Friday, September 25, 2009

Nortel Business Secure Router 222 and CISCO ASA 5500 Series VPN Connection

Symptom:

You would like to connect Nortel Small Business Router 222 to CISCO ASA 5505 or 5510 type device. You were probably not successful for a while (at least for me).

What Worked For Me:
  • The major issue for me was to find what types of SA negotiation parameters to choose for the Phase 1. Pretty much this works only with 3DES-SHA1 combo for me. I tried others and won't work.
  • Phase 2 appears to have not much problem whatever you choose.
  • Also it seems that if you set the IKE->Policies : key lifetime to 86400 on the Nortel side they do not like.
Nortel Side:
  • Go to the VPN menu on the left
  • Edit or Create a new VPN Entry
  • Connection Type: Branch Office
  • Check Active
  • NAT Transversal enabled
  • Key management: IKE
  • Negotiation Mode: mAIN
  • Encapsulation Mode: Tunnel
  • Authentication: Pre-Shared Key
  • Local ID Type: IP
  • Content: The Outside IP address of the Nortel
  • Peer ID Type: IP
  • Content: The Peer VPN Access point address of CISCO ASA
  • My IP Address: The Outside IP address of the Nortel
  • Secure Gatway Address: The Peer VPN Access point address of CISCO ASA
  • ESP (Selected)
  • Go to Advanced Menu
  • Enable Replay Detection: Yes
  • Phase 1
  • Multiple Proposal: Not Checked
  • Negotiation Mode: Main
  • Encryption Algorithm: 3DES (most important, do not choose anything else)
  • Authentication Algorithm: SHA1 (most important, do not choose anything else)
  • SA Life Time (seconeds): 24000 (do not choose 86400)
  • Key Group DH1 (but make sure that IKE Policies on the CISCO end has this combo)
  • Phase 2
  • Multiple Proposal: Not Checked
  • Active Protocol: ESP
  • Encryption Algorithm: ASE 256 (but can be 3DES)
  • Authentication Algorithm: SHA1
  • SA Life Time (Seconds): 24000 (do not use 86400)
  • Encapsulation: Tunnel
  • Perfect Forwarding Security: None (very important)
On the CISCO Side (ASDM)
  • Go to Configuration
  • Open IKE->Policies node and be sure that 3des-sha DH group 1 pre-share authentication is in there. Lifetime(secs) can be left to 86400
  • Now use the VPN Wizard to complete the rest.

1 comment:

Anonymous said...

AWESOME! I had a BSR222 ASA5505 tunnel running forever, then we moved office and I could never get it back. Thanks to your post, I finally got it up and running. Happy camper when I saw the log entry "Rule [GCIVPNStaticTunnel] Tunnel built successfully"

Thanks so much for sharing