Friday, September 25, 2009

Nortel Business Secure Router 222 and CISCO ASA 5500 Series VPN Connection


If you are trying to connect a Nortel Small Business Router 222 to a CISCO ASA 5505 or 5510 type device, you were probably not successful for a while (at least I was not).

What Worked For Me:
  • The major issue for me was finding which SA negotiation parameters to choose for Phase 1. Pretty much, this works only with the 3DES-SHA1 combo for me. I tried others and they won't work.
  • Phase 2 appears to have not much of a problem, whatever you choose.
  • Also, it seems that if you set the IKE->Policies: key lifetime to 86400 on the Nortel side, they do not like it.
Nortel Side:
  • Go to the VPN menu on the left
  • Edit or Create a new VPN Entry
  • Connection Type: Branch Office
  • Check Active
  • NAT Traversal enabled
  • Key management: IKE
  • Negotiation Mode: Main
  • Encapsulation Mode: Tunnel
  • Authentication: Pre-Shared Key
  • Local ID Type: IP
  • Content: The Outside IP address of the Nortel
  • Peer ID Type: IP
  • Content: The Peer VPN Access point address of CISCO ASA
  • My IP Address: The Outside IP address of the Nortel
  • Secure Gateway Address: The Peer VPN Access point address of CISCO ASA
  • ESP (Selected)
  • Go to Advanced Menu
  • Enable Replay Detection: Yes
  • Phase 1
  • Multiple Proposal: Not Checked
  • Negotiation Mode: Main
  • Encryption Algorithm: 3DES (most important, do not choose anything else)
  • Authentication Algorithm: SHA1 (most important, do not choose anything else)
  • SA Life Time (seconds): 24000 (do not choose 86400)
  • Key Group: DH1 (but make sure that IKE Policies on the CISCO end has this combo)
  • Phase 2
  • Multiple Proposal: Not Checked
  • Active Protocol: ESP
  • Encryption Algorithm: AES 256 (but can be 3DES)
  • Authentication Algorithm: SHA1
  • SA Life Time (Seconds): 24000 (do not use 86400)
  • Encapsulation: Tunnel
  • Perfect Forward Secrecy: None (very important)
On the CISCO Side (ASDM)
  • Go to Configuration
  • Open IKE->Policies node and be sure that 3des-sha DH group 1 pre-share authentication is in there. Lifetime(secs) can be left to 86400
  • Now use the VPN Wizard to complete the rest.
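
The IKE->Policies check above, as an added example that is not part of the original post: a small model of IKEv1 Phase 1 proposal matching that shows why the tunnel only comes up when the ASA holds a 3des-sha, DH group 1, pre-share policy. The ASA policy list is constructed sample data, and lifetime is deliberately left out of the match because the post runs 24000 on the Nortel against 86400 on the ASA.

```python
from typing import NamedTuple, Optional

# Attributes that must be identical on both peers for a Phase 1 match.
MATCH_FIELDS = ("encryption", "hash_alg", "dh_group", "auth")

class Proposal(NamedTuple):
    encryption: str
    hash_alg: str
    dh_group: int
    auth: str
    lifetime: int  # seconds; assumption: not a match criterion (see lead-in)

# Nortel Phase 1 settings from the post. "Multiple Proposal: Not Checked"
# means exactly one proposal is offered to the ASA.
NORTEL_P1 = Proposal("3des", "sha1", 1, "pre-share", 24000)

# Constructed sample of ASA IKE policies, keyed by priority number
# (lower number is evaluated first).
ASA_POLICIES = {
    10: Proposal("aes-256", "sha1", 2, "pre-share", 86400),
    20: Proposal("3des", "sha1", 2, "pre-share", 86400),
    30: Proposal("3des", "sha1", 1, "pre-share", 86400),
}

def mismatches(offer: Proposal, policy: Proposal) -> list:
    """Names of the match fields on which offer and policy differ."""
    return [f for f in MATCH_FIELDS if getattr(offer, f) != getattr(policy, f)]

def select_policy(offer: Proposal, policies: dict) -> Optional[int]:
    """Priority of the first policy that matches the offer, or None."""
    for prio in sorted(policies):
        if not mismatches(offer, policies[prio]):
            return prio
    return None

def explain_failure(offer: Proposal, policies: dict) -> dict:
    """Map each policy priority to the fields that block a match."""
    return {prio: mismatches(offer, pol) for prio, pol in sorted(policies.items())}

if __name__ == "__main__":
    print("matched ASA policy:", select_policy(NORTEL_P1, ASA_POLICIES))
    # Same ASA without the DH group 1 policy: no proposal can be chosen.
    without_g1 = {p: v for p, v in ASA_POLICIES.items() if p != 30}
    if select_policy(NORTEL_P1, without_g1) is None:
        for prio, fields in explain_failure(NORTEL_P1, without_g1).items():
            print(f"policy {prio}: differs in {', '.join(fields)}")
```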

1 comment:

Anonymous said...

AWESOME! I had a BSR222 ASA5505 tunnel running forever, then we moved office and I could never get it back. Thanks to your post, I finally got it up and running. Happy camper when I saw the log entry "Rule [GCIVPNStaticTunnel] Tunnel built successfully"

Thanks so much for sharing