Cisco Support Community

configuring vpn link via ssh on 501

I've run into a frustrating problem on a 501. It's at a new remote site and I've not had direct access to the device, only via SSH. I was trying to configure their VPN for Pix to Pix access to the corporate office and can't get the link to come up. The site was originally configured with des only and I use 3des so I removed all the crypto statements and added the new connection configuration. I know the configuration works, I've tried it on a spare Pix we have at our corporate office and the link comes up fine. Does the application of the new crypto statements and change to 3des require a restart or can those changes be made on the fly? That's the only thing I haven't tried as I wasn't ready to save the config permanently yet. Here is the config I'm using:

    sysopt connection permit-ipsec
    crypto ipsec transform-set vpn esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set vpn
    crypto map vpn 20 ipsec-isakmp
    crypto map vpn 20 match address 110
    crypto map vpn 20 set peer x.x.x.x
    crypto map vpn 20 set transform-set vpn
    crypto map vpn 40 ipsec-isakmp dynamic dynmap
    crypto map vpn interface outside
    isakmp enable outside
    isakmp key ****** address x.x.x.x netmask
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400


Re: configuring vpn link via ssh on 501

Firstly - Is the configuration on both pix symmetrical? For example, if you are using 3DES on one pix then the other must also be using 3DES and the correct ISAKMP key / crypto ACL etc / transform-set etc?

If both pix have the correct setup then have you issued: clear crypto isakmp sa and also clear crypto ipsec sa on both peers?

Make sure that you have L3 (Network) connectivity between both peers - if you can ping the outside IP address of your peer pix from your pix then this will confirm that you have L3 connectivity.

You are using isakmp group 1 on your pix, is the remote pix also using group 1 for ISAKMP?

For reference and troubleshooting, look at the following document for help:

From what you have posted (minus the crypto ACL and NAT 0 statement) it looks OK to me, but verify everything by using the above URL.

Let me know how you get on or if you require further help, and if it helps please rate the post!
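
The symmetry check suggested in the reply above can be run over two saved configs before touching a device reachable only over SSH. This is an added example, not part of the original thread: the function names are hypothetical and the hub config (assumed to offer only a group 5 policy) is constructed for illustration.

```python
import re

# Constructed sample configs. REMOTE_CFG reuses the posted policy 20; HUB_CFG
# is an assumed hub policy using group 5, not taken from the thread.
REMOTE_CFG = """\
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
HUB_CFG = """\
crypto ipsec transform-set hubset esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 5
"""
# Attributes both peers must agree on for an ISAKMP policy to be accepted.
PHASE1_KEYS = ("authentication", "encryption", "hash", "group")

def isakmp_policies(cfg):
    """Return {priority: {attribute: value}} parsed from 'isakmp policy' lines."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)", cfg, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def transform_sets(cfg):
    """Return each transform-set as a frozenset of transforms (names are local)."""
    pat = r"^crypto ipsec transform-set \S+ (.+)$"
    return {frozenset(m.group(1).split()) for m in re.finditer(pat, cfg, re.M)}

def mismatches(cfg_a, cfg_b):
    """Map each (prio_a, prio_b) pair to the phase 1 attributes that differ.
    Attributes absent from the text compare as unset; defaults are not modelled."""
    a, b = isakmp_policies(cfg_a), isakmp_policies(cfg_b)
    return {(pa, pb): [k for k in PHASE1_KEYS if va.get(k) != vb.get(k)]
            for pa, va in a.items() for pb, vb in b.items()}

def phase1_compatible(cfg_a, cfg_b):
    """True if at least one policy pair agrees on every phase 1 attribute."""
    return any(not diff for diff in mismatches(cfg_a, cfg_b).values())

def shared_transforms(cfg_a, cfg_b):
    """Transform combinations both peers could agree on in phase 2."""
    return transform_sets(cfg_a) & transform_sets(cfg_b)

if __name__ == "__main__":
    print(mismatches(REMOTE_CFG, HUB_CFG), shared_transforms(REMOTE_CFG, HUB_CFG))
```

With the constructed inputs, the only policy pair differs on `group`, so phase 1 would not complete even though the transform sets match.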



Re: configuring vpn link via ssh on 501


I was able to get the configuration working by using the des config at the remote site and configuring an extra pix I have. The script I posted worked fine then.

The sh ver indicates it's licensed for 3des but I can't get it to come up when I use the same config (with the 3des commands instead of des). Could 3des be incorrectly registered as enabled even if it's not installed?

I run two other VPN tunnels already on the main office Pix I was trying to connect to so I was using group 5 in my config, can I use group 1 concurrently on multiple connections?

I'll check the reference document you've posted as well.

thanks, nick


Re: configuring vpn link via ssh on 501

Does access list 110 exist?


Re: configuring vpn link via ssh on 501

It does, I just didn't include it with the crypto config commands. It translates traffic on the two networks.