I only took a cursory glance at this thread, but it might be of use. Check it out:
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee78ecb/1

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Craig Columbus
Sent: Thursday, April 18, 2002 7:39 AM
To: [EMAIL PROTECTED]
Subject: PIX VPN Connection to Linksys Router [7:41821]

Here's the deal:

I've got a PIX that serves as a security gateway for a Cisco VPN Client 3.1. Settings are basically DES/MD5/ESP with pre-shared key. Part of the VPN3.1 client requires vpngroup name, as defined in the configuration on the PIX.

I just bought one of the Linksys BEFVP41 VPN routers to test connectivity to the PIX. The Linksys doesn't understand vpngroup associations, so I need to configure the PIX to also allow the connection based solely on pre-shared key.

I think I've got it configured properly, and VPN Client-to-PIX connections work fine, but negotiations break down at phase 2 when connecting with the Linksys. It's probably something simple that I'm missing because I've been staring at it too long. Anyone have any ideas?

PIX relevant config (sanitized):

access-list bypassingnat permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
ip local pool mypool 192.168.100.1-192.168.100.254
nat (inside) 0 access-list bypassingnat
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map users 11 set transform-set strong
crypto map remote 11 ipsec-isakmp dynamic users
crypto map remote client configuration address initiate
crypto map remote client configuration address respond
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local mypool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool mypool
vpngroup vpn3000 dns-server 10.x.x.x
vpngroup vpn3000 default-domain xxxxxxxx
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

Debug from PIX (sanitized... y.y.69.129 is the Linksys, x.x.67.2 is the public interface of the PIX):

crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to y.y.69.129. ID = 3267015605 (0xc2bab3b5)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2

Finally it just times out trying to retransmit phase 2.

Thanks in advance!
Craig

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41913&t=41821
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
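The point where the quoted debug output stops making progress can be picked out mechanically. The Python below is an added example, not part of the original messages or of any Cisco tool; the function name `analyze`, the result keys and the verdict strings are assumptions made for illustration, and the sample lines are excerpted from the debug output quoted above.

```python
import re

# Excerpt of the PIX debug output quoted in the post (addresses as sanitized there).
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to y.y.69.129. ID = 3267015605 (0xc2bab3b5)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

def analyze(debug_text):
    """Summarise where an IKE negotiation in PIX ISAKMP debug output stops."""
    r = {"accepted": None, "rejected": [], "authenticated": False,
         "mode_config_peer": None, "phase2_retransmits": 0}
    current = None  # (transform number, policy priority) being checked
    for line in debug_text.splitlines():
        line = line.strip()
        m = re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
        elif "atts are not acceptable" in line:
            r["rejected"].append(current)
        elif "atts are acceptable" in line:
            r["accepted"] = current
        elif "SA has been authenticated" in line:
            r["authenticated"] = True
        elif (m := re.search(r"initiating peer config to (\S+)\. ID", line)):
            r["mode_config_peer"] = m.group(1)
        elif "retransmitting phase 2" in line:
            r["phase2_retransmits"] += 1
    if not r["authenticated"]:
        r["verdict"] = "phase 1 did not complete"
    elif r["mode_config_peer"] and r["phase2_retransmits"]:
        r["verdict"] = "phase 1 ok; stalled after PIX initiated mode config"
    elif r["phase2_retransmits"]:
        r["verdict"] = "phase 1 ok; phase 2 retransmitting"
    else:
        r["verdict"] = "no stall seen"
    return r

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On this sample the verdict is the mode-config stall, which lines up with the `crypto map remote client configuration address initiate` line in the posted config: the PIX starts a mode-config exchange with the Linksys once the quick mode arrives. PIX 6.x `isakmp key` accepts `no-xauth` and `no-config-mode` keywords for peers that should be exempt from that.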

