WRVS4400N Vs PIX515E

Mar 17th, 2008

I'm trying to get a VPN tunnel going between these two devices and no matter what I do, it just won't work...

On the WRVS4400N, under IPSEC, in Group it says 768bit.

On the PIX there are no bits, it just says group#.

Has anyone ever done something similar?

ajagadee (Cisco Employee) Thu, 03/20/2008 - 12:43

Can you post the configuration from the PIX and also "deb cr is" and "deb cr ips" from the PIX when you are having issues trying to bring up the tunnel?


Regards,

Arul

alexus Sun, 03/23/2008 - 17:04

I used the ASDM wizard to create the VPN tunnel; here is what it proposed I use:


!PIX
!Single Routed
!23-Mar-08_19.53.50
!Preview CLI Commands
access-list outside_20_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240
access-list inside_nat0_outbound line 2 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key XXXXXXXXXXXX
 isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer XXX.XXX.XXX.XXX
crypto map outside_map 20 set transform-set ESP-3DES-SHA


I replaced the IP with XXX.XXX.XXX.XXX, and I also replaced my shared key.

And this is from the side of my Linksys router:


Local Group Setup
Local Security Gateway Type: IP Only
IP Address: XXX.XXX.XXX.XXX
Local Security Group Type: Subnet
IP Address: 10.10.10.0
Subnet Mask: 255.255.255.240

Remote Group Setup
Remote Security Gateway Type: IP Only
IP Address: XXX.XXX.XXX.XXX
Remote Security Group Type: Subnet
IP Address: 192.168.1.0
Subnet Mask: 255.255.255.0

IPSec Setup
Keying Mode: IKE With Preshared key
Phase1
Encryption: 3DES
Authentication: SHA1
Group: 768-bit
Key Life Time: 28800
Phase2:
Encryption: 3DES
Authentication: SHA1
Perfect Forward Secrecy: Enable
Preshared Key: XXXXXXXXXXXX
Group: 768-bit
Key Life Time: 3600sec


JORGE RODRIGUEZ Sun, 03/23/2008 - 19:14

Diffie-Hellman processes the secret key exchanged between the two IPsec tunnel points. The 768-bit refers to Diffie-Hellman group type 1; there are several types of Diffie-Hellman groups: 1, 2, 5, 7.

In your PIX config you have Group 2, which specifies 1024-bit; on the other side is group 1, 768-bit. These settings must match at both ends, otherwise the tunnel will not come up during IPsec phase-1.

In the PIX, change from crypto map outside_map 20 set pfs group2 to crypto map outside_map 20 set pfs group1


HTH

Rgds

Jorge

JORGE RODRIGUEZ Sun, 03/23/2008 - 20:57

Correction: to change the DH group from 2 to 1 you need to change it in your IKE policy, which is part of the IPsec phase-1, so look in your configuration for the statement isakmp policy xx group Y, where xx is your IKE policy number and Y is Diffie-Hellman type 1, 2 or 5. You want 1.

isakmp policy xx group 1
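
The group-number versus bit-size comparison discussed in this thread, as an added example that is not part of any post above: it reads the group lines from PIX CLI text and from the Linksys-style settings and reports, per phase, whether they agree. The function names and the two sample strings are assumptions constructed from the lines quoted in the thread; a phase with no group line in the PIX text is reported as unknown rather than guessed.

```python
import re

# MODP Diffie-Hellman groups: group number -> modulus size in bits.
DH_BITS = {1: 768, 2: 1024, 5: 1536}

# Constructed inputs: only the group-related lines from the thread's two configs.
PIX = "crypto map outside_map 20 set pfs group2\n"
LINKSYS = "Phase1\nGroup: 768-bit\nPhase2:\nGroup: 768-bit\n"

def pix_groups(config):
    """Return {'phase1': {policy: group}, 'phase2': {(map, seq): group}} from PIX CLI text."""
    found = {"phase1": {}, "phase2": {}}
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"(?:crypto )?isakmp policy (\d+) group (\d+)$", line)
        if m:
            found["phase1"][int(m.group(1))] = int(m.group(2))
        m = re.match(r"crypto map (\S+) (\d+) set pfs group(\d+)$", line)
        if m:
            found["phase2"][(m.group(1), int(m.group(2)))] = int(m.group(3))
    return found

def linksys_groups(settings):
    """Return {'phase1': bits, 'phase2': bits} from WRVS4400N-style settings text."""
    bits, phase = {}, None
    for line in map(str.strip, settings.splitlines()):
        m = re.match(r"Phase\s*([12])", line)
        if m:
            phase = "phase" + m.group(1)  # later Group: lines belong to this phase
        m = re.match(r"Group:\s*(\d+)-bit", line)
        if m and phase:
            bits[phase] = int(m.group(1))
    return bits

def compare(config, settings):
    """One finding per PIX entry: match, mismatch, or unknown (no group line found)."""
    pix, peer = pix_groups(config), linksys_groups(settings)
    findings = []
    for phase in ("phase1", "phase2"):
        want = peer.get(phase)
        if not pix[phase]:
            findings.append((phase, "unknown", f"no group line in PIX text; peer uses {want}-bit"))
            continue
        for _key, group in sorted(pix[phase].items()):
            have = DH_BITS.get(group)  # None for groups outside the table
            status = "match" if have == want else "mismatch"
            findings.append((phase, status, f"PIX group {group} = {have}-bit, peer {want}-bit"))
    return findings

if __name__ == "__main__":
    print(compare(PIX, LINKSYS))
```
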

