Question : linksys vpn will not connect with pix 501
Hey everyone,
I think I set up the PIX correctly... but I'm not sure. I have a remote office that I'm trying to connect via the BEFVP41. It tries to connect, but I get an error on the Linksys that says:
2007-01-05 09:36:32 IKE[1] Rx << MM_R1 : 216.165.204.118 SA
2007-01-05 09:36:32 IKE[1] ISAKMP SA CKI=[62b7f34f 12373e83] CKR=[cc54918d 181084d8]
2007-01-05 09:36:32 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768 / 1000 sec (*1000 sec)
2007-01-05 09:36:32 IKE[1] Tx >> MM_I2 : 216.165.204.118 KE, NONCE
2007-01-05 09:36:33 IKE[1] Rx << MM_R2 : 216.165.204.118 KE, NONCE, VID, VID, VID, VID
2007-01-05 09:36:33 IKE[1] Tx >> MM_I3 : 216.165.204.118 ID, HASH
2007-01-05 09:36:33 IKE[1] Rx << MM_R3 : 216.165.204.118 ID, HASH
2007-01-05 09:36:33 IKE[1] Tx >> QM_I1 : 216.165.204.118 HASH, SA, NONCE, ID, ID
2007-01-05 09:36:33 IKE[1] Rx << Notify :
2007-01-05 09:36:33 IKE[1] Rx << Notify : NO-PROPOSAL-CHOSEN
2007-01-05 09:36:33 IKE[1] **Check your Encryption, Authentication method and PFS settings !
And this is a copy of my PIX config:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password jbdf6FYcLjZyXo55 encrypted
passwd jbdf6FYcLjZyXo55 encrypted
hostname ttifirewall
domain-name ttifirewall.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 216.165.204.117 exchange
access-list outsidein permit icmp any any echo-reply
access-list outsidein permit icmp any any source-quench
access-list outsidein permit icmp any any unreachable
access-list outsidein permit icmp any any time-exceeded
access-list outsidein permit icmp any any
access-list outsidein permit tcp any host exchange eq 3389
access-list outsidein permit udp any host exchange
access-list outsidein permit tcp any host exchange eq www
access-list outsidein permit tcp any host exchange eq https
access-list outsidein permit tcp any host exchange eq smtp
access-list outsidein permit tcp any any eq pptp
access-list outsidein permit udp any any eq 1723
access-list aclout permit icmp any any
access-list NoNAT permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNAT permit ip 192.168.0.0 255.255.255.0 10.99.99.0 255.255.255.0
access-list befvp41 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list befvp41 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list bypass permit ip 192.168.2.0 255.255.255.0 10.99.99.0 255.255.255.0
pager lines 24
logging on
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.165.204.118 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp 10.99.99.1-10.99.99.15
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.165.204.117 192.168.0.6 netmask 255.255.255.255 0 0
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 216.165.204.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set befvp41-set esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address befvp41
crypto map newmap 20 set pfs
crypto map newmap 20 set peer 216.136.86.15
crypto map newmap 20 set transform-set befvp41-set
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 216.136.86.15 netmask 255.255.255.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp
vpdn group 1 client configuration dns 192.168.0.6 192.168.0.6
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username admini password *********
vpdn username cfc password *********
vpdn username chuck password *********
vpdn enable outside
terminal width 80
Cryptochecksum:f7fbf1ea4f6fe824aaf77bd980dbfaf6
: end
ttifirewall(config)#
Answer : linksys vpn will not connect with pix 501
Just to also make sure the Linksys is set up properly... Let's verify each and every setting, starting with the main Security | VPN page:

Tunnel1 (tunnel1) (*) Enabled
Tunnel Name [whatever]
--------------
Local Secure Group (be sure that this is your local LAN subnet)
Subnet | 192.168.1.0 | 255.255.255.0
--------------
Remote Secure Group (be sure this is the local LAN behind the PIX, and is *not* the same as your local LAN)
Subnet | 192.168.221.0 | 255.255.255.0
-------------
Remote Security Gateway = public IP address of PIX
-------------
Encryption DES | Authentication MD5
-------------
Auto (IKE)
PFS (*) Disabled
Pre-shared Key [chappy]
Key Lifetime [3600] sec
---------------
[ Advanced Setting ]
(*) Main Mode
Proposal1 DES | MD5 | 1024 | 3600
Phase 2 Proposal: DES | MD5 PFS:OFF | 1024-bit | 3600
Other Settings - all un-checked (disable keep-alive)
On the PIX:

\\-- access-list for crypto map match = mirror image of Linksys Local/Remote settings
access-list VPN_to_linksys permit ip 192.168.221.0 255.255.255.0 192.168.1.0 255.255.255.0

\\-- access-list for nat bypass between these two networks
access-list no_nat permit ip 192.168.221.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat

\\-- crypto map (make sure you have one for DES and one for 3DES - we'll get to that later)
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address VPN_to_linksys
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside

\\-- use wildcard address here, in case your Linksys IP address ever changes
isakmp key chappy address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600 <== to match the Linksys default
isakmp enable outside

\\-- create another policy for 3DES
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 3600

I have found that for some reason, PIX-to-Linksys VPN prefers 3DES over DES. If that's the case, then we've already set up the PIX to require only a very minor tweak, and you can also change the Linksys very, very quickly in two spots from DES to 3DES.

\\-- On the PIX, add this one line (it changes the existing line):
crypto map outside_map 20 set transform-set ESP-3DES-MD5

\\-- then re-apply the crypto map to the interface
crypto map outside_map interface outside
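As an added illustration (not part of the original question or answer), here is a small Python checker that parses the IKE and IPsec lines from the PIX config in the question and compares them with the Linksys side: phase 1 values taken from the BEFVP41 log (MODP_768 is DH group 1), phase 2 values from the settings the answer recommends (DES/MD5, PFS off). Treating `crypto map ... set pfs` as "PFS required" and the Linksys values as a fixed dict are assumptions made for this example.

```python
# Constructed sample: the IKE/IPsec lines from the PIX config posted in the question.
PIX_CONFIG = """
crypto ipsec transform-set befvp41-set esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address befvp41
crypto map newmap 20 set pfs
crypto map newmap 20 set peer 216.136.86.15
crypto map newmap 20 set transform-set befvp41-set
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""

# Linksys side (assumed for the example): phase 1 as the BEFVP41 log reports it
# (DES / MD5 / MODP_768 = group 1 / 1000 s), phase 2 as the answer recommends (PFS disabled).
LINKSYS = {
    "phase1": {"encryption": "des", "hash": "md5", "group": "1", "lifetime": "1000"},
    "phase2": {"transform": ("esp-des", "esp-md5-hmac"), "pfs": False},
}

def parse_pix(config):
    """Extract the isakmp policy values and the crypto map's transform set / PFS flag."""
    pix = {"phase1": {}, "phase2": {"pfs": False}}
    transform_sets = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["isakmp", "policy"]:
            pix["phase1"][tok[3]] = tok[4]          # e.g. encryption -> des
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[tok[3]] = tuple(tok[4:])  # name -> (esp cipher, esp auth)
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["set", "pfs"]:
            pix["phase2"]["pfs"] = True              # PFS is required on this map entry
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["set", "transform-set"]:
            pix["phase2"]["transform"] = transform_sets[tok[6]]
    return pix

def find_mismatches(pix, peer):
    """Return 'phase key: pix=.. peer=..' strings for every parameter that differs."""
    problems = []
    for phase in ("phase1", "phase2"):
        for key, want in peer[phase].items():
            have = pix[phase].get(key)
            if have != want:
                problems.append(f"{phase} {key}: pix={have} peer={want}")
    return problems

if __name__ == "__main__":
    for p in find_mismatches(parse_pix(PIX_CONFIG), LINKSYS) or ["proposals match"]:
        print(p)
```

With these inputs phase 1 lines up (which matches the log: main mode completes), and the only difference reported is PFS in phase 2, where the log shows NO-PROPOSAL-CHOSEN.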