not translated. ! access-list inside_nat0_outbound permit ip 40.40.40.0 255.255.255.0 50.50.50.0 255.255.255.0 ! ! Specify the Crypto ACL for traffic that should be encrypted. ! access-list outside_cryptomap_20 permit ip 40.40.40.0 255.255.255.0 50.50.50.0 255.255.255.0 no pager mtu outside 1500 mtu inside 1500 ip address outside 30.30.30.2 255.255.255.0 ip address inside 40.40.40.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 ! ! Specify the identity NAT ACL for traffic that should be encrypted. ! nat (inside) 0 access-list inside_nat0_outbound ! ! Specify the route for the other LAN. In this case it is the outside IP of the VPN peer. ! route outside 50.50.50.0 255.255.255.0 30.30.30.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable ! ! Enable the VPN traffic. With this command we globally enable the FW terminated VPN traffics on interfaces ! sysopt connection permit-ipsec ! ! Specify the Crypto ipsec transform set used for your crypto map. ! crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac ! ! Specify your crypto map. ! crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer 30.30.30.1 crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside ! ! Specify your isakmp map. ! isakmp enable outside isakmp key mysecretkey address 30.30.30.1 netmask 255.255.255.255 isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 telnet timeout 5 ssh timeout 5 management-access inside console timeout 0 terminal width 80

Comment:

The PIX 7 OS accepts isakmp key <key> address <ip address> netmask <netmask> command, but it converts to tunnel-group … command format.