
WRVS4400N Vs PIX515E

alexus
Level 1

I'm trying to get a VPN tunnel going between these two devices and no matter what I do, it just won't work...

On the WRVS4400N, under IPSEC, in Group it says 768-bit.

On the PIX there are no bits, it just says group#.

Has anyone ever done something similar?

4 Replies

ajagadee
Cisco Employee

Can you post the configuration from the PIX and also "deb cr is" and "deb cr ips" from the PIX when you are having issues trying to bring up the tunnel?

Regards,

Arul

I used the ASDM wizard to create the VPN tunnel; here is what it proposed I use:

!PIX

!Single Routed

!23-Mar-08_19.53.50

!Preview CLI Commands

access-list outside_20_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240

access-list inside_nat0_outbound line 2 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240

tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l

tunnel-group XXX.XXX.XXX.XXX ipsec-attributes

pre-shared-key XXXXXXXXXXXX

isakmp keepalive threshold 10 retry 2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set pfs group2

crypto map outside_map 20 set peer XXX.XXX.XXX.XXX

crypto map outside_map 20 set transform-set ESP-3DES-SHA

I replaced the IP with XXX.XXX.XXX.XXX, and I also replaced my shared key.

And this is from the side of my Linksys router:

Local Group Setup

Local Security Gateway Type: IP Only

IP Address: XXX.XXX.XXX.XXX

Local Security Group Type: Subnet

IP Address: 10.10.10.0

Subnet Mask: 255.255.255.240

Remote Group Setup

Remote Security Gateway Type: IP Only

IP Address: XXX.XXX.XXX.XXX

Remote Security Group Type: Subnet

IP Address: 192.168.1.0

Subnet Mask: 255.255.255.0

IPSec Setup

Keying Mode: IKE With Preshared key

Phase1

Encryption: 3DES

Authentication: SHA1

Group: 768-bit

Key Life Time: 28800

Phase2:

Encryption: 3DES

Authentication: SHA1

Perfect Forward Secrecy: Enable

Preshared Key: XXXXXXXXXXXX

Group: 768-bit

Key Life Time: 3600sec

Diffie-Hellman processes the secret key exchanged between the two IPsec tunnel points. The 768-bit refers to Diffie-Hellman group type 1; there are several types of Diffie-Hellman groups: 1, 2, 5, 7.

In your PIX config you have group 2, which specifies 1024-bit; on the other side is group 1, 768-bit. These settings must match at both ends, otherwise the tunnel will not come up during IPsec phase 1.

On the PIX, change from crypto map outside_map 20 set pfs group2 to crypto map outside_map 20 set pfs group1

HTH

Rgds

Jorge

Jorge Rodriguez

Correction: to change the DH group from 2 to 1 you need to change it in your IKE policy, which is part of IPsec phase 1, so look in your configuration for the statement isakmp policy xx group Y, where xx is your IKE policy number and Y is Diffie-Hellman type 1, 2 or 5. You want 1.

isakmp policy xx group 1

Jorge Rodriguez
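
A consistency check for the mismatch discussed in this thread, added here as an example and not posted by any participant. It parses the PIX lines from the ASDM preview and compares them with the WRVS4400N values as posted; the function names and the LINKSYS dictionary layout are assumptions made for the example.

```python
import re

DH_BITS = {"1": 768, "2": 1024, "5": 1536}  # modulus size per DH group number

# Lines taken from the ASDM preview in the thread (peer address and key left out).
PIX_CLI = """\
access-list outside_20_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""

# WRVS4400N settings as posted; the dictionary layout is an assumption of this example.
LINKSYS = {"local_net": "10.10.10.0 255.255.255.240", "remote_net": "192.168.1.0 255.255.255.0",
           "p1_group_bits": 768, "p2_group_bits": 768, "pfs": True,
           "p2_enc": "3des", "p2_auth": "sha"}

def parse_pix(cli):
    """Pull the negotiated parameters out of PIX CLI text (subnet/mask ACL entries only)."""
    cfg = {"ike_group_bits": None, "pfs_bits": None}
    m = re.search(r"^crypto map \S+ \d+ set pfs group(\d+)", cli, re.M)
    if m:
        cfg["pfs_bits"] = DH_BITS[m.group(1)]
    m = re.search(r"^(?:crypto )?isakmp policy \d+ group (\d+)", cli, re.M)
    if m:
        cfg["ike_group_bits"] = DH_BITS[m.group(1)]
    m = re.search(r"^crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac", cli, re.M)
    if m:
        cfg["p2_enc"], cfg["p2_auth"] = m.groups()
    m = re.search(r"permit ip (\S+ \S+) (\S+ \S+)$", cli, re.M)
    if m:
        cfg["local_net"], cfg["remote_net"] = m.groups()
    return cfg

def compare(pix, peer):
    """Return one finding per parameter on which the two ends disagree."""
    out = []
    if peer["pfs"] and pix["pfs_bits"] != peer["p2_group_bits"]:
        out.append(f"phase 2 PFS group: PIX {pix['pfs_bits']}-bit, peer {peer['p2_group_bits']}-bit")
    if pix["ike_group_bits"] is None:
        out.append("phase 1 group: no isakmp policy in the PIX lines, cannot compare")
    elif pix["ike_group_bits"] != peer["p1_group_bits"]:
        out.append(f"phase 1 group: PIX {pix['ike_group_bits']}-bit, peer {peer['p1_group_bits']}-bit")
    for key in ("p2_enc", "p2_auth"):
        if pix.get(key) != peer[key]:
            out.append(f"{key}: PIX {pix.get(key)}, peer {peer[key]}")
    # Each side's local subnet must be the other side's remote subnet.
    if (pix.get("local_net"), pix.get("remote_net")) != (peer["remote_net"], peer["local_net"]):
        out.append("protected subnets are not mirror images of each other")
    return out

if __name__ == "__main__":
    print("\n".join(compare(parse_pix(PIX_CLI), LINKSYS)) or "no mismatch found")
```

The phase 1 finding appears because the ASDM preview in the thread contains no isakmp policy line, so only the phase 2 PFS group can be compared from what was posted.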