Tom, If you're still struggling with this, let me know. I recently got this working with a different Cisco end point using a trunk image.
Darrick

Lonnie Abelbeck wrote:
> Tom,
>
> IPsec "info" log level is usually quite useful on the AstLinux side.
> Either post it here, or email me privately.
>
> Yes, "Group 2" for Phase one and "PFS Group: 2" for Phase 2. If the
> PIX has "PFS Group: none" or "No perfect forward secrecy" this needs
> to be changed.
>
> Lonnie
>
>
> On Sep 15, 2009, at 12:26 PM, Tom Mazzotta wrote:
>
>> FYI, changing the address on the astlinux side definitely helped.
>> However, even after doing that and adding double-quotes to the
>> pre-shared key (on the PIX side only) we are still not connecting. The
>> final error is "phase1 negotiation failed due to time up", phase 2
>> is also failing (due to timeout on phase 1). We will try to analyze
>> the logging on the PIX side next, but because the device is EOL,
>> we won't get any support from Cisco.
>>
>> We are using "Group 2" for phase 1 in the PIX; should we be using
>> something else? I'm also checking if the PIX is configured for main
>> mode. Any other ideas?
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck [mailto:li...@lonnie.abelbeck.com]
>> Sent: Tuesday, September 15, 2009 10:52 AM
>> To: AstLinux Users Mailing List
>> Subject: Re: [Astlinux-users] VPN with Cisco PIX
>>
>>
>> On Sep 15, 2009, at 8:33 AM, David Kerr wrote:
>>
>>>
>>> On Tue, Sep 15, 2009 at 9:10 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>>> On Sep 14, 2009, at 10:17 PM, Tom Mazzotta wrote:
>>>
>>>> 3. Regarding the addressing, astlinux led me to believe that it
>>>> supported a dynamic end-point because the default value in the
>>>> local-host ip field is $EXTIP. Is this a legit value, or should I change
>>>> it to the actual IP used by the WAN i/f, even if it might change in
>>>> the future? Is it possible that a future version might support at
>>>> least one dynamic endpoint?
>>> If you are using DHCP for the external interface, then you can't use
>>> $EXTIP as the local-host value, instead use the actual IP address.
>>> (or 0.0.0.0 wildcard)
>>>
>>> Would it be possible to use a URL and DNS lookup? For example
>>> xxxx.dyndns.org that is registered and kept up-to-date with inadyn?
>>>
>>> David
>> No, not with IPsec using 'main' mode, the actual IP address is a part
>> of the security policy.
>>
>> Using certificates is a solution, but trunk/0.7 does not support that.
>>
>> Also a FQDN 'could' be used as an identity, but that requires the use
>> of 'aggressive' mode which has security issues, so we chose not to
>> support that.
>>
>> Lonnie
>>
>

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
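As an added example (not code from the thread, AstLinux or Cisco), the Python model below walks through the checks the thread keeps coming back to: both peers must use the same exchange mode and agree on a Phase 1 proposal (DH "Group 2"), the Phase 2 PFS group must match exactly ("none" is not "group 2"), and in main mode with a pre-shared key the responder has to find the key by the peer's source IP address before it can read the identity payload, which is why an unexpanded $EXTIP placeholder, a changed DHCP lease or an FQDN identity fails. The peer addresses (from documentation ranges), the key, the field names and the two peer configurations are all constructed for illustration.

```python
"""Model of an IKEv1 pre-shared-key negotiation between two site-to-site peers.

Added example, not AstLinux, racoon or PIX code.  It reports the mismatches
that make a tunnel fail to come up; the failure strings are illustrative.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, AddressValueError
from typing import Optional


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str   # "3des", "aes128", ...
    hash_alg: str     # "md5" or "sha1"
    dh_group: int     # IKE DH group: 1, 2, 5, ...


@dataclass
class Peer:
    name: str
    wan_ip: str                 # address actually used on the wire
    mode: str                   # "main" or "aggressive"
    identity: str               # ID payload this side sends: an IP or an FQDN
    psks: dict                  # peer identity -> pre-shared key (like a psk.txt)
    phase1: list                # Phase1Proposal objects in preference order
    pfs_group: Optional[int]    # None models "PFS Group: none"


def is_ipv4(text: str) -> bool:
    try:
        IPv4Address(text)
        return True
    except AddressValueError:
        return False


def lookup_psk(responder: Peer, initiator: Peer) -> Optional[str]:
    """Which key the responder will try for this initiator.

    Main mode: the ID payload travels encrypted (message 5), so the responder
    must already have picked a PSK by the initiator's source IP address.
    Aggressive mode: the ID is sent in the clear in message 1, which is what
    makes an FQDN identity usable, at the price of exposing a PSK-derived hash
    to offline guessing.
    """
    key = initiator.wan_ip if responder.mode == "main" else initiator.identity
    return responder.psks.get(key)


def negotiate(initiator: Peer, responder: Peer):
    """Return (chosen Phase 1 proposal or None, list of failure reasons)."""
    reasons = []
    if initiator.mode != responder.mode:
        reasons.append(f"mode mismatch: {initiator.mode} vs {responder.mode}")
    for p in (initiator, responder):
        if not is_ipv4(p.wan_ip):
            reasons.append(f"{p.name}: local address {p.wan_ip!r} is not an IP "
                           "(unexpanded placeholder?)")
        if p.mode == "main" and not is_ipv4(p.identity):
            reasons.append(f"{p.name}: main mode needs an IP identity, got {p.identity!r}")
    # Phase 1: the responder takes the first initiator proposal it also has.
    chosen = next((p for p in initiator.phase1 if p in responder.phase1), None)
    if chosen is None:
        reasons.append("phase 1: no common proposal; the initiator usually sees only "
                       "a timeout ('phase1 negotiation failed due to time up')")
    k_r = lookup_psk(responder, initiator)
    k_i = lookup_psk(initiator, responder)
    if k_r is None or k_i is None:
        reasons.append("phase 1: one side has no pre-shared key for the peer identity")
    elif k_r != k_i:
        reasons.append("phase 1: pre-shared keys differ (check quoting and whitespace)")
    # Phase 2: PFS group must match exactly.
    if initiator.pfs_group != responder.pfs_group:
        reasons.append(f"phase 2: PFS group mismatch: {initiator.pfs_group} vs {responder.pfs_group}")
    return chosen, reasons


# Constructed peers: an AstLinux box on 203.0.113.40 and a PIX on 198.51.100.9.
GROUP2_3DES_SHA = Phase1Proposal("3des", "sha1", 2)


def make_astlinux(wan_ip="203.0.113.40", pfs_group=2, psk="s3cret"):
    return Peer("astlinux", wan_ip, "main", wan_ip,
                {"198.51.100.9": psk}, [GROUP2_3DES_SHA], pfs_group)


def make_pix(pfs_group=2, psk="s3cret", peer_ip="203.0.113.40"):
    return Peer("pix", "198.51.100.9", "main", "198.51.100.9",
                {peer_ip: psk}, [GROUP2_3DES_SHA, Phase1Proposal("3des", "md5", 1)],
                pfs_group)


if __name__ == "__main__":
    cases = {
        "working": (make_astlinux(), make_pix()),
        "PIX without PFS": (make_astlinux(), make_pix(pfs_group=None)),
        "unexpanded $EXTIP": (make_astlinux(wan_ip="$EXTIP"), make_pix()),
        "new DHCP lease": (make_astlinux(wan_ip="203.0.113.77"), make_pix()),
        "quoted key on PIX only": (make_astlinux(), make_pix(psk='"s3cret"')),
    }
    for label, (a, b) in cases.items():
        chosen, reasons = negotiate(a, b)
        print(f"{label}: {'OK ' + str(chosen) if not reasons else 'FAIL'}")
        for r in reasons:
            print("   -", r)
```

The "new DHCP lease" case is the one Lonnie describes: nothing in the proposal changed, but the PIX keys its pre-shared key on the old address, so the peer is simply unknown to it. The "quoted key" case shows why adding double quotes on one side only makes the keys differ rather than fixing them.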